Hi Luis,

The --os-bof is outdated and should not be used these days. If you want to exploit MS09-004, use the relevant Metasploit exploit instead [1]. Be careful that it may crash the DBMS, as this is an unreliable heap-based buffer overflow vulnerability.

[1] https://raw.github.com/rapid7/metasploit-framework/HEAD/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb

Bernardo

On 3 December 2013 19:57, Luis Rocha <luiscro...@gmail.com> wrote:
> Hello List, Miroslav,
>
> Did you have any chance to further look into this?
>
> thx
> Luis
>
> ---------- Forwarded message ----------
> From: Luis Rocha <luiscro...@gmail.com>
> Date: Sun, Dec 1, 2013 at 10:47 PM
> Subject: Re: [sqlmap-users] Ms09-004 on W2K3SP2
> To: Miroslav Stampar <miroslav.stam...@gmail.com>
>
> Thank you for your time Miroslav!
>
> With the latest version: sqlmap/1.0-dev-59d667d ... when running with
> --banner --os-bof, it produces the same output as before:
>
> ---
> Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
> Oct 14 2005 00:33:37
> Copyright (c) 1988-2005 Microsoft Corporation
> Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
> ---
>
> (..)
>
> [16:43:53] [CRITICAL] sqlmap can not exploit the stored procedure buffer overflow because it does not have a valid return code for the underlying operating system (Windows 2003 Service Pack 0)
> [16:43:53] [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 2 times
>
> [*] shutting down at 16:43:53
>
> Exception AttributeError: "'NoneType' object has no attribute 'error'" in <bound method Popen.__del__ of <lib.core.subprocessng.Popen object at 0xa1c0bcc>> ignored
>
> On Sun, Dec 1, 2013 at 10:25 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>
>> Hi.
>>
>> Please retry it now.
>>
>> Bye
>>
>> On Sun, Dec 1, 2013 at 9:54 PM, Luis Rocha <luiscro...@gmail.com> wrote:
>>>
>>> Here you have:
>>>
>>> [15:52:47] [INFO] the back-end DBMS is Microsoft SQL Server
>>> [15:52:47] [INFO] fetching banner
>>> [15:52:47] [INFO] resumed: Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 \n\tCopyright (c) 1988-2005 Microsoft Corporation\n\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n
>>>
>>> [15:52:47] [CRITICAL] unhandled exception in sqlmap/1.0-dev-663b1e7, retry your run with the latest development version from the GitHub repository. If the exception persists, please send by e-mail to 'sqlmap-users@lists.sourceforge.net' or open a new issue at 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text and any information required to reproduce the bug. The developers will try to reproduce the bug, fix it accordingly and get back to you.
>>> sqlmap version: 1.0-dev-663b1e7
>>> Python version: 2.6.5
>>> Operating system: posix
>>>
>>> (..)
>>>
>>> Technique: BOOLEAN
>>> Back-end DBMS: Microsoft SQL Server (fingerprinted)
>>> Traceback (most recent call last):
>>>   File "./sqlmap.py", line 95, in main
>>>     start()
>>>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line 582, in start
>>>     action()
>>>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 32, in action
>>>     setHandler()
>>>   File "/pentest/database/sqlmap-dev/lib/controller/handler.py", line 100, in setHandler
>>>     if handler.checkDbms():
>>>   File "/pentest/database/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py", line 73, in checkDbms
>>>     self.getBanner()
>>>   File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py", line 59, in getBanner
>>>     bannerParser(kb.data.banner)
>>>   File "/pentest/database/sqlmap-dev/lib/parse/banner.py", line 114, in bannerParser
>>>     parseXmlFile(paths.GENERIC_XML, handler)
>>>   File "/pentest/database/sqlmap-dev/lib/core/common.py", line 1655, in parseXmlFile
>>>     parse(stream, handler)
>>>   File "/usr/lib/python2.6/xml/sax/__init__.py", line 33, in parse
>>>     parser.parse(source)
>>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 107, in parse
>>>     xmlreader.IncrementalParser.parse(self, source)
>>>   File "/usr/lib/python2.6/xml/sax/xmlreader.py", line 123, in parse
>>>     self.feed(buffer)
>>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 207, in feed
>>>     self._parser.Parse(data, isFinal)
>>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 301, in start_element
>>>     self._cont_handler.startElement(name, AttributesImpl(attrs))
>>>   File "/pentest/database/sqlmap-dev/lib/parse/handler.py", line 73, in startElement
>>>     self._feedInfo("sp", "Service Pack %s" % self._match.group(int(self._sp)))
>>> IndexError: no such group
>>>
>>> [*] shutting down at 15:52:47
>>>
>>> thx
>>> Luis
>>>
>>> On Sun, Dec 1, 2013 at 9:33 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>
>>>> Hi.
>>>>
>>>> Can you please update to the latest revision and include --banner together with --os-bof?
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>> On Sun, Dec 1, 2013 at 9:09 PM, Luis Rocha <luiscro...@gmail.com> wrote:
>>>>>
>>>>> Yes, it's the following:
>>>>>
>>>>> ---
>>>>> Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
>>>>> Oct 14 2005 00:33:37
>>>>> Copyright (c) 1988-2005 Microsoft Corporation
>>>>> Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
>>>>> ---
>>>>>
>>>>> Thank you,
>>>>> Luis
>>>>>
>>>>> On Sun, Dec 1, 2013 at 8:46 PM, Miroslav Stampar <miroslav.stam...@gmail.com> wrote:
>>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> It seems that sqlmap was not able to parse "service pack" information from the retrieved banner.
>>>>>>
>>>>>> Can you please write back what you get for --banner?
>>>>>>
>>>>>> Kind regards,
>>>>>> Miroslav Stampar
>>>>>>
>>>>>> On Sat, Nov 30, 2013 at 8:07 PM, Luis Rocha <luiscro...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hello All,
>>>>>>>
>>>>>>> Since this is my first post I want to make sure that I write that sqlmap is a brilliant tool and congratulations to the devteam!
>>>>>>>
>>>>>>> I have a question that you might know. I am using sqlmap version 1.0-dev-cda27ec.
>>>>>>>
>>>>>>> Consider a victim system running Windows 2003 SP2 English version with HAL version: 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) with MSSQL2005 on VMware Workstation.
>>>>>>>
>>>>>>> From the attacker I am trying to take advantage of MS09-004, and when I try to execute
>>>>>>> ./sqlmap.py -u 'http://vulnerable/page.aspx' --data=`cat data` --prefix="1', 1);" --suffix="--" --fresh-queries --os-bof
>>>>>>> it generates an error:
>>>>>>>
>>>>>>> [13:17:51] [CRITICAL] sqlmap can not exploit the stored procedure buffer overflow because it does not have a valid return code for the underlying operating system (Windows 2003 Service Pack 0)
>>>>>>>
>>>>>>> I took a look at the file /plugins/dbms/mssqlserver/takeover.py and saw the following lines commented out:
>>>>>>>
>>>>>>> 2003 Service Pack 2 updated at 12/2008 (....)
>>>>>>> 2003 Service Pack 2 updated at 09/2009 (....)
>>>>>>>
>>>>>>> I removed the comment but still the same problem. ...the tool seems to determine that the OS does not contain any SP when in fact it has SP2...
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>> Luis
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sqlmap-users@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm

--
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
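As an added illustration of the parsing failure in the traceback above (my own code, not sqlmap's banner parser or its XML-driven handler): a small parser for the @@version banner posted in the thread that returns None for a missing service pack instead of raising, and refuses to report an unparsed service pack as "Service Pack 0". The sample banners are constructed from the thread, and the NT-version-to-product-name map is an assumption.

```python
import re
from typing import Dict, Optional

# Constructed sample: the --banner output posted in the thread.
BANNER = (
    "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n"
    "\tOct 14 2005 00:33:37\n"
    "\tCopyright (c) 1988-2005 Microsoft Corporation\n"
    "\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack 2)\n"
)
# Constructed sample: the same banner as sqlmap prints it when "resumed",
# with newlines and tabs rendered as literal backslash escapes.
RESUMED = BANNER.replace("\n", "\\n").replace("\t", "\\t")
# Constructed sample: an RTM host whose banner carries no service pack at all.
NO_SP = "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)\n\tOn Windows NT 5.2 (Build 3790: )\n"

# Assumed map from NT kernel version to the product name used in the thread's output.
NT_NAMES = {"5.0": "2000", "5.1": "XP", "5.2": "2003", "6.0": "2008", "6.1": "2008 R2"}

DBMS_RE = re.compile(r"Microsoft SQL Server \d{4} - (?P<version>[\d.]+)")
# The service-pack part is optional: a non-matching optional group yields None,
# unlike indexing a group number that the pattern does not define, which is
# the "IndexError: no such group" shown in the thread.
OS_RE = re.compile(r"Windows NT (?P<nt>\d+\.\d+) \(Build (?P<build>\d+):"
                   r"(?:\s*Service Pack (?P<sp>\d+))?\s*\)")

def normalise(banner: str) -> str:
    """Undo the literal \\n / \\t escapes of a resumed banner."""
    return banner.replace("\\n", "\n").replace("\\t", "\t")

def parse_banner(banner: str) -> Dict[str, Optional[str]]:
    """Extract DBMS version, OS name, build and service pack (None when absent)."""
    text = normalise(banner)
    info: Dict[str, Optional[str]] = {"version": None, "os": None, "build": None, "sp": None}
    m = DBMS_RE.search(text)
    if m:
        info["version"] = m.group("version")
    m = OS_RE.search(text)
    if m:
        info["os"] = "Windows " + NT_NAMES.get(m.group("nt"), "NT " + m.group("nt"))
        info["build"] = m.group("build")
        info["sp"] = m.group("sp")  # None when the banner names no service pack
    return info

def describe_os(info: Dict[str, Optional[str]]) -> str:
    """Never silently downgrade an unparsed service pack to 'Service Pack 0'."""
    if info["os"] is None:
        return "unknown OS"
    if info["sp"] is None:
        return "%s (service pack unknown)" % info["os"]
    return "%s Service Pack %s" % (info["os"], info["sp"])
```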