POC exploit code for SQL Server 2000 released
L33tdawg: The exploit code is located here. I know that Bugtraq should be carrying the exploit code in about a day or so, but in the meantime, I'm guessing the primary link on Scan's site should be more than sufficient. If not, I can always hook up a copy on HITB's servers. Good work once again from the guys over at Scan Associates... Incidentally, the link to neophasis.com is for the overview of the problem discovered by David Litchfield on the 25th of July. Much love to spoonfork and sk for allowing HITB to release this code before Bugtraq *grin*!
Microsoft's database server SQL Server 2000 exhibits two buffer overrun vulnerabilities that can be exploited by a remote attacker without ever having to authenticate to the server. What further exacerbates these issues is that the attack is channeled over UDP. Whether the SQL Server process runs in the security context of a domain user or the local SYSTEM account, successful exploitation of these security holes will mean a total compromise of the target server and its data.
SQL Server can be configured to listen for incoming client connections in several different ways. It can be configured such that clients use named pipes over a NetBIOS session (TCP port 139/445), sockets with clients connecting to TCP port 1433, or both. Whichever method is used, the SQL Server will always listen on UDP port 1434. This port is designated as the Microsoft SQL Monitor port, and clients send a message to this port to dynamically discover how the client should connect to the server. This message is a single-byte packet, the byte being 0x02. There are other messages that can be sent to this port, and these can be worked out with simple experimentation.
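A defender-side illustration of the point above, added here and not part of the original post, the advisory, or the Scan Associates code: it classifies UDP datagrams destined for port 1434 using only the fact stated in the text, that a normal client discovery request is the single byte 0x02, and flags anything else on that port for review, since the overflows described are reached through other message types. The `Datagram` type, the `classify` and `triage` helpers, and the sample packets are constructed assumptions, not captured traffic.

```python
from collections import Counter
from dataclasses import dataclass

SQL_MONITOR_PORT = 1434          # UDP port SQL Server 2000 always listens on
DISCOVERY_REQUEST = b"\x02"      # the normal one-byte client discovery message


@dataclass(frozen=True)
class Datagram:
    """Minimal stand-in for a parsed UDP datagram (constructed for this example)."""
    src: str        # source address
    dst_port: int   # UDP destination port
    payload: bytes  # UDP payload


def classify(dgram: Datagram) -> str:
    """Label one datagram: 'ignore' (not the monitor port), 'discovery'
    (the expected single 0x02 byte), 'empty', or 'anomalous' (anything else)."""
    if dgram.dst_port != SQL_MONITOR_PORT:
        return "ignore"
    if dgram.payload == DISCOVERY_REQUEST:
        return "discovery"
    if not dgram.payload:
        return "empty"
    return "anomalous"


def triage(datagrams) -> dict:
    """Summarise a capture: per-verdict counts, plus the sources, sizes and
    leading byte of anomalous datagrams so an analyst can review them."""
    verdicts = Counter()
    findings = []
    for d in datagrams:
        v = classify(d)
        verdicts[v] += 1
        if v == "anomalous":
            findings.append({
                "src": d.src,
                "length": len(d.payload),
                "first_byte": d.payload[0],
            })
    return {"counts": dict(verdicts), "anomalous": findings}


# Constructed sample traffic (not captured data).
SAMPLES = [
    Datagram("10.0.0.5", 1434, b"\x02"),                 # normal discovery
    Datagram("10.0.0.5", 1433, b"\x12\x01\x00\x2f"),     # TDS to 1433, ignored
    Datagram("192.0.2.77", 1434, b"\x02" + b"A" * 400),  # oversized, flagged
    Datagram("192.0.2.77", 1434, b"\x09" * 64),          # unexpected type, flagged
    Datagram("10.0.0.9", 1434, b""),                     # empty datagram
]

if __name__ == "__main__":
    report = triage(SAMPLES)
    print("verdict counts:", report["counts"])
    for f in report["anomalous"]:
        print(f"anomalous UDP/1434 datagram from {f['src']}: "
              f"{f['length']} bytes, first byte 0x{f['first_byte']:02x}")
```

The rule is deliberately strict: on a port whose legitimate client traffic is one known byte, any deviation in length or leading byte is cheap to flag, and the per-source summary is what an analyst would pivot on when reviewing a capture.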