lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 12 Nov 2006 12:35:22 +0100 From: Nicob <nicob@...ob.net> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: Old SAP exploits For historical purposes only (everything should compile/run fine). An TGZ archive is attached to this email, and a mirror is available on my website : http://nicob.net/mirrors/sap_sploits.tgz o testing users and passwords with RfcOpenEx (account locking bypass) : - allow networked attack on SAP passwords - now deprecated in favor of THC Hydra - need the RFC SDK to compile - port : TCP/3300+SYSNR - exploit : sapchk.c o customized RFC_SYSTEM_INFO (information disclosure) : - will leak OS type, SAP version, real IP address, ... - need the RFC SDK to compile - port : TCP/3300+SYSNR - exploit : sap-banner.c o original Win32 gwrd bug by FX (remote command execution) : - patched in 4.6D patch 1767 and 6.40 patch 4 - partial control on a CreateProcess() call - can be used for "cmd /c ..." evil - port : UDP/3300+SYSNR - exploit : r3mote_win_UDPexec.pl o linux port of the gwrd bug (remote command execution) : - patched in 4.6D patch 1767 and 6.40 patch 4 - partial control on a execve() call - each argument but the first must be max 8 characters long - exploitable remotely under some conditions - port : UDP/3300+SYSNR - exploit : r3mote_unix_UDPexec.pl and r3mote_unix_wrapper.sh o two bytes UDP crash in enserver.exe (remote DoS) : - patched in 6.40 patch 6 - port : UDP/64999 - exploit : SAP_WebAS_UDP_DoS.c - no, that's not related to the DoS published earlier this month With many thanks to security@....com, the OaiTeam, FX from Phenoelit and all the valuable Darklab members. Nicob Download attachment "sap_sploits.tgz" of type "application/x-compressed-tar" (6993 bytes) Download attachment "signature.asc" of type "application/pgp-signature" (192 bytes)
Powered by blists - more mailing lists