CVE-2009-4988
Published 2010-08-25
Priority: P2 · 74 · critical · CVSS 2.0 base score 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 65.52% (99.2th percentile)
Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business One 2005 A 6.80.123 and 6.80.320 allows remote attackers to execute arbitrary code via a long GIOP request to TCP port 30000.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | business_one_2005-a | — | — |
| sap | business_one_2005-a | — | — |
Detection & IOCs (extracted from sources)
bytes: \x47\x49\x4f\x50\x01\x00\x01\x00
- Detect exploit attempts by matching TCP traffic to port 30000 beginning with the 8-byte GIOP magic header '\x47\x49\x4f\x50\x01\x00\x01\x00' followed by an abnormally large payload (>1000 bytes), indicative of the buffer overflow trigger.
- The PoC exploit sends the GIOP header followed by '\x2f\x5c' repeated 500 times as padding before the return address; this pattern on port 30000 is a strong indicator of exploitation.
- Monitor for NOP sled patterns (\x90 * 44 or \x90 * 384) appended after a return address in TCP streams to port 30000, consistent with shellcode delivery in this exploit.
- The Metasploit module uses tao2005.dll as the ROP gadget source (push esp/ret at 0x00547b82); the presence of this DLL loaded in NT_Naming_Service.exe together with crashes at that address indicates active exploitation.
- The PoC hardcodes a test IP (10.0.0.241) and is confirmed only against Windows Server 2003 R2 STD/ENT SP2; the return address 0x773a73fb (User32.dll JMP ESP) is OS/SP-specific and will differ on other platforms.
- The Metasploit module targets only 'Sap Business One 2005 B1 Universal' with a single return address (0x00547b82 from tao2005.dll); exploitation against other OS/SP combinations requires a different return address.
- Affected versions are specifically SAP Business One 2005 A 6.80.123 and 6.80.320; other versions are not confirmed vulnerable.
- The Metasploit payload space is limited to 400 bytes with null bytes as bad characters; payloads exceeding this or containing \x00 will fail.
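The indicators above, turned into a small payload inspector for TCP traffic to port 30000. This is an added example, not code from the page, the PoC or the Metasploit module; the sample payloads are constructed, the four return-address bytes are a placeholder, and the 1000-byte threshold and the 44-byte minimum sled come from the indicators listed above.

```python
import re

# Indicators taken from the detection notes above for CVE-2009-4988.
GIOP_MAGIC = b"\x47\x49\x4f\x50\x01\x00\x01\x00"  # "GIOP" magic, version 1.0, flags
SAP_LICENSE_PORT = 30000                         # NT_Naming_Service.exe listener
OVERSIZE_THRESHOLD = 1000                        # GIOP request larger than this is abnormal
POC_PADDING = b"\x2f\x5c" * 500                  # padding the PoC places before the return address
NOP_SLED_RE = re.compile(rb"\x90{44,}")          # shortest sled mentioned is 44 bytes


def inspect_payload(dst_port: int, payload: bytes) -> dict:
    """Return the indicators matched by one TCP payload; an empty dict means nothing matched."""
    hits = {}
    # Only GIOP-framed traffic to the license service port is in scope.
    if dst_port != SAP_LICENSE_PORT or not payload.startswith(GIOP_MAGIC):
        return hits
    if len(payload) > OVERSIZE_THRESHOLD:
        hits["oversized_giop"] = len(payload)
    if POC_PADDING in payload:
        hits["poc_padding"] = payload.index(POC_PADDING)   # offset where the padding starts
    sled = NOP_SLED_RE.search(payload)
    if sled:
        hits["nop_sled"] = sled.end() - sled.start()        # length of the longest-first \x90 run
    return hits


def classify(hits: dict) -> str:
    """Map matched indicators to a verdict: exploit > suspicious > benign."""
    if "poc_padding" in hits or "nop_sled" in hits:
        return "exploit"
    if hits:
        return "suspicious"
    return "benign"


# Constructed samples (not captured traffic): a short, well-formed-looking GIOP request
# and a stream that carries the PoC padding, placeholder return-address bytes, a 44-byte
# NOP sled and 400 filler bytes in place of a payload.
SAMPLE_BENIGN = GIOP_MAGIC + b"\x00\x00\x00\x10" + b"\x00" * 16
RET_PLACEHOLDER = b"\xde\xad\xbe\xef"  # placeholder, not a real gadget address
SAMPLE_EXPLOIT_LIKE = GIOP_MAGIC + POC_PADDING + RET_PLACEHOLDER + b"\x90" * 44 + b"\x41" * 400

if __name__ == "__main__":
    for name, pkt in (("benign", SAMPLE_BENIGN), ("exploit-like", SAMPLE_EXPLOIT_LIKE)):
        h = inspect_payload(SAP_LICENSE_PORT, pkt)
        print(f"{name}: {classify(h)} {h}")
```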
No detection rules found.
Exploit-DB
SAP Business One License Manager 2005 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-11-30 · CVE-2009-4988
---
```ruby
##
# $Id: sap_2005_license.rb 11180 2010-11-30 20:19:18Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the module's Rank, mixin includes and the opening of initialize/update_info
  #  were lost in extraction; the excerpt resumes inside the info hash)
  'Name'        => 'SAP Business One License Manager 2005 Buffer Overflow',
  'Description' => %q{
    This module exploits a stack buffer overflow in the SAP Business One 2005
    License Manager 'NT Naming Service' A and B releases. By sending an
    excessively long string the stack is overwritten enabling arbitrary
    code execution.
  },
  'Author'      => 'Jacopo Cervini',
  'Version'     => '$Re
```
Exploit-DB
SAP Business One 2005-A License Manager - Remote Buffer Overflow
exploitdb · 2009-08-01 · CVE-2009-4988
---
```python
#!/usr/bin/python
import socket, time
#########################################INFO################################################
# NT_Naming_Service.exe (License Manager 2005 for SAP Business One 2005-A) is               #
# vulnerable to a stack-based buffer overflow allowing for full system compromise by        #
# an unauthenticated user that has TCP/IP access to SAP's license service on TCP port 30000.#
# Mike Arnold ---> mikey27 .::at::. hotmail.com                                             #
############################################################################################
header = ("########################################################################\r\n"
          "# SAP Business One 2005-A License Manager remote overflow PoC          #\r\n"
          "# Tested on 2005-A (6.80.123)
```
Metasploit
SAP Business One License Manager 2005 Buffer Overflow
This module exploits a stack buffer overflow in the SAP Business One 2005 License Manager 'NT Naming Service' A and B releases. By sending an excessively long string the stack is overwritten enabling arbitrary code execution.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/36103
- http://www.exploit-db.com/exploits/9319
- http://www.securityfocus.com/archive/1/505489/100/0/threaded
- http://www.securityfocus.com/bid/35933
- http://www.securitytracker.com/id?1022655
- http://www.vupen.com/english/advisories/2009/2170
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52256