Problem about poc.py of CVE-2016-3115 #5

Closed
ghost opened this issue Aug 28, 2018 · 3 comments

ghost commented Aug 28, 2018

environment:

clients:

  • openssh 7.7p1
  • openssl 1.0.2o
  • kali 2018-2
  • python 2.7.15

server:

  • openssh 6.6.1p1
  • openssl 1.0.1f
  • Ubuntu 14.0.4.1-LTS
  • X11Forward yes

It seemed that I used this poc.py to log in as user2 successfully.
But when I typed ".info" or any other command, it crashed like this:

Traceback (most recent call last):
  File "poc.py", line 152, in <module>
    LOGGER.info(ex.exploit_fwd_readfile(cmd.split(" ",1)[1]))
  File "poc.py", line 52, in exploit_fwd_readfile
    data = self.exploit("xxxx\nsource %s\n"%path)
  File "poc.py", line 38, in exploit
    session.request_x11(auth_cookie=cmd)
  File "/usr/lib/python2.7/dist-packages/paramiko/channel.py", line 63, in _check
    return func(self, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/paramiko/channel.py", line 474, in request_x11
    self._wait_for_event()
  File "/usr/lib/python2.7/dist-packages/paramiko/channel.py", line 1198, in _wait_for_event
    raise e
paramiko.ssh_exception.SSHException: Channel closed.

@tintinweb
Owner

hi @hawthorninsummer, what does the server log say?

@ghost
Author

ghost commented Aug 29, 2018

Aug 29 16:00:44 localhost sshd[16899]: Accepted password for user2 from [kali ip] port 31959 ssh2
Aug 29 16:00:44 localhost sshd[16899]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Aug 29 16:00:44 localhost systemd-logind[793]: New session 4 of user user2.
Aug 29 16:00:48 localhost sshd[16933]: error: Invalid X11 forwarding data
Aug 29 16:00:48 localhost sshd[16899]: pam_unix(sshd:session): session closed for user user2

It said invalid X11 forwarding data!

@tintinweb
Owner

tintinweb commented Aug 29, 2018

your opensshd seems to be patched already --> https://github.com/openssh/openssh-portable/blame/6728f31bdfdc864d192773c32465b1860e23f556/session.c#L2027
this error was introduced with the fix for this cve.

cheers,
tin
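
On a patched sshd the rejected request leaves the "error: Invalid X11 forwarding data" line quoted in the server log above, written under a different sshd PID than the login it belongs to. The following is an added example, not part of the original thread or the project's code: it scans auth-log text for that line and lists the logins on the same host within a time window. The sample log is constructed from the quoted lines with a documentation address in place of the source IP; the function name, the 60-second window and the year default are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the sshd lines quoted in this thread
# (source address replaced with a documentation address; last line invented).
SAMPLE_LOG = """\
Aug 29 16:00:44 localhost sshd[16899]: Accepted password for user2 from 192.0.2.10 port 31959 ssh2
Aug 29 16:00:44 localhost sshd[16899]: pam_unix(sshd:session): session opened for user user2 by (uid=0)
Aug 29 16:00:44 localhost systemd-logind[793]: New session 4 of user user2.
Aug 29 16:00:48 localhost sshd[16933]: error: Invalid X11 forwarding data
Aug 29 16:00:48 localhost sshd[16899]: pam_unix(sshd:session): session closed for user user2
Aug 29 17:30:00 localhost sshd[17001]: Accepted publickey for alice from 192.0.2.20 port 40000 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
X11_REJECT = "error: Invalid X11 forwarding data"

def find_rejected_x11(log_text, window_seconds=60, year=2018):
    """Return one finding per rejected X11 request, with candidate logins.

    The error is logged by a different sshd PID than the login, so the
    correlation is by host and time window, not by PID.
    """
    logins, findings = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line (e.g. systemd-logind)
        # Classic syslog timestamps carry no year; it is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, pid, msg = m.group(2), int(m.group(3)), m.group(4)
        acc = ACCEPTED.match(msg)
        if acc:
            logins.append({"time": ts, "host": host,
                           "user": acc.group(2), "source": acc.group(3)})
        elif msg.startswith(X11_REJECT):
            cutoff = ts - timedelta(seconds=window_seconds)
            recent = [l for l in logins
                      if l["host"] == host and cutoff <= l["time"] <= ts]
            findings.append({"time": ts, "host": host, "pid": pid,
                             "candidates": recent})
    return findings

if __name__ == "__main__":
    for f in find_rejected_x11(SAMPLE_LOG):
        who = [(c["user"], c["source"]) for c in f["candidates"]]
        print(f["time"], f["host"], "rejected X11 request; recent logins:", who)
```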
