regreSSHion: Remote Unauthenticated Code Execution Vulnerability in OpenSSH server
by ssveCY008 - Monday July 1, 2024 at 02:37 PM
#1
The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems. The CVE assigned to this vulnerability is CVE-2024-6387.
https://blog.qualys.com/vulnerabilities-...ssh-server
Any PoC??? Asking for a friend...
#2
There's https://github.com/zgzhang/cve-2024-6387-poc but there aren't really instructions on how to get it working
#3
Seems pretty broken, either on purpose or not.

"send_packet: Resource temporarily unavailable"
#4
PoC and how to execute this:

PoC 1: https://github.com/acrono/cve-2024-6387-poc
PoC 2: lflare/cve-2024-6387-poc

Instructions:
Step 1: curl -O https://raw.githubusercontent.com/lflare...reSSHion.c
Step 2: gcc 7etsuo-regreSSHion.c -o regreSSHion
Step 3: ./regreSSHion <ip> <port>

I got "send_packet: Resource temporarily unavailable" on multiple PoCs.
#5
How it looks on my side:

Received SSH version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
Received KEX_INIT (1024 bytes)

Received SSH version: SSH-2.0-OpenSSH_8.4p1 Debian-5
Received KEX_INIT (1024 bytes)
#6
What's the query in shodan to search all openssh?
#7
There is a PoC for certain i386 (32-bit) versions of OpenSSH where glibc is at a static base address, so no ASLR bypass is needed.

Since the approximate exploitation time (or effort, which is ~10k requests) is based on i386, it can be assumed that newer systems (those running x86_64 / AMD64) would take a lot longer to exploit due to the need for an ASLR bypass.
#8
Scanner -> https://github.com/xaitax/CVE-2024-6387_Check
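Added example (not from the thread or from any of the linked PoC or scanner repos): a defender-side parser for the SSH identification strings shown in #5, used to triage a banner inventory the way the scanner linked in #8 does. The version bounds EXAMPLE_LO/EXAMPLE_HI are constructed placeholders, not the affected range; take that from the Qualys advisory linked in #1. The distro suffix (e.g. "Ubuntu-4ubuntu0.7") signals vendor backports, so hosts with one are flagged for a vendor advisory check rather than judged on the banner version alone.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Identification string layout seen in post #5, e.g.
# "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7": protocol, "OpenSSH_<major>.<minor>[p<portable>]",
# optional non-space suffix, then an optional distro comment after the first space.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<portable>\d+))?(?P<suffix>[^\s]*)(?:\s+(?P<comment>.*))?$"
)

# Constructed placeholder bounds (half-open: lo <= version < hi). NOT the real affected
# range; substitute the versions given in the Qualys advisory before using this.
EXAMPLE_LO: Version = (8, 0, 0)
EXAMPLE_HI: Version = (9, 0, 0)

# Constructed inventory: the two banners quoted in post #5 plus one non-OpenSSH server.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5",
    "SSH-2.0-dropbear_2020.81",
]


def parse_banner(banner: str) -> Optional[dict]:
    """Return protocol, (major, minor, portable) and distro comment; None if not OpenSSH."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    version = (int(m["major"]), int(m["minor"]), int(m["portable"] or 0))
    return {"proto": m["proto"], "version": version, "comment": m["comment"] or ""}


def version_in_range(banner: str, lo: Version, hi: Version) -> Optional[bool]:
    """True if the banner's OpenSSH version satisfies lo <= version < hi; None if unparseable."""
    parsed = parse_banner(banner)
    return None if parsed is None else lo <= parsed["version"] < hi


def triage(banners: List[str], lo: Version, hi: Version) -> Dict[str, List[str]]:
    """Bucket banners by range membership; in-range hosts with a distro comment also go to
    'vendor_check' because a backported fix would not change the advertised version."""
    out: Dict[str, List[str]] = {"in_range": [], "out_of_range": [], "unknown": [], "vendor_check": []}
    for b in banners:
        parsed = parse_banner(b)
        if parsed is None:
            out["unknown"].append(b)
            continue
        bucket = "in_range" if lo <= parsed["version"] < hi else "out_of_range"
        out[bucket].append(b)
        if bucket == "in_range" and parsed["comment"]:
            out["vendor_check"].append(b)
    return out
```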
#9
Most of these publicly available PoCs target 32-bit architecture (for script kiddies to be fascinated by).
You won't find any IRL these days.

And for those who don't know 32-bit & 64-bit archs: they basically have different calling conventions. So, lol, you can't simply run an exploit for 32-bit against a 64-bit arch.
And on every modern system you also have to deal with ASLR and PIE bypasses + stack canaries, and this basically means leaking addresses. Even if you got a race condition, you still need to leak addresses of the heap, libc base & so on.
#10
(Jul 02, 2024, 10:17 AM)rslimetempest Wrote: What's the query in shodan to search all openssh?

The query for Shodan is product:"OpenSSH"