CVE-2017-1000475 PoC — FreeSSHd 安全漏洞

Source

https://github.com/lajarajorge/CVE-2017-1000475

Associated Vulnerability

Title:FreeSSHd 安全漏洞 (CVE-2017-1000475)
Description:FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allowing local users to launch processes with elevated privileges.

Description

Unquoted Path Service

Readme

# CVE-2017-1000475: Freesshd Unquoted Service Path

### Prove of concept
Windows 10 with freeSSHd 1.3.1, installed by default and with the option running as a system service.

![1](/images/1.png)

Command to check Unquoted Service Path. The service is unquoted by default.

![2](/images/2.png)

The process is running as SYSTEM by default.

![3](/images/3.png)

Create a Reverse Shell with MSFVenom to check the connection against an attacker and rename the executable Program.exe configured to connect against the attacker IP (192.168.158.133:4444):

![4](/images/4.png)

And configure the listener to handle the connection:

![5](/images/5.png)

Windows Network configuration:

![6](/images/6.png)

When the Service is restarted, it executes Program.exe with SYSTEM privileges, returning a “NT AUTHORITY\SYSTEM” shell:

![7](/images/7.png)

File Snapshot


 [4.0K]  /data/pocs/ebb7e4d8932990ef8f2e64b96861a99c6ce15c95
├── [4.0K]  images
│   ├── [784K]  1.png
│   ├── [294K]  2.png
│   ├── [946K]  3.png
│   ├── [355K]  4.png
│   ├── [716K]  5.png
│   ├── [545K]  6.png
│   └── [731K]  7.png
└── [ 876]  README.md

1 directory, 8 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!