I don't mean to re-start an old topic, but would anyone happen to have
access to the source code for the second phase of the popular SSH
probes? The reason I'm interested in it is because I'd like to exploit
some weaknesses in the code and at least cause it to drop a core.

Currently, I have a service started by xinetd and close stdin on the
command line arguments to avoid hackers hacking my program. I run a
bash script as user "nobody" that basically looks like this (extra
extraneous stuff is removed):

#!/bin/bash
function fakessh() {
    echo SSH-2.0-OpenSSH_3.9p1   # ID ourselves as a valid SSH service
    /bin/cat /dev/urandom        # and send random data
}
# Main follows - this is run as user "nobody"
fakessh <&-   # Call the payload and (again) close stdin to avoid hacks
# EOF - fakessh

The result for someone using a normal ssh client is:
UNIX> ssh localhost
Disconnecting: Bad packet length 3349376822.

I am hoping to cause some kind of memory problem here and that's why I
need the source code. Another exploit to examine is what happens with
zero length packets if we cat /dev/zero. If there is nothing to exploit
here, I'll remove the "echo" line so I send random data until the hacker
client terminates his connection.

Thank you,
Brian Micek
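The decoy described in the post, rewritten as a small standalone Python listener (an added example, not Brian's script and not from OpenSSH or xinetd): it sends the same identification string, records the probe's own client banner so the scanning tool can be identified from the log, and then streams random bytes, which the OpenSSH client in the post rejects as a bad packet length. The bind address 127.0.0.1:2222, the log format, the byte limit and the constructed probe banner used by the self-check are assumptions.

```python
"""Decoy SSH listener: banner out, client banner logged, random bytes out.

Added example; the port, log format and constructed inputs are assumptions.
Run it under an unprivileged account, as the post does with user "nobody".
"""
import os
import socket
import sys
import threading

BANNER = b"SSH-2.0-OpenSSH_3.9p1\r\n"  # identification string from the post, CRLF-terminated
RANDOM_BYTES = 4096                      # assumed limit on junk sent before hanging up


def read_client_banner(conn, timeout=2.0, limit=255):
    """Read the probe's own identification line (up to LF or `limit` bytes).

    Returns the line without its CR/LF, or b'' if the peer stays silent.
    Reading byte-by-byte keeps us from consuming anything past the line.
    """
    conn.settimeout(timeout)
    buf = bytearray()
    try:
        while len(buf) < limit:
            chunk = conn.recv(1)
            if not chunk or chunk == b"\n":
                break
            buf += chunk
    except socket.timeout:
        pass  # silent probe: log an empty banner rather than block forever
    return bytes(buf).rstrip(b"\r")


def handle(conn, peer, nbytes=RANDOM_BYTES):
    """Serve one connection and return the log line written for it."""
    conn.sendall(BANNER)                       # identify as an SSH server
    client_id = read_client_banner(conn)       # what the scanner claims to be
    log_line = f"{peer[0]}:{peer[1]} client_banner={client_id!r}"
    print(log_line, file=sys.stderr)
    conn.sendall(os.urandom(nbytes))           # junk the client parses as a packet length
    conn.close()
    return log_line


def simulate_probe(client_banner=b"SSH-2.0-probe\r\n", nbytes=64):
    """Offline self-check over a socketpair with a constructed probe banner.

    Returns (log_line, bytes the probe side received). The peer address is a
    constructed documentation address, not a real host.
    """
    server_side, probe_side = socket.socketpair()
    probe_side.sendall(client_banner)
    log_line = handle(server_side, ("203.0.113.5", 40000), nbytes)
    received = bytearray()
    while True:
        chunk = probe_side.recv(4096)
        if not chunk:
            break
        received += chunk
    probe_side.close()
    return log_line, bytes(received)


def serve(host="127.0.0.1", port=2222):
    """Accept connections forever, one thread per probe (assumed bind address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    if "--serve" in sys.argv:
        serve()
    else:
        line, data = simulate_probe()
        print(line, "received", len(data), "bytes")
```

Run it with `--serve` to listen; without arguments it performs the socketpair self-check. Logging the client banner is the detection payoff the shell version lacks: mass scanners usually announce themselves with a distinctive identification string, so the log alone tells you which tool is knocking.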