cve-2018-15473-exploit's People

Contributors: craig, ilyaglow, konradit, rhynorater, techgaun

cve-2018-15473-exploit's Issues

TypeError: 'property' object is not subscriptable

python3.7 sshUsernameEnumExploit.py
Traceback (most recent call last):
  File "sshUsernameEnumExploit.py", line 33, in <module>
    old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
TypeError: 'property' object is not subscriptable

Unable to run the script

old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
TypeError: 'property' object is not subscriptable

Not running: "ImportError" when I run the code

I copied the code and saved it in my user_enum_new.py file; I am not good at Python.
After giving it execute permission, I ran this command, ./user_enum_new.py --username root 2.2.2.2, to exploit the CVE and find the username. This gave me an error:

Traceback (most recent call last):
  File "user_enum_new.py", line 24, in <module>
    import paramiko
ImportError: No module named paramiko

After this error I ran this command to install the paramiko module: pip install paramiko. This gave me a successful response, already satisfied:

Requirement already satisfied: paramiko in /usr/lib/python3/dist-packages (2.7.2)

Now I ran this command again: ./user_enum_new.py --username root 2.2.2.2

This also gave me the same error:

Traceback (most recent call last):
  File "user_enum_new.py", line 24, in <module>
    import paramiko
ImportError: No module named paramiko

I tried some other methods that I know; they did not work and gave the same error.

What do I need to do here? Kindly help me!

I also cloned the whole repository, CVE-2018-15473-Exploit.

After cloning, I installed the requirements.txt file with this command and also got the same "satisfied" response,

but I also got the same error after running this command: ./sshUsernameEnumExploit.py --username root 2.2.2.2

Thank you

Get the data in json

I'm trying to get the data in JSON and I'm not able to; I only get the data in the console. I use this command:

python3 sshUsernsame<enumExploit.py --port --outputFile <name_file> --outputFormat json --userList

I would like to know how I can get the data in JSON and whether I am launching the command wrong or not.

Thank you.

No vulnerabilities

I patched commit f8dc16b to get paramiko working.

However, for any host (patched or unpatched) I've tried I get:

$ docker run cve-2018-15473 --port 22 --username admin 10.193.247.57
/usr/lib/python2.7/site-packages/paramiko/kex_ecdh_nist.py:39: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
m.add_string(self.Q_C.public_numbers().encode_point())
/usr/lib/python2.7/site-packages/paramiko/kex_ecdh_nist.py:92: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
self.curve, Q_S_bytes
/usr/lib/python2.7/site-packages/paramiko/kex_ecdh_nist.py:103: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
hm.add_string(self.Q_C.public_numbers().encode_point())
Target host most probably is not vulnerable or already patched, exiting...

No license

Would you mind adding a license to make it possible to use the code?
CC0, or a permissive (like Apache 2.0, MIT or BSD) maybe?

Thank you!

Output File does not appear to be working (Outside Docker)

./sshUsernameEnumExploit.py --port 22 --outputFile /tmp/tst.txt --username collin 192.168.56.3

/home/user/.local/lib/python2.7/site-packages/paramiko/kex_ecdh_nist.py:39: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
  m.add_string(self.Q_C.public_numbers().encode_point())
/home/user/.local/lib/python2.7/site-packages/paramiko/kex_ecdh_nist.py:92: CryptographyDeprecationWarning: Support for unsafe construction of public numbers from encoded data will be removed in a future version. Please use EllipticCurvePublicKey.from_encoded_point
  self.curve, Q_S_bytes
/home/user/.local/lib/python2.7/site-packages/paramiko/kex_ecdh_nist.py:103: CryptographyDeprecationWarning: encode_point has been deprecated on EllipticCurvePublicNumbers and will be removed in a future version. Please use EllipticCurvePublicKey.public_bytes to obtain both compressed and uncompressed point encoding.
  hm.add_string(self.Q_C.public_numbers().encode_point())
collin is not a valid user!

No output file available after doing this, could be due to deprecated functions.

Incrementally write output

If using this with a large number of usernames, the execution could take some time. Therefore, if an unhandled exception occurs (e.g. communication failure, I/O error, etc.), the script will stop executing, and all intermediate results will be lost.

If the script were to write results incrementally (i.e. once per attempt), instead of at the end of the execution, any intermediate fatal issues wouldn't compromise the output data. This would work well for CSV/text output, but might need some special handling for JSON.
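
One way to implement the incremental output suggested in this issue, as an added example that is not part of the original issue or the project's code: each record is flushed to disk as it is written, and the JSON case is handled with JSON Lines (one object per line), so the file stays parseable if the run stops early. The names `IncrementalWriter`, `read_jsonl` and `simulate_interrupted_run`, the field names and the simulated failure are assumptions made for the illustration.

```python
import csv
import json
import os

class IncrementalWriter:
    """Writes one record per call and forces it to disk before returning."""
    def __init__(self, path, fmt, fields):
        if fmt not in ("csv", "json"):
            raise ValueError("unsupported format: %r" % fmt)
        self.fh = open(path, "w", newline="")
        self.rows = csv.DictWriter(self.fh, fieldnames=fields) if fmt == "csv" else None
        if self.rows:
            self.rows.writeheader()

    def write(self, record):
        if self.rows:
            self.rows.writerow(record)
        else:
            # JSON Lines: each line is a complete document, no closing "]" needed
            self.fh.write(json.dumps(record, sort_keys=True) + "\n")
        self.fh.flush()
        os.fsync(self.fh.fileno())  # survive a crash of the process or host

    def close(self):
        self.fh.close()

def read_jsonl(path):
    """Load records, skipping a final line that was cut off mid-write."""
    records = []
    with open(path) as fh:
        for line in fh:
            try:
                records.append(json.loads(line))
            except ValueError:
                pass
    return records

def simulate_interrupted_run(path):
    # Constructed demo: the loop fails on the third of four items.
    out = IncrementalWriter(path, "json", ["item", "result"])
    try:
        for n, item in enumerate(["a", "b", "c", "d"]):
            if n == 2:
                raise IOError("constructed failure")
            out.write({"item": item, "result": n})
    except IOError:
        out.close()
    return read_jsonl(path)
```

The two records written before the failure are still readable afterwards, which a single JSON array written at the end of the run would not allow.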

error display exception stack

Tried to run this script.
Got an error stack displayed:
Unknown exception: Traceback (most recent call last):
  File "D:\python3\lib\site-packages\paramiko\transport.py", line 1949, in run
    handler(self.auth_handler, m)
  File "C:\Users\Administrator\CVE-2018-15473-Exploit\sshUsernameEnumExploit.py", line 47, in call_error
    raise BadUsername()
__mp_main__.BadUsername
But the exception should not be displayed.

On my Debian, the Dockerfile has an error

I fixed this error:

master# cat ./Dockerfile
FROM debian:9
LABEL maintainer "Ilya Glotov [email protected]"

RUN apt-get update; apt-get -y install build-essential libffi-dev python-pip python-dev libssl-dev python; pip install --upgrade pip; pip install paramiko==2.4.1

COPY sshUsernameEnumExploit.py /sshUsernameEnumExploit.py

RUN chmod +x /sshUsernameEnumExploit.py

ENTRYPOINT ["python", "sshUsernameEnumExploit.py"]

I ran the container like this:

docker run --mount type=bind,source="$(pwd)",target=/cve cve-2018-15473 --port 22 --outputFile /cve/exampleOutput.txt --userList /cve/exampleInput.txt 192.168.16.157

runtime error in Docker container

$ docker build -t cve-2018-15473 .
...
Successfully tagged cve-2018-15473:latest
$ docker run cve-2018-15473 -h

Traceback (most recent call last):
  File "sshUsernameEnumExploit.py", line 33, in <module>
    old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
TypeError: 'property' object has no attribute '__getitem__'

$ git log |head

* ae8cb41 Thu Sep 13 11:09:33 2018 -0400 	 (HEAD, origin/master, origin/HEAD, master) Update README.md
*   55a59ab Wed Aug 29 10:02:34 2018 -0400 	 Merge pull request #7 from klau2005/master
|\  
| * 359ceb2 Sun Aug 26 10:16:13 2018 +0300 	 Added simple test to check if target is vulnerable to this exploit
|/  
*   776a3a3 Thu Aug 23 09:23:27 2018 -0400 	 Merge pull request #6 from KonradIT/windows-fix
|\  
| * 8871e96 Thu Aug 23 09:20:34 2018 -0400 	 Fixing spaces
| * 65ff7b4 Wed Aug 22 14:01:34 2018 -0700 	 Add windows fix
* |   14934d9 Thu Aug 23 09:16:30 2018 -0400 	 Merge pull request #5 from KonradIT/master
