POC details: 2d3f425d4f644d896668fb8fd84b5d57a77bef7b

Source
Related vulnerability
Title: OpenSSH sshd security vulnerability (CVE-2016-10708)
Description: OpenSSH (OpenBSD Secure Shell) is a set of connection tools maintained by the OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol; it encrypts all traffic and effectively prevents eavesdropping, connection hijacking and other network-level attacks. sshd is one of its standalone daemons. sshd in OpenSSH versions before 7.4 has a security vulnerability: a remote attacker can exploit it with out-of-order NEWKEYS messages to cause a denial of service (NULL pointer dereference and daemon crash).
Description
This proof-of-concept script exploits a vulnerability in OpenSSH versions prior to 7.4 (CVE-2016-10708) by sending unexpected `SSH_MSG_NEWKEYS` packets.
Introduction
# SSH NEWKEYS Flood PoC (CVE-2016-10708)

---

## Description

This proof-of-concept script exploits a vulnerability in OpenSSH versions prior to 7.4 (CVE-2016-10708) by sending unexpected `SSH_MSG_NEWKEYS` packets, which can result in a denial of service. It can operate in two modes:

- **scan**: Connects to one or more SSH servers, retrieves their banner, parses the OpenSSH version, and reports whether the target is vulnerable.
- **attack**: Opens multiple simultaneous connections and floods the server with crafted `NEWKEYS` messages to trigger a denial-of-service condition.

---

## Warning & Legal Notice

This tool is provided for research and educational purposes only. Unauthorized scanning or attacking of systems that you do not own or have explicit permission to test may violate applicable laws and regulations.

Use this script responsibly:

- Only run against systems you own or have been granted written permission to test.
- Review all relevant laws, regulations, and organizational policies before any testing.
- The author assumes no liability for misuse or damage resulting from this tool.

---

## Requirements

- Python 3.6 or later
- No third-party dependencies

## Command Options

- `-t, --targets`
  Comma-separated list of target IPs or hostnames (required)

- `-p, --port`
  SSH port to connect to (default: 22)

- `-m, --mode`
  Operation mode: `scan` or `attack` (required)

- `--sockets`
  Number of TCP connections to open per target (default: 5)

- `--threads`
  Maximum number of concurrent worker threads (default: 10)

- `-v, --verbose`
  Enable debug-level logging output

---

## How It Works

1. **Banner Exchange**
   In scan mode the script connects to each target and reads the SSH banner to extract the OpenSSH version.

2. **Connection Setup**
   In attack mode it opens the specified number of TCP sockets per target and immediately sends a fake client banner (`SSH-2.0-OpenSSH_8.9`), then holds the connections open.

3. **Packet Crafting**
   It builds raw SSH transport packets containing only the `SSH_MSG_NEWKEYS` payload. Packet length, padding length, and random padding are calculated to conform to the SSH binary packet protocol.

4. **Flood Loop**
   The script enters an infinite loop, sending the crafted `NEWKEYS` packet on every socket with randomized sub-millisecond delays. Unpatched sshd instances will mishandle the out-of-order `NEWKEYS` messages and eventually crash or become unstable.
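As an added example (not the `poc.py` from this repository), the banner check behind scan mode: it reads the server identification line as RFC 4253 defines it, parses the OpenSSH software version, and compares it against the fixed release 7.4. The function names (`fetch_banner`, `is_vulnerable`) and the sample banners are my own.

```python
import re
import socket
from typing import Optional, Tuple

# CVE-2016-10708 affects sshd in OpenSSH releases before 7.4.
FIXED_VERSION = (7, 4)

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# Software field looks like OpenSSH_7.2p2 or OpenSSH_8.9p1; the "pN"
# portable suffix and any distro-specific tail are not part of the version.
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")


def parse_banner(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split an identification string into (protoversion, softwareversion, comments)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("proto"), m.group("software"), m.group("comments")


def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH software string, else None."""
    m = OPENSSH_RE.match(software)
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner advertises OpenSSH < 7.4, False if >= 7.4,
    None if the server is not OpenSSH or the line does not parse."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    version = openssh_version(parsed[1])
    if version is None:
        return None
    return version < FIXED_VERSION


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line. RFC 4253 allows the server to
    send other lines first, so skip anything that does not start with SSH-."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(20):
            line = reader.readline().decode("ascii", "replace")
            if not line:
                break
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    return ""
```

The banner only reveals the upstream version string, so a distribution that backports the fix while keeping an older version number will still be reported as vulnerable; confirm against the vendor's package changelog before acting on the result.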
File snapshot

```
[4.0K] /data/pocs/2d3f425d4f644d896668fb8fd84b5d57a77bef7b
├── [6.9K] LICENSE
├── [7.2K] poc.py
└── [2.4K] README.md

0 directories, 3 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.