This repository has been archived by the owner. It is now read-only.
Spawn a shell without any credentials by using CVE-2018-10933

Information about CVE-2018-10933 by libSSH:

Bugfix release by libSSH:

Find the right server with these fingerprints:

Check the version of the server that you are trying to bypass with

If the output is 0.7.5, 0.6.*, or lower, then the server is vulnerable.

If it isn't, then it's probably patched, truncated, or not using libSSH.
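
For auditing your own hosts, the same version check can be run offline over SSH identification strings you have already collected. This is an added example, not code from this repository; the sample banners are constructed, and the fix releases it uses (0.7.6 and 0.8.4, with 0.6 as the first affected series) are taken from the libssh advisory rather than from this page.

```python
import re

# Assumption of this example: first affected version and fix releases as given
# in the libssh advisory for CVE-2018-10933.
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
FIRST_AFFECTED = (0, 6, 0)

# Accept both "libssh-0.7.4" and "libssh_0.8.3" style software versions.
VERSION_RE = re.compile(r"^libssh[-_](\d+)\.(\d+)\.(\d+)")


def classify_banner(banner: str) -> str:
    """Classify one SSH identification string (RFC 4253, section 4.2)."""
    parts = banner.strip().split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH":
        return "not-ssh"
    software = parts[2]
    # libssh2 is a separate, client-side library and is not libssh.
    if not software.startswith("libssh") or software.startswith("libssh2"):
        return "not-libssh"
    match = VERSION_RE.match(software)
    if match is None:
        return "unknown"  # truncated or customised banner: verify on the host
    version = tuple(int(part) for part in match.groups())
    if version < FIRST_AFFECTED:
        return "outside-advisory-range"
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # No fix release recorded above for this series: treat 0.6.x as
        # vulnerable and any series after 0.8 as carrying the fix.
        return "vulnerable" if version < (0, 7, 0) else "patched"
    return "vulnerable" if version < fixed else "patched"


# Constructed sample banners standing in for an inventory of your own servers.
SAMPLE_BANNERS = [
    "SSH-2.0-libssh-0.7.4",
    "SSH-2.0-libssh_0.8.4",
    "SSH-2.0-libssh",
    "SSH-2.0-OpenSSH_7.4",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{classify_banner(line):24} {line}")
```

A banner is only a hint: it can be edited or stripped at build time, so confirm the installed package version on any host reported as `vulnerable` or `unknown`.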

Generate Fake SSH Key for

Create an SSH server that is vulnerable to channels, OR directly use the tool to bypass a remote server:

Important : "People trying to reproduce libssh bug: the sample code (samplesshd-cb) is not vuln because it has explicit auth handlers. You can open a channel but nothing will happen."

As we can see, this section is just for opening a channel. You can't spawn a shell on a server that is run by "samplesshd-cb".

It's just for opening a channel. The PoCs that I wrote are just for remote hosts.

Download, uncompress and build the vulnerable libSSH version:

And then compile and run libSSH on your own server with ssh.

PWD: /libssh-0.7.4/build/examples/samplesshd-cb
./samplesshd-cb --dsakey=yourdsakey --port=2222

libSSH Authentication Bypass with two different tools

If you have any fake SSH keys, use the second

pip install -r requirements.txt
If paramiko==2.0.8 doesn't work, try: pip install paramiko==2.4.2

python --help
python --help libSSH