Bombers
Feb 27 2004, 03:13 PM
The new exploit that is released is very dangerous! BUT there is a workaround:
The exploit uses the MDTM command
You can simply turn this off in your serv-u admin.
Go to: domains > settings > advanced, and then "allow MDTM command to change file date/time"
Turn that off!
Your serv-u server will crash, but isn't hackable anymore...
Hope you can use this......
please reply
MxMx
Feb 27 2004, 03:37 PM

wiehoe .. thanks man

this xploit could cause me some serious shit

but not anymore ..
thanks
Pro21
Feb 27 2004, 03:40 PM
yes to info i will try this after my work
OldSkool
Feb 27 2004, 03:49 PM
thx good job =)
x1`
Feb 27 2004, 03:56 PM
do u only get one chance with this exploit i tried it and it never gave me shell it said maybe its firewalled

so now the ftp is down
chrispen
Feb 27 2004, 05:23 PM
i tried this locally with serv-u 5 and it still exploits it.
jetprice
Feb 27 2004, 05:26 PM
| QUOTE (MxMx @ Feb 27 2004, 03:37 PM) |
wiehoe .. thanks man  this xploit could cause me some serious shit but not anymore ..
thanks |
Yea it would be such a shame to see all your stros go down wouldn't it be?
Actually i find this thread quite amusing, really good for posting in a laughter lounge (not the topic tho)
pdf
Feb 27 2004, 05:30 PM
another way to "protect your stro"
try posting download stros like this:
hello:hey world@ip:port
hell o:heyworld@ip:port
hello:hey&world@ip:port
Sedolf
Feb 27 2004, 05:44 PM
guys just take the newest servu! 5.0.0.4
it won't crash but I don't know if it also doesn't give shell
linuxwolf
Feb 27 2004, 06:15 PM
Anyone want to like.. fill me in on this exploit? I've been out of 'the scene' for awhile... Is this windows shell access by erm... serv-u? or root access? or multi system? :s
Flapdrol
Feb 27 2004, 06:28 PM
It allows for remote command execution, and thus a shell. But it only affects Servu when correct credentials are given and it needs a writable dir too. So you might want to patch up when you use servu and give out write-xs accounts to customers for example.
Use the search if you want the sploit itself. It's fairly recently discovered btw.
BuzzDee
Feb 27 2004, 10:51 PM
u don't need a writeable dir! that makes the sploit even more... errr... dangerous? lame? whatever...
btw: I READ THAT IT GIVES U SYSTEM RIGHTS!!! is that right? i read this on cnhoncker...
greetz
nolimit
Feb 27 2004, 11:40 PM
Duh, if you run your serv-u as system, then yes it gives system rights. if you run it as admin, admin rights, user, user rights. most hackers run as system, ergo, you get SYSTEM.
Double-=V=-
Feb 27 2004, 11:42 PM
Just updating serv-u is safe imho.
Raedemer
Feb 27 2004, 11:58 PM
Thanks for the information m8 !
I hope scriptkiddies won't hack my ftp server now
SkitZZ
Feb 28 2004, 12:08 AM
| CODE |
C:\Tools>serv-u -h xxx.xxx.xxx.xxx -P xxxx -t 2 -u 123 -p 456 -d 4200
Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit v5.0
bug find by bkbll (bkbll@cnhonker.net) code by Sam (Sam@0x557.org)
# Connecting......
[+] Connected.
[*] USER 123 .
[*] 10 bytes send.
[*] PASS 456 .
[*] 10 bytes send.
[+] login success .
[+] remote version: Serv-U v3.x/4.x/5.x with Windows 2K EN
[+] trigger vulnerability !
[+] 770 bytes overflow strings sent!
[+] successed!!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\>whoami.exe
whoami.exe
NT AUTHORITY\SYSTEM
|
looks like system rights to me
SkitZZ
stonebreaker
Feb 28 2004, 06:07 AM
oh it is a good idea
thx very much
Voxell
Feb 28 2004, 04:47 PM
He bombers.... That was some info I gave you!!!

Anyway as long as it works huh...
linuxwolf
Feb 28 2004, 05:12 PM
Heh. So, everyone going on a mad rooting spree now? :S
DaClueless
Mar 3 2004, 05:38 AM
| QUOTE (Bombers @ Feb 27 2004, 03:13 PM) |
The new exploit that is released is very dangerous! BUT there is a workaround:
The exploit uses the MDTM command
You can simply turn this off in your serv-u admin.
Go to: domains > settings > advanced, and then "allow MDTM command to change file date/time"
Turn that off!
Your serv-u server will crash, but isn't hackable anymore...
Hope you can use this......
please reply |
When asked if you can disable the MDTM command to protect Serv-U, here is what the author says about it:
| QUOTE |
Rob, Serv-U coder
No, it would not. The part that causes the crash deals with parsing the command. That's done before the check if MDTM should be allowed to change the file's date/time.
Rob -/-
Serv-U Author & Manager
Cat Soft, LLC
|
The only way to protect from the exploit is to upgrade to version 5.0.0.4
I hope that helps