CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Fuzzer

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'SSH 2.0 Version Fuzzer',

13
      'Description'    => %q{

14
        This module sends a series of SSH requests with malicious version strings.

15
      },

16
      'Author'         => [ 'hdm' ],

17
      'License'        => MSF_LICENSE

18
    ))

19
    register_options([

20
      Opt::RPORT(22)

21
    ])

22
  end

23


24
  def do_ssh_version(pkt,opts={})

25
    @connected = false

26
    connect

27
    @connected = true

28


29
    @banner = sock.get_once(-1,opts[:banner_timeout])

30
    return if not @banner

31
    sock.put("#{pkt}\r\n")

32
  end

33


34
  def run

35
    last_str = nil

36
    last_inp = nil

37
    last_err = nil

38


39
    ver = make_ssh_version_base

40
    cnt = 0

41


42
    fuzz_strings do |str|

43
      cnt += 1

44


45
      pkt = ver + str

46


47
      if(cnt % 100 == 0)

48
        print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")

49
      end

50


51
      begin

52
        r = do_ssh_version(str,:banner_timeout => 5)

53
      rescue ::Interrupt

54
        print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")

55
        raise $!

56
      rescue ::Exception => e

57
        last_err = e

58
      ensure

59
        disconnect

60
      end

61


62
      if(not @connected)

63
        if(last_str)

64
          print_status("The service may have crashed: iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} error=#{last_err}")

65
        else

66
          print_status("Could not connect to the service: #{last_err}")

67
        end

68
        return

69
      end

70


71
      if(not @banner)

72
        print_status("The service may have crashed (no banner): iteration:#{cnt-1} method=#{last_inp} string=#{last_str.unpack("H*")[0]} ")

73
        return

74
      end

75


76
      last_str = str

77
      last_inp = @last_fuzzer_input

78
    end

79
  end

80


81
  def make_ssh_version_base

82
    "SSH-2.0-"

83
  end

84
end

85


86