For historical purposes only (everything should compile/run fine). A
TGZ archive is attached to this email, and a mirror is available on my
website : http://nicob.net/mirrors/sap_sploits.tgz
o testing users and passwords with RfcOpenEx (account locking bypass) :
- allows networked attacks on SAP passwords
- now deprecated in favor of THC Hydra
- needs the RFC SDK to compile
- port : TCP/3300+SYSNR
- exploit : sapchk.c
o customized RFC_SYSTEM_INFO (information disclosure) :
- leaks OS type, SAP version, real IP address, ...
- needs the RFC SDK to compile
- port : TCP/3300+SYSNR
- exploit : sap-banner.c
o original Win32 gwrd bug by FX (remote command execution) :
- patched in 4.6D patch 1767 and 6.40 patch 4
- partial control over a CreateProcess() call
- can be used for "cmd /c ..." evil
- port : UDP/3300+SYSNR
- exploit : r3mote_win_UDPexec.pl
o linux port of the gwrd bug (remote command execution) :
- patched in 4.6D patch 1767 and 6.40 patch 4
- partial control over an execve() call
- every argument except the first must be at most 8 characters long
- exploitable remotely under some conditions
- port : UDP/3300+SYSNR
- exploit : r3mote_unix_UDPexec.pl and r3mote_unix_wrapper.sh
o two-byte UDP crash in enserver.exe (remote DoS) :
- patched in 6.40 patch 6
- port : UDP/64999
- exploit : SAP_WebAS_UDP_DoS.c
- no, that's not related to the DoS published earlier this month
With many thanks to security (at) sap (dot) com, the OaiTeam, FX from Phenoelit and
all the valuable Darklab members.
Nicob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQBFVwb6uhlqje80vsMRAoFTAKDYshxHgVVGfPXM8jP6lReGvHDMeACfTdkE
MdEqkiZ6MnOQIdcvi3TeVs0=
=kyZL
-----END PGP SIGNATURE-----
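A small detection helper, added here as an example and not part of Nicob's archive or of the original post: it maps SAP system numbers to the gateway port the entries above refer to (3300+SYSNR) and flags flow records that reach that port over TCP (the RFC tools: sapchk.c, sap-banner.c), over UDP (the gwrd bug: r3mote_*_UDPexec.pl), or UDP/64999 (enserver.exe crash). The flow-record format and the sample records are constructed for the example; that SYSNR ranges 00-99 is the standard SAP instance-number convention and is an assumption, not something the post states.

```python
# Added example, not code from the original post or from the sap_sploits archive.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

GATEWAY_BASE = 3300      # gateway port = 3300 + SYSNR (stated in the post)
ENSERVER_UDP = 64999     # enserver.exe UDP port (stated in the post)


def gateway_port(sysnr: int) -> int:
    """Gateway port for a given SAP system number.

    Assumption: SYSNR is the two-digit instance number 00-99 (standard SAP
    convention, not stated in the post), so gateway ports span 3300-3399.
    """
    if not 0 <= sysnr <= 99:
        raise ValueError(f"SYSNR must be 00-99, got {sysnr}")
    return GATEWAY_BASE + sysnr


def sysnr_from_port(port: int) -> Optional[int]:
    """Inverse of gateway_port(); None when the port is not a gateway port."""
    sysnr = port - GATEWAY_BASE
    return sysnr if 0 <= sysnr <= 99 else None


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


# Constructed record format: "<timestamp> <src> <dst> <tcp|udp> <dport>"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$", re.IGNORECASE)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def classify(flow: Flow) -> Optional[str]:
    """Name the exposure a flow corresponds to, or None if it hits no listed port."""
    if flow.proto == "udp" and flow.dport == ENSERVER_UDP:
        return "enserver-udp (SAP_WebAS_UDP_DoS)"
    sysnr = sysnr_from_port(flow.dport)
    if sysnr is None:
        return None
    if flow.proto == "udp":
        return f"gwrd-udp sysnr={sysnr:02d} (r3mote_*_UDPexec)"
    return f"rfc-gateway sysnr={sysnr:02d} (sapchk / sap-banner)"


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = """\
2006-11-12T10:01:02Z 10.0.0.5 10.0.1.20 tcp 3300
2006-11-12T10:01:05Z 10.0.0.5 10.0.1.20 udp 3300
2006-11-12T10:01:07Z 10.0.0.5 10.0.1.20 udp 64999
2006-11-12T10:01:09Z 10.0.0.5 10.0.1.20 tcp 443
2006-11-12T10:01:11Z 10.0.0.7 10.0.1.21 tcp 3342
this line is deliberately malformed and is skipped
"""


def scan(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ts, src, dst, verdict) for every record that reaches a listed port."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict:
            hits.append((flow.ts, flow.src, flow.dst, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(*hit)
```

UDP towards a gateway port is the interesting signal here: the legitimate RFC clients described above speak TCP, so UDP datagrams to 3300+SYSNR or to 64999 from outside the SAP landscape deserve a closer look regardless of whether the target is patched.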