Author: Wiseman (wiseman@spray.se)
Website for now: www.geocities.com/real_wiseman
Filename: iisupload.pl
Current Version: 1.03
Created: 28th of May 2001
Last Changed: 26th of October 2001
-------------------------------------------------------------------------
Description:
------------------------------------------------------------------------
iisupload.pl checks whether an IIS 4/5 server is vulnerable to the
Unicode exploit. If so, it also gives the user the option to
upload files to the webserver.

Scripts of this kind have been written before. I know, I know.
Sometimes I just prefer to write my own scripts so I know
exactly (yeah, right...) what happens.

-------------------------------------------------------------------------
Syntax:
------------------------------------------------------------------------
iisupload.pl -i <IP-address of target:port> [-u <name of file to upload>]

Mandatory switches:
-------------------
 -i <IP-address of target:port>; if no port is specified, port 80/http is assumed.

Optional switches:
------------------
-u <name of file to upload>


------------------------------------------------------------------------
Change History
------------------------------------------------------------------------

1.03: (26th of October)
 Changed the order of the directories so the script directory is checked
 first. No big deal.

 Added another .asp file with a corresponding .bat file to create a user
 with Administrator privileges on an IIS4. (If you have not received the
 files, just this Perl-script, check my website or mail me.)

 1.02: (25th of July)
 What can I say... I found a serious bug in the Sendraw routine, which I
 btw ripped from Roelof, who in turn ripped it from rfp.
 It bugged out when a certain IP address was found.
 I have now fixed this, but I have *not yet* commented all that I did.
 Live with this until version 1.03...

 1.01: (25th of July)
 Updated the Unicode directories. Be warned though that many of these
 directories *will* indicate a vulnerability to the Unicode exploit, and
 of course you can do some DOS commands etc., but they won't let you upload,
 or more specifically, won't let you copy CMD.EXE.
 You have been warned.

 1.0: (20th of July 2001)
 Did a lot of small changes:
 1) Added a check for the brand of webserver.
 Why? I'm glad I asked:
 There seem to be different user permissions assigned in IIS4 vs IIS5, where
 several directories will accept the Unicode file listing
 exploit, i.e. will let you do a dir etc., but won't really let you copy
 cmd.exe or upload files as the permissions disallow writing.
 I verified this on my W2k AS, and several of the directories that are
 "known" to be vulnerable seem to be false positives. You can do some DOS
 commands but not upload anything. 2 bad.
 Right now the directories loaded are the same for IIS4 and IIS5, but this
 setup lets me load different directories depending on webserver version.
 Perhaps I will use this feature in 1.01, who knows.

 2) When uploading, the script will try to upload to every directory found
 vulnerable until it succeeds or the directories run out.

 3) If a file is found on the target with the *same* filename as the
 file the script is trying to upload, the file at the target is first
 *deleted* before the new file is uploaded. I coded this so that ASP-files
 that you upload won't be corrupted if you accidentally upload them again.

 4) Fixed some bugs too of course, but I won't tell you how many... :-)


 0.99: (14th of June 2001)
 Code cleanup. I finally got it to work too! :-)
 There are some small issues still which I plan to fix in the
 1.0 version. This is my last day before vacation, so the changes will
 probably be done after summer.

 0.9:
 First version

------------------------------------------------------------------------
The Usual Disclaimer:
------------------------------------------------------------------------
 This script is written AS-IS and will not be supported.
 Wiseman is not responsible for the script's misuse and is not responsible
 for any damage resulting from running this script.
 It is *not* my fault, so stop complaining.

-----------------------------------------------------------------------
 Known Issues
-----------------------------------------------------------------------
 1) Sometimes the ">" sign isn't transferred OK, mainly *inside* ASP-files.
 God knows why, and neither do I.
 This bug does not seem to affect the starting <% and ending %> of ASP-files.
 If you try to upload an ASP-file that creates a BAT-file (like the file
 pd.asp that you should have received with this Perl-script) with piping
 commands like "pwdump2 > passwords.txt", the ">" will not be transferred
 OK. A workaround is to put these kinds of lines in an ordinary BAT-file and
 upload that file through Upload.asp
 (which you should have received with this script too).
 Execute this BAT-file from an ASP-file and everything should be okay.
 An example of this is found in pd.asp.

 -----------------------------------------------------------------------
 Credits:
 -----------------------------------------------------------------------
 * Roelof Temmingh (roelof@sensepost.com). I ripped some code snippets
   from his script Unicodeloader.pl.
 * Keith Jones (Keith.jones@foundstone.com) from Foundstone, for providing
   me with some nice ideas (and some nice .ASP files to upload too...).
 * BoloTron (bolo@mundivia.com), from whom I took some nice exploitable
   Unicode paths.


 ------------------------------------------------------------------------
