##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'English'
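# Auxiliary fuzzer for the SSH 2.0 version exchange. Each iteration opens a
# fresh TCP connection, waits for the server banner, then sends one fuzz
# string (terminated by CRLF) where the client version line is expected.
# A failed connect or a missing banner on a later iteration is reported as a
# possible crash of the service (see the CRASH_SERVICE_DOWN stability note).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Fuzzer

  # Registers module metadata and the target port option (RPORT, default 22).
  #
  # @param info [Hash] module metadata merged via +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SSH 2.0 Version Fuzzer',
        'Description' => %q{
          This module sends a series of SSH requests with malicious version strings.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
    register_options([
      Opt::RPORT(22)
    ])
  end

  # Connects to the target, reads the server banner and sends +pkt+ followed
  # by CRLF. @connected records whether +connect+ completed and @banner holds
  # whatever +get_once+ returned, so +run+ can distinguish a refused
  # connection from a connection that produced no banner.
  #
  # @param pkt [String] the fuzz string sent in place of the client version line
  # @param opts [Hash] :banner_timeout is forwarded to +sock.get_once+
  # @return [void] returns early, without sending, when no banner arrives
  def do_ssh_version(pkt, opts = {})
    @connected = false
    connect
    @connected = true

    @banner = sock.get_once(-1, opts[:banner_timeout])
    return unless @banner

    sock.put("#{pkt}\r\n")
  end

  # Main loop: iterates the fuzzer's string corpus, one connection per string,
  # and stops at the first sign that the service went away. Every 100th
  # iteration logs progress with the current fuzzer input name.
  #
  # @return [void]
  def run
    last_str = nil
    last_inp = nil
    last_err = nil

    # The return value ('SSH-2.0-') is not used here: fuzz strings are sent
    # exactly as yielded by fuzz_strings, without this prefix.
    make_ssh_version_base
    cnt = 0

    fuzz_strings do |str|
      cnt += 1

      print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}") if (cnt % 100).zero?

      begin
        do_ssh_version(str, banner_timeout: 5)
      rescue ::Interrupt
        print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")
        # Bare raise re-raises the Interrupt currently being rescued.
        raise
      rescue StandardError => e
        last_err = e
      ensure
        disconnect
      end

      unless @connected
        if last_str
          print_status("The service may have crashed: iteration:#{cnt - 1} method=#{last_inp} string=#{hex_of(last_str)} error=#{last_err}")
        else
          print_status("Could not connect to the service: #{last_err}")
        end
        return
      end

      unless @banner
        # last_str is still nil on the first iteration; hex_of tolerates that
        # rather than raising NoMethodError on nil.unpack.
        print_status("The service may have crashed (no banner): iteration:#{cnt - 1} method=#{last_inp} string=#{hex_of(last_str)} ")
        return
      end

      last_str = str
      last_inp = @last_fuzzer_input
    end
  end

  # Base prefix of an SSH 2.0 client version line.
  #
  # @return [String]
  def make_ssh_version_base
    'SSH-2.0-'
  end

  private

  # Hex-encodes +str+ for log output.
  #
  # @param str [String, nil] previously sent fuzz string, or nil before the
  #   first one has been sent
  # @return [String] lowercase hex, or '(none)' when +str+ is nil
  def hex_of(str)
    str ? str.unpack('H*')[0] : '(none)'
  end
end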