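/*
 * Install: make jas   or:   gcc -o jas jas.c
 *
 * Tested on RedHat 6.1, OpenBSD 2.6 / 2.7, SuSE 6.3, so it should run on
 * your box...
 *
 * (J)ust (A)nother (S)canner   by: decker@n3t.net
 *
 * note - If you see code in here that looks like yours, chances are it is :)
 * I claim no responsibility for anything you or anyone you know does with
 * this. This was merely written to get an idea of a few different things to
 * do with C. It should also be apparent how to add new checks: they live in
 * the two tables below.
 *
 * Review notes on this revision:
 *  - The original matched status codes with strstr() over an unterminated
 *    26-byte recv() buffer; "200" anywhere in the first bytes of a response
 *    (a date, a Content-Length) counted as a hit and the strstr() itself
 *    read past the buffer.  Responses are now NUL-terminated and the status
 *    line is parsed.
 *  - argv[2] was advertised as the port but port 80 was hard-coded.
 *  - argv[1] was strcpy()'d into a fixed 100-byte global.
 *  - The helpers were called before being declared, with the wrong arity.
 */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif

#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

enum {
    RESP_BUF_LEN = 2121,  /* response buffer size, as in the original */
    REQ_BUF_LEN = 256     /* room for "GET <path> HTTP/1.0\n\n" */
};

/* Negative results of fetch()/fetch_path(); any non-negative value is an
 * HTTP status code taken from the response's status line. */
enum {
    FETCH_NO_CONNECT = -2, /* socket()/connect() failed */
    FETCH_NO_STATUS = -1   /* connected, but no parsable status line came back */
};

/* Host as typed on the command line plus its resolved IPv4 endpoint. */
struct target {
    const char *name;
    struct sockaddr_in addr;
};

/* Candidate script directories, probed in this order. */
static const char *const cgi_dirs[] = {
    "/cgi-bin/", "/cgi/", "/local-bin/", "/scripts/"
};

/* Script names requested under the directory found above. */
static const char *const cgi_scripts[] = {
    "phf", "php.cgi", "perl.exe", "test-cgi", "nph-test-cgi", "nph-publish",
    "webgais", "webdist.cgi", "faxsurvey", "htmlscript", "pfdisplay.cgi",
    "www-sql", "view-source", "campas", "aglimpse", "glimpse", "man.sh",
    "AT-admin.cgi", "filemail.pl", "maillist.pl", "jj", "info2www", "files.pl",
    "finger", "bnbform.cgi", "survey.cgi", "classifieds.cgi", "environ.cgi",
    "wrap", "cgiwrap", "guestbook.cgi", "edit.pl", "perlshop.cgi",
    "tigvote.cgi", "php.pp", "infosrch.cgi"
};

/* Default-install file paths (MS type), requested from the server root.
 * The original listed /aspsamp/advworks/equitment/catalog_type.asp twice;
 * the duplicate is dropped. */
static const char *const default_files[] = {
    "/_vti_pvt/service.pwd",
    "/_vti_pvt/users.pwd",
    "/_vti_pvt/authors.pwd",
    "/_vti_pvt/administrators.pwd",
    "/_vti_bin/shtml.dll",
    "/_vti_bin/shtml.exe",
    "/cgi-dos/args.bat",
    "/cgi-win/uploader.exe",
    "/cgi-bin/rguest.exe",
    "/cgi-bin/wguest.exe",
    "/scripts/issadmin/bdir.htr",
    "/scripts/CGImail.exe",
    "/scripts/tools/newdsn.exe",
    "/scripts/fpcount.exe",
    "/cfdocs/expelval/openfile.cfm",
    "/cfdocs/expelval/exprcalc.cfm",
    "/cfdocs/expelval/displayopenedfile.cfm",
    "/cfdocs/expelval/sendmail.cfm",
    "/iissamples/exair/howitworks/codebrws.asp",
    "/carbo.dll",
    "/iissamples/sdk/asp/docs/codebrws.asp",
    "/msads/Samples/SELECTOR/showcode.asp",
    "/search97.vts",
    "/msadc/msadcs.dll",
    "/default.asd::$DATA",
    "/advworks/equitment/catalog_type.asp",
    "/aspsamp/advworks/equitment/catalog_type.asp",
    "/session/adminlogin?RCpage=/sysadmin/index.stm"
};

/**
 * Parse the status code out of an HTTP response.
 *
 * @param resp  NUL-terminated response text, expected to start with the
 *              status line ("HTTP/x.y NNN ...").
 * @return the three-digit status code, or -1 when resp is NULL, does not
 *         start with "HTTP/", or has no three digits after the first space.
 */
static int http_status_code(const char *resp)
{
    if (resp == NULL || strncmp(resp, "HTTP/", 5) != 0) {
        return -1;
    }
    const char *digits = strchr(resp, ' ');
    if (digits == NULL) {
        return -1;
    }
    digits++;
    int code = 0;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)digits[i])) {
            return -1;
        }
        code = code * 10 + (digits[i] - '0');
    }
    return code;
}

/**
 * Validate a TCP port given as a decimal string.
 *
 * @param s  NUL-terminated string from the command line.
 * @return the port in 1..65535, or -1 when s is empty, has trailing junk,
 *         overflows, or is out of range.
 */
static int parse_port(const char *s)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (s[0] == '\0' || *end != '\0' || errno == ERANGE || v < 1 || v > 65535) {
        return -1;
    }
    return (int)v;
}

/**
 * Resolve name to an IPv4 address and fill in t.
 *
 * @param t     output; t->name aliases name (not copied), t->addr is set.
 * @param name  hostname or dotted quad from the command line.
 * @param port  TCP port, already validated by parse_port().
 * @return 0 on success, -1 when the name does not resolve to an IPv4 address.
 */
static int resolve_target(struct target *t, const char *name, int port)
{
    struct hostent *he = gethostbyname(name);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL) {
        return -1;
    }
    memset(&t->addr, 0, sizeof t->addr);
    t->addr.sin_family = AF_INET;
    t->addr.sin_port = htons((uint16_t)port);
    /* h_addrtype was checked above, so the entry is exactly an in_addr. */
    memcpy(&t->addr.sin_addr, he->h_addr_list[0], sizeof t->addr.sin_addr);
    t->name = name;
    return 0;
}

/**
 * Open a TCP connection, send one raw request and read one chunk of reply.
 *
 * @param host      resolved endpoint.
 * @param request   complete, NUL-terminated request text sent as-is.
 * @param resp      output buffer; always NUL-terminated on return
 *                  (empty when nothing was read).
 * @param resp_len  size of resp in bytes; must be > 0.
 * @return the HTTP status code, FETCH_NO_STATUS when the reply has none,
 *         or FETCH_NO_CONNECT when no connection could be made.
 *
 * Only a single recv() is issued, as in the original; long header blocks
 * may be cut off but the status line is what the callers need.
 */
static int fetch(const struct sockaddr_in *host, const char *request,
                 char *resp, size_t resp_len)
{
    if (resp_len == 0) {
        return FETCH_NO_STATUS;
    }
    resp[0] = '\0';

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        return FETCH_NO_CONNECT;
    }
    if (connect(fd, (const struct sockaddr *)host, sizeof *host) != 0) {
        close(fd);
        return FETCH_NO_CONNECT;
    }

    int code = FETCH_NO_STATUS;
    size_t len = strlen(request);
    if (send(fd, request, len, 0) == (ssize_t)len) {
        /* Leave one byte for the terminator; the original recv()'d the whole
         * buffer and then ran strstr() over it unterminated. */
        ssize_t got = recv(fd, resp, resp_len - 1, 0);
        if (got > 0) {
            resp[got] = '\0';
            code = http_status_code(resp);
        }
    }
    close(fd);
    return code;
}

/**
 * GET a single path and return its status code.
 *
 * @param host      resolved endpoint.
 * @param path      request-target, e.g. "/cgi-bin/".
 * @param resp      response buffer, see fetch().
 * @param resp_len  size of resp.
 * @return as fetch(); FETCH_NO_STATUS when path does not fit the request
 *         buffer (the request is then not sent at all).
 *
 * The request line terminator is kept as the original sent it (bare LF).
 */
static int fetch_path(const struct sockaddr_in *host, const char *path,
                      char *resp, size_t resp_len)
{
    char req[REQ_BUF_LEN];
    int n = snprintf(req, sizeof req, "GET %s HTTP/1.0\n\n", path);
    if (n < 0 || (size_t)n >= sizeof req) {
        return FETCH_NO_STATUS;
    }
    return fetch(host, req, resp, resp_len);
}

/* The original exit(0)'d here; a lost target is a failure, so exit(1). */
_Noreturn static void die_lost_connection(const char *name)
{
    printf("Connection attempt failed.. either %s went down in past few "
           "seconds or something is screwed up.\n", name);
    exit(1);
}

/**
 * Print one probe result in the original's format.
 *
 * @param code   result of fetch_path().
 * @param label  what was requested, for the message.
 * @return 1 when the probe answered 200, else 0 (lets callers count hits).
 */
static int report_probe(int code, const char *label)
{
    if (code == 200) {
        printf("HTTP 200 ->");
        printf("Found %s\n", label);
        return 1;
    }
    if (code == 404) {
        printf("HTTP 404 ->");
        printf("%s Not Found\n", label);
        return 0;
    }
    printf("%s ??? Unknown Header response\n", label);
    return 0;
}

/**
 * Probe each entry of cgi_dirs until one answers 403 or 200.
 *
 * @param t  resolved target.
 * @return index into cgi_dirs of the directory found, or -1 when none of
 *         them answered 403/200.  Exits via die_lost_connection() when a
 *         connection fails.
 */
static int find_cgi_dir(const struct target *t)
{
    char resp[RESP_BUF_LEN];

    printf("Determining location of cgi scripts\n");
    for (size_t i = 0; i < ARRAY_SIZE(cgi_dirs); i++) {
        const char *dir = cgi_dirs[i];
        int code = fetch_path(&t->addr, dir, resp, sizeof resp);
        switch (code) {
        case FETCH_NO_CONNECT:
            die_lost_connection(t->name);
        case 403:
            printf("HTTP 403 ->");
            printf("Found %s%s\nPermissions seem to be set correctly\n\n",
                   t->name, dir);
            return (int)i;
        case 200:
            printf("HTTP 200 ->");
            printf("Found %s%s \nWorld readable directory...\n\n", t->name, dir);
            return (int)i;
        case 404:
            printf("HTTP 404 ->");
            printf("%s%s not found...\n", t->name, dir);
            break;
        case 302:
            printf("HTTP 302 ->");
            printf("%s%s -- File moved (not there)\n", t->name, dir);
            break;
        default:
            printf("%s%s -- Unrecognized HTTP header response\n", t->name, dir);
            break;
        }
    }
    return -1;
}

/**
 * Request every name in cgi_scripts under dir.
 *
 * @param t    resolved target.
 * @param dir  directory found by find_cgi_dir(), with trailing slash.
 * @return number of requests answered 200.
 */
static int scan_cgi_scripts(const struct target *t, const char *dir)
{
    char path[REQ_BUF_LEN];
    char resp[RESP_BUF_LEN];
    int found = 0;

    for (size_t i = 0; i < ARRAY_SIZE(cgi_scripts); i++) {
        int n = snprintf(path, sizeof path, "%s%s", dir, cgi_scripts[i]);
        if (n < 0 || (size_t)n >= sizeof path) {
            continue; /* cannot happen with the tables above, but stay bounded */
        }
        int code = fetch_path(&t->addr, path, resp, sizeof resp);
        if (code == FETCH_NO_CONNECT) {
            die_lost_connection(t->name);
        }
        found += report_probe(code, path);
    }
    return found;
}

/**
 * Request every path in default_files from the server root.
 *
 * @param t  resolved target.
 * @return number of requests answered 200.
 */
static int scan_default_files(const struct target *t)
{
    char resp[RESP_BUF_LEN];
    int found = 0;

    for (size_t i = 0; i < ARRAY_SIZE(default_files); i++) {
        int code = fetch_path(&t->addr, default_files[i], resp, sizeof resp);
        if (code == FETCH_NO_CONNECT) {
            die_lost_connection(t->name);
        }
        found += report_probe(code, default_files[i]);
    }
    return found;
}

/*
 * Usage: jas [server] [port]
 *
 * Prints the server's HEAD / headers, locates a script directory, probes the
 * script and default-file tables and prints a hit count.  Returns 0 after a
 * complete run, 1 on bad arguments, resolution failure or lost connection.
 */
int main(int argc, char *argv[])
{
    /* The original ran system("clear") first; a PATH-dependent shell-out for
     * a cosmetic screen clear is not worth keeping. */
    printf("$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n");
    printf("$$ -==- jas -==- $$\n");
    printf("$$ decker@n3t.net $$\n");
    printf("$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n");

    if (argc != 3) {
        printf("\nUsage: %s [server] [port]\n", argv[0]);
        return 1;
    }
    int port = parse_port(argv[2]);
    if (port < 0) {
        printf("\nBad port: %s\n", argv[2]);
        return 1;
    }
    printf("\nScanning %s:%s ...\n", argv[1], argv[2]);

    struct target t;
    if (resolve_target(&t, argv[1], port) != 0) {
        printf("\nCould not resolve hostname\n");
        printf("Killing scan...\n");
        return 1;
    }
    printf("Hostname resolved...\nAttempting to connect..\n");

    char resp[RESP_BUF_LEN];
    int code = fetch(&t.addr, "HEAD / HTTP/1.0\n\n", resp, sizeof resp);
    if (code == FETCH_NO_CONNECT) {
        printf("Connection attempt failed.. either %s is down or something "
               "is screwed up ;p \n", argv[1]);
        return 1;
    }
    printf("\nConnected. \nInitiating scan...\n\n");
    printf("%s", resp);

    int total = 0;
    int dir = find_cgi_dir(&t);
    if (dir >= 0) {
        printf("[hit enter to continue]\n");
        (void)getchar();
        total += scan_cgi_scripts(&t, cgi_dirs[dir]);
    } else {
        printf("Couldn't find a cgi script bin directory, scanning only\n"
               "for default install files (MS type)\n");
    }
    total += scan_default_files(&t);

    printf("\nJAS found %d lame ass holes on the site\n", total);
    printf("\nDONE.\n");
    return 0;
}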