POC详情: ebb7e4d8932990ef8f2e64b96861a99c6ce15c95

来源
https://github.com/lajarajorge/CVE-2017-1000475
关联漏洞
标题: FreeSSHd 安全漏洞 (CVE-2017-1000475)
描述:FreeSSHd是Windows平台下的一款免费SSH服务器。 FreeSSHd 1.3.1版本中存在安全漏洞。攻击者可利用该漏洞以提升的权限启动进程。
描述
Unquoted Path Service
介绍
# CVE-2017-1000475: Freesshd Unquoted Service Path

### Prove of concept
Windows 10 with freeSSHd 1.3.1, installed by default and with the option running as a system service.

![1](/images/1.png)

Command to check Unquoted Service Path. The service is unquoted by default.

![2](/images/2.png)

The process is running as SYSTEM by default.

![3](/images/3.png)

Create a Reverse Shell with MSFVenom to check the connection against an attacker and rename the executable Program.exe configured to connect against the attacker IP (192.168.158.133:4444):

![4](/images/4.png)

And configure the listener to handle the connection:

![5](/images/5.png)

Windows Network configuration:

![6](/images/6.png)

When the Service is restarted, it executes Program.exe with SYSTEM privileges, returning a “NT AUTHORITY\SYSTEM” shell:

![7](/images/7.png)
文件快照

 [4.0K]  /data/pocs/ebb7e4d8932990ef8f2e64b96861a99c6ce15c95
├── [4.0K]  images
│   ├── [784K]  1.png
│   ├── [294K]  2.png
│   ├── [946K]  3.png
│   ├── [355K]  4.png
│   ├── [716K]  5.png
│   ├── [545K]  6.png
│   └── [731K]  7.png
└── [ 876]  README.md

1 directory, 8 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。