Re: [PEN-TEST] RDS exploit simulation

[rain forest puppy <rfp () WIRETRIP NET>]

Okey dokey, this is actually a revelevant topic, since I've received a lot
of email on it.  I'm working on a RDS-FAQ, but in the meantime:

You are vulnerable if you have MDAC 1.5 installed.  MDAC 2.0 is *kinda*
vulnerable, but for all intents and purposes, not via msadcs.dll.  MDAC
> 2.0 is not vulnerable.

Now, keep in mind:
- Installing MS SQL 7.0 installs MDAC 2.x
- Installing Office 2000 installs MDAC 2.x
- Installing IE 5.x installs MDAC 2.x
- Installing almost any MS server product after 2000 usually installs MDAC
        2.x.
- Windows 2000 is not vulnerable.  IIS 5.0 is not vulnerable.


For the differences between MDAC 1.5, 2.0, and 2.1+, please see RFP9907:
"You, your servers, RDS, and thousands of script kiddies" at
http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2

Slightly dated, as there are newer copies of MDAC (I believe 2.5 is now
out), but it will discuss what is vulnerable vs. what is not.

As for me, I use NT Server 4.0 regular or enterprise, install SP3, install
IE 4.01 (comes on NT Option Pack 4), and then IIS 4.0.  Now the newer
Option Packs might be retrofitted, but the original releases had the
vulnerable MDAC.

Just keep in mind there are a *LOT* of applications nowadays that package
updated DB components with them that may patch the vulnerability when
installed.  You can always look at the version of the msjet.dll in winnt
directory...any 4.x is not vulnerable.  The jetcopkg installs 3.5X (don't
remember the value), MDAC 2.0 installs 3.52, and MDAC 1.5 installs 3.50.
The 3.x line (apart from the patched jetcopkg.exe) is vulnerable.

- rfp