On Wed, Jul 03, 2024 at 11:26:54AM +0000, Qualys Security Advisory wrote:
> Many people have asked us about an alleged proof of concept named
> "7etsuo-regreSSHion.c": it is not a proof of concept, it is essentially
> empty code (it might even be dangerous to compile and execute, we have
> not checked). It is not just the shellcode that is missing, everything
> else is missing too: the key-exchange code does nothing, the public-key
> code does nothing useful, etc etc.
> 
> It looks great but it does nothing. A working proof of concept for this
> vulnerability will be much longer and complex, and will take much more
> time to write than this.

It's been almost a month, but apparently there still isn't a public
exploit.  7etsuo's unfinished code was forked to lots of GitHub repos -
some acknowledge it's a fork, most don't, a few claim it's their own.
Most made no changes at all, a few added non-English comments, a few
added Python wrappers (it's quite ridiculous to have wrappers for
non-working code), none brought it significantly closer to completion.

Perhaps most interestingly, someone tried to lure people into
downloading and perhaps running Linux malware apparently (if I
understood and recall some tweet threads right) by scanning the Internet
for SSH servers from an IP address that also had a web server running.
The web server had a directory listing with a variation of 7etsuo's
code to make this look real, along with malware binaries.  Targeted
advertising, right?  Here's a lengthy blog post on this incident:

The Wild West of Proof of Concept Exploit Code (PoC)
By Vlad O & Daniel C

https://santandersecurityresearch.github.io/blog/sshing_the_masses.html

> On closer examination it quickly became evident that the source code of
> the exploit itself was a decoy designed as a lure to infect the machine
> on which it was executed. This attack chain primary component was
> identified as a heavily modified version of a relatively obscure Golang,
> multi-platform Command and Control (C2) framework The Remote Access
> Trojan (RAT) called Chaos (https://github.com/tiagorlampert/CHAOS).

Alexander
