Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2018-15473 PoC — OpenSSH 竞争条件问题漏洞

Source
https://github.com/jubeenshah/CVE-2018-15473-Exploit
Associated Vulnerability
Title:OpenSSH 竞争条件问题漏洞 (CVE-2018-15473)
Description:OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
Description
Exploit Code for CVE-2018-15473
Readme
# CVE-2018-15473-Exploit

**Updated version with modern Python/Paramiko compatibility**

On August 15th, 2018, the following advisory was posted on the OSS-Security list: [http://openwall.com/lists/oss-security/2018/08/15/5](http://openwall.com/lists/oss-security/2018/08/15/5)

This is an improved version of the original exploit that works with modern Python environments and Paramiko versions (including 4.0.0+).

## 🚀 What's New in This Fork

- ✅ **Fixed Paramiko compatibility** - Works with Paramiko 4.0.0+ and modern Alpine Linux
- ✅ **Updated Dockerfile** - Uses Alpine packages instead of pip to avoid PEP 668 issues
- ✅ **Simplified exploit version** - `sshUsernameEnumExploit_simple.py` with better reliability
- ✅ **Improved error handling** - Better feedback and debugging information
- ✅ **Modern Python support** - Works with Python 3.10+ environments

## 📁 Repository Structure

```
CVE-2018-15473-Exploit/
├── Dockerfile                      # Updated for modern Alpine Linux
├── README.md                       # This file
├── sshUsernameEnumExploit.py      # Original exploit (with compatibility fixes)
├── sshUsernameEnumExploit_simple.py # Simplified, more reliable version
└── test_users.txt                 # Sample username list for testing
```

## 🐳 Docker Usage (Recommended)

### Build the image:
```bash
docker build -t cve-2018-15473 .
```

### Run the exploit:
```bash
# Show help
docker run --rm cve-2018-15473 --help

# Test single username
docker run --rm cve-2018-15473 <target_ip> --username admin

# Test multiple usernames from file
docker run --rm -v /path/to/userlist.txt:/userlist.txt cve-2018-15473 <target_ip> --userList /userlist.txt

# Save results to file
docker run --rm -v /path/to/output:/output cve-2018-15473 <target_ip> --userList /userlist.txt --outputFile /output/results.json --outputFormat json
```

### Clean up:
```bash
# Remove containers and image
docker ps -a | awk '$2 == "cve-2018-15473" {print $1}' | xargs docker rm
docker rmi cve-2018-15473
```

## 🖥️ Local Usage

### Prerequisites
- Python 3.7+
- Paramiko library

### Installation
```bash
# Install paramiko
pip install paramiko

# Or use the simplified version (recommended for modern environments)
python3 sshUsernameEnumExploit_simple.py --help
```

## ⚙️ Features

The exploit includes the following features:

* **Threading** - Default 5 threads (configurable)
  * If more than 10 are used, often the OpenSSH service gets overwhelmed and causes retries
* **Single username evaluation** via `--username` parameter
* **Multiple username evaluation** via `--userList` parameter  
* **File output** via `--outputFile` parameter
* **Multiple output formats** (list, json, csv) via `--outputFormat` parameter
* **Configurable timeout** for connection handling
* **Improved error messages** and debugging information

## 📝 Usage Examples

### Single Username Test
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --username admin
```

### Multiple Usernames from File
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --userList test_users.txt
```

### JSON Output to File
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --userList test_users.txt --outputFile results.json --outputFormat json
```

### With Custom Threading and Timeout
```bash
python3 sshUsernameEnumExploit_simple.py 192.168.1.100 --userList test_users.txt --threads 3 --timeout 15
```

## 🎯 Target Requirements

This exploit targets:
- **Vulnerable versions**: OpenSSH < 7.7
- **Attack vector**: Username enumeration via timing attack
- **Protocol**: SSH (default port 22)

## ⚠️ Important Notes

1. **Legal Use Only**: This tool should only be used for authorized penetration testing and security research
2. **Rate Limiting**: Use appropriate threading limits to avoid overwhelming target services
3. **Patched Systems**: Modern OpenSSH versions (7.7+) are not vulnerable to this attack
4. **Network Considerations**: Ensure you have permission to test the target systems

## 🔄 Version Information

- **Original Author**: Justin Gardner, Penetration Tester @ SynerComm AssureIT
- **Original Repository**: [Rhynorater/CVE-2018-15473-Exploit](https://github.com/Rhynorater/CVE-2018-15473-Exploit)
- **This Fork**: Updated for modern Python/Paramiko compatibility by [jubeenshah](https://github.com/jubeenshah)
- **Date**: August 20, 2018 (Original) / October 26, 2025 (Updated)

## 📄 License

This project maintains the same license as the original repository. Use responsibly and in accordance with applicable laws and regulations.
File Snapshot

 [4.0K]  /data/pocs/dde70b99426e5948b8f369c27797539c058e6c73
├── [ 373]  Dockerfile
├── [4.5K]  README.md
├── [ 11K]  sshUsernameEnumExploit.py
├── [6.7K]  sshUsernameEnumExploit_simple.py
└── [  45]  test_users.txt

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →