CVE-2008-5416

Microsoft SQL Server <9.00.1399.06 - Buffer Overflow

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2008-5416. PoCs have been published by Metasploit, Guido Landi and SECFORCE, including the Metasploit module exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.

AI-analyzed exploit summary

This is a Metasploit module exploiting a heap-based buffer overflow in Microsoft SQL Server via the undocumented 'sp_replwritetovarbin' stored procedure. It uses return-oriented programming (ROP) to achieve reliable remote code execution on various versions of MSSQL 2000 and 2005.

Description

Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal Database (WYukon) SP2 allows remote authenticated users to cause a denial of service (access violation exception) or execute arbitrary code by calling the sp_replwritetovarbin extended stored procedure with a set of invalid parameters that trigger memory overwrite, aka "SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability."

Exploits (6)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16396

This is a Metasploit module exploiting a heap-based buffer overflow in Microsoft SQL Server via the undocumented 'sp_replwritetovarbin' stored procedure. It uses return-oriented programming (ROP) to achieve reliable remote code execution on various versions of MSSQL 2000 and 2005.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft SQL Server 2000/2005, MSDE, Windows Internal Database
Auth: required
Prerequisites: Network access to MSSQL server · Valid credentials for SQL authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16392

This is a Metasploit module exploiting a heap-based buffer overflow in Microsoft SQL Server's undocumented 'sp_replwritetovarbin' stored procedure (CVE-2008-5416). It uses return-oriented programming (ROP) to achieve reliable remote code execution on various versions of MSSQL 2000 and 2005.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft SQL Server 2000/2005, MSDE, Windows Internal Database
Auth: required
Prerequisites: Authenticated database session · Access to undocumented stored procedure
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Guido Landi · local · windows
https://www.exploit-db.com/exploits/7501

This is a functional exploit for CVE-2008-4270, targeting a heap overflow in Microsoft SQL Server's sp_replwritetovarbin function. It uses a series of crafted T-SQL queries to overwrite memory and execute a reverse shell payload.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft SQL Server 2000
Auth: required
Prerequisites: Valid SQL Server credentials or SQL injection vulnerability · Network access to the target SQL Server
devstral-2 · analyzed Feb 18, 2026

nomisec · WORKING POC · 3 stars
by SECFORCE · poc
https://github.com/SECFORCE/CVE-2008-5416

This repository contains a functional Metasploit exploit for CVE-2008-5416, targeting a heap-based buffer overflow in Microsoft SQL Server's undocumented 'sp_replwritetovarbin' stored procedure. The exploit uses return-oriented programming (ROP) to achieve reliable remote code execution across multiple SQL Server versions.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft SQL Server 2000/2005, MSDE, Windows Internal Database
Auth: required
Prerequisites: Network access to vulnerable SQL Server · Valid SQL Server credentials
devstral-2 · analyzed Feb 18, 2026

metasploit · WORKING POC · EXCELLENT
by jduck, Rodrigo Marcos · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb

This Metasploit module exploits a heap-based buffer overflow in Microsoft SQL Server's undocumented 'sp_replwritetovarbin' stored procedure via SQL injection, achieving remote code execution through return-oriented programming (ROP) techniques. It targets multiple versions of MSSQL 2000 and MSDE, leveraging precise memory corruption to hijack execution flow.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft SQL Server 2000 / MSDE (versions 8.00.194, 8.00.384, 8.00.534, 8.00.760, 8.00.2039)
Auth: required
Prerequisites: Valid MSSQL credentials · Network access to the target MSSQL server
devstral-2 · analyzed Feb 19, 2026

metasploit · WORKING POC · GOOD
by jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin.rb

This Metasploit module exploits a heap-based buffer overflow in Microsoft SQL Server's undocumented 'sp_replwritetovarbin' stored procedure (CVE-2008-5416). It uses return-oriented programming (ROP) to achieve reliable remote code execution by smashing vtable pointers and hijacking the stack.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft SQL Server 2000/2005, MSDE, Windows Internal Database
Auth: required
Prerequisites: Authenticated database session · Access to 'sp_replwritetovarbin' procedure
devstral-2 · analyzed Feb 19, 2026

References (22)

Core References
Third Party Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2008/3380
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/33034
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/50917
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://securitytracker.com/id?1021363
Exploit, Third Party Advisory (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/7501
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://securitytracker.com/id?1021490
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/47182
US Government Resource (third-party-advisory, x_refsource_cert-vn): http://www.kb.cert.org/vuls/id/696644
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/499042/100/0/threaded
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/499085/100/0/threaded
Third Party Advisory (third-party-advisory, x_refsource_sreason): http://securityreason.com/securityalert/4706
Exploit (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/32710
Third Party Advisory, VDB Entry (vdb-entry, signature, x_refsource_oval): https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6217
US Government Resource (third-party-advisory, x_refsource_cert): http://www.us-cert.gov/cas/techalerts/TA09-041A.html
Third Party Advisory (mailing-list, x_refsource_fulldisc): http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0304.html
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/516397/100/0/threaded

Scores

EPSS 0.8662
EPSS Percentile 99.7%

Details

CWE
CWE-119
Status published
Products (2)
microsoft/sql_server 2000
microsoft/sql_server 2005
Published Dec 10, 2008
Tracked Since Feb 18, 2026