CVE-2017-1000475: freeSSHd Unquoted Service Path

Proof of concept

Windows 10 with freeSSHd 1.3.1, installed with default settings and with the option to run as a system service.

Command to check for an unquoted service path. The service path is unquoted by default.
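
The same check can be run offline against exported service ImagePath values. This is an added example, not part of the original write-up; the service name and install path in the sample data are constructed, since the page does not show them. It goes slightly beyond the page by also listing the ambiguous paths Windows would try first and the quoted value that fixes the entry.

```python
import re

# Constructed sample ImagePath values. On a real host they are read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
# The freeSSHd service name and install path are assumptions.
SAMPLE_SERVICES = {
    "FreeSSHDService": r"C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -k run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

def exe_path(image_path):
    """Executable part of an unquoted ImagePath; None if quoted or not an .exe."""
    p = image_path.strip()
    if p.startswith('"'):
        return None  # quoted paths are parsed unambiguously
    m = re.match(r"(.*?\.exe)(\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else None

def ambiguous_candidates(image_path):
    """Paths Windows tries before the real binary: one per space in the path."""
    exe = exe_path(image_path)
    if exe is None:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def audit(services):
    """Map each vulnerable service to its candidate paths and quoted fix."""
    findings = {}
    for name, image_path in services.items():
        candidates = ambiguous_candidates(image_path)
        if candidates:
            exe = exe_path(image_path)
            args = image_path.strip()[len(exe):]  # keep original arguments
            findings[name] = {"candidates": candidates,
                              "fixed": f'"{exe}"{args}'}
    return findings

if __name__ == "__main__":
    for name, f in audit(SAMPLE_SERVICES).items():
        print(name)
        print("  verify these do not exist and are not writable by users:")
        for c in f["candidates"]:
            print("   ", c)
        print("  remediated ImagePath:", f["fixed"])
```

Each reported candidate is a location whose existence and ACLs should be checked; setting ImagePath to the quoted value removes the ambiguity.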

The process is running as SYSTEM by default.

Create a reverse shell with MSFVenom, configured to connect back to the attacker IP (192.168.158.133:4444), and rename the executable to Program.exe:

And configure the listener to handle the connection:

Windows Network configuration:

When the service is restarted, it executes Program.exe with SYSTEM privileges, returning an “NT AUTHORITY\SYSTEM” shell: