NT IIS MDAC RDS Vulnerability

Exploit posted to bugtraq by R.F Prigogine aka Rain Forest Puppy.

run perl -x msadc.pl
Command line switches (copied from rfp's post):

-h <ip or domain> this is the host to scan. You MUST use either -h or -R.

-d <value 0-?> this is the delay between connections. Value is in number of seconds. I added this because hammering the RDS components caused the server to occasionally stop responding :) Defaults to 1. Use -d 0 to disable.

-V Use VbBusObj instead of DataFactory to run the queries. NOTE: please read the -N information below as to suggestions for checking if VbBusObj exists. VbBusObj does not give good error reporting; therefore it is quite possible to have false positives (and false negatives). Consider VbBusObj support 3 stages before beta. Don't say I didn't warn you.

-v verbose. This will print the ODBC error information. Really only for troubleshooting purposes.

-e external dictionary file to use on step 5--the 'DSN dictionary guess' stage. The file should just be plaintext, one DSN name per line, with all the DSN names you want to try. Quite honestly a normal dictionary file won't do you much good. You can probably do pretty damn well with a few dozen or two good ones, like 'www', 'data', 'database', 'sql', etc.

-R resume. You can still specify -v or -d with -R. This will cause the script to read in rds.save and execute the command on the last valid connection.

-N Use VbBusObj to try to get the machine's NetBIOS name. It may return no name if the VbBusObj is unavailable. I suggest you use -N to see if VbBusObj exists (a NetBIOS name will be returned if so) before you use -V.

-X perform an Index Server table dump instead. None of the other switches really apply here, other than -v (although -d still works, there's no need to slow down one query). This dumps the root paths from Index Server, which can be rather lengthy. I suggest you pipe the output into a file. Also, if there is a lot of return information, this command may take a while to complete. Be patient. And I don't suggest you use this command more than once a minute...it caused my P200 w/ 128 RAM to stop answering requests, and in general borked inetinfo.exe. If you do decide to CONTROL-C during the middle of the data download, the script will save all received data into a file called 'raw.out', so you don't lose everything you've already received. NOTE: this is the raw data, which is in Unicode.


NOTE ON SUCCESS: The script reports 'Success!' when it has issued a valid SQL statement. 'Success!' does *NOT* mean that your command worked. If they have MDAC 2.1+, shell commands are worthless, so the script will report 'Success!' (it went through) but your command didn't run (MDAC 2.1 didn't interpret it). There's no return indication to know whether your command worked or not. As with the ODBC commands, you're flying blind.
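A defender-side illustration, added here and not part of rfp's script or the original post: a small Python scanner over constructed IIS W3C log lines that flags requests to the RDS handler behind the DataFactory and VbBusObj paths named in the switch list. The /msadc/msadcs.dll path and the AdvancedDataFactory.Query and VbBusObj.VbBusObjCls handler names are assumed from the RDS interface rather than taken from this page, and the log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (fields: date time c-ip cs-method
# cs-uri-stem sc-status). Sample data for the example, not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-25 10:01:02 10.0.0.5 GET /default.htm 200
1999-07-25 10:01:07 10.0.0.9 GET /msadc/msadcs.dll 200
1999-07-25 10:01:08 10.0.0.9 POST /msadc/msadcs.dll/AdvancedDataFactory.Query 200
1999-07-25 10:01:09 10.0.0.9 POST /msadc/msadcs.dll/AdvancedDataFactory.Query 200
1999-07-25 10:01:10 10.0.0.9 POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName 200
1999-07-25 10:02:00 10.0.0.7 GET /images/logo.gif 200
"""

# Request-path patterns for the RDS components the switch list talks about:
# a bare probe of the handler, the DataFactory query path, and VbBusObj.
# The handler names are assumed from the RDS interface, not from this page.
RDS_PATTERNS = {
    "rds_probe": re.compile(r"^/msadc/msadcs\.dll$", re.I),
    "datafactory_query": re.compile(r"^/msadc/msadcs\.dll/AdvancedDataFactory\.Query", re.I),
    "vbbusobj": re.compile(r"^/msadc/msadcs\.dll/VbBusObj\.", re.I),
}


def parse_line(line):
    """Split one W3C log line into fields; None for comment/blank/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 6:
        return None
    date, time, ip, method, uri, status = parts[:6]
    return {"date": date, "time": time, "ip": ip,
            "method": method, "uri": uri, "status": int(status)}


def classify(entry):
    """Name the RDS pattern a request matches, or None if it is ordinary traffic."""
    for name, pattern in RDS_PATTERNS.items():
        if pattern.search(entry["uri"]):
            return name
    return None


def scan_log(text):
    """Return (hits, per_ip): every RDS-related request as
    (ip, kind, method, status), and a count of POSTs to the handler per client."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        hits.append((entry["ip"], kind, entry["method"], entry["status"]))
        # Every POST to the handler is an attempt: the status code does not
        # tell us whether a query (or a command inside it) actually ran.
        if entry["method"] == "POST":
            per_ip[entry["ip"]] += 1
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for ip, kind, method, status in hits:
        print(f"{ip:12} {kind:18} {method:5} {status}")
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} POST(s) to the RDS handler")
```

As the note on success above says, a 200 response to the POST says nothing about whether the command in the query ran, so the scanner counts every POST to the handler as an attempt and keeps the status only for context; in normal web traffic there is no reason for clients to touch this path at all, which is what makes it a clean thing to alert on.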

  • /data/vulnerabilities/exploits/msadc.pl


  • Copyright 1999 Security-Focus.Com, All Rights Reserved