Security Incidents mailing list archives

Re: Analysis of SSH crc32 compensation attack detector exploit


From: Dave Dittrich <dittrich () cac washington edu>
Date: Fri, 9 Nov 2001 13:03:34 -0800 (PST)

Errata.

It was pointed out to me that I forgot to include the README in
Appendix B.  I also left out one other comment as well.

The most recent version of this file can be found at:

      http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

The missing pieces are:

 . . .

(Re: Scanning)

[NOTE: You are not necessarily vulnerable just because the banner
shows a version string that is listed as "affected".  If the patches
listed in the RAZOR advisory, e.g., are applied, or if you eliminate
v1 and use v2 of the protocol exclusively, the server will not be
vulnerable.]
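As an added, defender-side illustration of the scanning note above (example code, not part of the original post): a small Python triage of SSH identification strings that can rule a host out (no protocol 1 offered) but deliberately refuses to rule it in on the banner alone. It assumes the convention that a server announces protocol version "1.99" when it speaks both protocol 1 and 2 and "2.0" when it speaks protocol 2 only; the sample banners are constructed.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional

# Constructed sample identification strings, not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-1.5-1.2.27",               # protocol 1 only
    "SSH-1.99-OpenSSH_2.9p2",       # offers both protocol 1 and protocol 2
    "SSH-2.0-OpenSSH_2.9p2",        # protocol 2 only
    "220 mail.example.test ESMTP",  # not an SSH banner at all
]

# Identification line format: "SSH-protoversion-softwareversion[ comments]".
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")


class BannerInfo(NamedTuple):
    proto: str
    software: str
    offers_v1: bool


def parse_banner(line: str) -> Optional[BannerInfo]:
    """Parse an SSH identification string; return None if the line is not one."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    # Assumed convention: "1.99" = both protocols offered, "1.x" = protocol 1
    # only, "2.0" = protocol 2 only.  Only a "1.*" announcement exposes the
    # protocol 1 code path at all.
    return BannerInfo(proto, m.group("software"), proto.startswith("1."))


def triage(line: str) -> str:
    """Classify one banner as the note suggests: the banner can exclude a host
    (v2 only) but never confirms vulnerability by itself."""
    info = parse_banner(line)
    if info is None:
        return "not-ssh"
    if not info.offers_v1:
        return "v2-only: not exposed"
    return f"v1 offered ({info.software}): verify patch level, banner is not proof"


def triage_all(lines: Iterable[str]) -> Dict[str, int]:
    """Count hosts per triage outcome, keyed on the outcome's leading label."""
    counts: Dict[str, int] = {}
    for line in lines:
        label = triage(line).split(" (")[0]
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:32} -> {triage(banner)}")
```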

 . . .

Appendix B
==========

The following is a README file that accompanies one version
of the SSH crc32 exploit:

---

sh exploit demystified: info supplied by XXXXXXXXXXXXXXXXXXXXXXXXXXXX
1. rename the exploit to filename: ssh
2. type: export blah=loser
3. Once u figured out the syntax, this is how the exploit works

First stage is the brute force, if it quits while brute forcing and says
stack not found means the ssh is not vulnerable
Note: This takes ages, if it brute forces for anything more than 45min >
i suggest you cancel it
Second stage:
If brute force is successful it will move on to the second stage
it will try some values

if the exploit shows this:
and freezes on the dots, it means you're in business

exploiting...

DO NOT CLOSE THE EXPLOIT
Instead open another term and telnet to the host's port 12345 for a
bindshell remember to append commands with ; eg: ls;



If it tries all the values and fails, then u're outta business and it
should drop u back to shell

EOF
p.s: from my experience i have found the openssh 1.5 to be utter shit in
exploiting, the ssh 1.2.6-1.2.30 has a higher chance of success rate
Last words: This exploit only works maybe 2/10 times so be patient.

---

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
