List Archive: gentoo-security
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
I don't mean to re-start an old topic, but would anyone happen to have access to the source code for the second phase of the popular SSH probes? The reason I'm interested in it is because I'd like to exploit some weaknesses in the code and at least cause it to drop a core.<BR>
<BR>
Currently, I have a service started by xinetd and close stdin on the command line arguments to avoid hackers hacking my program. I run a bash script as user "nobody" that basically looks like this (extra extraneous stuff is removed):<BR>
<BR>
#!/bin/bash<BR>
function fakessh() {<BR>
echo SSH-2.0-OpenSSH_3.9p1 # ID ourself as a valid SSH service<BR>
/bin/cat /dev/urandom # and send random data<BR>
}<BR>
# Main follows - this is run as user "nobody"<BR>
fakessh <&- # Call the payload and (again) close stdin to avoid hacks<BR>
# EOF - fakessh<BR>
<BR>
The result for someone using a normal ssh client is:<BR>
UNIX> ssh localhost<BR>
Disconnecting: Bad packet length 3349376822.<BR>
<BR>
I am hoping to cause some kind of memory problem here and that's why I need the source code. Another exploit to examine is what happens with zero length packets if we cat /dev/zero. If there is nothing to exploit here, I'll remove the "echo" line so I send random data until the hacker client terminates his connection.<BR>
<BR>
Thank you,<BR>
Brian Micek
</BODY>
</HTML>
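An added example (not part of Brian's post, and not OpenSSH code) that models both sides of the exchange described above: what the fakessh() function emits, and the bounds check an SSH client applies to the first 4 bytes after the banner, which is what produces "Bad packet length" for both /dev/urandom and /dev/zero. The 256 KiB PACKET_MAX_SIZE is assumed from OpenSSH's packet.h, and all sample bytes are constructed.

```python
import os
import struct

# Largest binary-packet length OpenSSH accepts before disconnecting with
# "Bad packet length N." (PACKET_MAX_SIZE in OpenSSH's packet.h; the
# 256 KiB value is assumed here, it is not quoted in the post).
PACKET_MAX_SIZE = 256 * 1024

# The post's `echo SSH-2.0-OpenSSH_3.9p1` emits an LF-terminated banner.
BANNER = b"SSH-2.0-OpenSSH_3.9p1\n"


def fakessh_response(payload: bytes) -> bytes:
    """Model of the post's fakessh(): the banner, then whatever /bin/cat
    streams from /dev/urandom (or /dev/zero). `payload` stands in for that."""
    return BANNER + payload


def client_read_first_packet(stream: bytes) -> str:
    """Minimal model of the client side (RFC 4253, sections 4.2 and 6):
    consume the identification line, then read the next 4 bytes as the
    big-endian uint32 packet_length and apply OpenSSH's bounds check."""
    eol = stream.find(b"\n")
    if eol < 0:
        return "waiting for identification string"
    body = stream[eol + 1:]
    if len(body) < 4:
        return "waiting for packet length"
    (packet_length,) = struct.unpack(">I", body[:4])
    # OpenSSH rejects lengths below 1 + 4 (the padding_length byte plus the
    # 4-byte minimum padding) or above PACKET_MAX_SIZE before allocating
    # anything, so bytes that fail the check never reach cipher or MAC code.
    if packet_length < 1 + 4 or packet_length > PACKET_MAX_SIZE:
        return f"Disconnecting: Bad packet length {packet_length}."
    return f"accepted packet_length {packet_length}"


def fraction_of_random_lengths_accepted() -> float:
    """Share of uniformly random uint32 values that survive the bounds check;
    shows how rarely /dev/urandom output gets past the first 4 bytes."""
    return (PACKET_MAX_SIZE - (1 + 4) + 1) / 2**32


if __name__ == "__main__":
    print(client_read_first_packet(fakessh_response(os.urandom(64))))
    print(client_read_first_packet(fakessh_response(b"\x00" * 64)))
    print(f"random lengths accepted: {fraction_of_random_lengths_accepted():.2e}")
```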