IIS vulnerability scanner tool

David Dandar ddandar at odu.edu
Fri Jul 20 19:45:54 GMT 2001


Below is a rough-cut perl script I whipped up to test for vulnerable IIS
servers.  I can offer no guarantees, but it seems to be reporting good info. 
It's based on a report on Bugtraq that fingerprinted some different
responses to an exploit attempt.  I know Microsoft has something out there
that reports patch information, but this is an alternative method.

I recommend using nmap or some other method of finding hosts listening on
port 80, then feed the IP addresses in on stdin, or via a file listing on
the command-line to this script.  The output lines contain the first 4k of
the response from the server, whitespace squished, so they can be very long. 
The "cannot determine address" and "bad file descriptor" errors are failed
connects.

It shouldn't crash anything, but you have been warned. :-)  Use at your own
risk.  I recommend trying it on a few known hosts first.

David

-- snip scanner.pl --

#!/usr/bin/perl
# Probe a list of web servers for the IIS .ida (Index Server ISAPI) hole by
# sending one oversized request and fingerprinting the reply, as described
# in the accompanying message.

use strict;
use warnings;
use IO::Socket;
use IO::Select;

my $parallel = 20;   # connections kept open at once
my $timeout  = 5;    # seconds allowed for the connect and for the reply
$| = 1;              # unbuffered stdout so progress shows as it happens

my @hosts;           # hosts not yet contacted
my %hosts;           # socket -> host name, for sockets awaiting a reply
my %timeouts;        # socket -> deadline (epoch seconds) for that reply
my $s = IO::Select->new();

while (<>) {         # Take a list of hosts to scan on stdin or from files named on the command line.
  chomp;
  push(@hosts, $_) if length;
}

# Connect to one host, send the probe and register the socket for reading.
sub sendtest {
  my $host = shift;
  my $fd;
  print "$host: contacting...\n";

  eval {
    local $SIG{ALRM} = sub { die("$host: TIMEOUT on connect\n") };
    alarm($timeout);
    $fd = IO::Socket::INET->new(PeerAddr => $host,
                                PeerPort => 80,
                                Proto    => "tcp")
      or die("$host: Failed to connect: $!\n");
    $fd->send("GET /NULL.ida?" . ("x" x 200) . "=X HTTP/1.1\nHost: OCCS-test\n\n");
    alarm(0);
  };
  alarm(0);          # a failed connect must not leave an alarm pending
  if ($@) {
    print $@;
    return;
  }
  $s->add($fd);
  $hosts{$fd}    = $host;
  $timeouts{$fd} = time + $timeout;
}

# Stop tracking a socket and close it.
sub forget {
  my $fd = shift;
  $s->remove($fd);
  $fd->close;
  delete $hosts{$fd};
  delete $timeouts{$fd};
}

# Read the start of the reply and classify it by the strings IIS returns.
sub recvtest {
  my $fd  = shift;
  my $msg = '';
  print "$hosts{$fd}: receiving...\n";
  $fd->recv($msg, 4096);       # the first 4k is enough to fingerprint
  $msg =~ s/\s/ /g;            # squash whitespace so each result is one line
  if ($msg =~ /Microsoft-IIS\/(\d+\.\d+)/) {
    my $ver = $1;
    if ($msg =~ /0x80040e14/) {
      print "$hosts{$fd}: patched IIS $ver: $msg\n";
    }
    elsif ($msg =~ /The IDQ file NULL\.ida could not be found\./) {
      print "$hosts{$fd}: UNPATCHED IIS $ver: $msg\n";
    }
    elsif ($msg =~ /404 Object Not Found/ && $ver ne "5.0") {
      print "$hosts{$fd}: Possibly UNPATCHED IIS $ver: $msg\n";
    }
    else {
      print "$hosts{$fd}: UNKNOWN IIS $ver: $msg\n";
    }
  }
  else {
    print "$hosts{$fd}: Unknown Response: $msg\n";
  }
  forget($fd);
}

# Keep going until every host has been contacted AND every open socket has
# either answered or timed out, so the last batch of replies is not dropped.
while (@hosts || $s->count) {
  while ($s->count < $parallel && @hosts) {
    sendtest(shift(@hosts));
  }

  # Wait no longer than the earliest outstanding deadline.
  my $next = time + $timeout;
  foreach my $fd ($s->handles) {
    $next = $timeouts{$fd} if $timeouts{$fd} < $next;
  }
  my $wait = $next - time;
  $wait = 0 if $wait < 0;    # select() rejects a negative timeout

  foreach my $fd ($s->can_read($wait)) {
    recvtest($fd);
  }

  foreach my $fd ($s->handles) {
    if (time > $timeouts{$fd}) {
      print "$hosts{$fd}: TIMEOUT on read\n";
      forget($fd);
    }
  }
}

-- end snip --

-- 
David Dandar 	  	University Data Security Administrator
tel: 757.683.6203 	Office of Computing and Communications Services
fax: 757.683.5155 	Old Dominion University - Norfolk, Virginia. USA

DSA ID 89767A13: 4257 54C2 57EE DA67 8968  6926 B3EF 1FE8 8976 7A13
To report a network/security incident, please e-mail <abuse at odu.edu>
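The scanner above sends a fixed request, GET /NULL.ida? followed by 200 "x" characters and "=X", so the same probe is easy to recognise from the server side. The following is an added example, not part of David's post, that reads an IIS W3C-extended log and flags requests for the .ida/.idq indexing extensions whose query string is a long run of one repeated character. The log excerpt is constructed sample data using the standard W3C field names (c-ip, cs-uri-stem, cs-uri-query, sc-status); the "100 or more identical characters" threshold is this example's own heuristic, not something the post states.

```python
import re
from collections import Counter

# Constructed IIS W3C-extended log excerpt (sample data, not from the post).
# The two /NULL.ida lines carry exactly the query the scanner in the post
# sends: 200 "x" characters followed by "=X". The /default.ida line is a
# second probe built with a different filler so the check is not tied to
# one string, and the .idq line is a legitimate Index Server query that must
# not be flagged.
PROBE_QUERY  = "x" * 200 + "=X"
PROBE_QUERY2 = "N" * 230 + "=Y"
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-20 19:45:54 192.0.2.10 GET /NULL.ida {PROBE_QUERY} 404
2001-07-20 19:45:55 192.0.2.11 GET /index.htm - 200
2001-07-20 19:45:57 192.0.2.10 GET /NULL.ida {PROBE_QUERY} 200
2001-07-20 19:46:02 192.0.2.12 GET /search.idq CiRestriction=report 200
2001-07-20 19:46:05 192.0.2.13 GET /default.ida {PROBE_QUERY2} 200
"""

# Heuristic (our assumption, not stated in the post): a request for the
# indexing ISAPI extensions (.ida/.idq) whose query string contains a run of
# MIN_RUN or more identical characters is an overflow probe, not a real query.
MIN_RUN  = 100
IDX_EXT  = re.compile(r"\.id[aq]$", re.IGNORECASE)
LONG_RUN = re.compile(r"(.)\1{%d,}" % (MIN_RUN - 1))


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date ...
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_ida_probe(record):
    """True when the request matches the .ida/.idq long-run probe pattern."""
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "-")   # IIS logs "-" for no query
    return (IDX_EXT.search(stem) is not None
            and query != "-"
            and LONG_RUN.search(query) is not None)


def find_probes(text):
    """Return (c-ip, cs-uri-stem, sc-status) for every probe-like request."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in parse_w3c(text) if is_ida_probe(r)]


def sources(text):
    """Count probe requests per client address."""
    return Counter(ip for ip, _, _ in find_probes(text))


if __name__ == "__main__":
    for ip, stem, status in find_probes(SAMPLE_LOG):
        print(f"{ip} probed {stem}, server answered {status}")
    for ip, n in sources(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} probe(s)")
```

Reading the columns from the #Fields line rather than hard-coding positions matters because IIS lets administrators choose which fields are logged; the sc-status column is kept in the output because a 200 to a request for a file that does not exist is exactly the reply the scanner treats as "UNPATCHED".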


