0x4D31

Libssh authentication bypass vulnerability (CVE-2018-10933)

An analysis of Censys Public Scan 20180807 (only port 22) to estimate the number of servers {potentially} vulnerable to the recent Libssh bug.

• CVE-2018-10933 Advisory
• Exploit - Patched Libssh Client
• CVE-2018-10933-test
• libSSH-Authentication-Bypass
• HASSH - an SSH client/server profiling method
• ssh-hassh nmap script

masutaka

(defun my-lisp-load (filename)
  "Load lisp from FILENAME"
  (let ((fullname (expand-file-name (concat "spec/" filename) user-emacs-directory))
        lisp)
    (when (file-readable-p fullname)
      (with-temp-buffer
        (progn
          (insert-file-contents fullname)
          (setq lisp
                (condition-case nil

worawit

#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb, ntlm
from struct import pack
import sys
import socket

'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)

worawit

#!/usr/bin/python
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
from impacket import smb
from struct import pack
import sys
import socket

'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)

phroxvs

# Background and description

The VMware vSphere Data Protection (VDP) appliance is based on the EMC Avamar solution. To perform an in-depth analysis of VDP, a virtual test appliance of EMC Avamar was downloaded. Known Avamar default credentials did work fine on the Avamar appliance, but were not valid to log into the vSphere Data Protection. Further file system objects in the EMC Avamar appliance were analyzed, leading to the interesting detection of a private SSH key belonging to the admin user.

A web search did reveal that the corresponding password for the SSH key file is ‘P3t3rPan’ (see http://judsonian.com/content/licensing-an-avamar-system/). Using the SSH key file a login as admin to the VMware Data Protection was successful and did grant root permissions on the appliance.

# Disclosure timeline

11.08.2016 report of vulnerability to VMware Security Response team

scumjr

/*
 * CVE-2016-5195 dirtypoc
 *
 * This PoC is memory only and doesn't write anything on the filesystem.
 * /!\ Beware, it triggers a kernel crash a few minutes.
 *
 * gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread
 */

#define _GNU_SOURCE

rverton

/*
* (un)comment correct payload first (x86 or x64)!
* 
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten

apokalyptik

The Goal

Set up Kubernetes on 3 Debian Jessie virtual machines: One master. Two nodes. Additionally do this without any "magic" so that what is required to be running to make everything work is plain and obvious.

We will be using flannel for the inter-machine networking layer. Mainly because it is useful and it seems to be pretty popular.

The Setup

worawit

#!/usr/bin/python
"""
Exploit for Samba vulnerabilty (CVE-2015-0240) by sleepya

The exploit only targets vulnerable x86 smbd <3.6.24 which 'creds' is controlled by 
ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
in libtalloc does not write a value on 'creds' address.

Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

dnozay

Simple collection of Groovy scripts to help me maintain some Jenkins systems.

See also https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console

Please comment & let me know if you have a fork / fixes you'd like to include.