Analysis of SSH crc32 compensation attack detector exploit

Dave Dittrich dittrich at
Fri Nov 9 21:03:34 GMT 2001


It was pointed out to me that I forgot to include the README in
Appendix B.  I also left out one other comment as well.

> The most recent version of this file can be found at:

The missing pieces are:

 . . .

(Re: Scanning)

[NOTE: You are not necessarily vulnerable just because the banner
shows a version string that is listed as "affected".  If the patches
listed in the RAZOR advisory, e.g., are applied, or if you eliminate
v1 and use v2 of the protocol exclusively, the server will not be

 . . .

Appendix B

The following is a README file that is accompanying one version
of the SSH crc32 exploit:


sh exploit demystified: info supplied by XXXXXXXXXXXXXXXXXXXXXXXXXXXX
1. rename the exploit to filename: ssh
2. type:export blah=loser
3. Once u figured out the syntax, this is how the exploit works

First stage is the brute force, if it quits while brute forcing and says
stack not found means the ssh is not vunerable
Note:This takes ages, if it brute forces for anything more than 45min >
i suggest you cancel it
Second stage:
If brute force is successful it will mvoe on to the second stage
it will try some values

if the exploit shows this:
and freezes on the dots, it means your in business


Instead open another term and telnet to the hosts port 12345 for a
bindshell remeber to append commands with ; eg: ls;

If it tries all the values and fails, then u're outta business and it
should drop u back to shell

p.s:from my experience i have found the openssh 1.5 to be utter shit in
exploiting, the ssh 1.2.6-1.2.30 has a higher chance of success rate
Last words:This exploit only works maybe 2/10 times so be patient.


Dave Dittrich                           Computing & Communications
dittrich at             University Computing Services    University of Washington

PGP key
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

More information about the unisog mailing list