| 1 |
I don't mean to re-start an old topic, but would anyone happen to have |
| 2 |
access to the source code for the second phase of the popular SSH |
| 3 |
probes? The reason I'm interested in it is because I'd like to exploit |
| 4 |
some weaknesses in the code and at least cause it to drop a core. |
| 5 |
|
| 6 |
Currently, I have a service started by xinetd and close stdin on the |
| 7 |
command line arguments to avoid hackers hacking my program. I run a |
| 8 |
bash script as user "nobody" that basically looks like this (extra |
| 9 |
extraneous stuff is removed): |
| 10 |
|
| 11 |
#!/bin/bash |
| 12 |
function fakessh() { |
| 13 |
echo SSH-2.0-OpenSSH_3.9p1 # ID ourself as a valid SSH service |
| 14 |
/bin/cat /dev/urandom # and send random data |
| 15 |
} |
| 16 |
# Main follows - this is run as user "nobody" |
| 17 |
fakessh <&- # Call the payload and (again) close stdin to avoid hacks |
| 18 |
# EOF - fakessh |
| 19 |
|
| 20 |
The result for someone using a normal ssh client is: |
| 21 |
UNIX> ssh localhost |
| 22 |
Disconnecting: Bad packet length 3349376822. |
| 23 |
|
| 24 |
I am hoping to cause some kind of memory problem here and thats why I |
| 25 |
need the source code. Another exploit to examine is what happens with |
| 26 |
zero length packets if we cat /dev/zero. If there is nothing to exploit |
| 27 |
here, I'll remove the "echo" line so I send random data until the hacker |
| 28 |
client terminates his connection. |
| 29 |
|
| 30 |
Thank you, |
| 31 |
Brian Micek |
Archives