Vulnerability Development mailing list archives

MSSQL Server Local and Remote exploit (Proof for executing administrative commands remotely by using SA account)


From: Egemen Tas <egement () KARYDE COM TR>
Date: Sat, 5 Feb 2000 21:48:58 -0800

Hello,

It is known that MS SQL Server comes with a default SA (Sys Admin) account with a NULL password.
It seems that many system administrators do not take care of the dangers of this situation.
Because while we were searching the net we found that over 80% of the hosts we scanned still have the SA account with NO password.
So I have decided to prove that this situation leads to full compromise of the system.
There are tools running on *nix-like OSes, but I think using this one is easier than some silly unix stuff...

Yes, this was the story behind the SQLExec.c exploit...
By default SQL Server comes with a few stored procedures. xp_cmdshell is one of them and is used for executing commands with SQL Server.
Again, by default SQL Server installs itself with administrative privileges (Administrator).
If someone has the right to access the master database, this means he can execute commands on the host.
If the connected user is SA, then commands are executed in the context of the SQL Server (Administrator by default); otherwise in the context of SQLExecutiveCmdExecAccount.
Of course, these behaviours occur with default installations.

Attached there is an exploit file SQLExec.zip. The included binary works under Windows 9X/NT/2K.
It is also suitable for script kiddies and executes commands with administrative privileges.
You can also see the output of the commands (unlike msadc.pl) on the screen, just as if you were executing them on your terminal.

Regards,
Egemen Tas
(Don't jail the curious, just a bit of freedom)

Attachment: SQLExec.zip
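A defender-side audit of the two default conditions the post relies on (an SA login that still accepts an empty password, and xp_cmdshell being callable), together with the corrected settings. This is an added example, not part of the original post or the SQLExec tool; it assumes SQL Server 2005 or later for sys.sql_logins, PWDCOMPARE, sys.configurations and sp_configure, SQL Server 2008 R2 SP1 or later for sys.dm_server_services, and the password value is a placeholder to replace before running.

```sql
-- Added example (not from the original post). Run as a sysadmin on the
-- instance being audited; assumes SQL Server 2005+ (2008 R2 SP1+ for step 3).

-- 1. Which SQL logins still accept an empty password? The sa row is always
--    listed so its state is visible even when the password has been set.
SELECT name,
       is_disabled,
       CASE WHEN PWDCOMPARE('', password_hash) = 1
            THEN 'EMPTY' ELSE 'set' END AS password_state
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR name = 'sa';

-- 2. Is xp_cmdshell enabled on this instance? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Which Windows account does the engine service run as? The post's
--    scenario depends on this being an Administrator-level account.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- Remediation: give sa a real password, disable the login, and turn
-- xp_cmdshell off. '<strong-password-placeholder>' must be replaced.
ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>';
ALTER LOGIN sa DISABLE;

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Re-run queries 1 and 2 afterwards: the sa row should show password_state = 'set' and is_disabled = 1, and xp_cmdshell should show value_in_use = 0.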

