Spawn to shell without any credentials by using CVE-2018-10933
Clone or download
Pull request Compare This branch is 16 commits behind blacknbunny:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Spawn to shell without any credentials by using CVE-2018-10933

Information about CVE-2018-10933 by libSSH :

Bugfix Release by libSSH :

Find the right server with these fingerprints:

Generate Fake SSH Key for

Create a ssh server that vulnerable to channels OR directly use tool to bypass remote server:

Important : "People trying to reproduce libssh bug: the sample code (samplesshd-cb) is not vuln because it has explicit auth handlers. You can open a channel but nothing will happen."

As we can see this section is just for opening channel. You can't spawn to a shell in server that ran by "samplesshd-cb"

It's just for opening channel. PoCs that i wrote is just for remote hosts.

Download, uncompress and build the vulnerable libSSH Version :

And then compile and run libSSH on your own server with ssh.

PWD: /libssh-0.7.4/build/examples/samplesshd-cb
./samplesshd-cb --dsakey==yourdsakey --port=2222

libSSH Authentication Bypass with two different tools

If you have got any fake ssh keys use the second

pip install -r requirements.txt
If paramiko==2.0.8 doesn't works try : pip install paramiko==2.4.2

python --help
python --help libSSH