
CVE-2008-5161 PoC — OpenSSH CBC-mode information leakage vulnerability

Associated Vulnerability
Title: OpenSSH CBC-mode information leakage vulnerability (CVE-2008-5161)
Description: Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Readme
# CVE-2008-5161 OpenSSH 4.7p1 Audit Helper

Automates version checking and credential auditing of legacy OpenSSH 4.7p1 (Debian-8ubuntu1) targets by driving Metasploit’s `auxiliary/scanner/ssh/ssh_login` module from Python via pwntools.

This project is intended for research and authorized security testing only.

```
   ____                    _____ _____ _    _
  / __ \                  / ____/ ____| |  | |
 | |  | |____   ___ _ __ | (___| (___ | |__| |
 | |  | | '_ \ / _ \ '_ \ \___ \\___ \|  __  |
 | |__| | |_) |  __/ | | |____) |___) | |  | |
  \____/| .__/ \___|_| |_|_____/_____/|_|  |_|
        | |
        |_|
```

- Author: Talha Ahmed (CoreBridge)
- CVE context: CVE-2008-5161
- Script language: Python 3
- Tooling: pwntools + Metasploit Framework

---

## What this tool does

- Connects to an SSH service on a given host (default port 22).
- Reads the banner and verifies it includes `OpenSSH_4.7p1 Debian-8ubuntu1`.
- If a match is found, launches `msfconsole` quietly and runs:
  - `auxiliary/scanner/ssh/ssh_login`
  - Sets `RHOSTS`, `userpass_file`, `stop_on_success`, `threads`, and `verbose`
  - Starts the module and drops into interactive Metasploit
- Shows basic progress and status messages via pwntools’ logger.

Important note about CVE-2008-5161:
- CVE-2008-5161 is a CBC-mode information leakage issue in SSH. This script does not implement a CBC plaintext-recovery attack. Instead, it performs a version check and then automates a credential audit against that target using Metasploit’s `ssh_login` module. Treat it as a helper/automation layer, not a standalone CVE exploit.

---

## Ethics and legal

- Use only on systems you own or are explicitly authorized to test.
- Unauthorized access to computer systems is illegal and unethical.
- The authors and contributors are not responsible for misuse or damage.

---

## Requirements

- OS: Linux (Kali, Ubuntu, etc.)
- Python: 3.8+
- Tools:
  - Metasploit Framework (with `msfconsole` in PATH)
  - pwntools (`pip install pwntools`)
- Wordlist:
  - A combined `user:pass` file. The script references:
    `/usr/share/wordlists/metasploit/piata_ssh_userpass.txt`
    Adjust this path to a wordlist available on your system.

---

## Installation

1. Install Metasploit Framework
   - On Kali: `sudo apt install metasploit-framework`
   - Verify: `msfconsole -v`

2. Install Python dependencies
   - `python3 -m pip install --upgrade pip`
   - `python3 -m pip install pwntools`

3. Get or create a user:password list
   - Example format (one per line): `user1:password1`
   - Update the path in the script if your wordlist is elsewhere.

4. Place the script (e.g., `exploit_ssh.py`) in your project directory.

Heads-up:
- The script uses `random.choice(...)` to print the banner but doesn’t import `random`. Add `import random` at the top if you see `NameError: name 'random' is not defined`.

---

## Usage (in a lab you control)

- Run: `python3 exploit_ssh.py`
- Enter the target IP when prompted.
- If the banner matches, the tool will start Metasploit and automate `ssh_login`.
- On success, it will attempt to show and interact with the session.

Environment example:
- Target must expose SSH on port 22 and present a banner like:
  `SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1`

Note:
- The current banner check is exact and strict. Systems with minor banner variations (e.g., `Debian-8ubuntu1.2`) will not match. See “Customization” below to relax the check.

---

## Customization

- Port:
  - Change the default port by editing `ExploitSSH(ip, port=22)`.

- Wordlist path:
  - Update this line to your file:
    `set userpass_file /path/to/your/userpass.txt`

- Threads and behavior:
  - `set threads 12` and `set stop_on_success true` can be tuned for your lab setup.

- Banner check:
  - Current logic uses:
    - `io.recvuntil(b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1")`
    - And checks for `"OpenSSH_4.7p1"`
  - For broader matching, replace the strict `recvuntil(...)` with:
    - `banner = io.recvline(timeout=5)` and then search for substrings like `"OpenSSH_4.7p1"`.
  - Consider adding a timeout to avoid hangs on non-matching targets.
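The relaxed, timeout-bounded banner check described under "Banner check" above (and in the "Script hangs on banner check" troubleshooting entry), as an added example that is not the project's own `openssh.py`: it parses the RFC 4253 identification line, matches the software field by regex so suffixes such as `Debian-8ubuntu1.2` still match, and reads the banner with a socket timeout so a silent or non-SSH service cannot hang the check. The sample banners are constructed and the function names are my own.

```python
import re
import socket
from typing import Dict, Optional

# Constructed sample identification lines (not captured from any real host).
SAMPLE_BANNERS = [
    b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n",    # exact match the script expects
    b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2\r\n",  # minor variation: strict recvuntil() misses it
    b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",   # modern release, must not match
    b"SSH-1.99-OpenSSH_4.7\r\n",                      # no comment field at all
    b"220 mail.example.test ESMTP\r\n",              # not SSH: parse must fail, not hang
]

# RFC 4253 §4.2: SSH-protoversion-softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# Software versions this helper is meant to audit (4.7 with any patch level).
TARGET_RE = re.compile(r"^OpenSSH_4\.7(?:p\d+)?$")


def parse_banner(line: bytes) -> Optional[Dict[str, str]]:
    """Split an identification line into proto/software/comment; None if not SSH."""
    m = BANNER_RE.match(line.strip().decode("ascii", "replace"))
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def is_target_version(line: bytes) -> bool:
    """Regex match on the software field only, so comment suffixes never break detection."""
    parsed = parse_banner(line)
    return parsed is not None and TARGET_RE.match(parsed["software"]) is not None


def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[bytes]:
    """Read one line with a hard timeout instead of a blocking recvuntil(); None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            buf = b""
            while not buf.endswith(b"\n") and len(buf) < 255:  # RFC 4253 line limit
                chunk = s.recv(1)
                if not chunk:
                    break
                buf += chunk
            return buf or None
    except OSError:  # includes socket.timeout and connection refused
        return None


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(b.strip().decode("ascii", "replace"), "->", is_target_version(b))
```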

---

## Troubleshooting

- msfconsole not found
  - Ensure Metasploit is installed and `msfconsole` is in PATH.

- No module named pwn
  - Install pwntools: `python3 -m pip install pwntools`

- Script hangs on banner check
  - The strict `recvuntil(...)` may block if the banner differs.
  - Switch to `recvline(timeout=5)` and check with substring logic.

- Wordlist file not found
  - Ensure the path exists or update the script’s `userpass_file` setting.

- Metasploit session handling
  - The script enters `msf.interactive()`, so lines after that may not execute until the session ends. If you prefer fully-automated session handling, remove interactive mode and parse `sessions` programmatically.

---

## Project structure

- Single Python script with:
  - A simple banner
  - `ExploitSSH` class
  - SSH banner verification
  - Metasploit automation via pwntools

---

## Roadmap ideas

- Relaxed banner detection with timeouts and regex matching
- Support for additional OpenSSH versions and fingerprints
- Config file for module options and wordlist paths
- Native param parsing (`argparse`) instead of interactive input
- Non-interactive session handling and reporting
- Dockerized lab harness

---

## Credits

- Author: Talha Ahmed | CoreBridge
- Built with:
  - pwntools — https://docs.pwntools.com/
  - Metasploit Framework — https://www.metasploit.com/
- CVE reference:
  - CVE-2008-5161 — https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5161

---

## License

Add a LICENSE file to your repository. Common choices:
- MIT — Permissive, simple, widely used
- Apache-2.0 — Permissive with patent grant
- GPL-3.0 — Strong copyleft


---

## Disclaimer

This project is for educational and authorized security testing only. The authors and contributors disclaim all liability for misuse or damage.
File Snapshot

```
[4.0K] /data/pocs/5e9027df77f26a8c9347386e9af12e35467a7d47
├── [1.0K] LICENSE
├── [2.3K] openssh.py
└── [5.8K] README.md

1 directory, 3 files
```