sshmitm.plugins.scp.inject_file module

A plugin for exploiting CVE-2019-6111, CVE-2019-6110, based on the vulnerability ‘SSHtranger Things’ of OpenSSH Client.

This class is a subclass of SCPForwarder and injects an additional file during SCP transmission by exploiting the OpenSSH Client vulnerability ‘SSHtranger Things’. This vulnerability has been patched in OpenSSH versions greater than 8.0p1. The exploitation process starts by parsing the SCP command and identifying whether the SCP client is downloading a file. If yes, the class instance is returned and the exploit method is called. The method exploits both CVE-2019-6111 and CVE-2019-6110.

class sshmitm.plugins.scp.inject_file.SCPInjectFile(*args, **kwargs)

Bases: SCPForwarder

Injecting an additional file during SCP transmission (CVE-2019-6111, CVE-2019-6110)

This feature is based on a OpenSSH Client Vulnerability ‘SSHtranger Things’ that has been patched with version > OpenSSH 8.0p1

Title: SSHtranger Things Author: Mark E. Haase <mhaase@hyperiongray.com> Homepage: https://www.hyperiongray.com Date: 2019-01-17 CVE: CVE-2019-6111, CVE-2019-6110 Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt

exploit() → None

This method starts to exploit CVE-2019-6111 and CVE-2019-6110.

hide_tracks() → None

This method exploits CVE-2019-6110: the client will display the text that we send to stderr, even if it contains ANSI escape sequences. We can send ANSI codes that clear the current line to hide the fact that a second file was transmitted.. Covering our tracks by sending ANSI escape sequence; complete stealth: x1b[1Ax1b[2K

classmethod parser_arguments() → None

process_data(traffic: bytes) → bytes