Libssh any vulnerable server (CVE-2018-10933)?


(Occupi) #21

Do you want me to grab both sets separately or just the product:libssh set?


I’m not sure, but I don’t want to let you waste credits, so grab only libssh (because should already have product:libssh query results itself).

(Occupi) #23

Voila, in CSV format (and gzipped for compression)


File does not exist anymore on the server

(Occupi) #25

Ugh, okay. Uploaded the results to one of our webhosts for now:

(Zain) #26

Ight… let me see what I can do. :stuck_out_tongue:

I paid the one time fee.

(Zain) #27

Ight, so my script is ready and it can be used for multiple different purposes. Please use it, but also edit it as need be… currently gonna add a scanner for libssh if need be but we should be fine… only issue with current scripts for a scanner is that they’d have to take file input. Also, a note on the script, I added the ability to input the number of pages to query. If the pages don’t exist, it’ll return an error saying query isn’t valid or something like that. For libssh purposes do the math… lol. 100 results are returned per page with the API, but also, you must have a valid API key too. Currently I don’t have enough credits until next month. @occupi, feel free to use this script especially. :stuck_out_tongue:

Code here:

Any other questions feel free to ask. I’m very busy too, so please bear with me. :slight_smile:

Also, @pry0cc, don’t know, but shouldn’t this script have its own post by now? lol. It has been a while since I worked on it. lolol.

With that being said, ~Cheers!

–Techno Forg–


I’m still testing all 6300 servers of @occupi’s list automatically with my script since yesterday.

(Zain) #29

Are you mass scanning them?

(Co-Founder and Part-time Fool ) #30

It’s fine here for now. I don’t think it warrants another post.


All right, I tested all 6300 servers from Shodan; all servers that have vulnerable versions of libssh are ALL unexploitable.
The most common exceptions and reasons are:

· Secsh channel 0 open FAILED: : Administratively prohibited => So Undefined Exception. Probably channel is closed or not PortForwarded.
· Server down
· Oops, unhandled type 3 ('unimplemented') => So Undefined Exception. Probably channel is closed or not PortForwarded.

This vulnerability is bullshit, now it’s confirmed.

(Zain) #32

Let’s not call BS on it quite yet… the scripts thus far could be incomplete. I still need to study a bit longer. Please bear with me. :slight_smile:

(bretph0t0n) #33

X2go is vulnerable; Shodan doesn’t give a good number. A lot of applications work with shell ssh and don’t work with openssh.

(fxbg) #34

Isn’t it the library that’s vulnerable, and not the ssh server itself? Probably why none of them are exploitable.
