(reposted without smime)
Here is a corrected version of your script. Could you explain what you
were trying to do?
blackshell_at_hushmail.com wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>this tool is for the purpose of professional security people testing their own private/corporate networks. under no circumstances
is the blackshell team repsonsible for any misuse of this.
>
>#!/usr/bin/perl -w
>
>#--blackshell tool1--#
>#--blackshell-sshd.pl--#
>
># this is a mass scanner for remote security testing
># of networks for the ssh crc32(deattack) bug.
># this is being exploited in the wild at the present time
># and it leads to complete remote compromisation
># of a vulnerable server
>
># vulnerable OS'es include aix, irix, linux, solaris, hpux, unicos(yes)
>
># a few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors
>
>use Thread;
>use Strict;
>use Socket;
>use Getopt::Std;
>use Config;
>
>my $banner = qq(
>Mass SSHD Vulnerability Scanner
>by BlackShell
>blackshell_at_hushmail.com
>);
>
>$exploit_information = qq(
>
>Advisories:
>
>http://www.securityfocus.com/advisories/3088
>http://xforce.iss.net/alerts/advise100.php
>http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
>http://www.securityfocus.com/bugid=2347
>http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
>http://openssh.org/security.html
>http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
>
>
>Information:
>
>http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
>http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
>http://www.newsbytes.com/news/01/171291.html
>http://www.cert.org/incident_notes/IN-2001-12.html
>
>
>Incidents:
>
>http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
>http://archives.neohapsis.com/archives/incidents/2001-12/0240.html
>
>);
>
>
># borrowed from dave's code(thanks :>)
>
>my @affected = (
>'SSH-1.5-1.2.24',
>'SSH-1.5-1.2.25',
>'SSH-1.5-1.2.26',
>'SSH-1.5-1.2.27',
>'SSH-1.5-1.2.28',
>'SSH-1.5-1.2.29',
>'SSH-1.5-1.2.30',
>'SSH-1.5-1.2.31',
>'SSH-1.5-OpenSSH-1.2',
>'SSH-1.5-OpenSSH-1.2.1',
>'SSH-1.5-OpenSSH-1.2.2',
>'SSH-1.5-OpenSSH-1.2.3',
>'SSH-1.99-OpenSSH-2.1',
>'SSH-1.99-OpenSSH_2.1.1',
>'SSH-1.99-OpenSSH_2.2.0',
>'SSH-1.99-OpenSSH_2.2.0p1',
>);
>
>
>
>
>if(! $Config{'usethreads'})
>{
> print "\nNo Threading Supported";
> exit 1;
>}
>
>getopts("d:t:l:i:",%args);
>
>my $debug;
>
>
>
if($args{i})
>
{
>
my $infile = $args{i} || sshd.in;
>
print "\nUsing infile: $infile";
>
}
>
elsif($args{d})
>
{
>
$debug = 1;
>
print "\nUsing Debuging!";
>
}
>
elsif($args{t})
>
{
>
my $timeout = $args{t} || 5;
>
print "\nUsing Timeout: $args{t}!";
>
}
>
elsif($args{l})
>
{
>
my $logfile = $args{l};
>
print "\nUsing logfile: $logfile";
>
}
>
>
open(FILE,"<$infile") || die "\nCant read from $logfile";
>
>
while(<>)
>
{
>
chomp($host = $_);
>
print "\nScanning $host...";
>
>
my $thread = Thread->new(\&check_scan,$host);
>
print "\nScanning $host...";
>
my @return = $thread->join;
>
}
>
if($debug)
>
{
>
my $check;
>
foreach $check (@return)
>
{
>
print "\nDebugging running....";
>
print "\n$debug info...:";
>
print "\n$check";
>
}
>
>
}else{
>
>
print "\n\n$banner\n";
>
print "\n\nOptions: ";
>
print "\n./$0 -i <INFILE> -l <LOGFILE> -d -t 15";
>
print "\n
>
print "\ndefaults: ";
>
print "\ntimeout: 5";
>
print "\nhost list: sshd.in";
>
print "\nlogfile: sshd.log";
>
print "\ndebug: no";
>
}
>
>
}
> }
>
>sub check_scan ($)
>{
>
> eval {
>
> my $host = shift;
> my $iaddr = inet_aton($host);
> my $port = "22";
>
>
my $paddr = sockaddr_in($port, $host);
>
my $proto = getprotobyname('tcp');
>
socket(SOCK,AF_INET,SOCK_STREAM,$proto) || die "\nCant make Socket: $!";
>
alarm($args{t});
>
if(connect(SOCK,$paddr))
>
{
>
print "\nSSHD is open on $host";
>
print "\n${host}'s response...";
>
}
>
while(<SOCK>)
>
{
>
chomp;
>
print;
>
$response = $_;
>
&log($host, $response);
>
print "\analyzing ${host}'s response...";
>
&analyze($host, $response);
>
}
>
>
}
>
>
close(SOCK);
> }
>
>
>
>sub log ($$)
>{
>
> open(LOG,">$logfile") || die "\nCant open $logfile for writing";
>
> select(LOG);
> print "\n$banner\n";
> print "\n$exploit_information"
> close(LOG);
>
> $host = shift;
> $rez = shift;
>
>
open(LOG,">>$logfile") || die "\nCant open $logfile";
>
flock(LOG,2) || die "\nCant file lock";
>
select(LOG);
>
>
print "\nResults:";
>
print "\n${host}: $rez";
>
print "\n\nFinished...\n";
>
> close(LOG);
>
>}
>
>
>
>sun analyze ($$)
>{
>
> $host = shift;
> $result = shift;
>
> foreach $checkz (@affected))
> {
>
if($result = $checkz)
>
{
>
print "\n$host is running a vulnerable version of SSHD";
>
print "\nversion is: $result";
>
}
> }
>}
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.1
>Note: This signature can be verified at https://www.hushtools.com
>
>wl8EARECAB8FAjwxR+IYHGJsYWNrc2hlbGxAaHVzaG1haWwuY29tAAoJED2VGGGCU8ut
>G+kAoIRsS/BUmFjmlsdgNHSKWW2elojfAJ9ItUcz9Ao1dpbbkzuf184f1RJnNg==
>=Z/EV
>-----END PGP SIGNATURE-----
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
--
-o)
Remi Cohen-Scali /\\
<Remi_at_Cohen-Scali.com> <rcoscali_at_rcsnet.net> _\_v
----
#!/usr/bin/perl -w
#--blackshell tool1--#
#--blackshell-sshd.pl--#
# this is a mass scanner for remote security testing
# of networks for the ssh crc32(deattack) bug.
# this is being exploited in the wild at the present time
# and it leads to complete remote compromisation
# of a vulnerable server
# vulnerable OS'es include aix, irix, linux, solaris, hpux, unicos(yes)
# a few thanks: dave dittrich, bindview, team-teso, #!blackshell contributors
use Thread;
#use strict;
use Socket;
use Getopt::Std;
use Config;
# Text shown in the usage output and written at the top of the log file.
my $banner = join("\n",
    '',
    'Mass SSHD Vulnerability Scanner',
    'by BlackShell',
    'blackshell@hushmail.com',
    '',
);

# Reference material written to the log file: vendor advisories, background
# analysis and incident reports for the SSH CRC32 (deattack) bug.
my $exploit_information = join("\n",
    '',
    'Advisories:',
    qw(
        http://www.securityfocus.com/advisories/3088
        http://xforce.iss.net/alerts/advise100.php
        http://razor.bindview.com/publish/advisories/adv_ssh1crc.html
        http://www.securityfocus.com/bugid=2347
        http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
        http://openssh.org/security.html
        http://www.cisco.com/warp/public/707/SSH-multiple-pub.html
    ),
    'Information:',
    qw(
        http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1
        http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
        http://www.newsbytes.com/news/01/171291.html
        http://www.cert.org/incident_notes/IN-2001-12.html
    ),
    'Incidents:',
    qw(
        http://archives.neohapsis.com/archives/incidents/2001-12/0009.html
        http://archives.neohapsis.com/archives/incidents/2001-12/0047.html
        http://archives.neohapsis.com/archives/incidents/2001-12/0102.html
        http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
        http://archives.neohapsis.com/archives/incidents/2001-12/0189.html
        http://archives.neohapsis.com/archives/incidents/2001-12/0225.html
        http://archives.neohapsis.com/archives/incidents/2001-12/0240.html
    ),
    '',
);

# borrowed from dave's code(thanks :>)
# Server identification strings that analyze() treats as affected.
# NOTE(review): a banner match is an indicator, not proof. The version string
# does not show whether a vendor backported the fix, and a server can
# advertise any string it likes. Confirm findings on the host itself.
my @affected = qw(
    SSH-1.5-1.2.24
    SSH-1.5-1.2.25
    SSH-1.5-1.2.26
    SSH-1.5-1.2.27
    SSH-1.5-1.2.28
    SSH-1.5-1.2.29
    SSH-1.5-1.2.30
    SSH-1.5-1.2.31
    SSH-1.5-OpenSSH-1.2
    SSH-1.5-OpenSSH-1.2.1
    SSH-1.5-OpenSSH-1.2.2
    SSH-1.5-OpenSSH-1.2.3
    SSH-1.99-OpenSSH-2.1
    SSH-1.99-OpenSSH_2.1.1
    SSH-1.99-OpenSSH_2.2.0
    SSH-1.99-OpenSSH_2.2.0p1
);
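# Main flow: check for thread support, parse the command line, then run
# check_scan() once for every host listed in the input file.
if (!$Config{'usethreads'})
{
    print "\nNo Threading Supported";
    exit 1;
}

# getopts() stores options in a hash only when it is given a hash
# *reference*; with a plain %args the options never reached $args{...}.
# -d is a plain flag: the usage text shows it without a value, and "d:"
# would have swallowed the following "-t" as its argument.
getopts("dt:l:i:", \%args);

my $debug = $args{d} ? 1 : 0;
print "\nUsing Debuging!" if $debug;

# Apply the documented defaults even when the option is absent; before, the
# default for the host list sat inside "if ($args{i})" and could never apply.
my $infile = (defined $args{i} && length $args{i}) ? $args{i} : "sshd.in";
print "\nUsing infile: $infile";

# check_scan() reads $args{t}, so normalise it here to a positive integer.
my $timeout_given = defined $args{t};
unless (defined $args{t} && $args{t} =~ /^\d+$/ && $args{t} > 0)
{
    $args{t} = 5;
}
print "\nUsing Timeout: $args{t}!" if $timeout_given;

# log() reads the package variable $logfile; a "my" inside an if-block went
# out of scope before any sub could see it.
our $logfile = (defined $args{l} && length $args{l}) ? $args{l} : "sshd.log";
print "\nUsing logfile: $logfile";

# Three-argument open: a file name taken from the command line can no longer
# be interpreted as an open mode or a pipe.
open(my $hosts_fh, '<', $infile) || die "\nCant read from $infile: $!";

my @return;
while (defined(my $line = <$hosts_fh>))
{
    chomp $line;
    $line =~ s/^\s+//;
    $line =~ s/\s+$//;
    next if $line eq '';    # ignore blank lines in the host list

    print "\nScanning $line...";
    my $thread = Thread->new(\&check_scan, $line);
    # Each thread is joined before the next one starts, so hosts are handled
    # one at a time. Results are accumulated rather than overwritten.
    push @return, $thread->join;
}
close($hosts_fh);

if ($debug)
{
    foreach my $check (@return)
    {
        print "\nDebugging running....";
        print "\n$debug info...:";
        print "\n$check";
    }
}
else
{
    # NOTE(review): as in the original, the usage text is printed after every
    # non-debug run; confirm whether it was meant only for bad invocations.
    print "\n\n$banner\n";
    print "\n\nOptions: ";
    print "\n./$0 -i <INFILE> -l <LOGFILE> -d -t 15";
    print "\n";
    print "\ndefaults: ";
    print "\ntimeout: 5";
    print "\nhost list: sshd.in";
    print "\nlogfile: sshd.log";
    print "\ndebug: no";
}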
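# Connect to TCP port 22 on $host, read the server's SSH identification
# string, record it with log() and compare it with analyze().
#
# Argument: host name or dotted-quad address.
# Returns:  1 when an identification string was read and processed,
#           0 on resolution/connect failure, timeout or a non-SSH reply.
sub check_scan($)
{
    my $host = shift;
    my $port = 22;

    # Fall back to the documented default when -t is missing or not a
    # positive integer; alarm(0) or alarm(undef) would disable the timeout.
    my $timeout = (defined $args{t} && $args{t} =~ /^\d+$/ && $args{t} > 0)
        ? $args{t}
        : 5;

    # Upper bound on what is accepted from the remote side. The peer is
    # untrusted and must not be able to feed this process unbounded data.
    my $max_bytes = 1024;

    my $sock;    # lexical handle: no bareword SOCK shared between threads
    my $raw = '';

    eval {
        # Without a handler SIGALRM terminates the whole process, and an SSH
        # server waits for the client after sending its banner, so a read
        # loop running until EOF always ended in that alarm.
        local $SIG{ALRM} = sub { die "timed out\n" };
        alarm($timeout);

        my $iaddr = inet_aton($host);
        die "cannot resolve host\n" unless defined $iaddr;

        # sockaddr_in() takes the packed address, not the host name.
        my $paddr = sockaddr_in($port, $iaddr);
        my $proto = getprotobyname('tcp');

        socket($sock, AF_INET, SOCK_STREAM, $proto) || die "Cant make Socket: $!\n";
        connect($sock, $paddr) || die "connect failed: $!\n";

        print "\nSSHD is open on $host";
        print "\n${host}'s response...";

        # Stop at the first complete "SSH-..." line or at the size cap.
        while (length($raw) < $max_bytes && $raw !~ /^SSH-[^\n]*\n/m)
        {
            my $got = sysread($sock, $raw, $max_bytes - length($raw), length($raw));
            last unless $got;    # EOF or read error
        }
        alarm(0);
    };
    my $failure = $@;
    alarm(0);                         # never leave a pending alarm behind
    close($sock) if defined $sock;

    if ($failure)
    {
        chomp $failure;
        print "\n$host: $failure";
        return 0;
    }

    my ($response) = $raw =~ /^(SSH-[^\r\n]*)/m;
    unless (defined $response)
    {
        print "\n$host did not send an SSH identification string";
        return 0;
    }

    # The banner is attacker-controlled text. Neutralise control characters
    # before it reaches the terminal or the log file.
    $response =~ s/[^\x20-\x7e]/?/g;

    print $response;

    # log() may change the selected output handle; restore it afterwards so
    # the remaining messages still reach the original destination.
    my $previous_handle = select();
    eval { &log($host, $response); };
    select($previous_handle);
    print "\n$host: logging failed: $@" if $@;

    print "analyzing ${host}'s response...";
    &analyze($host, $response);

    return 1;
}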
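# Append one result line for $host to the log file.
#
# Arguments: host name, server response (identification string).
# Reads:     $logfile (package variable; "sshd.log" when unset), $banner and
#            $exploit_information for the header.
# Returns:   1 on success; dies when the file cannot be opened, locked or
#            closed.
#
# The sub shares its name with the builtin log(), so callers must keep using
# the &log(...) form.
sub log ($$)
{
    my ($host, $rez) = @_;

    my $path = (defined $logfile && length $logfile) ? $logfile : "sshd.log";

    # $rez comes from a remote server. Replace anything outside printable
    # ASCII so a hostile banner cannot forge extra log lines or smuggle
    # terminal escape sequences into the file.
    foreach my $field ($host, $rez)
    {
        $field = '' unless defined $field;
        $field =~ s/[^\x20-\x7e]/?/g;
    }

    # Open once, in append mode, with the three-argument form. The original
    # first opened the file with ">" on every call, which discarded all
    # earlier results, and its two-argument open let the file name carry a
    # mode.
    open(my $log_fh, '>>', $path) || die "\nCant open $path: $!";
    flock($log_fh, 2) || die "\nCant file lock";    # 2 == LOCK_EX

    # Write the header only while the file is still empty.
    if (-z $log_fh)
    {
        print $log_fh "\n$banner\n";
        print $log_fh "\n$exploit_information";
    }

    # Print to the handle explicitly. select(LOG) followed by close(LOG)
    # left the default output pointing at a closed handle, silencing every
    # later print in the program.
    print $log_fh "\nResults:";
    print $log_fh "\n${host}: $rez";
    print $log_fh "\n\nFinished...\n";

    # Buffered write errors surface at close time.
    close($log_fh) || die "\nCant close $path: $!";
    return 1;
}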
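# Report whether a server identification string is on the @affected list.
#
# Arguments: host name, server response (identification string).
# Returns:   1 when the string matches an entry of @affected, 0 otherwise.
#
# A match is a banner-level indicator only: the version string cannot show
# whether a fix was backported, and the server chooses what it advertises.
sub analyze($$)
{
    my ($host, $result) = @_;
    return 0 unless defined $result;

    # Compare only the first whitespace-delimited token, so a trailing
    # carriage return or a comment after the version does not defeat the
    # exact match.
    my ($ident) = $result =~ /^\s*(\S+)/;
    return 0 unless defined $ident;

    foreach my $known (@affected)
    {
        # String equality. The original "$result = $checkz" was an
        # assignment: always true, so every host was reported as vulnerable
        # once per list entry, and $result was overwritten.
        if ($ident eq $known)
        {
            print "\n$host is running a vulnerable version of SSHD";
            print "\nversion is: $ident";
            return 1;
        }
    }
    return 0;
}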
Received on Jan 02 2002