regreSSHion

This repository is a Python-based SSH user-enumeration research and detection project rather than a single weaponized exploit. Its offensive capability is network-based probing of SSH services to determine whether usernames can be distinguished through authentication behavior, timing differences, or tool-assisted enumeration. The main orchestrator is run_investigation.py, which executes a multi-stage pipeline: raw SSH banner grabbing and version parsing, repeated Paramiko authentication attempts against candidate usernames, statistical timing analysis for CVE-2016-6210-style leakage, and auth.log-based detection engineering. Repository structure is split cleanly into attack_tools and detection_tools. attack_tools/banner_fingerprinter.py opens a raw TCP socket to the SSH port, captures the pre-auth banner, extracts implementation/version/OS hints, and maps versions against a small local CVE registry including CVE-2016-6210, CVE-2023-38408, and CVE-2024-6387. attack_tools/manual_ssh.py is the core probing component: it uses Paramiko to attempt password authentication for each username, records elapsed time until AuthenticationException or connection failure, caches the remote SSH banner, and saves structured JSON results. attack_tools/hydra_automation.py and attack_tools/metasploit_scanner.py are wrappers around external tools; they automate Hydra and Metasploit auxiliary/scanner/ssh/ssh_enumuser respectively, parse outputs, and save findings. The detection side is substantial. detection_tools/log_parser.py parses SSH-related auth.log events such as failed password, invalid user, accepted login, and disconnects. detection_tools/pattern_detector.py identifies rapid username cycling from one IP, wordlist correlation, evenly spaced attempts suggesting automation, and distributed probing of the same username from multiple IPs. detection_tools/response_analyzer.py performs Welch’s t-test and Cohen’s d calculations to decide whether valid and invalid usernames are distinguishable by timing. alerting_system.py formats alerts. The repository also includes notebooks for exploratory analysis, wordlists of common usernames, saved JSON outputs from prior runs, and unit tests. Main exploit capabilities: (1) unauthenticated SSH banner fingerprinting over TCP/22; (2) repeated password-auth attempts against many usernames to test for enumeration leakage; (3) optional automation of Hydra and Metasploit enumeration workflows; (4) statistical determination of whether timing differences imply username existence; and (5) post-event detection/reporting from SSH logs. There is no custom RCE payload or shell delivery. The practical result is reconnaissance and validation of SSH username enumeration exposure, plus defender-focused detection artifacts. Based on the included results, the tested OpenSSH 8.9p1 target did not appear vulnerable to timing-based username enumeration, though its banner exposed version information and matched CVE ranges in the local triage registry.

This repository is a small standalone proof-of-concept for CVE-2024-6387 (regreSSHion), containing one C exploit source file, a short README, and a long copy of the Qualys advisory. The main file, 7etsuo-regreSSHion.c, is a network exploit targeting OpenSSH sshd on glibc-based Linux systems via the unauthenticated SSH service. It accepts an IP and port, opens a TCP socket, performs a partial SSH handshake, prepares heap state with crafted packets, estimates parsing time, and repeatedly attempts to win the SIGALRM race condition around LoginGraceTime expiration. The code loops through candidate glibc base addresses for crude ASLR guessing and performs thousands of attempts, reflecting the probabilistic nature of the bug. The exploit is clearly intended to achieve remote code execution as root, but it is incomplete and best classified as a POC rather than an operational exploit. The source explicitly states that the shellcode is a placeholder, glibc bases need adjustment, timing parameters require tuning, heap layout must be adapted per target, and structure offsets must be verified for the target glibc version. The truncated code also shows helper routines such as setup_connection, send_ssh_version, receive_ssh_version, send_kex_init, receive_kex_init, perform_ssh_handshake, prepare_heap, time_final_packet, attempt_race_condition, create_public_key_packet, and create_fake_file_structure, which together indicate the exploit’s structure: establish SSH connectivity, shape memory state, then trigger the race with carefully timed packet delivery. No hardcoded victim infrastructure, C2, callback host, or post-exploitation endpoint is present. The only network target is the operator-supplied SSH server address and port. The repository’s README summarizes the vulnerability and affected versions, while regresshion.txt provides the original advisory, exploitation theory, affected version history, and mitigation guidance. Overall, this repo is a standalone C-based remote exploit POC for OpenSSH regreSSHion, focused on demonstrating the race-condition exploitation workflow rather than delivering a finished weaponized payload.

Repository contains a single Python proof-of-concept exploit script (PoC.py) and a short README referencing CVE-2024-6387 (regreSSHion) and noting it is altered from d0rb/CVE-2024-6387 to try multiple glibc base addresses. PoC.py is a network exploit attempt against an SSH server: it opens a TCP connection to a user-specified target IP/port, receives the SSH banner, sends a custom client banner ("SSH-2.0-Exploit"), sends 1000 NUL bytes as a simplistic "heap preparation" step, then sends a crafted payload consisting of an 8-byte little-endian glibc base guess followed by a NOP sled (0x90*100) and the string "exit\r\n". It repeats attempts up to --max_attempts and uses --num_threads threads per attempt to increase the chance of winning a race condition. Candidate glibc base addresses can be supplied via --glibc_file (comma-separated values), otherwise it defaults to 0xb7400000. The script’s success condition is heuristic: it reads up to 1024 bytes of server response and treats the attempt as successful if the substring "root" appears. It does not implement a full SSH protocol state machine, does not deliver a post-exploitation payload (no reverse shell/command execution), and the timing parameter is minimally used (computed but not actually applied to schedule precise race timing), indicating this is a basic/experimental PoC rather than an operational exploit.

NO REGRESSH is a comprehensive Python-based penetration testing framework focused on exploiting OpenSSH regressions and several SSH-related CVEs, most notably CVE-2024-6387 (regreSSHion). The repository contains modular code for scanning networks, detecting vulnerable SSH services, and launching targeted exploits. It supports multiple payloads (reverse shell, bind shell, custom shellcode) in various languages (bash, python, powershell, perl), and includes a listener manager for handling incoming connections. The framework provides post-exploitation features such as file transfer, screenshot capture, and keylogging. The main entry point is 'no_regresh_launcher.py', which launches a menu-driven interface for scanning, exploitation, listener management, and system checks. The tool is operational and suitable for authorized penetration testing against OpenSSH versions 7.4 through 9.7, targeting both remote code execution and username enumeration vulnerabilities. The code is well-structured, with clear separation of modules for scanning, exploitation, listening, and system management.

This repository contains a proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH server (sshd) on glibc-based Linux systems. The main exploit file, '7etsuo-regreSSHion.c', is a C program that targets a signal handler race condition in affected OpenSSH versions (8.5p1 through 9.8p1). The exploit works by repeatedly connecting to the target SSH server and attempting to trigger the race condition, which can lead to unauthenticated remote code execution as root. The shellcode is a placeholder and must be replaced with a real payload by the user. The exploit requires tuning for the target's glibc base address and timing parameters, as described in the code comments and the included Qualys advisory ('regresshion.txt'). The README provides usage instructions and a brief vulnerability summary. No hardcoded IPs or domains are present; the target is specified at runtime. The repository is structured as a typical PoC: one C source file (the exploit), a README, and a detailed advisory text file.

This repository contains a Python proof-of-concept exploit for CVE-2024-6387, a critical remote code execution vulnerability in OpenSSH. The main file, Exploit_2024_6387.py, is a multithreaded script that attempts to exploit a race condition in the OpenSSH server by repeatedly connecting to the target's SSH port (default 22 at IP 192.168.1.100) and sending crafted payloads. The exploit uses multiple threads to increase the likelihood of success and stops further attempts once exploitation is successful. The README.md provides background on the vulnerability, usage instructions, and legal disclaimers. The exploit is a POC and does not include a fully weaponized or customizable payload, but demonstrates the ability to achieve root-level code execution if the target is vulnerable. The repository is straightforward, with clear separation between code and documentation, and is intended for educational and research purposes only.

This repository provides both a proof-of-concept exploit and a scanner for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH (primarily affecting 32-bit, glibc-based Linux systems). The main files are: - '7etsuo-regreSSHion.c': A C-language exploit that targets the race condition in sshd's SIGALRM handler, attempting to achieve unauthenticated remote code execution as root. The exploit requires the attacker to specify the target IP and port, and it repeatedly attempts to win the race condition, using a placeholder for shellcode (which must be replaced with a real payload for weaponization). The exploit is statistical in nature and may require thousands of attempts. - 'CVE-2024-6387.py': A Python script that can scan single or multiple targets (IP, domain, or CIDR) for vulnerable OpenSSH versions by grabbing SSH banners and checking against a list of known vulnerable and patched versions. It also supports an 'exploit' mode, which attempts to exploit the vulnerability, and provides multi-threaded scanning, output formatting, and optional hostname resolution. - 'Dockerfile': Sets up a vulnerable OpenSSH 9.2p1 environment on a 32-bit Ubuntu system for testing, with root login enabled and ASLR disabled for easier exploitation. - 'README.md': Contains detailed usage instructions, environment setup, and mitigation advice. It emphasizes that the exploit is only effective against 32-bit OpenSSH servers and that many attempts may be required for success. The repository is not part of a framework and is intended for security research and testing. The exploit is operational, requiring some manual adjustment (e.g., shellcode insertion, timing tweaks) for specific targets. The scanner is robust and can be used to identify potentially vulnerable systems across networks.

This repository provides both a vulnerability checker and an exploit for CVE-2024-6387 (regreSSHion), a critical race condition in OpenSSH's signal handling that can allow unauthenticated remote code execution as root on glibc-based Linux systems. The repository contains four files: a README.md with background and usage instructions, a LICENSE, Checker.py (a Python script to scan and categorize SSH servers as SAFE, VULNERABLE, UNKNOWN, or ERROR based on their banner and version), and exploit.py (a Python script that attempts to exploit the race condition by sending crafted SSH handshake and payload data to the target's SSH port, using multithreading to increase the chance of success). The exploit is operational, requiring the attacker to specify the target's IP, port, and optionally glibc base address. The main attack vector is network-based, targeting the SSH service (typically port 22) on vulnerable OpenSSH versions. No hardcoded IPs or domains are present; the scripts are designed for user-supplied targets.

This repository contains a proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH's sshd (versions 8.5p1 to 9.8p1) on glibc-based Linux systems. The exploit leverages a race condition in the SIGALRM handler, which calls async-signal-unsafe functions, allowing an unauthenticated attacker to execute arbitrary code as root. The main file, '7etsuo-regreSSHion.c', is a C program that repeatedly attempts to exploit the race condition by connecting to a user-specified SSH server (IP and port), performing the SSH handshake, and sending crafted packets to manipulate heap layout and timing. The shellcode is a placeholder and must be replaced by the user with a suitable payload. The exploit requires fine-tuning for the target's glibc base address, timing, and heap layout. The repository also includes a README.md summarizing the vulnerability and a copy of the Qualys security advisory (regresshion.txt) detailing the technical background and mitigation steps. No hardcoded endpoints are present; the target is specified at runtime. The exploit is a POC and not weaponized, requiring manual adjustment and payload insertion.

This repository contains a Python exploit script ('ssh_exploiter_cve-2024-6387') and a README. The script targets CVE-2024-6387, a race condition vulnerability in OpenSSH (versions 8.5 through 9.7, except for certain patched distributions). The exploit operates in two phases: first, it scans provided IP addresses (or ranges, or files containing IPs) for SSH servers, retrieves their version banners, and checks if they are likely vulnerable. Second, for each vulnerable server, it attempts to exploit the race condition by sending specially crafted packets and memory structures, aiming to achieve remote code execution. The script is multithreaded for efficient scanning and supports custom ports and timeouts. The payload is a placeholder shellcode, indicating the exploit is operational but may require customization for real-world use. The main attack vector is network-based, targeting SSH (typically port 22). The script outputs a summary of scan results and exploitation attempts. No hardcoded IPs or domains are present; targets are user-supplied via command line or file.

This repository contains a proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH's sshd on glibc-based Linux systems. The main exploit file, '7etsuo-regreSSHion.c', is a C program that targets a race condition in the SIGALRM handler of vulnerable OpenSSH versions (8.5p1 to 9.8p1). The exploit attempts to trigger the race condition by making repeated SSH connections to the target server, carefully timing packets to manipulate the heap and exploit the async-signal-unsafe code path. The shellcode is a placeholder and must be replaced by the user with actual payload code. The exploit is unauthenticated and, if successful, results in remote code execution as root. The repository also includes a README.md summarizing the vulnerability and a copy of the Qualys security advisory (regresshion.txt) with detailed technical background. The exploit requires the attacker to specify the target IP and port (typically port 22 for SSH). The code is a POC and may require tuning for timing, heap layout, and glibc base addresses to work reliably on different targets.

This repository contains a proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH's sshd on glibc-based Linux systems. The exploit is implemented in C (7etsuo-regreSSHion.c) and targets a race condition in the SIGALRM handler, which can be triggered by unauthenticated remote attackers. The exploit attempts to win a race condition by repeatedly connecting to the target SSH server and sending specially crafted packets, aiming to execute arbitrary shellcode as root. The shellcode is a placeholder and must be replaced with a real payload for practical exploitation. The Makefile provides a simple build process, and the README.md gives usage instructions and details about affected OpenSSH versions. The included regresshion.txt is a detailed advisory from Qualys, explaining the vulnerability, affected versions, and mitigation strategies. The exploit requires the attacker to specify the target's IP address and SSH port, and is designed to work against default or non-hardened configurations. The overall structure is typical for a POC: a single C source file, build instructions, documentation, and a vulnerability advisory.

This repository contains two main Python scripts and a README for CVE-2024-6387 (regreSSHion), a critical OpenSSH vulnerability. - 'CVE-2024-6387.py' is a multi-threaded scanner that checks if given IPs, domains, or CIDR ranges are running vulnerable OpenSSH versions by retrieving SSH banners and comparing them to a list of known vulnerable and excluded versions. It outputs a summary of vulnerable, non-vulnerable, and unreachable hosts. - 'CVE-2024-6387_poc.py' is a proof-of-concept exploit that attempts to trigger the race condition in OpenSSH by manipulating heap allocations and timing, with the goal of achieving remote code execution. The script includes a placeholder for shellcode, which must be replaced with actual payload code for exploitation. It is designed to be run against a specific IP and port. The repository is focused on both detection and exploitation of CVE-2024-6387, targeting OpenSSH servers accessible over the network. No hardcoded IPs or domains are present; all targets are user-supplied. The code is written in Python and is operational, with the exploit requiring further payload customization for weaponization.

This repository contains two Python proof-of-concept scripts (PoC.py and PoCipv6.py) and a README.md. The scripts target the OpenSSH CVE-2024-6387 vulnerability, a critical race condition in the OpenSSH signal handler that can lead to remote code execution as root. Both scripts implement a multithreaded approach to increase the chances of successfully triggering the race condition, with support for both IPv4 and IPv6 targets. The exploit works by connecting to the target's SSH service, performing a handshake, preparing the heap, and then attempting to trigger the race condition by sending a specially crafted payload. The scripts allow configuration of the target IP, port, number of attempts, number of threads, and glibc base address. The README provides background on the vulnerability, usage instructions, and legal disclaimers. No hardcoded IPs, domains, or file paths are present; all target information is supplied by the user at runtime.

This repository contains a Python proof-of-concept (PoC) exploit for CVE-2024-6387, a race condition vulnerability in OpenSSH (also known as 'regreSSHion'). The exploit targets 32-bit glibc-based Linux systems running vulnerable versions of OpenSSH (such as 9.2p1). The main file, 'CVE-2024-6387-poc.py', implements a multi-threaded brute-force approach to trigger the race condition by repeatedly performing SSH handshakes and sending specially crafted packets to the target SSH server. The exploit attempts to manipulate heap memory structures and timing to achieve arbitrary code execution, with a placeholder shellcode included. The README provides detailed setup instructions using Docker to create a vulnerable environment and explains the exploit's statistical nature, requiring a large number of attempts (up to 100,000) to succeed. The exploit is network-based, requiring only the target's IP address and SSH port as input. No hardcoded IPs or domains are present; the target is specified at runtime. The repository is structured with a single exploit script and a comprehensive README, making it a focused PoC for researchers and security professionals.

This repository contains a single C-language proof-of-concept exploit (PoC RCE_OpenSSH.c) targeting CVE-2024-6387, a race condition vulnerability in OpenSSH 9.2p1 (regreSSHion) on glibc-based Linux systems. The exploit attempts to achieve remote code execution as root by exploiting a signal handler race in the SSH daemon. The code is structured to repeatedly connect to a user-specified IP and port (the target's SSH service), perform the SSH handshake, and attempt the race condition using various glibc base addresses to bypass ASLR. The shellcode is a placeholder and must be replaced with actual payload code by the user. The exploit requires fine-tuning of timing and heap manipulation parameters for each target. The repository also includes a minimal README. No hardcoded IPs, domains, or file paths are present; the target is specified at runtime. The exploit is a functional PoC and not weaponized, as it requires manual payload insertion and parameter tuning.

This repository contains a proof-of-concept (POC) exploit for CVE-2024-6387, a race condition vulnerability in OpenSSH that can lead to remote code execution. The main file, CVE-2024-6387.py, is a Python script that establishes a TCP connection to a target SSH server, performs a partial SSH handshake, and sends specially crafted packets to manipulate the server's heap memory. The exploit attempts to trigger the race condition by carefully timing packet delivery and heap manipulation, with the goal of executing attacker-supplied shellcode on the server. The script includes a placeholder for shellcode, which must be replaced by the user with a real payload for actual exploitation. The README.md provides a detailed explanation of the exploit's structure, usage instructions, and legal disclaimer. The exploit targets network-accessible SSH servers running vulnerable versions of OpenSSH, and requires the attacker to specify the target IP and port. No hardcoded external endpoints are present beyond the default localhost and port 22, which are meant to be replaced by the user.

This repository contains a proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH's sshd (versions 8.5p1 to 9.8p1) on glibc-based Linux systems. The exploit leverages a race condition in the SIGALRM handler, which calls async-signal-unsafe functions, allowing an unauthenticated attacker to execute arbitrary code as root. The main exploit file, '7etsuo-regreSSHion.c', is a C program that repeatedly attempts to trigger the race condition by connecting to the target SSH server (user-supplied IP and port), performing a partial SSH handshake, and sending specially crafted packets to manipulate heap layout and timing. The shellcode is a placeholder and must be replaced by the user with the desired payload. The exploit requires fine-tuning for specific targets, including glibc base addresses and timing parameters. The repository also includes a README.md summarizing the vulnerability and a copy of the Qualys security advisory (regresshion.txt) detailing the technical background and mitigation steps. No hardcoded IPs, domains, or file paths are present; the exploit is fully user-configurable for the target. The exploit is not weaponized (no post-exploitation automation or payload customization), but demonstrates the vulnerability and provides a foundation for further development.

This repository provides a working proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH affecting versions 1.2.2p1 through 4.4 and 8.5p1 through 9.8. The main exploit script, 'regreSSHion.py', is a Python tool that connects to a target SSH server, performs a crafted handshake and heap manipulation, and delivers a customizable shellcode payload. By default, the payload opens a bind shell on port 9999 using netcat, granting the attacker remote shell access. The repository also includes 'send_socket.py' for testing shellcode delivery and a 'shellcode' file containing the default payload. The exploit is operational and allows for payload customization, making it suitable for real-world exploitation scenarios. The README provides detailed usage instructions, payload customization guidance, and example outputs. The exploit targets network-accessible SSH servers and requires the attacker to specify the target's IP and port. No hardcoded IPs or domains are present; all targeting is user-supplied at runtime.

This repository contains a proof-of-concept exploit for CVE-2024-6387 (regreSSHion), a critical remote code execution vulnerability in OpenSSH's server (sshd) on glibc-based Linux systems. The exploit targets a signal handler race condition introduced in OpenSSH 8.5p1 and present up to 9.7p1, allowing unauthenticated attackers to execute arbitrary code as root by carefully timing connections and exploiting unsafe async-signal handling in the SSH daemon. The main file, '7etsuo-regreSSHion.c', is a C program that repeatedly attempts to exploit the race condition by connecting to a user-specified IP and port (typically SSH port 22), performing the SSH handshake, and sending crafted packets to manipulate the heap and trigger the vulnerability. The shellcode is a placeholder and must be replaced with a real payload for practical exploitation. The exploit requires tuning for timing and heap layout, and may need adjustment for specific glibc versions. The repository also includes a README.md with a brief description and a detailed advisory (regresshion.txt) explaining the vulnerability, affected versions, and mitigation strategies. No hardcoded IPs, domains, or file paths are present; the exploit is fully user-configurable for the target. The code is a functional POC and not weaponized, as it requires manual payload insertion and tuning for each target.

This repository provides a working exploit and scanner for CVE-2024-6387 (regreSSHion), a critical unauthenticated remote code execution vulnerability in OpenSSH server (sshd) on glibc-based Linux systems. The exploit targets a race condition in the SIGALRM signal handler, allowing an attacker to execute arbitrary code as root by sending specially crafted network packets to the SSH service. Repository structure: - '7etsuo-regreSSHion.c': The main C exploit code, which implements the race condition attack. It requires the attacker to specify the target IP and port, and attempts exploitation by brute-forcing timing and glibc base addresses. The shellcode is customizable, allowing for arbitrary payloads (e.g., reverse shell). - 'CVE-2024-6387.py': A Python script that serves as both a scanner and an exploitation orchestrator. It can scan single or multiple targets (from file, CIDR, or list) for vulnerable OpenSSH versions by grabbing SSH banners, and can invoke the C exploit (as a shared library) to perform exploitation. It supports output in CSV, TXT, and JSON formats. - 'README.md': Provides detailed background, usage instructions, payload customization examples, and legal disclaimers. It also includes references to advisories and technical write-ups. - 'targets.txt': Placeholder for a list of target IPs (empty by default). The exploit is operational: it provides a working attack path and customizable payload, but requires the user to compile the C code and optionally generate shellcode (e.g., with msfvenom). The Python script automates scanning and can invoke the exploit for mass exploitation. The main attack vector is network-based, targeting the SSH service (default port 22, but customizable). No hardcoded IPs or domains are present; targets are user-supplied. The exploit is not part of a framework, but is a standalone PoC with practical, real-world impact.