Bugtraq mailing list archives
Old SAP exploits
From: Nicob <nicob () nicob net>
Date: Sun, 12 Nov 2006 12:35:22 +0100
For historical purposes only (everything should compile/run fine). An TGZ archive is attached to this email, and a mirror is available on my website : http://nicob.net/mirrors/sap_sploits.tgz o testing users and passwords with RfcOpenEx (account locking bypass) : - allow networked attack on SAP passwords - now deprecated in favor of THC Hydra - need the RFC SDK to compile - port : TCP/3300+SYSNR - exploit : sapchk.c o customized RFC_SYSTEM_INFO (information disclosure) : - will leak OS type, SAP version, real IP address, ... - need the RFC SDK to compile - port : TCP/3300+SYSNR - exploit : sap-banner.c o original Win32 gwrd bug by FX (remote command execution) : - patched in 4.6D patch 1767 and 6.40 patch 4 - partial control on a CreateProcess() call - can be used for "cmd /c ..." evil - port : UDP/3300+SYSNR - exploit : r3mote_win_UDPexec.pl o linux port of the gwrd bug (remote command execution) : - patched in 4.6D patch 1767 and 6.40 patch 4 - partial control on a execve() call - each argument but the first must be max 8 characters long - exploitable remotely under some conditions - port : UDP/3300+SYSNR - exploit : r3mote_unix_UDPexec.pl and r3mote_unix_wrapper.sh o two bytes UDP crash in enserver.exe (remote DoS) : - patched in 6.40 patch 6 - port : UDP/64999 - exploit : SAP_WebAS_UDP_DoS.c - no, that's not related to the DoS published earlier this month With many thanks to security () sap com, the OaiTeam, FX from Phenoelit and all the valuable Darklab members. Nicob
Attachment:
sap_sploits.tgz
Description:
Attachment:
signature.asc
Description: Ceci est une partie de message numériquement signée
Current thread:
- Old SAP exploits Nicob (Nov 13)