CVE-2001-0241
Published 2001-06-27
Priority: P2 (62) · Severity: critical · CVSS 2.0 base score 10.0, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 87.03% (99.7th percentile)
Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0. ("Root" here is the NVD wording; on Windows 2000 the overflow runs in inetinfo.exe, which ran as LocalSystem, so the attacker gets SYSTEM.)
Detection & IOCs (extracted from sources)
msw3prt.dll call ebx gadgets (from the Metasploit module): 0x6A8C3105, 0x6A8C317F, 0x6A8C3267, 0x6A8C32AD, 0x6A8C3DB9, 0x6A8C3DC2, 0x6A8C3E23, 0x6A8C4D88, 0x6A8C4DD1, 0x6A8C4DFB, 0x6A8C5383, 0x6A8C5395, 0x6A8C565D, 0x6A8C6437, 0x6A8C6451, 0x6A8C66C2, 0x6A8C66FB, 0x6A8C6B04, 0x6A8C6B1D, 0x6A8C73A4, 0x6A8C73D8, 0x6A8C73F4, 0x6A8C9C55, 0x6A8C9C86, 0x6A8CCF13, 0x6A8CCF4B, 0x6A8CCF62
Bytes: \x47\x45\x54\x20\x2f\x4e\x55\x4c\x4c\x2e\x70\x72\x69\x6e\x74\x65\x72\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a (decodes to the ASCII request line GET /NULL.printer HTTP/1.0 followed by CRLF)
- Detect HTTP GET requests for /NULL.printer, the URI used by every PoC indexed on this page. The ISAPI mapping is by extension, so any *.printer path reaches msw3prt.dll; match on the .printer suffix rather than only the literal NULL.printer, or a trivially renamed request slips past the rule.
- Alert on requests to any *.printer URI carrying an unusually long Host: header. The eEye PoC reports EIP overwritten at Host byte 260 and the Metasploit check pads the header to 257 bytes, so a threshold around 256 bytes catches the trigger; the full exploit requests carry roughly 420 bytes in the Host field.
- Detect the Metasploit check() fingerprint: a GET /NULL.printer, followed shortly by a second request to the same path with Host: set to 'X'*257.
- The exploit overwrites an exception frame to take control of EIP. The Metasploit module uses return address 0x732c45f3 for Windows 2000 SP0-SP1 targets; on the wire it appears little-endian (\xf3\x45\x2c\x73), so a content match must use that byte order.
- The vulnerable DLL is msw3prt.dll. That DLL loaded in inetinfo.exe on IIS 5.0 / Windows 2000 SP0 or SP1 is an exploitable configuration.
- An HTTP response containing 'Error in web printer' to GET /NULL.printer confirms the .printer ISAPI extension is mapped and active and the target may be vulnerable (this is the Metasploit detection step).
- An HTTP 500 response, or no response at all, to GET /NULL.printer with an oversized Host header (257+ bytes) indicates the overflow was triggered (a crash, not necessarily code execution).
- Caveat: if Web-based Printing has been configured via Group Policy, disabling or unmapping the .printer ISAPI extension through Internet Services Manager is silently overridden, leaving the system exposed after apparent remediation; apply the MS01-023 patch rather than relying on the mapping change.
- Caveat: Windows 2000 automatically restarts IIS when it detects the web server is unresponsive after a crash, so a failed attempt may leave no persistent crash evidence and the administrator may be unaware of exploitation.
- Caveat: the Metasploit module targets only Windows 2000 SP0 and SP1, and may need to be run several times if IIS is left hung after a successful compromise.
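The indicators above as working detection logic. This is an added example written for this page, not code from Metasploit, the exploit authors or the page's sources; the 256-byte Host threshold is an assumption chosen from the 257/260-byte figures above, and the sample requests and responses at the bottom are constructed, not captured traffic.

```python
# Added example (not from the page's sources): classify raw HTTP requests
# and responses against the CVE-2001-0241 indicators. Sample traffic below
# is constructed for the demonstration.
from dataclasses import dataclass

# IOC bytes quoted on the page; they decode to "GET /NULL.printer HTTP/1.0\r\n".
PROBE_PREFIX = bytes.fromhex(
    "47 45 54 20 2f 4e 55 4c 4c 2e 70 72 69 6e 74 65 72 20"
    "48 54 54 50 2f 31 2e 30 0d 0a"
)

# Return address the Metasploit module uses for Windows 2000 SP0-SP1.
# x86 is little-endian, so the four bytes are reversed on the wire.
RET_ADDR = 0x732C45F3
RET_BYTES = RET_ADDR.to_bytes(4, "little")  # b"\xf3\x45\x2c\x73"

# eEye reports EIP overwritten at Host byte 260 and the Metasploit check()
# pads Host to 257 bytes; 256 is an assumed alert threshold.
HOST_ALERT_LEN = 256
CHECK_HOST = b"X" * 257

SEVERITY = ("none", "recon", "check", "exploit")


@dataclass
class Verdict:
    severity: str
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers), or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify(raw: bytes) -> Verdict:
    parsed = parse_request(raw)
    if parsed is None:
        return Verdict("none", "unparseable request line")
    _method, target, headers = parsed
    path = target.split(b"?", 1)[0].lower()
    # The ISAPI mapping is by extension: any *.printer path reaches
    # msw3prt.dll, so do not match only the literal /NULL.printer.
    if not path.endswith(b".printer"):
        return Verdict("none", "not a .printer request")
    host = headers.get(b"host", b"")
    if host == CHECK_HOST:
        return Verdict("check", "Metasploit check() fingerprint: Host = 'X'*257")
    # Byte-level match over the whole request, independent of header parsing.
    if RET_BYTES in raw:
        return Verdict("exploit", f"return address {RET_ADDR:#x} (little-endian) present")
    if len(host) >= HOST_ALERT_LEN:
        return Verdict("exploit", f"Host header is {len(host)} bytes on a .printer path")
    if raw.startswith(PROBE_PREFIX):
        return Verdict("recon", "GET /NULL.printer probe")
    return Verdict("recon", "request to the .printer extension")


def classify_session(requests):
    """Worst verdict over one client's requests, plus whether the two-step
    Metasploit check (bare probe, then padded Host) was seen in order."""
    verdicts = [classify(r) for r in requests]
    two_step = any(
        a.reason == "GET /NULL.printer probe" and b.severity == "check"
        for a, b in zip(verdicts, verdicts[1:])
    )
    worst = max(verdicts, key=lambda v: SEVERITY.index(v.severity))
    return worst.severity, two_step


def classify_response(resp: bytes, request: Verdict) -> str:
    """Interpret the server's reply to a .printer request."""
    status_line = resp.split(b"\r\n", 1)[0]
    if b"Error in web printer" in resp:
        return "printer extension active"
    if b" 500 " in status_line and request.severity in ("check", "exploit"):
        return "overflow likely triggered"
    return "no indicator"


if __name__ == "__main__":
    # Constructed sample traffic, not captured.
    samples = [
        b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n",
        PROBE_PREFIX + b"Host: intranet\r\n\r\n",
        b"GET /NULL.printer HTTP/1.0\r\nHost: " + CHECK_HOST + b"\r\n\r\n",
        b"GET /x.printer HTTP/1.0\r\nHost: " + b"A" * 420 + b"\r\n\r\n",
    ]
    for s in samples:
        v = classify(s)
        print(f"{v.severity:8} {v.reason}")
    print(classify_session(samples[1:3]))
```

The ordering of checks matters: the exact 'X'*257 fingerprint is tested before the length threshold so a scanner's check() is reported as reconnaissance rather than as an exploit attempt, and the return-address match runs over the raw bytes so that a payload which confuses the header parser still fires the rule.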
No detection rules found.
Exploit-DB · 2010-04-30 · Microsoft IIS 5.0 - Printer Host Header Overflow (MS01-023) (Metasploit)
---
##
# $Id: ms01_023_printer.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Microsoft IIS 5.0 Printer Host Header Overflow',
'Description' => %q{
This exploits a buffer overflow in the request processor of
the Internet Printing Protocol ISAPI module in IIS. This
module works against Windows 2000 service pack 0 and 1. If
the service stops responding after a successful compromise,
run the exploit a couple more times to completely k
Exploit-DB · 2005-02-02 · Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (3)
---
/*
source: https://www.securityfocus.com/bid/2674/info
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overr
Exploit-DB · 2001-05-08 · Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (2)
---
/* IIS 5 remote .printer overflow. "jill.c" (don't ask).
*
* by: dark spyrit
*
* respect to eeye for finding this one - nice work.
* shouts to halvar, neofight and the beavuh bitchez.
*
* this exploit overwrites an exception frame to control eip and get to
* our code.. the code then locates the pointer to our larger buffer and
* execs.
*
* usage: jill
*
* the shellcode spawns a reverse cmd shell.. so you need to set up a
* netcat listener on the host you control.
*
* Ex: nc -l -p -vv
*
* I haven't slept in years.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int main(int argc, char *argv[]){
/* the whole request rolled into one, pretty huh?
Exploit-DB · 2001-05-07 · Microsoft Windows Server 2000 SP1/SP2 - isapi .printer Extension Overflow (1)
---
/***********************************************************************
iishack 2000 - eEye Digital Security - 2001
This affects all unpatched windows 2000 machines with the .printer
isapi filter loaded. This is purely proof of concept.
Quick rundown of the exploit:
Eip overruns at position 260
i have 19 bytes of code to jump back to the beginning of the buffer.
(and a 4 byte eip jumping into a jmp esp located in mfc42.dll). The
jumpback was kinda weird, requiring a little forward padding to protect
the rest of the code.
The buffer itself:
You only have about 250ish bytes before the overflow(taking into
account the eip and jumpback), and like 211 after it. this makes
things tight. This is why i hardcode
Exploit-DB · 2001-05-01 · Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (1)
Exploit-DB · 2001-05-01 · Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (2)
Exploit-DB · 2001-05-01 · Microsoft IIS 5.0 - '.printer' ISAPI Extension Buffer Overflow (4)
Metasploit · MS01-023 Microsoft IIS 5.0 Printer Host Header Overflow
This exploits a buffer overflow in the request processor of the Internet Printing Protocol ISAPI module in IIS. This module works against Windows 2000 Server and Professional SP0-SP1. If the service stops responding after a successful compromise, run the exploit a couple more times to completely kill the hung process.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=98874912915948&w=2
- http://www.cert.org/advisories/CA-2001-10.html
- http://www.osvdb.org/3323
- http://www.securityfocus.com/bid/2674
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2001/ms01-023
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6485
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1068