For historical purposes only (everything should compile/run fine). A
TGZ archive is attached to this email, and a mirror is available on my
website : http://nicob.net/mirrors/sap_sploits.tgz
o testing users and passwords with RfcOpenEx (account locking bypass) :
- allows networked attacks on SAP passwords
- now deprecated in favor of THC Hydra
- needs the RFC SDK to compile
- port : TCP/3300+SYSNR
- exploit : sapchk.c
o customized RFC_SYSTEM_INFO (information disclosure) :
- will leak OS type, SAP version, real IP address, ...
- needs the RFC SDK to compile
- port : TCP/3300+SYSNR
- exploit : sap-banner.c
o original Win32 gwrd bug by FX (remote command execution) :
- patched in 4.6D patch 1767 and 6.40 patch 4
- partial control on a CreateProcess() call
- can be used for "cmd /c ..." evil
- port : UDP/3300+SYSNR
- exploit : r3mote_win_UDPexec.pl
o linux port of the gwrd bug (remote command execution) :
- patched in 4.6D patch 1767 and 6.40 patch 4
- partial control on a execve() call
- each argument except the first must be at most 8 characters long
- exploitable remotely under some conditions
- port : UDP/3300+SYSNR
- exploit : r3mote_unix_UDPexec.pl and r3mote_unix_wrapper.sh
o two bytes UDP crash in enserver.exe (remote DoS) :
- patched in 6.40 patch 6
- port : UDP/64999
- exploit : SAP_WebAS_UDP_DoS.c
- no, that's not related to the DoS published earlier this month
With many thanks to security (at) sap (dot) com, the OaiTeam, FX from Phenoelit and
all the valuable Darklab members.
Nicob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQBFVwb6uhlqje80vsMRAoFTAKDYshxHgVVGfPXM8jP6lReGvHDMeACfTdkE
MdEqkiZ6MnOQIdcvi3TeVs0=
=kyZL
-----END PGP SIGNATURE-----