Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-10933 PoC — libssh server-side state machine 安全漏洞

Source
https://github.com/blacknbunny/CVE-2018-10933
Associated Vulnerability
Title:libssh server-side state machine 安全漏洞 (CVE-2018-10933)
Description:A vulnerability was found in libssh's server-side state machine before versions 0.7.6 and 0.8.4. A malicious client could create channels without first performing authentication, resulting in unauthorized access.
Description
Spawn to shell without any credentials by using CVE-2018-10933 (LibSSH)
Readme
# libSSH-Authentication-Bypass
Spawn to shell without any credentials by using CVE-2018-10933

Exploit-DB : https://www.exploit-db.com/exploits/45638

Information about CVE-2018-10933 by libSSH : https://www.libssh.org/security/advisories/CVE-2018-10933.txt

Bugfix Release by libSSH : https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-bugfix-release/

### Usage
```
// If paramiko==2.0.8 doesn't works try : pip install paramiko==2.4.2

pip install -r requirements.txt
python libsshauthbypass.py --help

Example:
python libsshauthbypass.py --host 0.0.0.0 --port 22 --command "cat /etc/passwd" --logfile newlogfile.log
```

## Youtube videos that shows how to exploit libSSH by using this PoC (Proof Of Concept) 
[PoC_1](https://www.youtube.com/watch?v=2mBNS2vxSIU)

[PoC_2](https://www.youtube.com/watch?v=ZSWQjmfcn4g)


## Find the right server with these fingerprints:
https://gist.github.com/0x4D31/35ddb0322530414bbb4c3288292749cc

## Check the version of server that you trying to bypass with testversionofserver.py
If output is 0.7.5, 0.6.*, or lowest then the server is vulnerable.

If isn't then it's probably patched, truncated or not using libSSH.

## Shodan.io libSSH
( 22 Port is default, other ports like (2222, 3333, 4444) might be including libSSH )

![](https://i.imgur.com/SWEfcGR.png)
File Snapshot

 [4.0K]  /data/pocs/41d5646e80dfd9633e7ec67d051457ffa8e2249b
├── [ 765]  checkversionofserver.py
├── [1.7K]  libsshauthbypass.py
├── [1.3K]  README.md
└── [  17]  requirements.txt

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →