Author: Wiseman (wiseman@spray.se)
Website for now: www.geocities.com/real_wiseman
Filename: iisupload.pl
Current Version: 1.03
Created: 28th of May 2001
Last Changed: 26th of October 2001

--------------------------------------------------------------------------
Description:
-------------------------------------------------------------------------
iisupload.pl checks if an IIS4/5 server is vulnerable to the Unicode
exploit. If so, it also gives the user the option to upload files to the
webserver.

This kind of script has been written before. I know, I know. Sometimes I
just prefer to write my own scripts so I know exactly (yeah, right...)
what happens.

--------------------------------------------------------------------------
Syntax:
-------------------------------------------------------------------------
Syntax: iisupload.pl -i <host[:port]> [-u <file>]

Mandatory switches:
-------------------
-i <host[:port]>   Target host; if no port is specified, port 80/http is
                   assumed.

Optional switches:
------------------
-u <file>          File to upload to the webserver.

-------------------------------------------------------------------------
Change History
-------------------------------------------------------------------------
1.03: (26th of October)
  Changed the order of the directories so the script directory is checked
  first. No big deal.
  Added another .asp file with a corresponding .bat file to create a user
  with Administrator privileges on an IIS4. (If you have not received the
  files, just this Perl-script, check my website or mail me.)

1.02: (25th of July)
  What can I say... I found a serious bug in the Sendraw routine, which I
  btw ripped from Roelof, who in turn ripped it from rfp. It bugged out
  when a certain IP address was found. I have now fixed this but I have
  *not yet* commented all that I did. Live with this until version 1.03...

1.01: (25th of July)
  Updated the Unicode directories. Be warned though that many of these
  directories *will* indicate a vulnerability for the Unicode exploit, and
  of course you can do some DOS commands etc., but they won't let you
  upload, or more specifically, won't let you copy CMD.EXE. You have been
  warned.

1.0: (20th of July 2001)
  Did a lot of small changes:
  1) Added check for brand of webserver. Why? I'm glad I asked: there seem
     to be different user permissions assigned in IIS4 vs IIS5, where
     several directories will accept the Unicode file listing exploit,
     i.e. will let you do a dir etc. but won't really let you copy cmd.exe
     or upload files as the permissions disallow writing. I verified this
     on my W2k AS and several of the directories that are "known" to be
     vulnerable seem to be false positives. You can do some DOS commands
     but not upload anything. 2 bad. Right now the directories loaded are
     the same for IIS4 and IIS5, but this setup lets me load different
     directories depending on webserver version. Perhaps I will use this
     feature in 1.01, who knows.
  2) When uploading, the script will try to upload to every directory
     found vulnerable until it succeeds or the directories run out.
  3) If a file is found on the target with the *same* filename as the
     file the script is trying to upload, the file at the target is first
     *deleted* before the new file is uploaded. I coded this so that
     ASP-files that you upload won't be corrupted if you accidentally
     upload them again.
  4) Fixed some bugs too of course, but I won't tell you how many... :-)

0.99: (14th of June 2001)
  Code cleanup. I finally got it to work too! :-) There are still some
  small issues which I plan to incorporate in the 1.0 version. This is my
  last day before vacation so the changes will probably be done after
  summer.

0.9: First version

-------------------------------------------------------------------------
The Usual Disclaimer:
-------------------------------------------------------------------------
This script is written AS-IS and will not be supported.
Wiseman is not responsible for the script's misuse and is not responsible
for any damage resulting from running this script.
It is *not* my fault so stop complaining.

------------------------------------------------------------------------
Known Issues
------------------------------------------------------------------------
1) Sometimes the ">" sign isn't transferred OK, mainly *inside* ASP-files.
   God knows why, and neither do I. This bug seems not to affect the
   starting <% and ending %> of ASP-files.
   If you try to upload an ASP-file that creates a BAT-file (like the file
   pd.asp that you should have received with this Perl-script) with piping
   commands like "pwdump2 > passwords.txt", the ">" will not be transferred
   OK. A workaround is to put these kinds of lines in an ordinary BAT-file
   and upload this file through Upload.asp (which you should have received
   with this script too). Execute this BAT-file from an ASP-file and
   everything should be okay. An example of this is found in pd.asp.

-----------------------------------------------------------------------
Credits:
-----------------------------------------------------------------------
* Roelof Temmingh (roelof@sensepost.com). I ripped some code snippets from
  his script Unicodeloader.pl
* Keith Jones (Keith.jones@foundstone.com) from Foundstone, for providing
  me with some nice ideas (and some nice .ASP files too to upload...)
* BoloTron (bolo@mundivia.com) from whom I took some nice exploitable
  Unicode paths
------------------------------------------------------------------------
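Added here as a defender-side example, not part of iisupload.pl or its bundled .asp files: the Description above says the script probes directories with the Unicode exploit and then copies CMD.EXE, and the request class that produces is easy to spot in webserver logs once the overlong UTF-8 encodings of "/" and "\" (the ones IIS4/5 failed to normalise) are folded back. The Python below does that over constructed IIS W3C-style log lines; the log lines, field layout and function names are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (not real traffic); assumed fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-10-26 10:00:01 10.0.0.5 GET /default.asp - 200
2001-10-26 10:00:02 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-10-26 10:00:03 10.0.0.9 GET /msadc/..%c1%9c../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\x.exe 502
2001-10-26 10:00:04 10.0.0.7 GET /images/logo.gif - 304
"""

def decode_overlong(uri: str) -> str:
    """Percent-decode, then fold two-byte overlong UTF-8 sequences (lead byte
    0xC0/0xC1) back to the single ASCII byte they encode. %c0%af -> '/' and
    %c1%9c -> backslash are the encodings the IIS4/5 Unicode bug accepted."""
    raw = unquote_to_bytes(uri)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

TRAVERSAL = re.compile(r"(^|[\\/])\.\.[\\/]")           # a "../" or "..\" step
CMD_EXE = re.compile(r"[\\/]cmd\.exe$", re.IGNORECASE)  # stem ends in cmd.exe

def analyse_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, c_ip, _method, uri, query, status = parts[:7]
    decoded = decode_overlong(uri)
    plain = unquote_to_bytes(uri).decode("latin-1")
    overlong = decoded != plain               # overlong bytes were folded away
    traversal = bool(TRAVERSAL.search(decoded))
    hits_cmd = bool(CMD_EXE.search(decoded))
    if not (overlong or (traversal and hits_cmd)):
        return None
    return {"ip": c_ip, "decoded": decoded, "query": query, "status": status,
            "overlong": overlong, "traversal": traversal, "cmd_exe": hits_cmd}

def scan(log: str) -> list:  # run analyse_line over a whole log, keep findings
    return [f for f in (analyse_line(l) for l in log.splitlines()) if f]
```

Any overlong sequence in a request path is worth an alert on its own, since no legitimate client emits one; the traversal-plus-cmd.exe check additionally catches the plain "../" form that a patched server rejects but a scanner still tries.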