Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/fuzzers/ssh/ssh_version_2.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'English'

7
class MetasploitModule < Msf::Auxiliary

8
  include Msf::Exploit::Remote::Tcp

9
  include Msf::Auxiliary::Fuzzer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'SSH 2.0 Version Fuzzer',

16
        'Description' => %q{

17
          This module sends a series of SSH requests with malicious version strings.

18
        },

19
        'Author' => [ 'hdm' ],

20
        'License' => MSF_LICENSE,

21
        'Notes' => {

22
          'Stability' => [CRASH_SERVICE_DOWN],

23
          'SideEffects' => [],

24
          'Reliability' => []

25
        }

26
      )

27
    )

28
    register_options([

29
      Opt::RPORT(22)

30
    ])

31
  end

32


33
  def do_ssh_version(pkt, opts = {})

34
    @connected = false

35
    connect

36
    @connected = true

37


38
    @banner = sock.get_once(-1, opts[:banner_timeout])

39
    return if !@banner

40


41
    sock.put("#{pkt}\r\n")

42
  end

43


44
  def run

45
    last_str = nil

46
    last_inp = nil

47
    last_err = nil

48


49
    make_ssh_version_base

50
    cnt = 0

51


52
    fuzz_strings do |str|

53
      cnt += 1

54


55
      if (cnt % 100 == 0)

56
        print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")

57
      end

58


59
      begin

60
        do_ssh_version(str, banner_timeout: 5)

61
      rescue ::Interrupt

62
        print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")

63
        raise $ERROR_INFO

64
      rescue StandardError => e

65
        last_err = e

66
      ensure

67
        disconnect

68
      end

69


70
      if !@connected

71
        if last_str

72
          print_status("The service may have crashed: iteration:#{cnt - 1} method=#{last_inp} string=#{last_str.unpack('H*')[0]} error=#{last_err}")

73
        else

74
          print_status("Could not connect to the service: #{last_err}")

75
        end

76
        return

77
      end

78


79
      if !@banner

80
        print_status("The service may have crashed (no banner): iteration:#{cnt - 1} method=#{last_inp} string=#{last_str.unpack('H*')[0]} ")

81
        return

82
      end

83


84
      last_str = str

85
      last_inp = @last_fuzzer_input

86
    end

87
  end

88


89
  def make_ssh_version_base

90
    'SSH-2.0-'

91
  end

92
end

93


94