Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

module

MS99-025 Microsoft IIS MDAC msadcs.dll RDS Arbitrary Remote Command Execution

Disclosed
Jul 17, 1998
Created
May 30, 2018

Description

This module can be used to execute arbitrary commands on IIS servers
that expose the /msadc/msadcs.dll Microsoft Data Access Components
(MDAC) Remote Data Service (RDS) DataFactory service using VbBusObj
or AdvancedDataFactory to inject shell commands into Microsoft Access
databases (MDBs), MSSQL databases and ODBC/JET Data Source Name (DSN).
Based on the msadcs.pl v2 exploit by Rain.Forest.Puppy, which was actively
used in the wild in the late Ninties. MDAC versions affected include MDAC
1.5, 2.0, 2.0 SDK, 2.1 and systems with the MDAC Sample Pages for RDS
installed, and NT4 Servers with the NT Option Pack installed or upgraded
2000 systems often running IIS3/4/5 however some vulnerable installations
can still be found on newer Windows operating systems. Note that newer
releases of msadcs.dll can still be abused however by default remote
connections to the RDS is denied. Consider using VERBOSE if you're unable
to successfully execute a command, as the error messages are detailed
and useful for debugging. Also set NAME to obtain the remote hostname,
and METHOD to use the alternative VbBusObj technique.

Author

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/windows/iis/msadc
msf exploit(msadc) > show targets
...targets...
msf exploit(msadc) > set TARGET < target-id >
msf exploit(msadc) > show options
...show and set options...
msf exploit(msadc) > exploit

Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.