2009-05-22

freeSSHd administrator stupidity, and fix

Searching for an SSH server for a Windows machine, I stumbled upon freeSSHd. I thought it looked nice and threw up a remote desktop to the Windows machine and installed version 1.2.4.

Everything went fine until I tried to start the administration interface. It told me I need to be an administrator. Well, fine, I am in the administrator group but not the administrator. Tried running the application as the administrator user, no luck.

Going through their forums I found out the user has to be named "Administrator", case and all. Tough luck for us running non-English Windows versions...

As there did not appear to exist a good solution I finally ended up using OllyDbg (great tool, version 2 is under way) to disable the test. I won't post a patched version as I'm pretty sure it is not legal to do so, but I will show what you need to change, either using OllyDbg (yeah, it can edit and save the asm directly) or the hex editor of your choice. You probably should make a backup of the original file and stop the freeSSHd service before you start.

Okay, so what you need to do is to replace the JE (jump if equal/zero) instruction, which takes us down the wrong road, with two NOPs (no operation). It is at address 00013726 (yeah, it's hex; try Ctrl+G in your tool and specify the (file) offset), reading 74 49.

Just simply replace those two bytes with 90 90 and save the file.

Voila, it is possible to administrate freeSSHd!



(I would have posted this on the freeSSHd forum if I was able to register :P)

Edit:

Seems it starts a new instance when it's run by the "wrong" user. To get around this just stop the service, make the changes, and restart the service (i.e. from services.msc).

29 comments:

Anonymous said...

Nice work!

With the newer version of freeSSHd, you may not find '74 49' at 00013726, but surely somewhere near to that address. I found it at 000136fe.

Cheers~
IUnknown a.k.a V

Terence said...

Having the same issue, but I can't seem to find that JE instruction at 00013xxx. Ctrl-G takes me to what seems like a blank area or memory.

I'm not familiar with the odbg tool though.

Any help?

Thanks

ZealotouS said...

Better to use an open-source SSH server for Windows. I have tested freeSSHd - it's good, but KpyM Telnet/SSH Server is a better alternative without Cygwin, and it is open source under the BSD license.

Anonymous said...

To register:
http://www.freesshd.com/index.php?ctt=forum&action=reg

David H said...

Yes, it works! But I found 74 49 at address 0041312A.

And this must be the weirdest fix I've ever applied!

It's a mystery how you came up with this solution...

Thanks!

/David

Rafael & Kathryn said...

Just got the latest version and admittedly I am a complete noob when it comes to hex editing, but I cannot find anything that you guys are talking about. Not even sure I'm searching properly.

Help!

Anonymous said...

The location in FreeSSHDService.exe version 1.2.6.22 is at offset 78122/X1312A (for me...) it was the second match on "74 49" from the top of the file.

Andrew said...

Awesome, thank you very much. I know you said you can't post the changed exe cuz it's not legal, but isn't freeSSHd open source? At least that's what the title on the website says. I can't seem to find the source anywhere though. Thanks again.

Anonymous said...

bang on...works!

Harun said...

In response to Andrew's question about licensing (for future searchers):
Although freeSSHd uses both the terms "free software" and "open source" to describe itself, it is not using them to mean what the rest of the world uses them to mean.
The program is free-as-in-beer (hence "free software") and the source code can be purchased commercially (hence "open source").
Needless to say, this is confusing to many.
freeSSHd is a great bit of freeware, but it is neither DFSG-style Free, nor OSDL-style Open Source.

anothermarkus said...

Took me a while to figure out how to search...

v 1.2.6 Address: 004EE63A


1) File->Open FreeSSHDService.exe
2) Right Click->Search for -> Binary String
3) Hex Code: 74 49

Replace that guy for 90 90 and it works great!




Luke Hill said...

Just encountered the same "You don't have administrative rights" error on a Windows 2008 Server R2 box. Weirdly, the following work-around seemed to solve it:

1) "Start > Switch user"
2) Another user account had been logged-in; log-in as this (non-administrative) user.
3) "Start > Log off"
4) Log-in again as the original, administrative user (although the username is not "Administrator").
5) Retry running the ".exe"... now it works!

Anonymous said...

offset 1312A - shift bytes to 9090; good to go

Anonymous said...

^--- version 1.2.6.22 that is

Anonymous said...

I tried the suggested fix but still getting the same error when I run the new .exe ? v1.2.6.22

What could I be missing?

Monica and Tony said...

When I try to save the file it wants to modify a DLL in the syswow64 folder, is that what is supposed to happen?

Monica and Tony said...

When I try to save the exe it says that it wants to save changes to a DLL in the syswow64 folder, is that what is supposed to happen?

jim jones said...

Hi Guys:

I tried to post this on the freesshd forum but the captcha thingy is not working, you can't post so that is that.

As you know, the freesshd applet does not work in any windows OSs above Vista.
The applet can run but it is not connected to the running service due to new MS security measures for interactive services.

The workaround is to run the applet, change the settings you want to change, close the applet and then stop and start the freesshdservice. This is fine and works perfectly.

Then there is one annoying bug with the applet if you are running your machine NOT using an account in the Administrator's group. If you right click on the applet and choose run as Administrator the applet will fail with the following message:
"You don't have administrator rights! freeSSHd will close!".

Now, this message is confusing because you are selecting to run the applet as an admin user not as the normal user you are logged in as. The problem in the code is here:

    if (IsLoggedOnUserAdmin())
    {
        Shell_NotifyIcon(NIM_ADD, &sm->m_NotifyIcon);
        WriteLog("Tray icon shown (admin logged in)");
    }
    else
    {
        WriteLog("Tray icon not show (no admin rights)");
        if (!_Module.m_bService)
        {
            MessageBox(NULL, "You don't have administrator rights! freeSSHd will close!", "Security", MB_ICONERROR);
            PostQuitMessage(1);
            return 0;
        }
    }

The function "IsLoggedOnUserAdmin()" appears to be returning the result of the DESKTOP logged in user, not the user trying to run the freesshd applet. Hence, the access denied. The claim that the reason for this is that your admin user is not named "Administrator" is incorrect. None of my machines' root users are "Administrator" yet they all work... but only if the logged in DESKTOP user has admin rights. So, the issue here is the function IsLoggedOnUserAdmin() needs to be updated to check the process owner of the current freesshd session that just started (the applet) and not the logged in user of the DESKTOP.

The obvious work around is you need to log out as a normal user, log in using an account with admin rights, run the applet, change the settings you want changed, stop and start freesshdservice, log out of the admin account and log back in as your normal user.

Everything now works.

Cheers,
John

Anonymous said...

FYI, I'm trying this on server 2012 R2 and still getting the no admin rights error, and I am an admin user.

Thomas Sayne said...

I installed version 1.3.1 and edited the bytes at 0130333f. The existing bytes were 74 56, rather than 74 49. The rest of the directions were fine.

peter yang said...

Dear Thomas Sayne,
I installed version 1.3.1, but I can't find 0130333f. I just find 00171660 end of Offset.
Could you help me with what is wrong?
Thanks

vincentwoo said...

Hi Thomas

I am using 1.3.1 as well, I am not able to find 0130333f as well.

not sure what I did wrong here. :(

Unknown said...

Using OllyDbg 2.01 & FreeSSHd v1.3.1.26
0134333E 74 56 JZ SHORT 01343396
change to
0134333E 75 56 JNZ SHORT 01343396

This is running olly on server 2008 r2 64bit

Anonymous said...

For FreeSSHd v1.3.1.26:
0134333E 74 56 JZ SHORT 01343396
change to
0134333E 75 56 JNZ SHORT 01343396

is correct, but remember that the first 4 digits of your address will be different.
Go to View->Executable Modules, look at the 'Base address' of FreeSSHDService.exe, take the 1st 4 bytes, say "ZZZZ", then append 333E, and go to that address. Then double click the module in the list, and choose "Ctrl+G" ZZZZ333E.

Or an easier method - open the FreeSSHDService.exe file with HxD portable (google it), Ctrl+G to 1273E and replace 74 with 75. DONE!
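
The addresses quoted in these comments differ because a debugger shows virtual addresses (load base plus an offset into the image, and the base can change between runs) while a hex editor shows file offsets. The following is an added example, not code from the original post or from freeSSHd: it converts between the two through the PE section table and decodes the short-jump target quoted above. The load bases and section layout are constructed so the arithmetic lines up with the 1.3.1.26 figures in the comments; they were not read from FreeSSHDService.exe.

```python
import struct
from collections import namedtuple

# Field order follows the first five members of IMAGE_SECTION_HEADER.
Section = namedtuple("Section", "name vsize vaddr raw_size raw_ptr")

def parse_sections(table, count):
    """Parse `count` 40-byte section headers from a PE section table."""
    return [Section(*struct.unpack_from("<8sIIII", table, i * 40))
            for i in range(count)]

def va_to_file_offset(va, image_base, sections):
    """Debugger address -> hex-editor offset, or None if not backed by file."""
    rva = va - image_base
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.raw_size):
            delta = rva - s.vaddr
            # Bytes past raw_size exist only in memory (zero-filled).
            return s.raw_ptr + delta if delta < s.raw_size else None
    return None

def file_offset_to_va(offset, image_base, sections):
    """Hex-editor offset -> address shown when loaded at image_base."""
    for s in sections:
        if s.raw_ptr <= offset < s.raw_ptr + s.raw_size:
            return image_base + s.vaddr + (offset - s.raw_ptr)
    return None

def short_jump_target(va, insn):
    """Target of a 2-byte Jcc rel8 (0x70-0x7F) or JMP rel8 (0xEB)."""
    opcode, rel8 = insn[0], insn[1]
    if not (0x70 <= opcode <= 0x7F or opcode == 0xEB):
        raise ValueError("not a short jump")
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8  # rel8 is signed
    return (va + 2 + disp) & 0xFFFFFFFF

def _header(name, vsize, vaddr, raw_size, raw_ptr):
    return struct.pack("<8sIIII16x", name, vsize, vaddr, raw_size, raw_ptr)

# Constructed layout (assumption, not read from FreeSSHDService.exe).
SECTIONS = parse_sections(
    _header(b".text", 0x20000, 0x1000, 0x20000, 0x400) +
    _header(b".data", 0x5000, 0x21000, 0x1000, 0x20400), 2)

if __name__ == "__main__":
    for base in (0x01330000, 0x00A90000):  # same file, two load addresses
        va = file_offset_to_va(0x1273E, base, SECTIONS)
        print(hex(base), hex(va), hex(va_to_file_offset(va, base, SECTIONS)))
    print(hex(short_jump_target(0x0134333E, bytes.fromhex("7456"))))
```

The file offset stays the same across loads while the virtual address moves with the base, which is why a file offset is the more portable thing to quote for a given build.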

Anonymous said...

THIS DID IT!! thank you!!!

Or an easier method - open FreeSSHDService.exe file with HxD portable (google it), Ctrl+G to 1273E and replace 74 with 75. DONE!

Anonymous said...

There is an easier way: Open the services panel, go to FreeSSHDService and configure it to run with the user you plan to use to execute FreeSSHDService.exe (it does not need to be a local user). Once I did this I was able to run it with my desired user account without any issues.

Anonymous said...

Changing the service account did not work for me, maybe because I'm using a domain account?
Was able to use OllyDbg (the same way mentioned previously using HxD): from the Executable modules window, right click the freeSSHDService.exe and select View executable file, and now you can more easily find the right place: CTRL+G, find 1273E, right click Binary-Edit, change 74 to 75.

Anonymous said...

I got it to work, but how did you figure out this was the place to change 74 to 75 though? Can you run the SSH program through OllyDbg somehow, and figure out where it stops?

ardatun said...

Thanks, This works:
Open FreeSSHDService.exe file with HxD portable (google it), Ctrl+G to 1273E and replace 74 with 75