CVE-2017-1000475 PoC — FreeSSHd 安全漏洞

Source

https://github.com/lajarajorge/CVE-2017-1000475

Associated Vulnerability

Title:FreeSSHd 安全漏洞 (CVE-2017-1000475)
Description:FreeSSHd是Windows平台下的一款免费SSH服务器。 FreeSSHd 1.3.1版本中存在安全漏洞。攻击者可利用该漏洞以提升的权限启动进程。

Description

Unquoted Path Service

Readme

# CVE-2017-1000475: Freesshd Unquoted Service Path

### Prove of concept
Windows 10 with freeSSHd 1.3.1, installed by default and with the option running as a system service.

![1](/images/1.png)

Command to check Unquoted Service Path. The service is unquoted by default.

![2](/images/2.png)

The process is running as SYSTEM by default.

![3](/images/3.png)

Create a Reverse Shell with MSFVenom to check the connection against an attacker and rename the executable Program.exe configured to connect against the attacker IP (192.168.158.133:4444):

![4](/images/4.png)

And configure the listener to handle the connection:

![5](/images/5.png)

Windows Network configuration:

![6](/images/6.png)

When the Service is restarted, it executes Program.exe with SYSTEM privileges, returning a “NT AUTHORITY\SYSTEM” shell:

![7](/images/7.png)

File Snapshot


 [4.0K]  /data/pocs/ebb7e4d8932990ef8f2e64b96861a99c6ce15c95
├── [4.0K]  images
│   ├── [784K]  1.png
│   ├── [294K]  2.png
│   ├── [946K]  3.png
│   ├── [355K]  4.png
│   ├── [716K]  5.png
│   ├── [545K]  6.png
│   └── [731K]  7.png
└── [ 876]  README.md

1 directory, 8 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!