Vulnerability Development mailing list archives

Re: blackshell tool1: SSHD vulnerability scanner


From: Rémi Cohen-Scali <Remi () Cohen-Scali com>
Date: Wed, 02 Jan 2002 05:16:49 +0100

(reposted without smime)

Here is a corrected version of your script. Could you explain what you
tried to do?


blackshell () hushmail com wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>this tool is for the purpose of professional security people testing their own private/corporate networks. under no circumstances is the blackshell team responsible for any misuse of this.
>
>#!/usr/bin/perl -w
>
>#--blackshell tool1--#
>#--blackshell-sshd.pl--#
>
># this is a mass scanner for remote security testing
># of networks for the ssh crc32(deattack) bug.
># this is being exploited in the wild at the present time
># and it leads to complete remote compromisation
># of a vulnerable server
>
># vulnerable OS'es include aix, irix, linux, solaris, hpux, unicos(yes)
>
># a few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors
>
>use Thread;
>use Strict;
>use Socket;
>use Getopt::Std;
>use Config;
>
>my $banner = qq(
>Mass SSHD Vulnerability Scanner
>by BlackShell
>blackshell () hushmail com
>);
>
>$exploit_information = qq(
>
>Advisories:
>
>http://www.securityfocus.com/advisories/3088
>http://xforce.iss.net/alerts/advise100.php
>http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
>http://www.securityfocus.com/bugid=2347
>http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
>http://openssh.org/security.html
>http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
>
>
>Information:
>
>http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
>http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
>http://www.newsbytes.com/news/01/171291.html
>http://www.cert.org/incident_notes/IN-2001-12.html
>
>
>Incidents:
>
>http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0240.html
>
>);
>
>
># borrowed from dave's code(thanks :>)
>
>my @affected = (
>'SSH-1.5-1.2.24',
>'SSH-1.5-1.2.25',
>'SSH-1.5-1.2.26',
>'SSH-1.5-1.2.27',
>'SSH-1.5-1.2.28',
>'SSH-1.5-1.2.29',
>'SSH-1.5-1.2.30',
>'SSH-1.5-1.2.31',
>'SSH-1.5-OpenSSH-1.2',
>'SSH-1.5-OpenSSH-1.2.1',
>'SSH-1.5-OpenSSH-1.2.2',
>'SSH-1.5-OpenSSH-1.2.3',
>'SSH-1.99-OpenSSH-2.1',
>'SSH-1.99-OpenSSH_2.1.1',
>'SSH-1.99-OpenSSH_2.2.0',
>'SSH-1.99-OpenSSH_2.2.0p1',
>);
>
>
>
>
>if(! $Config{'usethreads'})
>{
>    print "\nNo Threading Supported";
>    exit 1;
>}
>
>getopts("d:t:l:i:",%args);
>
>my $debug;
>
>
> if($args{i}) > { > my $infile = $args{i} || sshd.in; > print "\nUsing infile: $infile"; > } > elsif($args{d}) > { > $debug = 1; > print "\nUsing Debuging!"; > } > elsif($args{t}) > { > my $timeout = $args{t} || 5; > print "\nUsing Timeout: $args{t}!"; > } > elsif($args{l}) > { > my $logfile = $args{l}; > print "\nUsing logfile: $logfile"; > }
>
> open(FILE,"<$infile") || die "\nCant read from $logfile";
>
> while(<>) > { > chomp($host = $_); > print "\nScanning $host...";
>
> my $thread = Thread->new(\&check_scan,$host); > print "\nScanning $host..."; > my @return = $thread->join; > } > if($debug) > { > my $check; > foreach $check (@return) > { > print "\nDebugging running...."; > print "\n$debug info...:"; > print "\n$check"; > }
>
> }else{
>
> print "\n\n$banner\n"; > print "\n\nOptions: "; > print "\n./$0 -i <INFILE> -l <LOGFILE> -d -t 15"; > print "\n > print "\ndefaults: "; > print "\ntimeout: 5"; > print "\nhost list: sshd.in"; > print "\nlogfile: sshd.log"; > print "\ndebug: no"; > }
>
> }
>    }
>
>sub check_scan ($)
>{
>
>    eval {
>
>    my $host = shift;
>    my $iaddr = inet_aton($host);
>    my $port = "22";
>
> my $paddr = sockaddr_in($port, $host); > my $proto = getprotobyname('tcp'); > socket(SOCK,AF_INET,SOCK_STREAM,$proto) || die "\nCant make Socket: $!"; > alarm($args{t}); > if(connect(SOCK,$paddr)) > { > print "\nSSHD is open on $host"; > print "\n${host}'s response..."; > } > while(<SOCK>) > { > chomp; > print; > $response = $_; > &log($host, $response); > print "\analyzing ${host}'s response..."; > &analyze($host, $response); > }
>
> }
>
> close(SOCK);
>    }
>
>
>
>sub log ($$)
>{
>
>    open(LOG,">$logfile") || die "\nCant open $logfile for writing";
>
>    select(LOG);
>    print "\n$banner\n";
>    print "\n$exploit_information"
>    close(LOG);
>
>    $host = shift;
>    $rez = shift;
>
> open(LOG,">>$logfile") || die "\nCant open $logfile"; > flock(LOG,2) || die "\nCant file lock"; > select(LOG);
>
> print "\nResults:"; > print "\n${host}: $rez"; > print "\n\nFinished...\n";
>
>    close(LOG);
>
>}
>
>
>
>sun analyze ($$)
>{
>
>    $host = shift;
>    $result = shift;
>
>    foreach $checkz (@affected))
>    {
> if($result = $checkz) > { > print "\n$host is running a vulnerable version of SSHD"; > print "\nversion is: $result"; > }
>    }
>}
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.1
>Note: This signature can be verified at https://www.hushtools.com
>
>wl8EARECAB8FAjwxR+IYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
>G+kAoIRsS/BUmFjmlsdgNHSKWW2elojfAJ9ItUcz9Ao1dpbbkzuf184f1RJnNg==
>=Z/EV
>-----END PGP SIGNATURE-----
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>


--
                                                          -o)
                   Remi Cohen-Scali                       /\\
<Remi () Cohen-Scali com>          <rcoscali () rcsnet net>    _\_v
                                                         ----



#!/usr/bin/perl -w

#--blackshell tool1--#
#--blackshell-sshd.pl--#

# this is a mass scanner for remote security testing
# of networks for the ssh crc32(deattack) bug.
# this is being exploited in the wild at the present time
# and it leads to complete remote compromise
# of a vulnerable server

# vulnerable OS'es include aix, irix, linux, solaris, hpux, unicos(yes)

# a few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors

#use strict;
use Config;
use Fcntl qw(LOCK_EX);
use Getopt::Std;
use Socket;
use Thread;

# Text shown on the usage screen and written at the top of the log file.
my $banner = "\nMass SSHD Vulnerability Scanner\nby BlackShell\nblackshell\@hushmail.com\n";

# Pointers dumped into the log so whoever reads it can find the advisories
# and incident reports for the bug this scanner looks for.
my $exploit_information = <<'END_INFO';


Advisories:

http://www.securityfocus.com/advisories/3088
http://xforce.iss.net/alerts/advise100.php
http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
http://www.securityfocus.com/bugid=2347
http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
http://openssh.org/security.html
http://www.cisco.com/warp/public/707/SSH-multiple-pub.html


Information:

http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
http://www.newsbytes.com/news/01/171291.html
http://www.cert.org/incident_notes/IN-2001-12.html


Incidents:

http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
http://archives.neohapsis.com/archives/incidents/2001-12/0240.html

END_INFO


# Server identification strings that analyze() treats as vulnerable
# (list borrowed from dave's code, thanks :>). Matching is exact, so a
# banner has to appear here verbatim to be flagged.
my @affected = qw(
    SSH-1.5-1.2.24
    SSH-1.5-1.2.25
    SSH-1.5-1.2.26
    SSH-1.5-1.2.27
    SSH-1.5-1.2.28
    SSH-1.5-1.2.29
    SSH-1.5-1.2.30
    SSH-1.5-1.2.31
    SSH-1.5-OpenSSH-1.2
    SSH-1.5-OpenSSH-1.2.1
    SSH-1.5-OpenSSH-1.2.2
    SSH-1.5-OpenSSH-1.2.3
    SSH-1.99-OpenSSH-2.1
    SSH-1.99-OpenSSH_2.1.1
    SSH-1.99-OpenSSH_2.2.0
    SSH-1.99-OpenSSH_2.2.0p1
);




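# The old Thread module needs a perl built with thread support; bail out
# before trying to create any thread.
if (!$Config{'usethreads'}) {
    print "\nNo Threading Supported";
    exit 1;
}

# Options: -i host list, -l log file, -t connect/read timeout, -d debug.
# -d is a flag, so it must not carry a ':' in the spec. getopts() wants a
# hash *reference*; the original passed %args, which flattened the (empty)
# hash into nothing and left %args empty for the rest of the run.
my %args;
unless (getopts('dt:l:i:', \%args)) {
    print_usage();
    exit 1;
}

# Defaults are the ones the usage text promises. These are file-scoped so
# the subs below (check_scan, log) see what was really chosen; the original
# declared them with my() inside the if blocks, where nothing could see them.
my $infile  = $args{i} || 'sshd.in';
my $logfile = $args{l} || 'sshd.log';
my $timeout = $args{t} || 5;
my $debug   = $args{d} ? 1 : 0;
$args{t} = $timeout;    # check_scan() reads its timeout from %args

# Without a handler SIGALRM terminates the whole scanner the first time a
# host stalls; with one, the alarm becomes a die() caught by check_scan's eval.
$SIG{ALRM} = sub { die "timeout after ${timeout}s\n" };

print "\nUsing infile: $infile";
print "\nUsing logfile: $logfile";
print "\nUsing Timeout: $timeout!";
print "\nUsing Debuging!" if $debug;

# Three-arg open with a lexical handle; the original's error message named
# $logfile when it was the host list that failed to open.
open(my $hosts, '<', $infile) or do {
    print "\nCant read from $infile: $!";
    print_usage();
    exit 1;
};

my @return;
while (my $host = <$hosts>) {
    chomp $host;
    $host =~ s/\r\z//;                 # tolerate CRLF host lists
    next if $host =~ /\A\s*(?:#|\z)/;  # skip blank lines and comments
    print "\nScanning $host...";

    # join() right after new() means hosts are scanned one at a time; kept
    # as in the original, which never ran hosts in parallel either.
    my $thread = Thread->new(\&check_scan, $host);
    push @return, $thread->join;
}
close($hosts);

# With -d, dump every banner line check_scan() returned. The original only
# kept the last host's result and printed "1 info" (interpolating $debug).
if ($debug) {
    foreach my $check (@return) {
        print "\nDebugging running....";
        print "\ndebug info...:";
        print "\n$check";
    }
}
print "\n";

# print_usage() -- usage screen, shown on bad options or an unreadable host
# list (the original printed it after a complete scan whenever -d was absent).
sub print_usage {
    print "\n\n$banner\n";
    print "\n\nOptions: ";
    print "\n./$0 -i <INFILE> -l <LOGFILE> -d -t 15";
    print "\n";
    print "\ndefaults: ";
    print "\ntimeout: 5";
    print "\nhost list: sshd.in";
    print "\nlogfile: sshd.log";
    print "\ndebug: no";
    return;
}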

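# check_scan($host) -- connect to tcp/22 on $host, read the server's
# identification string, write it to the log and run it through analyze().
# Returns the list of banner lines read (at most one); returns an empty
# list when the host cannot be resolved or connected to, or does not answer
# within the -t timeout.
sub check_scan {
    my ($host) = @_;
    my $timeout = $args{t} || 5;   # seconds; -t, default 5 as the usage says
    my @lines;

    # Resolve first and check the result: the original passed the host *name*
    # to sockaddr_in() instead of $iaddr, so the connect never went where the
    # banner said it did.
    my $iaddr = inet_aton($host);
    unless (defined $iaddr) {
        print "\nCant resolve $host";
        return @lines;
    }
    my $paddr = sockaddr_in(22, $iaddr);

    my $sock;
    eval {
        # A pending SIGALRM with no handler kills the whole scanner; the
        # handler turns a stalled host into a die() caught by this eval.
        local $SIG{ALRM} = sub { die "timeout after ${timeout}s\n" };
        alarm($timeout);

        # Lexical socket instead of the bareword SOCK, which every call (and
        # every thread) would otherwise share.
        socket($sock, AF_INET, SOCK_STREAM, getprotobyname('tcp'))
            or die "\nCant make Socket: $!";
        connect($sock, $paddr) or die "connect failed: $!\n";
        print "\nSSHD is open on $host";
        print "\n${host}'s response...";

        # Read only the identification string. Once it has sent that the
        # server waits for the client's own string, so the original
        # while(<SOCK>) loop sat here until the server gave up on us.
        my $line = <$sock>;
        alarm(0);
        if (defined $line) {
            $line =~ s/\r?\n\z//;   # SSH-2 servers end the banner with CRLF
            print "\n$line";
            push @lines, $line;
            # The '&' is required: a bare log(...) is perl's builtin logarithm.
            &log($host, $line);
            print "\nanalyzing ${host}'s response...";
            &analyze($host, $line);
        }
    };
    alarm(0);    # always clear a pending alarm, including on the die() path
    if ($@) {
        my $err = $@;
        chomp $err;
        print "\n$host: $err";
    }
    close($sock) if defined $sock;

    return @lines;
}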



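# log($host, $banner_line) -- append one result line for $host to the log
# file named by -l ($logfile), writing the banner/advisory header first if
# the file is still empty. Dies if the file cannot be opened, locked or
# closed. Must be called as &log(...): a bare log() is perl's logarithm.
sub log {
    my ($host, $rez) = @_;
    # $logfile is set from -l by the option parsing above; fall back to the
    # default the usage text advertises when it was never set.
    my $path = $logfile || 'sshd.log';

    # Append only. The original reopened the file with '>' on every call,
    # truncating everything written for earlier hosts, so the log only ever
    # held the last result.
    open(my $fh, '>>', $path) or die "\nCant open $path for writing: $!";

    # Take the lock before checking the size so concurrent writers agree on
    # who writes the header; LOCK_EX is the named form of flock(LOG, 2).
    flock($fh, LOCK_EX) or die "\nCant file lock $path: $!";

    if (-z $fh) {
        print {$fh} "\n$banner\n";
        print {$fh} "\n$exploit_information";
    }

    # Print to the handle explicitly rather than select()ing it: the original
    # never selected STDOUT back, so later progress output went to a handle
    # that had already been closed.
    print {$fh} "\nResults:";
    print {$fh} "\n${host}: $rez";
    print {$fh} "\n\nFinished...\n";

    # close() also drops the lock; buffered write errors surface here.
    close($fh) or die "\nCant close $path: $!";
    return;
}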



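# analyze($host, $banner_line [, \@versions]) -- report $host as vulnerable
# when its identification string exactly matches one of the known-bad
# version strings. The optional third argument replaces @affected (useful
# for testing). Returns 1 on a match, 0 otherwise.
#
# NOTE(review): this is banner matching, nothing more. A vendor that
# back-ported the CRC32 fix without changing the version string is reported
# as vulnerable, and a vulnerable build whose banner is not in the list (or
# a deliberately altered banner) is missed. Treat a hit as "verify this",
# not as proof.
sub analyze {
    my ($host, $result, $versions) = @_;
    my @known = $versions ? @{$versions} : @affected;

    # Accept a banner that still carries its line terminator: SSH-2 servers
    # end it with CRLF, and chomp() alone would have left the \r behind,
    # which never matches anything in the list.
    (my $seen = defined $result ? $result : '') =~ s/\r?\n\z//;

    foreach my $bad (@known) {
        # The original wrote '=' (assignment) here, so every host that sent
        # any banner at all was reported vulnerable; 'eq' is the comparison.
        next unless $seen eq $bad;
        print "\n$host is running a vulnerable version of SSHD";
        print "\nversion is: $seen";
        return 1;
    }
    return 0;
}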


