Related vulnerability
Title:
OpenSSH CBC mode information disclosure vulnerability
(CVE-2008-5161)
Description: OpenSSH is an open-source implementation of the SSH protocol, originally written for OpenBSD and since ported to many Unix/Linux operating systems. When configured to use CBC mode, OpenSSH does not correctly handle errors that occur in an SSH session encrypted with a block cipher, which could disclose up to 32 bits of plaintext from an arbitrary block of ciphertext. Against OpenSSH in its default configuration, an attacker recovers 32 bits of plaintext with a success probability of 2^{-18}; a variant of the attack recovers 14 bits of plaintext with a success probability of 2^{-14}.
Description
CVE-2008-5161 OpenSSH 4.7p1 Audit Helper Automates version checking and credential auditing of legacy OpenSSH 4.7p1 (Debian-8ubuntu1) targets by driving Metasploit’s auxiliary/scanner/ssh/ssh_login module from Python via pwntools.
Introduction
# CVE-2008-5161 OpenSSH 4.7p1 Audit Helper
Automates version checking and credential auditing of legacy OpenSSH 4.7p1 (Debian-8ubuntu1) targets by driving Metasploit’s `auxiliary/scanner/ssh/ssh_login` module from Python via pwntools.
This project is intended for research and authorized security testing only.
```
____ _____ _____ _ _
/ __ \ / ____/ ____| | | |
| | | |____ ___ _ __ | (___| (___ | |__| |
| | | | '_ \ / _ \ '_ \ \___ \\___ \| __ |
| |__| | |_) | __/ | | |____) |___) | | | |
\____/| .__/ \___|_| |_|_____/_____/|_| |_|
| |
|_|
```
- Author: Talha Ahmed (CoreBridge)
- CVE context: CVE-2008-5161
- Script language: Python 3
- Tooling: pwntools + Metasploit Framework
---
## What this tool does
- Connects to an SSH service on a given host (default port 22).
- Reads the banner and verifies it includes `OpenSSH_4.7p1 Debian-8ubuntu1`.
- If a match is found, launches `msfconsole` quietly and runs:
  - `auxiliary/scanner/ssh/ssh_login`
  - Sets `RHOSTS`, `userpass_file`, `stop_on_success`, `threads`, and `verbose`
  - Starts the module and drops into interactive Metasploit
- Shows basic progress and status messages via pwntools’ logger.
Important note about CVE-2008-5161:
- CVE-2008-5161 is a CBC-mode information leakage issue in SSH. This script does not implement a CBC plaintext-recovery attack. Instead, it performs a version check and then automates a credential audit against that target using Metasploit’s `ssh_login` module. Treat it as a helper/automation layer, not a standalone CVE exploit.
---
## Ethics and legal
- Use only on systems you own or are explicitly authorized to test.
- Unauthorized access to computer systems is illegal and unethical.
- The authors and contributors are not responsible for misuse or damage.
---
## Requirements
- OS: Linux (Kali, Ubuntu, etc.)
- Python: 3.8+
- Tools:
  - Metasploit Framework (with `msfconsole` in PATH)
  - pwntools (`pip install pwntools`)
- Wordlist:
  - A combined `user:pass` file. The script references `/usr/share/wordlists/metasploit/piata_ssh_userpass.txt`; adjust this path to a wordlist available on your system.
---
## Installation
1. Install Metasploit Framework
   - On Kali: `sudo apt install metasploit-framework`
   - Verify: `msfconsole -v`
2. Install Python dependencies
   - `python3 -m pip install --upgrade pip`
   - `python3 -m pip install pwntools`
3. Get or create a user:password list
   - Example format (one per line): `user1:password1`
   - Update the path in the script if your wordlist is elsewhere.
4. Place the script (e.g., `exploit_ssh.py`) in your project directory.
Heads-up:
- The script uses `random.choice(...)` to print the banner but doesn’t import `random`. Add `import random` at the top if you see `NameError: name 'random' is not defined`.
---
## Usage (in a lab you control)
- Run: `python3 exploit_ssh.py`
- Enter the target IP when prompted.
- If the banner matches, the tool will start Metasploit and automate `ssh_login`.
- On success, it will attempt to show and interact with the session.
Environment example:
- Target must expose SSH on port 22 and present a banner like `SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1`.
Note:
- The current banner check is exact and strict. Systems with minor banner variations (e.g., `Debian-8ubuntu1.2`) will not match. See “Customization” below to relax the check.
---
## Customization
- Port:
  - Change the default port by editing `ExploitSSH(ip, port=22)`.
- Wordlist path:
  - Update this line to your file: `set userpass_file /path/to/your/userpass.txt`
- Threads and behavior:
  - `set threads 12` and `set stop_on_success true` can be tuned for your lab setup.
- Banner check:
  - Current logic uses:
    - `io.recvuntil(b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1")`
    - And checks for `"OpenSSH_4.7p1"`
  - For broader matching, replace the strict `recvuntil(...)` with:
    - `banner = io.recvline(timeout=5)` and then search for substrings like `"OpenSSH_4.7p1"`.
  - Consider adding a timeout to avoid hangs on non-matching targets.
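The relaxed banner check described above, written as an added stand-alone example (not the project's own code): it reads one banner line with a timeout instead of a blocking `recvuntil(...)`, parses `OpenSSH_<version>` with a regex, and flags the 4.7p1 Debian build including point-release variants such as `Debian-8ubuntu1.2`. The `grab_banner` helper is an assumed plain-socket replacement for the script's pwntools wiring; the parser itself needs no network and can be tested offline.

```python
import re
import socket

# Banner line shape: "SSH-<protoversion>-<softwareversion>[ <comments>]"
# (RFC 4253 section 4.2). Only OpenSSH banners are matched here.
BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-OpenSSH_(?P<version>[0-9]+\.[0-9]+(?:p[0-9]+)?)"
    rb"(?:[ ](?P<comments>[^\r\n]*))?"
)

# Build the README's tool looks for. The Debian revision may carry a
# point-release suffix such as "Debian-8ubuntu1.2", so it is matched as a prefix.
TARGET_VERSION = "4.7p1"
TARGET_COMMENT_PREFIX = "Debian-8ubuntu1"


def parse_banner(line: bytes):
    """Return {'proto', 'version', 'comments'} or None for a non-OpenSSH banner."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"].decode(),
        "version": m["version"].decode(),
        "comments": (m["comments"] or b"").decode(errors="replace"),
    }


def is_target_build(info) -> bool:
    """True for OpenSSH 4.7p1 Debian-8ubuntu1 and its point releases."""
    return (
        info is not None
        and info["version"] == TARGET_VERSION
        and info["comments"].startswith(TARGET_COMMENT_PREFIX)
    )


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read one banner line with a timeout so a silent or non-SSH host cannot
    hang the check (assumed wiring; the original script uses pwntools instead)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 255:  # RFC 4253 line limit
            chunk = s.recv(1)
            if not chunk:
                break
            buf += chunk
    return buf
```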
---
## Troubleshooting
- msfconsole not found
  - Ensure Metasploit is installed and `msfconsole` is in PATH.
- No module named pwn
  - Install pwntools: `python3 -m pip install pwntools`
- Script hangs on banner check
  - The strict `recvuntil(...)` may block if the banner differs.
  - Switch to `recvline(timeout=5)` and check with substring logic.
- Wordlist file not found
  - Ensure the path exists or update the script’s `userpass_file` setting.
- Metasploit session handling
  - The script enters `msf.interactive()`, so lines after that may not execute until the session ends. If you prefer fully-automated session handling, remove interactive mode and parse `sessions` programmatically.
---
## Project structure
- Single Python script with:
  - A simple banner
  - `ExploitSSH` class
  - SSH banner verification
  - Metasploit automation via pwntools
---
## Roadmap ideas
- Relaxed banner detection with timeouts and regex matching
- Support for additional OpenSSH versions and fingerprints
- Config file for module options and wordlist paths
- Native param parsing (`argparse`) instead of interactive input
- Non-interactive session handling and reporting
- Dockerized lab harness
---
## Credits
- Author: Talha Ahmed | CoreBridge
- Built with:
  - pwntools — https://docs.pwntools.com/
  - Metasploit Framework — https://www.metasploit.com/
- CVE reference:
  - CVE-2008-5161 — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161
---
## License
Add a LICENSE file to your repository. Common choices:
- MIT — Permissive, simple, widely used
- Apache-2.0 — Permissive with patent grant
- GPL-3.0 — Strong copyleft
---
## Disclaimer
This project is for educational and authorized security testing only. The authors and contributors disclaim all liability for misuse or damage.
File snapshot
[4.0K] /data/pocs/5e9027df77f26a8c9347386e9af12e35467a7d47
├── [1.0K] LICENSE
├── [2.3K] openssh.py
└── [5.8K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the code via its original source.
2. If the source is unavailable or cannot be accessed, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.