maaaaz / thc-hydra-windows

The great THC-HYDRA tool compiled for Windows

Hydra v9.1 - Crash (With stack trace) #35

Open Reelix opened 4 years ago

Reelix commented 4 years ago

On an extended scan in debug mode, I had a crash with the following stack trace after running for a few minutes.

Exception: STATUS_ACCESS_VIOLATION at rip=003FF2132D2
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000800729290 rdi=000000080072AA40
r8 =0000000800729290 r9 =0000000000000000 r10=0000000100000000
r11=00000008007299B0 r12=0000000000000000 r13=00000008007299B0
r14=00000000FFFF6260 r15=00000000FFFF62B0
rbp=0000000000000000 rsp=00000000FFFF60D8
program=R:\Utilities\THC-Hydra\hydra.exe, pid 1379, thread main
cs=0033 ds=002B es=002B fs=0053 gs=002B ss=002B
Stack trace:
Frame        Function    Args
00000000000  003FF2132D2 (003FF2126FB, 00800728900, 000FFFF6260, 000FFFF62B0)
00000000000  003FF20FE67 (003FB90E696, 0080072AAC0, 008007288E0, 0080072AA40)
00000000000  003FB90E7EC (003FB942891, 00800728950, 00800727DF0, 000FFFF62B0)
00000000000  003FB90EB6A (00800727DF0, 00000000400, 00800728950, 000FFFF62A8)
00000000000  003FB90A73F (00000000000, 00800728930, 00000000400, 00180321DB0)
00000000000  003FB910DE3 (00000000344, 00180321DB0, 00000000014, 00800727DF0)
00000000014  003FB91A9EA (00180321DB0, 00800727D80, 00000000014, 00000000344)
00000000348  003FB91AF5B (000FFFF6470, 00000001000, 00000000000, 003FB94653B)
003FB91AAE0  003FB92459F (00000000001, 00300001170, 0018013BCFB, 000001B4E41)
00180321DB0  003FB9211C8 (00800728B80, 000001B4E41, 0000C30C468, 00800728730)
00800727D80  003FB92206A (00800727DF0, 00000000022, 003FB923CEC, 000001B4E40)
00800727DF0  003FB92212B (001801B974F, 00000000000, 00000001388, 003FB9629D0)
0000000003C  003FB90AA9F (00800076540, 008006E79B0, 00000000016, 00800726DB4)
0000000003C  001004215EE (00000000000, 00000000000, 00000000130, 0080006E518)
0000000003C  001004040DF (0080008914E, 00800077830, 00800077870, 00100464250)
000FFFF78C0  001004416EA (001803647D0, 0000000000E, 00180058D51, 00180362090)
000FFFFCCE0  0018004AE9D (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048886 (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048934 (00000000000, 00000000000, 00000000000, 00000000000)
End of stack trace

maaaaz commented 4 years ago

Can you paste the command you used ?

Reelix commented 4 years ago

hydra -d -w 5 -L usernames.txt -e snr -o found.txt -M ips.txt ssh

It goes through around 60-70 IPs (a list of 1.5k) then crashes.

The final line being

[INFO] Testing if password authentication is supported by ssh://root@x.x.x.70:22
      0 [main] hydra 603 cygwin_exception::open_stackdumpfile: Dumping stack trace to hydra.exe.stackdump

maaaaz commented 4 years ago

Could you try to run the same command with several pre-v9.0 releases, to see whether it crashes or not ? https://github.com/maaaaz/thc-hydra-windows/releases

I suspect a change for the SSH library.

Reelix commented 4 years ago

Could you try to run the same command with several pre-v9.0 releases, to see whether it crashes or not ?

8.5 doesn't have the issue - Should I try on the 8.7 dev release?

maaaaz commented 4 years ago

Yes, if you can.

maaaaz commented 4 years ago

@Reelix, here is a build of hydra v9.1 with another version of libssh, using the one from mingw64 project (https://packages.msys2.org/package/mingw-w64-x86_64-libssh).

Can you try the same command as the original one (which made you open this issue) ?

Thank you for taking time to debug this :-) build_9.1_with_mingw64-libssh-0.9.4.zip

Reelix commented 4 years ago

build_9.1_with_mingw64-libssh-0.9.4.zip - Crash

Exception: STATUS_ACCESS_VIOLATION at rip=7FF806B54BD5
rax=00000000007BB260 rbx=0000000200000000 rcx=00000000000008B0
rdx=00000000007BBB20 rsi=0000000000720000 rdi=0000000000000000
r8 =0000000028CE573A r9 =0000000000000000 r10=0000000000000000
r11=00000000006144BB r12=0000000000000000 r13=00000000007BBB20
r14=00000000007BBB10 r15=0000000000000001
rbp=0000000000000000 rsp=00000000FFFF6050
program=R:\Utilities\THC-Hydra\hydra.exe, pid 90, thread main
cs=0033 ds=002B es=002B fs=0053 gs=002B ss=002B
Stack trace:
Frame        Function    Args
00000000000  7FF806B54BD5 (00000720000, 00000000008, 00000000000, 00000000000)
00000000008  7FF806AC5D21 (000006008B0, 00000000000, 000006008B0, 00000000000)
00000000008  7FF806189C9C (000007BBB67, 00000000002, 000007BE3D0, 00000000008)
00000000008  00061AF5392 (7FFFCFC8C840, 00000000010, 00000000015, 0000063E6D0)
00000000008  00061AE5EC9 (00000000000, 00000000000, 0000063E6D0, 000FFFF62D0)
00000000010  00061AE1A29 (00061AE1E4C, B43B4FBBBA1D12DD, 00000000015, 7475B56CF4417878)
00000000010  00061AE0ADB (00000627100, 000FFFF63B0, 00000000015, 0000000000C)
00000000010  00061AE129B (000FFFF6500, 000000003C4, 00000000010, 00000000104)
00000000108  00061AE16CD (00000000300, 00061B140B3, 00000000000, 00061B140B3)
00061AE0BD0  00061AED137 (00000000002, 0000000105B, 00061ADCD20, 000006026A0)
00000000001  00061AE8BAC (00180321DB0, 0000000002E, 00000621560, 00800061420)
00061ACCA40  00061AEA34B (001801B974F, 00100450E60, 00000001388, 00061B15990)
0000000002E  00061ACD762 (00800061420, 008000595C0, 00000000016, 0000063BC74)
0000000002E  001004215EE (00000000130, 00000000001, 00000000130, 008000593F8)
0000000002E  001004040DF (0080007402E, 00800062710, 00800062750, 00100464250)
000FFFF78D0  001004416EA (00180058D51, 00180362090, 0000000000C, 00000000000)
000FFFFCCE0  0018004AE9D (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048886 (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048934 (00000000000, 00000000000, 00000000000, 00000000000)
End of stack trace

v8.7_dev -> https://www.virustotal.com/gui/file/85aba198a0ba204e8549ea0c8980447249d30dece0d430e3f517315ad10f32ce/detection

Urmmmm.... Neither 8.5 nor 9.1 give more than 2 false positives. You might want to double-check that build...

Since most of the results were simply "It's Hydra", I decided to run it anyways.

It stops early, although there is no stack trace. Edit: Seems the binary vanished even though my AV was disabled ._.

Thank you for taking time to debug this :-)

You help me by maintaining this repo far more than I help you :p

maaaaz commented 4 years ago

Arf, too bad for the crash. I really don't know the cause: either compilation/linkage, or just a defect in the lib itself (parsing etc.). Does the crash happen always for the same IP, or is it random among your 1.5k list? If it is always the same IP, it is a lib bug and should be reported to the lib maintainer.

Then for the virustotal detection, I can't explain but I guess that the specific 8.7_dev version might have been massively used in attacks (compared to other versions), so that it got massively flagged.

As two last tries for today:

Cheers.

Reelix commented 4 years ago

build_9.1_with_full_msys.zip - Got significantly further! Past the initial checks where the other libs were - Crashed at a different location though.

[ATTEMPT] target x.x.x.218 - login "root" - pass "root" - 1 of 51 [child 25] (0/0)
[DEBUG] head_no[26] read n
[DEBUG] send_next_pair_init target 73, head 26, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin root, tpass , logincnt 0/17, passcnt 0/3, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 1, clogin root, cpass root, tlogin root, tpass , redo 0
[ATTEMPT] target x.x.x.103 - login "root" - pass "root" - 1 of 51 [child 26] (0/0)
[DEBUG] head_no[27] read n
[DEBUG] send_next_pair_init target 75, head 27, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin root, tpass , logincnt 0/17, passcnt 0/3, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 1, clogin root, cpass root, tlogin root, tpass , redo 0
[ATTEMPT] target x.x.x.236 - login "root" - pass "root" - 1 of 51 [child 27] (0/0)
[DEBUG] head_no[28] read n
[DEBUG] send_next_pair_init target 78, head 28, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin root, tpass , logincnt 0/17, passcnt 0/3, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 1, clogin root, cpass root, tlogin root, tpass , redo 0
[ATTEMPT] target x.x.x.236 - login "root" - pass "root" - 1 of 51 [child 28] (0/0)
[DEBUG] head_no[29] read n
[DEBUG] send_next_pair_init target 79, head 29, redo 0, redo_state 0, pass_state 0. loop_mode 0, curlogin (null), curpass (null), tlogin root, tpass , logincnt 0/17, passcnt 0/3, loop_cnt 1
[DEBUG] send_next_pair_mid done 1, pass_state 1, clogin root, cpass root, tlogin root, tpass , redo 0
[ATTEMPT] target x.x.x.95 - login "root" - pass "root" - 1 of 51 [child 29] (0/0)
*** stack smashing detected ***: terminated
      0 [main] hydra 1247 cygwin_exception::open_stackdumpfile: Dumping stack trace to hydra.exe.stackdump
[ERROR] could not connect to target port 22: Timeout connecting to x.x.x.178
[ERROR] ssh protocol error
[DEBUG] pid 1255 called child_exit with code 2
[ERROR] could not connect to target port 22: Timeout connecting to x.x.x.236
Stack trace:
Frame        Function    Args
000FFFF6D18  00180063480 (000FFFF6F38, 00000000002, 00000000000, 000FFFFDE50)
000FFFFDE50  0018006563C (00000000064, 00000000000, 00000001BC4, 00000000000)
000FFFF7440  00180147028 (00000000000, 00100000000, 000FFFF774C, 00000000000)
000FFFF77A0  00180170764 (B0963194ED059279, 000FFFF77A0, 0018036C0E0, 00000000041)
000FFFF77A0  0018014332B (000FFFF7720, 0000000002C, 00000000001, 63617473202A2A2A)
000FFFF77A0  001801BF345 (000FFFF78B7, 00000000001, 00000000001, 000FFFF7790)
000FFFF77A0  0018013E3AB (000FFFF78B7, 00000000001, 00000000001, 000FFFF7790)
000FFFF77A0  001004018E4 (0000000001D, 0000000006E, 00000000001, 000FFFF78C0)
000FFFF7908  00100443D06 (00180058D61, 001802EE100, 000FFFFCC50, 0000000002F)
000FFFFCCE0  0018004AEAA (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048846 (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  001800488F4 (00000000000, 00000000000, 00000000000, 00000000000)
End of stack trace

build_9.1_cygwin_old_libssh_0.7.3.zip - Same as the previous one. Got past the authentication check stage, then crashed.

[DEBUG] head_no 57 has pid 750
[DEBUG] child 58 got target 113 selected
[DEBUG] child 58 spawned for target 113 with pid 751
[DEBUG] head_no 58 has pid 751
[DEBUG] child 59 got target 114 selected
[DEBUG] child 59 spawned for target 114 with pid 752
[DEBUG] child 60 got target 115 selected
[DEBUG] head_no 59 has pid 752
[DEBUG] child 60 spawned for target 115 with pid 753
[DEBUG] child 61 got target 116 selected
[DEBUG] head_no 60 has pid 753
[DEBUG] child 61 spawned for target 116 with pid 754
[DEBUG] head_no 61 has pid 754
[DEBUG] child 62 got target 117 selected
[DEBUG] child 62 spawned for target 117 with pid 755
[DEBUG] head_no 62 has pid 755
[DEBUG] child 63 got target 118 selected
[DEBUG] child 63 spawned for target 118 with pid 756
[DEBUG] head_no 63 has pid 756
*** stack smashing detected ***: terminated
      0 [main] hydra 692 cygwin_exception::open_stackdumpfile: Dumping stack trace to hydra.exe.stackdump
Stack trace:
Frame        Function    Args
000FFFF6D18  00180063180 (000FFFF6F38, 00000000002, 00000000000, 000FFFFDE50)
000FFFFDE50  0018006533C (00000000064, 00000000000, 00000002C38, 00000000000)
000FFFF7440  00180144978 (00000000000, 00100000000, 000FFFF774C, 00000000000)
000FFFF77A0  0018016DEF4 (A37242AB760A4706, 000FFFF77A0, 00180367660, 00000000281)
000FFFF77A0  00180140C7B (000FFFF7720, 0000000002C, 00000000001, 63617473202A2A2A)
000FFFF77A0  001801BCA75 (000FFFF78B7, 00000000001, 00000000001, 000FFFF7790)
000FFFF77A0  0018013BCFB (000FFFF78B7, 00000000001, 00000000001, 000FFFF7790)
000FFFF77A0  001004018E4 (00000000000, 00000000076, 00000000607, 000FFFF78C0)
00041100000  00100443316 (00180058D51, 00180362090, 0000000000C, 00000000000)
000FFFFCCE0  0018004AE9D (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048886 (00000000000, 00000000000, 00000000000, 00000000000)
000FFFFFFF0  00180048934 (00000000000, 00000000000, 00000000000, 00000000000)
End of stack trace

Does the crash happen always for the same IP or is it random among your 1.5k list?

A different part always. Both these versions are getting further though.
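As an added example (not code from this repository or from the Hydra project), here is a small Python parser for the Cygwin stackdump format pasted above. It pulls out the failure class, the faulting rip, the pid and the frame list, and separates the two crash shapes seen in this thread: STATUS_ACCESS_VIOLATION, where rip is the faulting address, and `*** stack smashing detected ***`, where the stack protector's canary check failed and the frames show the abort path rather than the overflow site. The module address ranges are an assumption based on Cygwin's usual link bases, and the two samples are constructed abbreviations of the traces in this issue.

```python
"""Parse a Cygwin stackdump and summarise it for crash triage (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples, abbreviated from the traces in this issue (not full captures).
SAMPLE_AV = """\
Exception: STATUS_ACCESS_VIOLATION at rip=003FF2132D2
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rbp=0000000000000000 rsp=00000000FFFF60D8
program=R:\\Utilities\\THC-Hydra\\hydra.exe, pid 1379, thread main
cs=0033 ds=002B es=002B fs=0053 gs=002B ss=002B
Stack trace:
Frame        Function    Args
00000000000  003FF2132D2 (003FF2126FB, 00800728900, 000FFFF6260, 000FFFF62B0)
00000000000  003FF20FE67 (003FB90E696, 0080072AAC0, 008007288E0, 0080072AA40)
0000000003C  001004215EE (00000000000, 00000000000, 00000000130, 0080006E518)
000FFFFCCE0  0018004AE9D (00000000000, 00000000000, 00000000000, 00000000000)
End of stack trace
"""

SAMPLE_SSP = """\
*** stack smashing detected ***: terminated
      0 [main] hydra 1247 cygwin_exception::open_stackdumpfile: Dumping stack trace to hydra.exe.stackdump
Stack trace:
Frame        Function    Args
000FFFF6D18  00180063480 (000FFFF6F38, 00000000002, 00000000000, 000FFFFDE50)
000FFFF77A0  001004018E4 (0000000001D, 0000000006E, 00000000001, 000FFFF78C0)
000FFFFFFF0  001800488F4 (00000000000, 00000000000, 00000000000, 00000000000)
End of stack trace
"""

@dataclass
class Frame:
    sp: int                     # "Frame" column: stack pointer at that frame
    pc: int                     # "Function" column: instruction/return address
    args: Tuple[int, ...]       # the four stack slots Cygwin prints as "Args"

@dataclass
class Dump:
    kind: str                   # "access_violation" | "stack_protector_abort" | "unknown"
    rip: Optional[int] = None
    program: Optional[str] = None
    pid: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)

FRAME_RE = re.compile(r"^([0-9A-F]+)\s+([0-9A-F]+)\s+\(([^)]*)\)\s*$", re.I)
EXC_RE = re.compile(r"^Exception:\s+(\S+)\s+at\s+rip=([0-9A-F]+)", re.I)
PROG_RE = re.compile(r"^program=(.+?),\s+pid\s+(\d+)")
SSP_RE = re.compile(r"\*\*\* stack smashing detected \*\*\*")
CYGPID_RE = re.compile(r"^\s*\d+\s+\[main\]\s+\S+\s+(\d+)\s+cygwin_exception::")

def parse_dump(text: str) -> Dump:
    """Walk the dump line by line; frames are only collected between the markers."""
    dump = Dump(kind="unknown")
    in_frames = False
    for line in text.splitlines():
        if m := EXC_RE.match(line):
            dump.kind = "access_violation" if m.group(1) == "STATUS_ACCESS_VIOLATION" else m.group(1).lower()
            dump.rip = int(m.group(2), 16)
        elif SSP_RE.search(line):
            dump.kind = "stack_protector_abort"   # glibc/cygwin SSP message: canary mismatch, abort()
        elif m := PROG_RE.match(line):
            dump.program, dump.pid = m.group(1), int(m.group(2))
        elif m := CYGPID_RE.match(line):
            dump.pid = dump.pid or int(m.group(1))
        elif line.startswith("Stack trace:"):
            in_frames = True
        elif line.startswith("End of stack trace"):
            in_frames = False
        elif in_frames and (m := FRAME_RE.match(line)):
            args = tuple(int(a.strip(), 16) for a in m.group(3).split(","))
            dump.frames.append(Frame(int(m.group(1), 16), int(m.group(2), 16), args))
    return dump

# Assumption: typical 64-bit Cygwin layout (exe base 0x100400000, cygwin1.dll base
# 0x180040000, Windows system DLLs high in the address space). Confirm against the
# real module list from a debugger before trusting the label.
MODULE_HINTS = (
    (0x100400000, 0x101400000, "main exe"),
    (0x180040000, 0x181040000, "cygwin1.dll"),
    (0x7FF000000000, 0x800000000000, "windows system dll"),
)

def module_of(pc: int) -> str:
    for lo, hi, name in MODULE_HINTS:
        if lo <= pc < hi:
            return name
    return "other dll / unknown"

def triage(dump: Dump) -> dict:
    """Summarise failure class, faulting address and the nearest frame in the main exe."""
    exe_frames = [f for f in dump.frames if module_of(f.pc) == "main exe"]
    out = {
        "kind": dump.kind,
        "pid": dump.pid,
        "fault_pc": dump.rip,
        "fault_module": module_of(dump.rip) if dump.rip is not None else None,
        "first_exe_frame": exe_frames[0].pc if exe_frames else None,
        "frame_count": len(dump.frames),
    }
    if dump.kind == "stack_protector_abort":
        out["note"] = ("canary check failed: a stack buffer overflow was caught and the process "
                       "aborted; the frames are the abort path, not the overflow site")
    elif dump.kind == "access_violation":
        out["note"] = "resolve first_exe_frame with addr2line against the same build to find the caller"
    return out

if __name__ == "__main__":
    for sample in (SAMPLE_AV, SAMPLE_SSP):
        print(triage(parse_dump(sample)))
```

The practical value is in `first_exe_frame`: for an access violation inside a library the frame closest to the fault that still lies in hydra.exe tells you which Hydra call site entered the library, and that address can be resolved with addr2line against the matching build. For the stack-smashing case the frame list is much less informative, because the abort runs from the protector's failure handler, so the overflowing function is the one that returned just before, not one of the listed frames.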

maaaaz commented 4 years ago

Ok, and if it crashed again, could you try from a linux version of hydra, for instance on a kali linux ?

Reelix commented 4 years ago

I updated my previous post with the progress reports and stack traces. Both of the new builds got further than the password authentication phase that the report was initially opened for, although still crashed further on with the same *** stack smashing detected *** error with stack traces.

could you try from a linux version of hydra, for instance on a kali linux ?

I currently don't have an internal Linux-based VM setup in my work environment (Which is why I'm using a Windows build of Hydra), so that might be a little tricky. I have currently been mitigating the issue by simply splitting the original list into smaller chunks, in which case the issue doesn't appear.

alexunderlag commented 4 years ago

Found a solution?

ghost commented 3 years ago

Describe the bug: I can't run it at windows

Steps to reproduce the behavior: nothing happened in windows 10

Screenshots: Crash back all the times

Desktop (please complete the following information):

W1one commented 2 years ago

I also encounter the same situation. It is suggested that you can try to solve it by setting the -T parameter to 30.