Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Automated SSH login attempts?
From: Jan Muenther <jan.muenther () nruns com>
Date: Sat, 31 Jul 2004 20:36:39 +0200

Hi there,

Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)

Hm, actually, there's fairly little of that required to see what this beast 
does...  
Guys, I can't help but sing the praise of IDA Pro. Get it, it's worth the 
money. 

The tool itself dos not need root rights. What needs to be root is the
portscanner accompanying it.

Yeah, found that too. That, however, is not surprising. It's a SYN-Scanner,
using a detached scanning method, built on libnet (eh, too lazy for raw sockets,
are we) and libpcap, and its statically linked against it. Both binaries
were not stripped by the way :>

You'll need root rights for constructing packets with libnet and root rights
to set the interface into promiscuous mode for the pcap captures. 


hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows? 

Mkay, it really appears to be just an SSH scanner / bruteforcer, which next 
to the hardcoded username / password combinations also tries the identity / 
public key files of the current user to access other boxes. 

Some stuff from the disassembly (label names are mine, function names are from
the binary, as I said, not stripped). 

So, it first tries to open uniq.txt for its input, nothing new, and bails out
if it can't:

.text:080482E3                 push    offset aR       ; "r"
.text:080482E8                 push    offset aUniq_txt ; "uniq.txt"
.text:080482ED                 call    fopen
.text:080482F2                 add     esp, 10h
.text:080482F5                 mov     [ebp+var_C], eax
.text:080482F8                 cmp     [ebp+var_C], 0
.text:080482FC                 jnz     short loc_8048314
.text:080482FE                 sub     esp, 0Ch
.text:08048301                 push    offset aNuPotDeschideU ; "nu pot deschide
 uniq.txt\n"
.text:08048306                 call    printf

Is this romanian? Seen it a lot recently...

.text:0804835B do_it:                                  ; CODE XREF: main+86^Xj
.text:0804835B                 call    fork
.text:08048360                 test    eax, eax
.text:08048362                 jnz     short loc_80483A6
.text:08048364                 sub     esp, 4
.text:08048367                 lea     eax, [ebp+var_418]
.text:0804836D                 push    eax
.text:0804836E                 push    offset aTest    ; "test"
.text:08048373                 push    offset aTest    ; "test"
.text:08048378                 call    ccheckauth
.text:0804837D                 add     esp, 10h
.text:08048380                 sub     esp, 4
.text:08048383                 lea     eax, [ebp+var_418]
.text:08048389                 push    eax
.text:0804838A                 push    offset aGuest   ; "guest"
.text:0804838F                 push    offset aGuest   ; "guest"
.text:08048394                 call    ccheckauth
.text:08048399                 add     esp, 10h
.text:0804839C                 sub     esp, 0Ch
.text:0804839F                 push    0
.text:080483A1                 call    exit

Mkay, so, it forks and calls a function called ccheckauth(), giving test and
guest as parameters for the username and password variables of that function. 
Once that's done, it exits. 


So, here's that function:

text:080481E8                 public ccheckauth
.text:080481E8 ccheckauth      proc near               ; CODE XREF: main+AB^Yp
.text:080481E8                                         ; main+C7^Yp
.text:080481E8
.text:080481E8 var_14          = dword ptr -14h
.text:080481E8 var_10          = dword ptr -10h
.text:080481E8 var_C           = dword ptr -0Ch
.text:080481E8 var_8           = dword ptr -8
.text:080481E8 var_4           = dword ptr -4
.text:080481E8 arg_0           = dword ptr  8
.text:080481E8 arg_4           = dword ptr  0Ch
.text:080481E8 arg_8           = dword ptr  10h
.text:080481E8
.text:080481E8                 push    ebp
.text:080481E9                 mov     ebp, esp
.text:080481EB                 sub     esp, 18h
.text:080481EE                 mov     [ebp+var_C], 1
.text:080481F5                 mov     [ebp+var_10], offset aNone ; "none"
.text:080481FC                 sub     esp, 0Ch
.text:080481FF                 push    0Fh
.text:08048201                 call    alarm
.text:08048206                 add     esp, 10h
.text:08048209                 sub     esp, 8
.text:08048206                 add     esp, 10h
.text:08048209                 sub     esp, 8
.text:0804820C                 lea     eax, [ebp+var_10]
.text:0804820F                 push    eax
.text:08048210                 lea     eax, [ebp+var_C]
.text:08048213                 push    eax
.text:08048214                 call    ssh_getopt
.text:08048219                 add     esp, 10h
.text:0804821C                 mov     [ebp+var_8], eax
.text:0804821F                 sub     esp, 8
.text:08048222                 push    [ebp+arg_0]
.text:08048225                 push    [ebp+var_8]
.text:08048228                 call    options_set_username
.text:0804822D                 add     esp, 10h
.text:08048230                 sub     esp, 8
.text:08048233                 push    [ebp+arg_8]
.text:08048236                 push    [ebp+var_8]
.text:08048239                 call    options_set_host
.text:0804823E                 add     esp, 10h
.text:08048241                 sub     esp, 0Ch
.text:08048244                 push    [ebp+var_8]
.text:08048247                 call    ssh_connect
.text:0804824C                 add     esp, 10h
.text:0804824F                 mov     [ebp+var_4], eax
.text:0804824C                 add     esp, 10h
.text:0804824F                 mov     [ebp+var_4], eax
.text:08048252                 cmp     [ebp+var_4], 0
.text:08048256                 jnz     short loc_804825A
.text:08048258                 jmp     short locret_80482CB
.text:0804825A ; ---------------------------------------------------------------
------------

It basically calls a bunch of other functions which do the entire session 
setup stuff for the SSH connection attempts. These functions do exactly what 
their names imply, so I save the disassemblies here for brevity's sake. 

So, there's nothing spectacular here, it's a SSH bruteforcer. One thing though,
it also uses key auth (determines the current user's home dir and looks for
publickey and id files):

.text:08048B90 trykey:                                 ; CODE XREF: ssh_userauth
_autopubkey+F6^Yj
.text:08048B90                 sub     esp, 8
.text:08048B93                 lea     eax, [ebp+var_10]
.text:08048B96                 push    eax
.text:08048B97                 lea     eax, [ebp+var_14]
.text:08048B9A                 push    eax
.text:08048B9B                 lea     eax, [ebp+var_18]
.text:08048B9E                 push    eax
.text:08048B9F                 push    offset keys_path
.text:08048BA4                 push    offset pub_keys_path
.text:08048BA9                 push    edi
.text:08048BAA                 call    publickey_from_next_file
.text:08048BAF                 add     esp, 20h
.text:08048BB2                 test    eax, eax
.text:08048BAF                 add     esp, 20h
.text:08048BB2                 test    eax, eax
.text:08048BB4                 mov     ebx, eax
.text:08048BB6                 jz      nokeymatch
.text:08048BBC                 push    ebx
.text:08048BBD                 mov     eax, [ebp+var_14]
.text:08048BC0                 push    eax
.text:08048BC1                 push    0
.text:08048BC3                 push    edi
.text:08048BC4                 call    ssh_userauth_offer_pubkey
.text:08048BC9                 add     esp, 10h
.text:08048BCC                 cmp     eax, 0FFFFFFFFh
.text:08048BCF                 jz      cleanupkey
.text:08048BD5                 test    eax, eax
.text:08048BD7                 jnz     pubrefused
.text:08048BDD                 push    0
.text:08048BDF                 mov     eax, [ebp+var_14]
.text:08048BE2                 push    eax
.text:08048BE3                 mov     eax, [ebp+var_18]
.text:08048BE6                 push    eax
.text:08048BE7                 push    edi
.text:08048BE8                 call    privatekey_from_file
.text:08048BED                 add     esp, 10h
.text:08048BF0                 test    eax, eax
.text:08048BED                 add     esp, 10h
.text:08048BF0                 test    eax, eax
.text:08048BF2                 mov     esi, eax
.text:08048BF4                 jz      readprivfail
.text:08048BFA                 push    eax
.text:08048BFB                 push    ebx
.text:08048BFC                 push    0
.text:08048BFE                 push    edi
.text:08048BFF                 call    ssh_userauth_pubkey
.text:08048C04                 add     esp, 10h
.text:08048C07                 cmp     eax, 0FFFFFFFFh
.text:08048C0A                 jz      loc_8048CAA
.text:08048C10                 test    eax, eax
.text:08048C12                 jz      short auth_success
.text:08048C14                 sub     esp, 8
.text:08048C17                 push    offset aWeirdServerAcc ; "Weird : server
accepted our public key "...
.text:08048C1C                 push    0
.text:08048C1E                 call    ssh_say
.text:08048C23                 mov     [esp+38h+var_38], ebx
.text:08048C26                 call    free
.text:08048C2B                 mov     [esp+38h+var_38], esi
.text:08048C2E                 call    private_key_free

So, yeah, it's a bruteforcer, nothing magic here. 

Right. And somebody volunteered for this job right now, did you? ;-)

Eh. Limited time, new girlfriend is here and it's weekend :-/
So forgive the incompleteness of this :>
Maybe more on monday. FWIW, if there are other versions out, they might be
more interesting than this tool. 

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]