关联漏洞
标题:
OpenSSH 安全漏洞
(CVE-2024-6387)
描述:OpenSSH(OpenBSD Secure Shell)是加拿大OpenBSD计划组的一套用于安全访问远程计算机的连接工具。该工具是SSH协议的开源实现,支持对所有的传输进行加密,可有效阻止窃听、连接劫持以及其他网络级的攻击。 OpenSSH 存在安全漏洞,该漏洞源于信号处理程序中存在竞争条件,攻击者利用该漏洞可以在无需认证的情况下远程执行任意代码并获得系统控制权。
描述
SSH Exploit for CVE-2024-6387 : RCE in OpenSSH's server, on glibc-based Linux systems
介绍
# CVE-2024-6387
CVE-2024-6387 is a hypothetical example, but let's assume it is a real-world vulnerability in the OpenSSH server implementation. This vulnerability could involve a buffer overflow or memory corruption issue that allows remote attackers to execute arbitrary code on the server. Here’s a high-level explanation of how such a vulnerability could be exploited:
1. Heap Spraying: The attacker prepares the heap in a way that makes it predictable.
2. Memory Corruption: The attacker sends specially crafted packets that cause memory corruption.
3. Arbitrary Code Execution: The attacker places shellcode (malicious code) in a known location and redirects execution to it.
# The Exploit Code
The provided Python code is an exploit designed to take advantage of CVE-2024-6387. Here's a detailed breakdown of the steps it takes:
Setup Connection: Establishes a TCP connection to the target SSH server.
```python
def setup_connection(ip, port):
# ...
```
Send and Receive Packets: Handles sending and receiving packets to/from the SSH server.
```python
def send_packet(sock, packet_type, data):
# ...
```
SSH Version Exchange: Initiates the SSH handshake by sending and receiving the SSH version string.
```python
def send_ssh_version(sock):
# ...
def receive_ssh_version(sock):
# ...
```
Key Exchange Init (KEX_INIT): Sends and receives the key exchange initialization packet.
```python
def send_kex_init(sock):
# ...
def receive_kex_init(sock):
# ...
```
Perform SSH Handshake: Combines the above steps to complete the SSH handshake.
```python
def perform_ssh_handshake(sock):
# ...
```
Heap Preparation: Sends a series of packets to manipulate the heap state on the server.
```python
def prepare_heap(sock):
# ...
```
Fake File Structure: Creates fake file structures to exploit the memory corruption vulnerability.
```python
def create_fake_file_structure(data, glibc_base):
# ...
```
Measure Parsing Time: Measures the time taken by the server to parse certain packets, helping to time the final exploit correctly.
```python
def time_final_packet(sock):
# ...
```
Public Key Packet: Crafts a packet containing the exploit payload, including the shellcode.
```python
def create_public_key_packet(packet, size, glibc_base):
# ...
```
Race Condition Exploit: Attempts to exploit the race condition by timing the final packet correctly.
```python
def attempt_race_condition(sock, parsing_time, glibc_base):
# ...
```
Main Function: Coordinates the overall exploit process, including multiple attempts with different glibc bases.
```python
def main():
# ...
```
# Exploitation Workflow
- [x] Connection Setup: The exploit starts by setting up a connection to the SSH server.
- [x] Handshake and Heap Preparation: The exploit performs the SSH handshake and sends multiple packets to prepare the heap.
- [x] Timing Measurement: The exploit measures the server's response time to certain packets to gauge the timing of the final exploit.
- [x] Final Exploit Attempt: The exploit crafts and sends a final packet that contains the shellcode. It attempts to send this packet in such a way that it triggers the vulnerability.
# Additional Considerations
- [x] Robust Error Handling: The provided code includes improved error handling to ensure that the script can recover from common network issues.
- [x] Modularity: The code is modular, making it easier to understand and maintain.
- [x] Timing and Synchronization: Exploiting a race condition often requires precise timing, which the script attempts to handle by measuring and adjusting the timing of packet sends.
# Summary
CVE-2024-6387 represents a severe vulnerability in OpenSSH that allows remote code execution. The provided Python script exploits this vulnerability by manipulating the heap and timing packet sends to cause memory corruption, ultimately executing the attacker's shellcode on the server. The script demonstrates typical exploit development techniques, including heap spraying, memory corruption, and precise timing for race conditions.
文件快照
[4.0K] /data/pocs/1d094c9c9bbdd32920cfac60ced45049103a77e3
├── [7.6K] CVE-2024-6387.py
├── [ 543] CVE-2024-6387.yaml
├── [1.0K] LICENSE
└── [4.1K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。