Gentoo Archives: gentoo-security

From: Brian Micek <bmicek@×××××××××.net>
To: gentoo-security@l.g.o
Subject: [gentoo-security] SSH probes
Date: Sat, 05 Nov 2005 20:03:36
Message-Id: 1131220618.8882.78.camel@localhost.localdomain
1 I don't mean to re-start an old topic, but would anyone happen to have
2 access to the source code for the second phase of the popular SSH
3 probes? The reason I'm interested in it is because I'd like to exploit
4 some weaknesses in the code and at least cause it to drop a core.
6 Currently, I have a service started by xinetd and close stdin on the
7 command line arguments to avoid hackers hacking my program. I run a
8 bash script as user "nobody" that basically looks like this (extra
9 extraneous stuff is removed):
11 #!/bin/bash
12 function fakessh() {
13 echo SSH-2.0-OpenSSH_3.9p1 # ID ourself as a valid SSH service
14 /bin/cat /dev/urandom # and send random data
15 }
16 # Main follows - this is run as user "nobody"
17 fakessh <&- # Call the payload and (again) close stdin to avoid hacks
18 # EOF - fakessh
20 The result for someone using a normal ssh client is:
21 UNIX> ssh localhost
22 Disconnecting: Bad packet length 3349376822.
24 I am hoping to cause some kind of memory problem here and thats why I
25 need the source code. Another exploit to examine is what happens with
26 zero length packets if we cat /dev/zero. If there is nothing to exploit
27 here, I'll remove the "echo" line so I send random data until the hacker
28 client terminates his connection.
30 Thank you,
31 Brian Micek


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-security] SSH probes William Yang <wyang@××××.net>