an RCE (remote command execution) approach of CVE-2018-7750
-
Exploit Title: Paramiko < 2.4.1 - Remote Code Execution
-
Date: 2018-11-06
-
Exploit Author: jm33-ng
-
Vendor Homepage: https://www.paramiko.org
-
Software Link: https://github.com/paramiko/paramiko/archive/2.4.0.tar.gz
-
Version: < 1.17.6, 1.18.x < 1.18.5, 2.0.x < 2.0.8, 2.1.x < 2.1.5, 2.2.x < 2.2.3, 2.3.x < 2.3.2, and 2.4.x < 2.4.1
-
Tested on: Multiple platforms
-
CVE: CVE-2018-7750
-
This PoC provides a way to execute arbitrary commands via paramiko SSH server, using CVE-2018-7750.
-
Details about CVE-2018-7750: paramiko/paramiko#1175
-
The original PoC, which makes use of SFTP, can be found at https://www.exploit-db.com/exploits/45712