#!/usr/bin/perl
#################################################################
# domscan heavily modified to find root.exe on any number       #
# of hosts. Although not the quickest scanner it's better       #
# than searching by hand, no?                                   #
# Also you can play with the timeout to your likeings. I just   #
# chose 2 because of slow webservers. Feel free to try 1.       #
# if you modify this please put my email on it, and send me     #
# the revised code.                                             #
# written by: idawson@athenasecurity.com.                       #
# (domscan written by Pavel Aubuchon-Mendoza, 1998              #
# root@deviance.org, http://www.deviance.org/                   #
# give props to him because his ip scheme is sweet ;).          #
# Usage: ./rootscan 111.111.111.111 222.222.222.222             #
#################################################################
#
# Overview (reviewer notes):
#   Walks every IPv4 address from $ARGV[0] to $ARGV[1] inclusive and, for
#   each host, opens TCP port 80 and issues one HTTP/1.0 GET for
#   "/msadc/root.exe?/c+dir" and one for "/scripts/root.exe?/c+dir".
#   A first response line matching "HTTP/1.1 200" is recorded as a hit.
#   The usage text calls this the "cr2 backdoor": the Code Red II worm
#   left a copy of cmd.exe named root.exe under those two IIS web roots,
#   so a 200 here indicates an already-compromised host.
#
#   Detection note: this exact request string ("root.exe?/c+dir") is a
#   long-standing IDS/WAF signature, so a run of this script is itself
#   very visible in web server and network logs.
#
#   Legacy Perl: no "use strict"/"use warnings", all variables are package
#   globals, bareword filehandle, 2-arg open, and "&sub" call syntax.
#   Comments below describe what the code does as written; nothing has
#   been changed.

use IO::Socket;

# Raw range endpoints, exactly as typed on the command line.
$start = $ARGV[0];
$end = $ARGV[1];

# CRLF and the blank-line terminator appended to every request
# (4 x CRLF, i.e. header end plus two extra empty lines).
$EOL = "\015\012";
$BLANK = $EOL x 4;

# Either endpoint missing -> usage() prints help and die()s.
if($start eq "" || $end eq "") { &usage; }

# Interactive verbosity prompt.
# NOTE(review): the filehandle read on the next line appears to have been
# lost in extraction (most likely "<STDIN>"); as shown here it does not parse.
print "Show every connection attempt [y/n]?: ";
chomp($verbose=);
if ($verbose eq "y") { $verbose = 1; } else { $verbose = 0; print "\n\nPlease wait for results...\n" }

# Split each endpoint on "." and require exactly four non-empty fields.
# countelm() only checks for non-empty elements; it does not verify that
# each field is numeric or within 0..255.
@ip1 = split(/\./,$start);
@ip2 = split(/\./,$end);
$numip1 = &countelm(@ip1);
$numip2 = &countelm(@ip2);
if($numip1 ne 4 || $numip2 ne 4) { print "\nMalformed Ip address!\n"; die "Breaking on bad IP"; }

# Pack each dotted quad into a single integer (a.b.c.d -> a*2^24 + ...).
$ip1 = (($ip1[0]*16777216)+($ip1[1]*65536)+($ip1[2]*256)+$ip1[3]);
$ip2 = (($ip2[0]*16777216)+($ip2[1]*65536)+($ip2[2]*256)+$ip2[3]);

# Range must be ascending.
if($ip2 < $ip1) { die "Way to type cap'n..."; }

print "\nroot.exe Scanner Written by: idawson\@athenasecurity.com\n";
print "Scanning from $start to $end\n\n";

# $cip = current address, $eip = one past the last address (loop is
# exclusive on $eip, so the end address itself is scanned).
$cip = $ip1;
$eip = $ip2+1;

# Hits are appended to "<start-ip>.log" in the working directory.
# NOTE(review): 2-arg open with an interpolated filename; the 3-arg form
# open(FOUND, '>>', $log) is the safe idiom. A failed open only warn()s,
# so later "print FOUND" lines silently go nowhere.
$log = "$start.log";
open(FOUND, ">>$log") || warn "can't log to $log: $!";

# Web roots probed on every host.
@dirs = ("/msadc", "/scripts");
# Hit list printed at the end; indexed by $i, which is incremented for
# every probe (hit or not), so @found contains undef gaps between hits.
@found = ();
$i = 0;

# Main loop: one iteration per address, one probe per entry in @dirs.
# NOTE(review): string comparison (ne) on integers; works here because
# both values are plain integers but "!=" would express the intent.
while($cip ne $eip) {
    # getquad() writes the dotted-quad bytes into the global @bytes
    # and also returns them.
    @bytes = &getquad($cip);
    $target = "$bytes[0]\.$bytes[1]\.$bytes[2]\.$bytes[3]";

    foreach $dirs (@dirs) {
        # Per-probe state: $flag = hit indicator, @res/$results = reply.
        $flag = 0;
        @res = ();
        $results = ();
        if ($verbose == 1) { print "\nTrying $target$dirs/root.exe\t"; }
        $host = $target;
        $port = 80;
        # 2-second connect timeout (see banner). Indirect-object "new"
        # syntax; IO::Socket::INET->new(...) is the preferred spelling.
        $sock = new IO::Socket::INET(PeerAddr => $host, PeerPort => $port, Timeout => 2, Proto => 'tcp');
        if(!$sock) {
            $flag = 0;
            if ($verbose == 1) { print "Can't Connect";}
        } else {
            # Hard 10-second ceiling on send+read: SIGALRM die()s out of
            # the eval; alarm(0) inside the eval cancels it on success.
            $SIG{ALRM} = sub { die "Timed Out"; };
            alarm(10);
            eval {
                $cmd = "GET $dirs/root.exe?/c+dir HTTP/1.0$BLANK";
                print $sock "$cmd";
                # Reads at most 1000 bytes of the reply; only the first
                # line is examined below.
                read $sock, $results, 1000;
                alarm(0); # cancel pending alarm
            };
        }
        # NOTE(review): $@ is tested even when the connect failed and no
        # eval ran this iteration, so a "Timed Out" left over from an
        # earlier probe is re-reported here (and close() is called on a
        # false $sock). $@ is never reset between probes.
        if ($@ =~ /Timed Out/) {
            print "Timed out\n";
            close($sock);
        } else {
            # Only an exact "HTTP/1.1 200" status line counts as a hit;
            # "HTTP/1.0 200" replies are not matched.
            @res = split(/\n/, $results);
            if ($res[0] =~ /HTTP\/1.1 200/) {
                $found[$i] = ("$target$dirs\n");
                $flag = 1;
                print FOUND "$found[$i]\n";
                if ($flag == 1 && $verbose == 1) { print "\tFound\n"; }
            }
            if ($flag == 0 && $verbose == 1) { print "\tNot Found\n"; }
        }
        # Advances on every probe, not only on hits (see @found above).
        $i++;
    }
    $cip++;
}

# Final report: header followed by the raw @found entries (each already
# newline-terminated; undef gaps print as empty strings).
@flog = ( "IP\(s\) with root.exe backdoor:", "-----------------------------", );
print join("\n",@flog) . "\n";
print @found;
close(FOUND);

# getquad($ip): integer -> dotted-quad byte list.
# Side effect: stores the bytes in the global @bytes (and clobbers the
# global $rem); returns the same four values.
sub getquad {
    my($ip) = @_;
    $bytes[0] = int $ip/16777216;
    $rem = $ip % 16777216;
    $bytes[1] = int $rem/65536;
    $rem = $rem % 65536;
    $bytes[2] = int $rem/256;
    $rem = $rem % 256;
    $bytes[3] = $rem;
    @bytes;
}

# usage(): print syntax help and terminate via die().
sub usage {
    print "root.exe scanner for help locating cr2 backdoor.\n\n";
    print "coded by:idawson\@athenasecurity.com";
    print "\nSyntax:\n\n";
    print " $0 [starting IP] [ending IP]\n\n";
    print " Ex : $0 1.1.1.1 1.1.2.36\n\n\n";
    die "Invalid syntax.\n";
}

# countelm(@list): number of leading non-empty elements, i.e. it stops at
# the first empty-string/undef element rather than counting the whole
# list. Uses the global $count. Under "use warnings" the terminating
# undef comparison would emit an uninitialized-value warning.
sub countelm {
    my(@ip) = @_;
    $count = 0;
    while($ip[$count] ne "") { $count++; }
    $count;
}