CVE-2023-25136 #8912
Comments
Hello @mastercho, thank you so much for sharing this template with the community and contributing to this project 🍻 In our repository, we aim to include CVEs along with complete POCs instead of solely relying on version detection. This approach helps avoid false positive results. So we are closing this issue. Feel free to re-open this issue with a full POC. Thanks

But I opened a Template Request issue, not a Template Contribution, and I'm asking for help and directions, not like "hey, this is the template". You know that I would create the template if I knew the approach...
Hi @mastercho, you can try to write a JavaScript template as follows; I have raised a draft PR #8914 for the same. Thanks

```yaml
id: CVE-2023-25136

info:
  name: OpenSSH Pre-Auth Double Free
  author: DhiyaneshDK
  severity: critical
  description: |
    OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible."
  metadata:
    shodan-query: "OpenSSH_9.1"
    verified: true
  tags: js,ssh,double-free,network

javascript:
  # Pre-condition: only run the check against servers that advertise password auth.
  - pre-condition: |
      var m = require("nuclei/ssh");
      var c = m.SSHClient();
      var response = c.ConnectSSHInfoMode(Host, Port);
      response["UserAuth"].includes("password")

    # Main check: attempt an SSH connection with the supplied credentials.
    code: |
      var m = require("nuclei/ssh");
      var c = m.SSHClient();
      c.Connect(Host, Port, Username, Password);

    args:
      Host: "{{Host}}"
      Port: "22"
      Username: " "
      Password: " "

    matchers:
      - type: dsl
        dsl:
          - "response == true"
          - "success == true"
        condition: and
```
Thanks brother, Shodan has lots of IPs on ports other than 22; can we use a different port in the JavaScript condition?

Hi @mastercho, if no port is specified in the args as shown below, it will auto-connect on the port picked from the input. Hope this helps. Thanks
The current template is missing the crucial part that actually exploits the vulnerability; an empty login and password aren't causing a double free. The public exploit causes a DoS while connecting to a vulnerable server with an obsolete CLIENT_ID: RCE is mentioned but only general technical information is provided and no exploit has been made public. Here's a proper writeup about the issue:
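The maintainers' point earlier in the thread, that a banner match alone (the template's shodan-query is "OpenSSH_9.1") is only a fingerprint and not proof of exploitability, is what a defender has to keep in mind when triaging exposure. As an added example that is not part of the template, the PR, or this thread, the following stand-alone JavaScript parses SSH identification strings (the RFC 4253 "SSH-protoversion-softwareversion comments" format) and flags only the single release the CVE text names as affected, OpenSSH 9.1, so the hits can be queued for verification rather than reported as vulnerable. The host names and banners are constructed for the example.

```javascript
// Added example (not from the nuclei template or this thread): triage a set of
// already-collected SSH banners for the one OpenSSH release affected by
// CVE-2023-25136. Per the CVE text, 9.1 introduced the double free and 9.2
// fixed it, so only an exact 9.1 banner is flagged.

function parseSshBanner(line) {
  // RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
  // Strip the line terminator and split off the optional comments field.
  const trimmed = line.replace(/\r?\n$/, "");
  const m = /^SSH-(\d+\.\d+)-([^\s]+)(?:\s+(.*))?$/.exec(trimmed);
  if (!m) return null;
  return { protoversion: m[1], softwareversion: m[2], comments: m[3] || "" };
}

function opensshVersion(softwareversion) {
  // "OpenSSH_9.1p1" -> { major: 9, minor: 1, patch: "p1" }; null if not OpenSSH.
  const m = /^OpenSSH_(\d+)\.(\d+)(p\d+)?/.exec(softwareversion);
  if (!m) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: m[3] || "" };
}

function isAffectedByCve202325136(banner) {
  const parsed = parseSshBanner(banner);
  if (!parsed) return false;
  const v = opensshVersion(parsed.softwareversion);
  // Distribution backports can patch 9.1 without changing the banner, which is
  // exactly the false-positive risk the maintainers raise, so a hit here means
  // "needs verification", not "vulnerable".
  return v !== null && v.major === 9 && v.minor === 1;
}

function triageBanners(banners) {
  // Return only the hosts whose banner needs follow-up, keyed by host,
  // with the advertised software version as the value.
  const hits = {};
  for (const [host, banner] of Object.entries(banners)) {
    if (isAffectedByCve202325136(banner)) {
      hits[host] = parseSshBanner(banner).softwareversion;
    }
  }
  return hits;
}

// Constructed sample banners for the example; these are not real hosts.
const SAMPLE_BANNERS = {
  "10.0.0.1:22": "SSH-2.0-OpenSSH_9.1\r\n",
  "10.0.0.2:2222": "SSH-2.0-OpenSSH_9.1p1 Debian-1\r\n",
  "10.0.0.3:22": "SSH-2.0-OpenSSH_9.2\r\n",
  "10.0.0.4:22": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
  "10.0.0.5:22": "SSH-2.0-dropbear_2022.83\r\n",
  "10.0.0.6:22": "not an ssh banner\r\n",
};

const HITS = triageBanners(SAMPLE_BANNERS);
console.log(HITS); // two hosts: 10.0.0.1:22 and 10.0.0.2:2222
```

Note that the second sample host listens on 2222, which is the situation raised in the thread: the port is part of the input key, not of the banner check, so the triage logic is unchanged for non-default ports.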
Template for?
CVE-2023-25136
Details:
I'm not sure which approach I should go with for this template, like network protocol or SSH JavaScript?
Like that? According to the PoC https://github.com/ticofookfook/CVE-2023-25136 it also connects with no password if the vuln is valid