#!/usr/bin/perl
#######################################################################
#
# isurlscan.pl - Testing User-Agent: overflow field
# 
# This tool simply checks an IIS machine for the implementation of  the
# URLScan information security control provided by Microsoft. This tool
# does not comply with RFC 2616 and is therefore detectable.
#
# Detects:
#  - URLScan up to 6.0.3547.0
#  - Other versions ??
#
# References:
#  - Stephen Cope <mail@nonsense.kimihia.org.nz>
#  - RFC 2616
#
# Quickhack code: feel free to modify, update, delete, ... this piece
# of quickly slapped together code for your own fun and profit :)
# 
#######################################################################

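 use strict;
 use warnings;
 use IO::Socket;
 use Net::hostent;

 # Send one HEAD request to an IIS host and report whether the reply
 # carried an entity body.  RFC 2616 does not allow a body on a HEAD
 # response, so the script reads any body as "non compliant, URLScan may
 # be installed" (see the two status strings at the bottom).  The probe
 # itself is deliberately not RFC-clean (bare "\n" line endings), as the
 # file header says, so expect it to be visible in server logs/IDS.

 print "isurlscan.pl - Test Microsoft URL Scan Usage, by Filip Maertens\n";
 die " [x] Too little arguments, syntax: isurlscan [host] (port)\n\n" if @ARGV == 0;

 #######################################################################
 # COMMAND LINE STUFF

   # Port: second argument, defaulting to 80 when absent or empty.  The
   # original test ($ARGV[1] == "") compared numerically, which is true
   # for any non-numeric string and warns under 'use warnings'.
   my $port = (defined $ARGV[1] && $ARGV[1] ne '') ? $ARGV[1] : "80";
   die " [x] Invalid port: $port\n"
       unless $port =~ m/\A\d{1,5}\z/ && $port >= 1 && $port <= 65535;

   # Resolve first so an unknown host fails with a readable message
   # rather than "Can't call method addr on an undefined value".
   my $hostent = gethostbyname($ARGV[0])
       or die " [x] Cannot resolve host: $ARGV[0]\n";
   my $host = inet_ntoa($hostent->addr);

 print " Evaluating parameters:\n";
 print "  - Hostname : $ARGV[0], ($host:$port)\n";
 print "  - Port     : $port\n";
 print " Creating request: ";

   # Request kept byte-for-byte: the mixed "\n" / "\r\n" line endings are
   # the tool's documented non-compliance, not an accident to fix.
   my $request = "HEAD /isurlscan.exe HTTP/1.0\nHost:$ARGV[0]\nUser-Agent:IsURLScan v0.01\r\n\r\n";

 print "Done\n";


 #######################################################################
 # ZHA REEL STUFF

 print " Connection status: ";

   my $socket = IO::Socket::INET->new(
       Proto    => "tcp",
       PeerAddr => $host,
       PeerPort => $port,
   ) or die "Failed.\n";
   print "Alive\n";
   print {$socket} $request;

   # Status line.  A server that closes the connection without answering
   # used to fall through to "RFC 2616 compliant"; report it instead.
   my $status_line = <$socket>;
   die " [x] No response received from $host:$port\n" unless defined $status_line;

   # Skip the headers up to and including the blank line that ends them.
   # The original loop stopped at the first line not matching
   # /^\S+:\s+.+/, so a header written as "Name:value" (no space after
   # the colon) ended the skip early and pushed the remaining headers
   # into the body, producing a false "URLScan" verdict.
   while (my $line = <$socket>) {
       last if $line =~ m/\A\r?\n\z/;
   }

   # Everything after the blank line is the entity body (slurped).
   my $data = do { local $/; <$socket> };
   $data = '' unless defined $data;

   close($socket);

   # A HEAD response with any body at all is what this tool flags.
   my $status = "RFC 2616 compliant";
   $status = "Non RFC 2616 compliant, URL Scan might be implemented" if length($data) > 0;

 print " Target status: ";

 print "$status\n\n";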

#######################################################################
#								  (EOF)