Squirt is a Perl tool for finding and exploiting local buffer overflow vulnerabilities; it is highly configurable and platform independent. It is possible to exploit almost any local overflow on any system by providing the correct values as arguments (or brute forcing them), telling the program how the overflow must be triggered, and finally loading the desired (system-specific) shellcode.
88278cfb3fbfb29856c07040e2ffd772e5316987021af405e4424e3215848f04
OpenBSD Security Advisory - OpenSSH-2.3.1, a development snapshot, only checked whether a public key was permitted for public key authentication. In the protocol 2 part of the server, the challenge-response step that ensures the connecting client is in possession of the corresponding private key had been omitted. As a result, anyone who could obtain a public key listed in a user's authorized_keys file could log in as that user without authentication. This vulnerability affects only OpenSSH version 2.3.1 with support for protocol 2 enabled. The latest official release, OpenSSH 2.3.0, is not affected by this problem. The latest snapshot version, OpenSSH 2.3.2, is not affected either. Fix available here.
68fbfb4c37fcf6a2ccb203e9d14a67d3faefbbe5b690c673b4d718c46e3d1004
Razor Bindview Advisory - A remote root vulnerability exists in the CRC32 compensation attack detector (deattack.c) of most ssh daemon installations (F-Secure, OpenSSH, SSH from ssh.com, OSSH). Insufficient range control calculations in the detect_attack() function (a 16-bit unsigned variable is used instead of a 32-bit one, causing an integer overflow) lead to a table index overflow bug. This effectively allows an attacker to overwrite arbitrary portions of memory. The altered memory locations affect code that is executed by the daemon with uid 0, and this can be leveraged to obtain root access to the system. This is fixed in OpenSSH 2.3.0, ossh-1.5.8, and SSH-2.4.0.
72f0b876373954999b3e48c286d832d9874353833141a0ee8db15f4cd9b2c873
CORE SDI Security Advisory CORE-20010207 - SSH1 CRC-32 compensation attack detector vulnerability. In 1998 a design flaw was fixed in SSH1 which allowed an attacker to inject malicious packets into an SSH session. In fixing this bug, a new vulnerability in deattack.c was created which allows remote attackers to execute arbitrary commands on the server. OpenSSH prior to v2.3.0 is vulnerable, as are ssh.com's ssh-1.2.24 through 1.2.31 and F-Secure SSH-1.3.x.
fdc00415fdba450c4d5644f7ad33db0ce3a7dd4e86d112d5602ed9d33c296ded
CORE SDI Security Advisory CORE-20010116 - SSH protocol 1.5 session key recovery vulnerability. An attacker who obtains all the encrypted packets of a session can recover the session key and decrypt the stored session, or even alter it if it is still active. Some SSH2 servers which fall back to SSH1 are also vulnerable. OpenSSH and SSH2 from ssh.com are not vulnerable.
a78ea5475621a69079002d160cd0ae72cd81f9445059bac41af7e7560de10a54
Angst is an active packet sniffer based on libpcap and libnet. It dumps the payload of all packets received on the specified ports into a file. Two methods of active sniffing are implemented: Angst is able to monitor ARP requests and, after enabling IP forwarding on the local host, sends ARP replies mapping all IPs to the local MAC address. In addition, it has the ability to flood the local network with random MAC addresses (like macof), causing switches to send packets to all ports. Tested on Linux and Free/Net/OpenBSD. Readme available here.
249850a9a68c4357d938e509aae3008f25196a7c756185ea9bcc9f5793422a9a