module
MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution
| Disclosed | Created |
|---|---|
| 07/17/1998 | 05/30/2018 |
Disclosed
07/17/1998
Created
05/30/2018
Description
This module can be used to execute arbitrary commands on IIS servers
that expose the /msadc/msadcs.dll Microsoft Data Access Components
(MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj
or AdvancedDataFactory to inject shell commands into Microsoft Access
databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).
Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively
used in the wild in the late Ninties. MDAC versions affected include MDAC
1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS
installed, and NT4 Servers with the NT Option Pack installed or upgraded
2000 systems often running IIS3/4/5 however some vulnerable installations
can still be found on newer Windows operating systems. Note that newer
releases of msadcs.dll can still be abused however by default remote
connections to the RDS is denied. Consider using VERBOSE if you're unable
to successfully execute a command, as the error messages are detailed
and useful for debugging. Also set NAME to obtain the remote hostname,
and METHOD to use the alternative VbBusObj technique.
that expose the /msadc/msadcs.dll Microsoft Data Access Components
(MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj
or AdvancedDataFactory to inject shell commands into Microsoft Access
databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).
Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively
used in the wild in the late Ninties. MDAC versions affected include MDAC
1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS
installed, and NT4 Servers with the NT Option Pack installed or upgraded
2000 systems often running IIS3/4/5 however some vulnerable installations
can still be found on newer Windows operating systems. Note that newer
releases of msadcs.dll can still be abused however by default remote
connections to the RDS is denied. Consider using VERBOSE if you're unable
to successfully execute a command, as the error messages are detailed
and useful for debugging. Also set NAME to obtain the remote hostname,
and METHOD to use the alternative VbBusObj technique.
Author
aushack
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/windows/iis/msadc
msf /(c) > show actions
...actions...
msf /(c) > set ACTION < action-name >
msf /(c) > show options
...show and set options...
msf /(c) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.