007
EXH-007. 2003. Fictional reconstruction.
376 bytes
January 25, 2003. A single malformed UDP packet to SQL Server can own the process. Someone weaponises it into the fastest-spreading worm the internet had yet seen.
Type: Classic
Difficulty: Intermediate
Era: 2000s
Time: 9 min
Briefing
NOC says `udp/1434` from everywhere. You do not have production access in this simulation, only notes, a patch bulletin, and a snippet of `pcap-summary.txt`. Work backward from the port.
Your role
Database administrator called in when core routers start seeing line-rate UDP 1434.
Objective
Connect the worm to its root cause, a buffer overflow on a UDP listener, and name the missing patch.
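The bug class the objective points at, as an added example that is not part of the simulation and not the vendor's code: a UDP request handler that copies an attacker-controlled field from a single datagram into a fixed-size stack buffer, shown beside a bounds-checked form. The request layout (one type byte, 0x04, followed by a NUL-terminated instance name), the buffer size, the constructed datagrams and every function name are assumptions for illustration; only the 376-byte payload length comes from the briefing.

```c
/* Added example, not code from the exhibit. Simplified model of a UDP
 * listener bug: the request layout, buffer size and names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define REQ_INSTANCE_LOOKUP 0x04   /* hypothetical request type byte */
#define NAME_BUF 128               /* fixed stack buffer inside the handler */
#define WORM_PAYLOAD_LEN 376       /* datagram size named in the briefing */

enum verdict { OK = 0, BAD_TYPE = 1, NO_TERMINATOR = 2, TOO_LONG = 3 };

/* Vulnerable form: strcpy trusts that the name fits and is terminated.
 * A name longer than NAME_BUF-1 writes past 'name' on the stack (undefined
 * behaviour), so this is only ever called here with short, terminated input. */
enum verdict handle_vuln(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    char name[NAME_BUF];
    if (len < 2 || pkt[0] != REQ_INSTANCE_LOOKUP) return BAD_TYPE;
    strcpy(name, (const char *)pkt + 1);        /* no bound, no terminator check */
    snprintf(out, outlen, "lookup:%s", name);
    return OK;
}

/* Hardened form: the terminator must lie inside the datagram, and the name
 * must fit the buffer, before a single byte is copied. */
enum verdict handle_fixed(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    char name[NAME_BUF];
    if (len < 2 || pkt[0] != REQ_INSTANCE_LOOKUP) return BAD_TYPE;
    const uint8_t *body = pkt + 1;
    size_t blen = len - 1;
    const uint8_t *nul = memchr(body, 0, blen);  /* never scan past the datagram */
    if (nul == NULL) return NO_TERMINATOR;
    size_t nlen = (size_t)(nul - body);
    if (nlen >= NAME_BUF) return TOO_LONG;      /* leave room for the NUL */
    memcpy(name, body, nlen);
    name[nlen] = '\0';
    snprintf(out, outlen, "lookup:%s", name);
    return OK;
}

/* Constructed datagram: type byte, then filler bytes, optionally NUL-ended.
 * The filler is inert 0x01 bytes, not a real payload. Returns bytes written. */
size_t build_request(uint8_t *buf, size_t total_len, int terminated)
{
    if (total_len < 2) return 0;
    buf[0] = REQ_INSTANCE_LOOKUP;
    memset(buf + 1, 0x01, total_len - 1);
    if (terminated) buf[total_len - 1] = 0;
    return total_len;
}

/* Runs the hardened handler on a constructed datagram of the given size. */
enum verdict run_fixed_on_constructed(size_t total_len, int terminated)
{
    uint8_t pkt[512];
    char out[256];
    if (total_len > sizeof pkt) return BAD_TYPE;
    size_t n = build_request(pkt, total_len, terminated);
    return handle_fixed(pkt, n, out, sizeof out);
}

/* Both handlers accept a well-formed short name and produce the same key.
 * Returns 1 when they agree and the key is "lookup:MSSQLSERVER". */
int good_name_roundtrip(void)
{
    static const uint8_t good[] = { 0x04, 'M','S','S','Q','L','S','E','R','V','E','R', 0 };
    char a[256], b[256];
    if (handle_vuln(good, sizeof good, a, sizeof a) != OK) return 0;
    if (handle_fixed(good, sizeof good, b, sizeof b) != OK) return 0;
    return strcmp(a, b) == 0 && strcmp(a, "lookup:MSSQLSERVER") == 0;
}

int main(void)
{
    printf("short legit name, both handlers agree: %d\n", good_name_roundtrip());
    printf("%d-byte terminated request -> verdict %d (3 = TOO_LONG)\n",
           WORM_PAYLOAD_LEN, run_fixed_on_constructed(WORM_PAYLOAD_LEN, 1));
    printf("%d-byte unterminated request -> verdict %d (2 = NO_TERMINATOR)\n",
           WORM_PAYLOAD_LEN, run_fixed_on_constructed(WORM_PAYLOAD_LEN, 0));
    return 0;
}
```

The point for the exercise is the asymmetry: the listener is connectionless, so there is no handshake, no session and no second packet to refuse; the first datagram is already inside the handler, and the only defence is the length check before the copy. The worm-sized datagram is never fed to `handle_vuln` here, because that is exactly the write the patch exists to prevent.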
Terminal environment
- user: dbadmin
- host: mssql-arch-01
- cwd: /home/dbadmin
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.