Skip to content

havokzero/RustgreSSHion

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
src
src
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
README.md
README.md
 
 
security_advisory.txt
security_advisory.txt
 
 

Repository files navigation

RustgreSSHion

Overview

RustgreSSHion is a Rust-based tool designed to exploit a known vulnerability in certain versions of OpenSSH. The vulnerability is related to a race condition in the SSH banner exchange, which can be manipulated to trigger a specific heap-based memory flaw, leading to potential remote code execution. the CVE-2024-6387 which has been dubbed RegreSSHion.

This project is created for educational and legal penetration testing purposes. It allows you to attempt an exploit on vulnerable SSH servers, particularly targeting specific OpenSSH versions, by sending crafted packets and interacting with the server.

Vulnerability

This vulnerability affects certain versions of OpenSSH (e.g., 8.5 - 9.7) where a race condition in the SSH banner exchange phase can be exploited. The attacker can manipulate memory to force the SSH daemon into an unstable state, eventually allowing arbitrary code execution and SSH login bypass to a root shell.

This project utilizes heap manipulation techniques to simulate a crafted file structure in memory, sending malformed SSH packets that exploit the vulnerable versions of OpenSSH.

Running RustgreSSHion

Steps to Run

  1. Clone the Repository:

    git clone [https://github.com/yourusername/RustgreSSHion.git](https://github.com/havokzero/RustgreSSHion.git)
cd RustgreSSHion

  2. Build the Project:

    cargo build --release

  3. Run the Exploit:

    Provide the target IP and SSH port when running the program.

    cargo run <target_ip> <target_port>

    Example:

    cargo run 192.168.1.100 22

  4. Monitor SSH Logs:

    You can use this command to monitor incoming SSH connections on the server:

    tail -f /var/log/secure

How the Exploit Works

  1. SSH Banner Grab: The tool connects to the SSH server and attempts to retrieve the SSH banner to determine the version of OpenSSH running.

  2. Vulnerability Check: It uses a regular expression to identify whether the SSH server version is vulnerable.

  3. Heap Manipulation: The tool uses crafted packets to manipulate the memory layout of the server by simulating heap operations, sending fake file structures.

  4. Shell Interaction: If successful, it attempts to spawn a remote shell on the vulnerable system. However, failure to do so may result in the server forcibly closing the connection.

Example Output

Connecting to SSH server at 192.168.1.100:22
Connected to the SSH server.
SSH Banner: SSH-2.0-OpenSSH_8.5

This version of OpenSSH is vulnerable.
Target is vulnerable. Proceeding with exploit...
Attempting exploit with glibc base: 0x7f13d808d000
Sending crafted exploit packet #1...
Sending packet #1...
Possible race condition hit!
Exploit succeeded.
Interacting with shell...
Error reading from shell: An existing connection was forcibly closed by the remote host. (os error 10054)  <-- this happens mostly due to bad glib bases
Shell closed connection.
Exploit process completed.

About

Testing

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages