#!/usr/bin/perl ############################################################## ## Malice version .5.3.1 246 Vuln and counting! ## ############################################################## ## Created for the Pyrotic Bulk Security Scanner ## ## Written By: Natas edited by Doom(smashstack@hushmail.com)## ## Some subs taken from Infinity 1.3 ## ## Released under the GNU license(www.gnu.org) ## ############################################################## ## AN OFFICIAL -ROOT SHELL HACKERS- PRESINTATION ## ## rsh.defacements.com --- irc.dugnet.net #rsh ## ############################################################## ## -Questions/Comments- mailto: natas187@hushmail.com ## ############################################################## ## REALEASE NOTES: ## ## -Lots of CGI holes added to private (beta test) version ## ## -Uses null (%00) and HEAD requests to fool IDS ## ## (even smart IDS) and firewall systems, a la ## ## r.f.p's paper on anti-IDS cgi scanning tactics ## ############################################################## ## BUGS: ## ## -May not run well against some Apache servers ## ## -Does not hex encode URLS (im working on it) ## ## -Sometimes hangs on BSD boxen. Try changing ## ## "HTTP/1.0\r\n\r\n" to "HTTP/1.0\n\n" ## ############################################################## ## What is Malice?: Malice is a cgi & websever vuln scanner ## ## and a webserver information and enumeration tool. It not ## ## only checks for known bugs, but also intresting ## ## directories, making it great for retrieving general info ## ## about a server. It utilizes several well-known anti-ids ## ## tactics, to aviod user detection. It also grabs the ## ## webserver banner, and allows you to define the webserver ## ## port ## ############################################################## ## Changes: Change Log: August 15, 2000 1:26 am. 
## ## In addition to adding two new cgi scripts, i (natas) ## ## added dir scanning, which scans for _useful_ and hidden ## ## directories, a la some weird linux cgi scanner that was ## ## recently on packetsotrm. admin.php3 sploit by ## ## starman jones. Sept 26: added alternate cgi directory ## ## scanning, and two more vulns. Also added the ability for ## ## th user to specify the Webserver port. Also added was an ## ## automated websever banner grabber. peace- natas ## ## October 5th (.5.1). 5 new cgi/webserver vulns added. ## ## October 9th (soon to be .5.2) PHPix and APlio PRO web ## ## shell vulns added. 3 more alternate cgi directories ## ## added. October 12th: shitloads of vulns added. 10/18/00: ## ## Anaconda and Webserver cgi vulns added. Fixed some bugs ## ## in the scanning, added premature ending anti-ids tactic ## ## to stop smart-ids detection. And rfp's IIS unicode bug. ## ## October 28th: added two cgi bugs. October 29th: added ## ## FormNow.cgi bug. ## ############################################################## ## Hex News: /cgi-bin/ = "%2f%63%67%69%2d%62%69%6e%2f" ## ############################################################## ## Thanx to: Babboon,k_line,eb0la and Doom for there ## ## beta testing ## ############################################################## ## Shoutz: Doom, babboon, eb0la, matic, mystik, datagram, ## ## mutualfear, wicked, Dr. Likwid, b00b, pimpshiz, _initd, ## ## bi0cide, NeonLenz, Piffy, Asrael, NetRebel, Pranknet.org ## ## and everyone at #rsh on dugnet ## ############################################################## ## Note: ## ## The script will hang on some scans. If it does just wait ## ## a little bit. We are trying to fix it but it takes time ## ## to test it on different systems and different servers. 
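## ##############################################################

use strict;
use warnings;
use IO::Socket;   # also exports Socket's inet_aton/sockaddr_in/PF_INET/SOCK_STREAM

# NOTE(review): this is an active scanner.  Only point it at hosts you are
# authorised to test; every probe below lands in the target's access log.

# --- tunables ---------------------------------------------------------------
# These were undeclared globals in the original ($storelogs/$verbosemode were
# never even assigned, so logging and verbose output could never trigger).
# They stay package variables so they can still be overridden with -e.

# Method sent in front of every probe path.  "HEAD%00" is the original
# anti-IDS trick; be aware that a standards-conforming server answers an
# unknown method with 400/501 rather than 200, so set this to plain "HEAD"
# when scanning the Apache/Solaris boxes mentioned in the header notes.
our $method      = "HEAD%00";
our $timeout     = 10;      # seconds per probe (connect+send+read); the original had no timeout and hung
our $storelogs   = "no";    # "yes" appends hits to ./log._
our $verbosemode = "n";     # "y" also prints misses

our ($host, $port);

# Probe table: description => request path.
#
# Paths are single-quoted on purpose: the original used double quotes, so
# "C:\WINNT\repair\sam._" sent a literal carriage return (\r), "c:\file.txt"
# sent a form feed (\f) and "/index.asp::$DATA" interpolated the undefined
# $DATA and probed "/index.asp::".  Descriptions are the hash keys, so they
# must be unique: the original repeated several keys (three IIS unicode
# variants, two Finger, two _AuthChangeUrl, two session/adminlogin, three
# Bugtraq 770) and silently dropped all but the last of each.  Exact duplicate
# rows were removed; request targets may not contain spaces, so the
# "s97_cgi s97r_cgi tasmgr" and "pollit/ Poll_it..." rows were split/fixed.
our %exploits = (
    'Alternate cgi directory detected: /cgi-win/'  => '/cgi-win/',
    'Alternate cgi directory detected: /cgi/'      => '/cgi/',
    'Alternate cgi directory detected: /cgi-shl/'  => '/cgi-shl/',
    'Alternate cgi directory detected: /cgi-temp'  => '/cgi-temp/',
    'ALternate cgi directory detected: /cgi-src'   => '/cgi-src/',
    'Alternate cgi directory detected: /cgibin/'   => '/cgibin/',
    'SuSE 6.3/6.4 alternate CGI directory'         => '/cgi-bin-sdb/',
    'VTI PVT [service.pwd]'                        => '/_vti_pvt/service.pwd',
    'VTI PVT [administrators.pwd]'                 => '/_vti_pvt/administrators.pwd',
    'VTI PVT [authors.pwd]'                        => '/_vti_pvt/authors.pwd',
    'VTI PVT [users.pwd]'                          => '/_vti_pvt/users.pwd',
    'VTI INF [_vti_inf.html]'                      => '/_vti_inf.html',
    'VTI BIN [shtml.dll]'                          => '/_vti_bin/shtml.dll',
    'VTI BIN [shtml.exe]'                          => '/_vti_bin/shtml.exe',
    'un1g1.1'                                      => '/cgi-bin/unlg1.1',
    'ung1g1.2'                                     => '/cgi-bin/unlg1.2',
    'rwwwshell.pl'                                 => '/cgi-bin/rwwwshell.pl',
    'gH.cgi'                                       => '/cgi-bin/gH.cgi',
    'PHF(Bugtraq ID 629)'                          => '//cgi-bin//phf',
    'Count.cgi(Bugtraq ID 128)'                    => '/./cgi-bin/./Count.cgi',
    'Test.cgi'                                     => '//cgi-bin//test-cgi',
    'nph-test-cgi(Bugtraq ID 686)'                 => '//cgi-bin//nph-test-cgi',
    'nph-publish'                                  => '/cgi-bin/nph-publish',
    'php.cgi(Bugtraq ID 712)'                      => '///cgi-bin///php.cgi',
    'News Publisher CGI vuln'                      => '/cgi-bin/news/news.cgi',
    'PHP(Bugtraq ID 911)'                          => '/cgi-bin/php',
    'Handler(Bugtraq ID 380)'                      => '/cgi-bin/handler',
    'WebGais'                                      => '/cgi-bin/webgais',
    'WebSendMail'                                  => '/cgi-bin/websendmail',
    'Webdist.cgi(Bugtraq ID 374)'                  => '/cgi-bin/webdist.cgi',
    'faxsurvey'                                    => '/cgi-bin/faxsurvey',
    'htmlscript'                                   => '/cgi-bin/htmlscript',
    'pfdispaly'                                    => '/cgi-bin/pfdispaly.cgi',
    'Perl.exe(Bugtraq ID 194)'                     => '/cgi-bin/perl.exe',
    'wwwboard.cgi'                                 => '/cgi-bin/wwwboard.cgi',
    'wwwboard.pl'                                  => '/cgi-bin/wwwboard.pl',
    'PHPix Transversal'                            => '/Album/',
    'FormNow Sendmail bind to shell'               => '/cgi-bin/formnow.cgi',
    'APlio PRO web shell'                          => '/cgi-bin/authentiicate.cgi',
    'www-sql'                                      => '/cgi-bin/www-sql',
    'view-source'                                  => '/cgi-bin/view-source',
    'campas'                                       => '/cgi-bin/campas',
    'aglimpse'                                     => '/cgi-bin/aglimpse',
    'glimpse'                                      => '/cgi-bin/glimpse',
    'man.sh'                                       => '/cgi-bin/man.sh',
    'AT-admin.cgi'                                 => '/cgi-bin/AT-admin.cgi',
    'IIS UNICODE vuln (possibly, %c1%1c). Run iis5.pl.' => '/scripts/..%c1%1c../',
    'IIS UNICODE vuln (possibly, %c1%9c). Run iis5.pl.' => '/scripts/..%c1%9c../',
    'IIS UNICODE vuln (possibly, %c0%af). Run iis5.pl.' => '/scripts/..%c0%af../',
    'filemail.pl'                                  => '/cgi-bin/filemail.pl',
    'maillist.pl'                                  => '/cgi-bin/maillist.pl',
    'JJ'                                           => '/cgi-bin/jj',
    'info2www'                                     => '/cgi-bin/info2www',
    'files.pl'                                     => '/cgi-bin/files.pl',
    'Finger'                                       => '/cgi-bin/finger',
    'Bnbform.cgi'                                  => '/cgi-bin/bnbform.cgi',
    'Survery.cgi'                                  => '/cgi-bin/survey.cgi',
    'Anyform2'                                     => '/cgi-bin/AnyForm2',
    'textcounter.pl'                               => '/cgi-bin/textcounter.pl',
    'classifieds.cgi'                              => '/cgi-bin/classifieds.cgi',
    'environ.cgi'                                  => '/cgi-bin/environ.cgi',
    'Wrap(Bugtraq ID 373)'                         => '/cgi-bin/wrap',
    'CgiWrap(Bugtraq ID 777)'                      => '/cgi-bin/cgiwrap',
    'Shopping Cart (Shop.cgi) transversal'         => '/cgi-bin/shop.cgi',
    'Edit.pl'                                      => '/cgi-bin/edit.pl',
    'WebEvent remote Login'                        => '/scripts/we3.3.3/webevent.pl',
    'Perlshop.cgi'                                 => '/cgi-bin/perlshop.cgi',
    'Webbbs.cgi(Bugtraq ID 803)'                   => '/cgi-bin/webbbs.cgi',
    'whois_raw.cgi(Bugtraq ID 304)'                => '/cgi-bin/whois_raw.cgi',
    'Anyboard.cgi'                                 => '/cgi-bin/AnyBoard.cgi',
    '/cgi-dos/args.bat'                            => '/cgi-dos/args.bat',
    '/cgi-dos/args.cmd'                            => '/cgi-dos/args.cmd',
    '/cgi-win/uploader.exe'                        => '/cgi-win/uploader.exe',
    'Wguest.exe'                                   => '/cgi-bin/wguest.exe',
    'rguest.exe'                                   => '/cgi-bin/rguest.exe',
    '/scripts/issadmin/bdir.htr'                   => '/scripts/issadmin/bdir.htr',
    '/scripts/CGImail.exe'                         => '/scripts/CGImail.exe',
    '/scripts/tools/newdsn.exe'                    => '/scripts/tools/newdsn.exe',
    '/scripts/fpcount.exe'                         => '/scripts/fpcount.exe',
    '/scripts/counter.exe'                         => '/scripts/counter.exe',
    '/scripts/visadmin.exe'                        => '/scripts/visadmin.exe',
    '/cfdocs/expelval/openfile.cfm'                => '/cfdocs/expelval/openfile.cfm',
    '/cfdocs/expelval/exprcalc.cfm'                => '/cfdocs/expelval/exprcalc.cfm',
    '/cfdocs/expelval/displayopenedfile.cfm'       => '/cfdocs/expelval/displayopenedfile.cfm',
    '/cfdocs/expelval/sendmail.cfm'                => '/cfdocs/expelval/sendmail.cfm',
    'search97.vts'                                 => '/search97.vts',
    '/?PageServices'                               => '/?PageServices',
    '/scripts/pfieffer.bat'                        => '/scripts/pfieffer.bat',
    '/scripts/pfieffer.cmd'                        => '/scripts/pfieffer.cmd',
    'Msadc'                                        => '/msadc/Samples/SELECTOR/showcode.asp',
    'MultiHTML transversal'                        => '/cgi-bin/multihtml.pl',
    'Anaconda Dir Null byte Vuln'                  => '/cgi-bin/apexec.pl',
    'Webstore Transversal'                         => '/cgi-bin/Web_store/web_store.cgi?',
    '/domcfg.nsf/?open'                            => '/domcfg.nsf/?open',
    'BOA webserver transversal'                    => '/etc/motd',
    '/......../autoexec.bat'                       => '/......../autoexec.bat',
    '/iisadmpwd/achg.htr'                          => '/iisadmpwd/achg.htr',
    '/iisadmpwd/aexp.htr'                          => '/iisadmpwd/aexp.htr',
    '/iisadmpwd/aexp2.htr'                         => '/iisadmpwd/aexp2.htr',
    '/iisadmpwd/aexp2b.htr'                        => '/iisadmpwd/aexp2b.htr',
    '/iisadmpwd/aexp3.htr'                         => '/iisadmpwd/aexp3.htr',
    '/iisadmpwd/aexp4.htr'                         => '/iisadmpwd/aexp4.htr',
    '/iisadmpwd/aexp4b.htr'                        => '/iisadmpwd/aexp4b.htr',
    '/iisadmpwd/anot.htr'                          => '/iisadmpwd/anot.htr',
    '/iisadmpwd/anot3.htr'                         => '/iisadmpwd/anot3.htr',
    '5daydatacopier.cgi'                           => '/cgi-bin/day5datacopier.cgi',
    'day5anotifier.cgi'                            => '/cgi-bin/day5datanotifier.cgi',
    '_AuthChangeUrl'                               => '/_AuthChangeUrl',
    'passwd'                                       => '/cgi-bin/passwd',
    'passwd.txt'                                   => '/cgi-bin/passwd.txt',
    'form-totaller'                                => '/form-totaller/form-totaller.cgi',
    'everythingform.cgi'                           => '/everythingform.cgi',
    'password'                                     => '///cgi-bin///password',
    'fun dir: /backup'                             => '/backup/',
    'fun dir: /temp'                               => '/temp/',
    'fun dir: /test'                               => '/test/',
    'fun dir: /hidden'                             => '/hidden/',
    'fun dir: /private'                            => '/private/',
    'fun dir: /_private'                           => '/_private/',
    'fun dir: /misc'                               => '/misc/',
    'fun dir: /data'                               => '/data/',
    'fun dir: /restricted'                         => '/restricted/',
    'fun dir: /backdoor'                           => '/backdoor/',
    'fun dir: /scripts'                            => '/scripts/',
    'fun dir: /script'                             => '/script/',
    'fun dir: /logs'                               => '/logs/',
    'fun dir: /log'                                => '/log/',
    'fun dir: /system'                             => '/system/',
    'fun dir: /bin'                                => '/bin/',
    'fun dir: /dev'                                => '/dev/',
    'fun dir: /perl'                               => '/perl/',
    'fun dir: /auth'                               => '/auth/',
    'fun dir: /admin'                              => '/admin/',
    'fun dir: /cgi-bin'                            => '/cgi-bin/',
    'fun dir: /cgi-local'                          => '/cgi-local/',
    'fun dir: /shtml'                              => '/shtml/',
    'fun dir: /config'                             => '/config',
    'fun dir: /priv'                               => '/priv/',
    'fun dir: /internal'                           => '/internal',
    'password.txt'                                 => '/cgi-bin/password.txt',
    'session/adminlogin'                           => '/session/adminlogin',
    'ax.cgi'                                       => '/cgi-bin/ax.cgi',
    'ax-admin.cgi'                                 => '/cgi-bin/ax-admin.cgi',
    '/etc/passwd'                                  => '/etc/passwd',
    '/etc/group'                                   => '/etc/group',
    '/~root'                                       => '/~root',
    'Upload.pl'                                    => '/cgi-bin/upload.pl',
    'Victim might be vulnerable to the MSADC exploit' => '//msadc',
    'dumpenv.pl'                                   => '/cgi-bin/dumpenv.pl',
    '/scripts/convert.bas'                         => '/scripts/convert.bas',
    '/perl/files.pl'                               => '/perl/files.pl',
    'Root! Phf.pp'                                 => '/cgi-bin/phf.pp',
    'Root! Phf.cgi'                                => '/cgi-bin/phf.cgi',
    'WebDAV transversal'                           => '/secret/secret/sql_tool.shtml',
    'wwwadmin.pl'                                  => '/cgi-bin/wwwadmin.pl',
    'formmail.pl'                                  => '/cgi-bin/formmail.pl',
    'sendform.cgi'                                 => '/cgi-bin/sendform.cgi',
    'getdrvs.exe'                                  => '/scripts/tools/getdrvs.exe',
    'cached_feed.cgi'                              => '/cgi-bin/cached_feed.cgi',
    'SSI remote file browsing'                     => '/cgi-bin/ssi/',
    'CyberOffice ShoppingCart Customer info'       => '/_private/shopping_cart.mdb',
    'WebTeachers WebData database feed'            => '/cgi-bin/webdata_test.pl',
    'Easy Advertiser exploit'                      => '/cgi-bin/stats.cgi',
    'TalentSoft remote file browsing'              => '/cgi-bin/webplus.cgi',
    'Guestbook.cgi'                                => '/cgi-bin/guestbook.cgi',
    'Finger (@localhost)'                          => '/cgi-bin/finger?@localhost',
    'Pfdisplay.cgi'                                => '/cgi-bin/pfdisplay.cgi',
    'Handler.cgi'                                  => '/cgi-bin/handler.cgi',
    'Wrap.cgi'                                     => '/cgi-bin/wrap.cgi',
    'Password.pwl'                                 => '/cgi-bin/password.pwl',
    'Password.pwd'                                 => '/cgi-bin/password.pwd',
    '_AuthChangeUrl (cgi-bin)'                     => '/cgi-bin/_AuthChangeUrl',
    'Passwd.pwl'                                   => '/cgi-bin/passwd.pwl',
    'passwd.pwd'                                   => '/cgi-bin/passwd.pwd',
    'No-such-file.pl'                              => '/scripts/no-such-file.pl',
    '/......'                                      => '/....../',
    'To long!'                                     => '/.html/............./config.sys',
    '/doc/'                                        => '/doc',
    'Another ISS Exploit'                          => '/scripts/issadmin/bdir.htr',
    '/_vti_pvt/shtml.exe'                          => '/_vti_pvt/shtml.exe',
    '/_vti_inf.html'                               => '/_vti_inf.html',
    'test.bat'                                     => '/cgi-bin/test.bat',
    'input2.bat'                                   => '/cgi-bin/input2.bat',
    'ssi/envout.bat'                               => '/ssi/envout.bat',
    'cgi-shl/win-c-sample.exe'                     => '/cgi-shl/win-c-sample.exe',
    'default.asp'                                  => '/default.asp',
    'Server%20logfile'                             => '/server%20logfile',
    '.htaccess bug'                                => '/.htaccess',
    '.htaccess. bug'                               => '/.htaccess.',
    'dcmcfg.nsf'                                   => '/domcfg.nsf/?open',
    'Webhits.exe'                                  => '/scripts/samples/search/webhits.exe',
    'fpexplore.exe'                                => '/cgi-bin/fpexplore.exe',
    'gueryhit.htm'                                 => '/samples/search/queryhit.htm',
    'responder.cgi'                                => '/cgi-bin/responder.cgi',
    'Catalog_type.asp'                             => '/ASPSamp/AdvWorks/equipment/catalog_type.asp',
    'session/adminlogin (RCpage)'                  => '/session/adminlogin?RCpage=/sysadmin/index.stm',
    'bigconf.cgi'                                  => '/cgi-bin/bigconf.cgi',
    '/cgi-bin/ss.cfg'                              => '/cgi-bin/ss.cfg',
    'ss.cfg'                                       => '/ss.cfg',
    'Php PhotoAlbum'                               => '/phpPhotoAlbum/getalbum.php',
    'YaBB.pl'                                      => '/cgi-bin/YaBB.pl',
    'visadmin.exe'                                 => '/cgi-bin/visadmin.exe?user=guest',
    'input.bat(Bugtraq ID 762)'                    => '/cgi-bin/input.bat?|dir..\..\windows',
    'index.asp::$DATA'                             => '/index.asp::$DATA',
    'startstop.html'                               => '/CFIDE/Administrator/startstop.html',
    'Yet another ISS Exploit'                      => '/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:\WINNT\repair\sam._',
    'openfile.cfm'                                 => '/cfdocs/expeval/openfile.cfm',
    'GetFile.cfm'                                  => '/GetFile.cfm?',
    'ExprCalc.cfm'                                 => '/cfdocs/expeval/ExprCalc.cfm',
    '//../../config.sys'                           => '//../../config.sys',
    '/../../config.sys'                            => '/../../config.sys',
    'main.asp%81'                                  => '/main.asp%81',
    '/adsamples/config/site.csc'                   => '/adsamples/config/site.csc',
    'isn.dll'                                      => '/scripts/iisadmin/ism.dll?http/dir',
    'Search.cgi(Bugtraq ID 921)'                   => '/cgi-bin/search.cgi',
    'bb-hist.sh(Bugtraq ID 142)'                   => '/cgi-bin/bb-hist.sh',
    'kcms_configure(Bugtraq ID 452)'               => '/usr/openwin/bin/kcms_configure',
    'Bugtraq ID 162 (s97_cgi)'                     => '/cgi-bin/s97_cgi',
    'Bugtraq ID 162 (s97r_cgi)'                    => '/cgi-bin/s97r_cgi',
    'Bugtraq ID 162 (tasmgr)'                      => '/cgi-bin/tasmgr',
    'ppdscgi.exe(Bugtraq ID 491)'                  => '/cgi-bin/ppdscgi.exe',
    'admin.php3 bug (discovered by starmanjones)'  => '/admin.php3',
    'dfire.cgi(Bugtraq ID 564)'                    => '/cgi-bin/dfire.cgi',
    'guestbook.pl(Bugtraq ID 776)'                 => '/cgi-bin/guestbook.pl',
    'Anyform.cgi(Bugtraq ID 719)'                  => '/cgi-bin/AnyForm.cgi',
    'w3-msql(Bugtraq ID 591, 898)'                 => '/cgi-bin/w3-msql',
    'Bugtraq ID 770 (tst.bat)'                     => '/cgi-bin/tst.bat|type%20c:\file.txt',
    'Bugtraq ID 770 (alibaba.pl)'                  => '/cgi-bin/alibaba.pl|dir',
    'status.cgi(Bugtraq ID 914)'                   => '/cgi-bin/status.cgi',
    'FormHandler 1.0, 2.0(Bugtraq ID 799, 798)'    => '/cgi-bin/FormHandler.cgi',
    'webwho.pl(Bugtraq ID 892)'                    => '/cgi-bin/webwho.pl',
    'carbo.dll'                                    => '/carbo.dll',
    'cart32.exe'                                   => '/scripts/cart32.exe',
    'Bugtraq ID 1455'                              => '/cgi-bin/bb-hostsvc.sh',
    'Bugtraq ID 142'                               => '/cgi-bin/bb-hist.sh',
    'admpw'                                        => '/admin-serv/config/admpw',
    'ralfchat config.pm'                           => '/cgi-bin/config.pm',
    'Bugtraq ID 964'                               => '/cgi-bin/htimage.exe?2.2',
    'Bugtraq ID 936'                               => '/cgi-bin/ls',
    'Sawmill'                                      => '/cgi-bin/sawmill5',
    'Alibaba post32.exe'                           => '/cgi-bin/post32.exe',
    'Alibaba post16.exe'                           => '/cgi-bin/post16.exe',
    'Alibaba get16.exe'                            => '/cgi-bin/get16.exe',
    'Bugtraq ID 1431'                              => '/cgi-bin/pollit/Poll_it_SSI_v2.0.cgi',
);

menu();

# Banner + prompt loop.  The original called menu() again from inside
# exploitnouselist(), so every scan added a stack frame and the loop could
# never return; this iterates instead and stops when STDIN is exhausted.
sub menu {
    while (1) {
        print "\n\n";
        print " Malice .5.3\n\n";
        print " Anti IDS scanner that uses null scans with HEAD requests\n\n";
        print " Much props to doom for editing this.\n\n";
        exploitnouselist() or last;
    }
    return;
}

# Prompt for host and port on STDIN and run one scan.
# Returns true to keep prompting, false on EOF (so menu() can stop).
sub exploitnouselist {
    print "\nHost: ";
    my $h = <STDIN>;
    return 0 unless defined $h;
    chomp $h;

    print "\nPort: ";
    my $p = <STDIN>;
    return 0 unless defined $p;
    chomp $p;

    $host = $h;
    $port = $p;
    $port = 80 if $port eq '';    # blank used to become port 0 and "Cant connect"
    if ($port !~ /^\d+$/ || $port > 65535) {
        print "\nInvalid port '$port'\n";
        return 1;
    }
    cgiscannerloop($host);
    return 1;
}

# Scan one target: grab the server banner, then request every path in
# %exploits with $method and report the ones answered with HTTP 200.
# Arguments: target host name or IP (the port comes from package $port).
# Returns the number of hits.
sub cgiscannerloop {
    my ($target) = @_;
    $host = $target;

    if (!defined $host || $host eq '') {
        print "Please define target\n";
        return 0;
    }
    # Resolve once; the original re-ran gethostbyname twice per probe and
    # passed an undefined address to sockaddr_in when resolution failed.
    my $ip = inet_aton($host);
    if (!defined $ip) {
        print "Please check target IP address for errors\n";
        return 0;
    }
    my $addr = sockaddr_in($port, $ip);

    # Banner grab: plain HEAD / and dump whatever the server sends.
    my ($connected, $banner) = _raw_request($addr, "HEAD / HTTP/1.0\r\n\r\n", 1);
    if (!$connected) {
        print "\nCant connect\n";
        return 0;    # no point sending 200+ probes to a port that refuses us
    }
    print "\n\n", (defined $banner ? $banner : ''), "\n";

    # False-positive guard: servers with a catch-all 200 page (custom error
    # pages, wildcard vhosts) make every probe below "found".  Ask for a path
    # that cannot exist and warn if it comes back 200.
    my $bogus = sprintf('/malice-%08x.html', int rand 0xFFFFFFFF);
    my $base  = _status_of($addr, $bogus);
    if (defined $base && $base == 200) {
        print "WARNING: $host answers 200 for a nonexistent path ($bogus); "
            . "200-based hits below are not reliable\n\n";
    }

    my $number = 0;
    print "\n\nChecking $host for CGI holes.....:\n\n";
    for my $key (sort keys %exploits) {
        my $path = $exploits{$key};
        my $code = _status_of($addr, $path);
        # Only 200 is reported, as in the original; a 403 on a directory
        # probe would still mean "exists" but is deliberately not flagged.
        if (defined $code && $code == 200) {
            print "Exploit Found: $key\nLocation: $path\n\n";
            $number++;
            _log_hit($key, $path) if $storelogs eq "yes";
        }
        elsif ($verbosemode eq "y") {
            print "$key Exploits Not Found\n";
        }
    }
    if ($number == 0) {
        print "$host either doesn't use CGI scripts, or has some tight security\n";
    }
    return $number;
}

# Numeric status code from the first response line for one probe path, or
# undef when the connection failed, timed out, or the reply is not an HTTP
# status line (the original compared an undefined value with == 200).
sub _status_of {
    my ($addr, $path) = @_;
    my ($ok, $line) = _raw_request($addr, "$method $path HTTP/1.0\r\n\r\n", 0);
    return unless $ok && defined $line;
    my (undef, $code) = split /\s+/, $line;
    return unless defined $code && $code =~ /^\d{3}$/;
    return $code + 0;
}

# Connect to $addr, send $request, read the reply.
# $slurp true reads everything until the server closes, false reads only the
# status line.  Returns (connected_flag, reply_or_undef).  Every phase runs
# under alarm($timeout) so a server that accepts and never answers cannot
# hang the scan (the hang described in the header BUGS).  Unix alarm() only.
sub _raw_request {
    my ($addr, $request, $slurp) = @_;
    my ($connected, $reply) = (0, undef);
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
            or die "socket: $!\n";
        if (connect($sock, $addr)) {
            $connected = 1;
            send($sock, $request, 0);
            if ($slurp) {
                local $/;
                $reply = <$sock>;
            }
            else {
                $reply = <$sock>;
            }
        }
        close $sock;
        alarm 0;
        1;
    } or do {
        alarm 0;    # timeout or socket error: reported as "no reply"
    };
    return ($connected, $reply);
}

# Append one hit to ./log._ (only when $storelogs is "yes").  The original
# used a bareword handle named `log` and a 2-arg open, and called an
# undefined dienice() on failure.
sub _log_hit {
    my ($key, $path) = @_;
    open my $log, '>>', 'log._'
        or die "Couldn't open log._ for writing. Please make sure the file exists and is writable.\n";
    print {$log} "Vulnerability: $key\nServer: $host\nLocation: $path\n\n";
    close $log or die "close log._: $!\n";
    return;
}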