For historical purposes only (everything should compile/run fine). An TGZ archive is attached to this email, and a mirror is available on my website : http://nicob.net/mirrors/sap_sploits.tgz o testing users and passwords with RfcOpenEx (account locking bypass) : - allow networked attack on SAP passwords - now deprecated in favor of THC Hydra - need the RFC SDK to compile - port : TCP/3300+SYSNR - exploit : sapchk.c o customized RFC_SYSTEM_INFO (information disclosure) : - will leak OS type, SAP version, real IP address, ... - need the RFC SDK to compile - port : TCP/3300+SYSNR - exploit : sap-banner.c o original Win32 gwrd bug by FX (remote command execution) : - patched in 4.6D patch 1767 and 6.40 patch 4 - partial control on a CreateProcess() call - can be used for "cmd /c ..." evil - port : UDP/3300+SYSNR - exploit : r3mote_win_UDPexec.pl o linux port of the gwrd bug (remote command execution) : - patched in 4.6D patch 1767 and 6.40 patch 4 - partial control on a execve() call - each argument but the first must be max 8 characters long - exploitable remotely under some conditions - port : UDP/3300+SYSNR - exploit : r3mote_unix_UDPexec.pl and r3mote_unix_wrapper.sh o two bytes UDP crash in enserver.exe (remote DoS) : - patched in 6.40 patch 6 - port : UDP/64999 - exploit : SAP_WebAS_UDP_DoS.c - no, that's not related to the DoS published earlier this month With many thanks to security@xxxxxxx, the OaiTeam, FX from Phenoelit and all the valuable Darklab members. Nicob
Attachment:
sap_sploits.tgz
Description: application/compressed-tar
Attachment:
signature.asc
Description: Ceci est une partie de message =?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=