Daniel Alcántara de la Hoz <seguridad@iproyectos.net> writes: > In December 16, 2002 Rapid 7.Inc released a security alert about > vulnerabilities in ssh2 implementations from multiple vendors. We > have used the concept to code this exploit/proof of concept. > > It's a fake server to exploit the putty client. To test it you need > to change the url in the shellcode; that file will be downloaded and > run on exploitation. I should point out that the vulnerabilities uncovered by Rapid 7 were fixed in PuTTY 0.53b, released on November 12th 2002. (S) (PuTTY team member)
