Hi Luis,

The --os-bof switch is outdated and should not be used these days.
If you want to exploit MS09-004, use the relevant Metasploit exploit
instead [1]; be careful, as it may crash the DBMS: this is an
unreliable heap-based buffer overflow vulnerability.

[1] 
https://raw.github.com/rapid7/metasploit-framework/HEAD/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb

Bernardo

On 3 December 2013 19:57, Luis Rocha <luiscro...@gmail.com> wrote:
> Hello List, Miroslav,
>
> Did you have any chance to further look into this?
>
> thx
> Luis
>
> ---------- Forwarded message ----------
> From: Luis Rocha <luiscro...@gmail.com>
> Date: Sun, Dec 1, 2013 at 10:47 PM
> Subject: Re: [sqlmap-users] Ms09-004 on W2K3SP2
> To: Miroslav Stampar <miroslav.stam...@gmail.com>
>
>
> Thank you for your time Miroslav!
>
>
> With the latest version : sqlmap/1.0-dev-59d667d ... when running with
> --banner --os-bof, it produces the same output as before:
>
> ---
> Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
> Oct 14 2005 00:33:37
> Copyright (c) 1988-2005 Microsoft Corporation
> Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
> ---
>
> (..)
>
> [16:43:53] [CRITICAL] sqlmap can not exploit the stored procedure buffer
> overflow because it does not have a valid return code for the underlying
> operating system (Windows 2003 Service Pack 0)
> [16:43:53] [WARNING] HTTP error codes detected during run:
> 500 (Internal Server Error) - 2 times
>
> [*] shutting down at 16:43:53
>
> Exception AttributeError: "'NoneType' object has no attribute 'error'" in
> <bound method Popen.__del__ of <lib.core.subprocessng.Popen object at
> 0xa1c0bcc>> ignored
>
>
>
>
>
> On Sun, Dec 1, 2013 at 10:25 PM, Miroslav Stampar
> <miroslav.stam...@gmail.com> wrote:
>>
>> Hi.
>>
>> Please retry it now.
>>
>> Bye
>>
>>
>> On Sun, Dec 1, 2013 at 9:54 PM, Luis Rocha <luiscro...@gmail.com> wrote:
>>>
>>> Here you have:
>>>
>>> [15:52:47] [INFO] the back-end DBMS is Microsoft SQL Server
>>> [15:52:47] [INFO] fetching banner
>>> [15:52:47] [INFO] resumed: Microsoft SQL Server 2005 - 9.00.1399.06
>>> (Intel X86) \n\tOct 14 2005 00:33:37 \n\tCopyright (c) 1988-2005 Microsoft
>>> Corporation\n\tExpress Edition on Windows NT 5.2 (Build 3790: Service Pack
>>> 2)\n
>>>
>>> [15:52:47] [CRITICAL] unhandled exception in sqlmap/1.0-dev-663b1e7,
>>> retry your run with the latest development version from the GitHub
>>> repository. If the exception persists, please send by e-mail to
>>> 'sqlmap-users@lists.sourceforge.net' or open a new issue at
>>> 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following text
>>> and any information required to reproduce the bug. The developers will try
>>> to reproduce the bug, fix it accordingly and get back to you.
>>> sqlmap version: 1.0-dev-663b1e7
>>> Python version: 2.6.5
>>> Operating system: posix
>>>
>>> (..)
>>>
>>> Technique: BOOLEAN
>>> Back-end DBMS: Microsoft SQL Server (fingerprinted)
>>> Traceback (most recent call last):
>>>   File "./sqlmap.py", line 95, in main
>>>     start()
>>>   File "/pentest/database/sqlmap-dev/lib/controller/controller.py", line
>>> 582, in start
>>>     action()
>>>   File "/pentest/database/sqlmap-dev/lib/controller/action.py", line 32,
>>> in action
>>>     setHandler()
>>>   File "/pentest/database/sqlmap-dev/lib/controller/handler.py", line
>>> 100, in setHandler
>>>     if handler.checkDbms():
>>>   File
>>> "/pentest/database/sqlmap-dev/plugins/dbms/mssqlserver/fingerprint.py", line
>>> 73, in checkDbms
>>>     self.getBanner()
>>>   File "/pentest/database/sqlmap-dev/plugins/generic/enumeration.py",
>>> line 59, in getBanner
>>>     bannerParser(kb.data.banner)
>>>   File "/pentest/database/sqlmap-dev/lib/parse/banner.py", line 114, in
>>> bannerParser
>>>     parseXmlFile(paths.GENERIC_XML, handler)
>>>   File "/pentest/database/sqlmap-dev/lib/core/common.py", line 1655, in
>>> parseXmlFile
>>>     parse(stream, handler)
>>>   File "/usr/lib/python2.6/xml/sax/__init__.py", line 33, in parse
>>>     parser.parse(source)
>>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 107, in parse
>>>     xmlreader.IncrementalParser.parse(self, source)
>>>   File "/usr/lib/python2.6/xml/sax/xmlreader.py", line 123, in parse
>>>     self.feed(buffer)
>>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 207, in feed
>>>     self._parser.Parse(data, isFinal)
>>>   File "/usr/lib/python2.6/xml/sax/expatreader.py", line 301, in
>>> start_element
>>>     self._cont_handler.startElement(name, AttributesImpl(attrs))
>>>   File "/pentest/database/sqlmap-dev/lib/parse/handler.py", line 73, in
>>> startElement
>>>     self._feedInfo("sp", "Service Pack %s" %
>>> self._match.group(int(self._sp)))
>>> IndexError: no such group
>>>
>>> [*] shutting down at 15:52:47
>>>
>>>
>>>
>>> thx
>>> Luis
>>>
>>>
>>> On Sun, Dec 1, 2013 at 9:33 PM, Miroslav Stampar
>>> <miroslav.stam...@gmail.com> wrote:
>>>>
>>>> Hi.
>>>>
>>>> Can you please update to the latest revision and include --banner
>>>> together with --os-bof?
>>>>
>>>> Kind regards,
>>>> Miroslav Stampar
>>>>
>>>>
>>>> On Sun, Dec 1, 2013 at 9:09 PM, Luis Rocha <luiscro...@gmail.com> wrote:
>>>>>
>>>>> Yes, it's the following:
>>>>>
>>>>> ---
>>>>> Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86)
>>>>> Oct 14 2005 00:33:37
>>>>> Copyright (c) 1988-2005 Microsoft Corporation
>>>>> Express Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
>>>>> ---
>>>>>
>>>>> Thank you,
>>>>> Luis
>>>>>
>>>>>
>>>>> On Sun, Dec 1, 2013 at 8:46 PM, Miroslav Stampar
>>>>> <miroslav.stam...@gmail.com> wrote:
>>>>>>
>>>>>> Hi.
>>>>>>
>>>>>> It seems that sqlmap was not able to parse "service pack" information
>>>>>> from retrieved banner.
>>>>>>
>>>>>> Can you please write back what do you get for --banner?
>>>>>>
>>>>>> Kind regards,
>>>>>> Miroslav Stampar
>>>>>>
>>>>>>
>>>>>> On Sat, Nov 30, 2013 at 8:07 PM, Luis Rocha <luiscro...@gmail.com>
>>>>>> wrote:
>>>>>>>
>>>>>>> Hello All,
>>>>>>>
>>>>>>> Since this is my first post I want to make sure that I write that
>>>>>>> sqlmap is a brilliant tool and congratulations to the devteam!
>>>>>>>
>>>>>>>
>>>>>>> I have a question that you might know. I am using sqlmap version
>>>>>>> 1.0-dev-cda27ec.
>>>>>>>
>>>>>>>
>>>>>>> Consider a victim system running Windows 2003 SP2 English version
>>>>>>> with HAL version 5.2.3790.3959 (srv03_sp2_rtm.070216-1710) with
>>>>>>> MSSQL2005 on VMware Workstation.
>>>>>>>
>>>>>>>
>>>>>>> From the attacker I am trying to take advantage of the MS09-004 and
>>>>>>> when I try to execute
>>>>>>> ./sqlmap.py -u 'http://vulnerable/page.aspx' --data=`cat data` --prefix="1', 1);" --suffix="--" --fresh-queries --os-bof
>>>>>>> it generates an error:
>>>>>>>
>>>>>>>  [13:17:51] [CRITICAL] sqlmap can not exploit the stored procedure
>>>>>>> buffer overflow because it does not have a valid return code for the
>>>>>>> underlying operating system (Windows 2003 Service Pack 0)
>>>>>>>
>>>>>>>
>>>>>>> I took a look at the file /plugins/dbms/mssqlserver/takeover.py and
>>>>>>> saw the following lines commented out:
>>>>>>>
>>>>>>> 2003 Service Pack 2 updated at 12/2008 (....)
>>>>>>>
>>>>>>> 2003 Service Pack 2 updated at 09/2009 (....)
>>>>>>>
>>>>>>>
>>>>>>> I removed the comment but still have the same problem... the tool seems to
>>>>>>> determine that the OS does not contain any SP when in fact it has SP2...
>>>>>>>
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>>>
>>>>>>> Thank you,
>>>>>>>
>>>>>>> Luis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sqlmap-users@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>> http://about.me/stamparm
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Miroslav Stampar
>>>> http://about.me/stamparm
>>>
>>>
>>
>>
>>
>> --
>> Miroslav Stampar
>> http://about.me/stamparm
>
>
>
>
>



-- 
Bernardo Damele A. G.

E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
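The parser failure Miroslav points at above (the service-pack group that the banner regex did not capture, surfacing as "IndexError: no such group" and, earlier, as a wrong "Windows 2003 Service Pack 0" conclusion) is easy to reproduce in isolation. The following is an added example, not sqlmap's own code and not code posted by anyone in the thread: it contrasts a fragile lookup that trusts a group index from a fingerprint table with a parser that treats the service pack as an optional named group and reports its absence instead of silently defaulting to SP0. The first banner string is the @@VERSION output Luis posted; the other two banners, the NT-version table and the regexes are constructed for this example and are not sqlmap's XML fingerprint data.

```python
import re

# Constructed sample banners. "w2k3_sp2" is the @@VERSION output quoted in
# the thread; the other two are made up here to exercise the "no service
# pack stated" and "different NT version" paths.
BANNERS = {
    "w2k3_sp2": (
        "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 "
        "\n\tCopyright (c) 1988-2005 Microsoft Corporation\n\tExpress Edition on "
        "Windows NT 5.2 (Build 3790: Service Pack 2)\n"
    ),
    "w2k3_rtm": (
        "Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) \n\tOct 14 2005 00:33:37 "
        "\n\tCopyright (c) 1988-2005 Microsoft Corporation\n\tExpress Edition on "
        "Windows NT 5.2 (Build 3790: )\n"
    ),
    "w2k8r2_sp1": (
        "Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) \n\tJun 17 2011 00:54:03 "
        "\n\tCopyright (c) Microsoft Corporation\n\tStandard Edition (64-bit) on "
        "Windows NT 6.1 <X64> (Build 7601: Service Pack 1)\n"
    ),
}

# Assumed mapping from NT kernel version to the server product name
# (example data; sqlmap keeps its own table in XML).
NT_VERSIONS = {
    "5.0": "Windows 2000",
    "5.2": "Windows 2003",
    "6.0": "Windows 2008",
    "6.1": "Windows 2008 R2",
}


def fragile_service_pack(banner, sp_group=3):
    """Fragile variant, constructed to mirror the traceback in the thread.

    The group index comes from a fingerprint table (sqlmap reads an "sp"
    attribute from XML), and nothing checks that the regex actually defines
    that many groups. This pattern has two groups, so asking for group 3
    raises IndexError('no such group') on the very first matching banner.
    """
    m = re.search(r"on Windows NT (\d+\.\d+) \(Build (\d+)", banner)
    if not m:
        return None
    return "Service Pack %s" % m.group(sp_group)


# Robust pattern: build number required, service pack an optional named
# group; the optional "<X64>" token and the trailing ": " seen on RTM
# systems are tolerated. A missing SP yields None, never an exception.
OS_RE = re.compile(
    r"on Windows NT (?P<nt>\d+\.\d+)\s*(?:<X\d+>\s*)?"
    r"\(Build (?P<build>\d+):?\s*(?:Service Pack (?P<sp>\d+))?\s*\)"
)


def parse_os_info(banner):
    """Return (os_name, build, service_pack) or None if no OS fragment.

    service_pack is None when the banner does not state one, so the caller
    can decide how to treat it rather than assuming 'Service Pack 0'.
    """
    m = OS_RE.search(banner)
    if not m:
        return None
    nt = m.group("nt")
    os_name = NT_VERSIONS.get(nt, "Windows NT %s" % nt)
    sp = m.group("sp")
    return os_name, int(m.group("build")), (int(sp) if sp is not None else None)


def describe(banner):
    """Human-readable OS string; makes an unknown SP explicit."""
    info = parse_os_info(banner)
    if info is None:
        return "unknown OS (no 'on Windows NT' fragment in banner)"
    os_name, build, sp = info
    if sp is None:
        return "%s (service pack not stated in banner)" % os_name
    return "%s Service Pack %d" % (os_name, sp)


def error_message(func, *args):
    """Run func and return the exception text, or None if it succeeded."""
    try:
        func(*args)
    except Exception as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, banner in BANNERS.items():
        print("%-10s fragile=%r robust=%s" % (
            name, error_message(fragile_service_pack, banner), describe(banner)))
```

The point of the contrast is the failure mode, not the regex: a fingerprint table that names a group index the pattern does not define fails on every banner, and catching that error with a default of "Service Pack 0" turns a parser bug into a wrong exploitability decision (here, a return address chosen for the wrong OS build). Report "not stated" and let the operator confirm the SP out of band instead.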

