2009-05-22

freeSSHd administrator stupidity, and fix

Searching for a ssh server for a Windows machine I stumbled upon freeSSHd. I thought it looked nice and threw up a remote desktop the Windows machine and installed version 1.2.4.

Everything went fine until I tried to start the administration interface. It told me I need to be an administrator. Well, fine, I am in the administrator group but not the administrator. Tried running the application as the administrator user, no luck.

Going through their forums I found out the user have to be named "Administrator", case and all. Tough luck for us running non-English Windows versions...

As their did not appear to exist a good solution I finally ended up using OllyDbg (great tool, version 2 is under way) to disable the test. I won't post a patched version as I'm pretty sure it is not legal to do so, but I will show what you need to change, either using OllyDbg (yea, it can edit and save the asm directly) or the hex editor of your choice. You probably should make a backup of the original file and stop the freeSSHd service before you start.

Okay, so what you need to do is to replace the JE (jump equal/zero) instruction, that takes us down the wrong road, with two NOPs (no operation). It is at address 00013726 (yea, it's hex, try Ctrl+G in your tool and specify (file) offset), reading 74 49.

Just simply replace those two bytes with 90 90 and save the file.

Voila, it is possible to administrate freeSSHd!



(I would have posted this on the freeSSHd forum if I was able to register :P)

edit.

Seems it starts a new instance when it's run by the "wrong" user. To get around this just stop the service, make the changes, and restart the service (ie from services.msc).

39 comments:

Anonymous said...

Nice work!

With the newer version of freeSSHd, you may not find '74 49' at 00013726, but surely somewhere near to that address. I found it at 000136fe.

Cheers~
IUnknown a.k.a V

Terence said...

Having the same issue, but I can't seem to find that JE instruction at 00013xxx. Ctrl-G takes me to what seems like a blank area or memory.

Im not familiar with the odbg tool though.

Any help?

Thanks

ZealotouS said...

Better to use opensource SSH server for Windows. I have tested freesshd - it's good, but
KpyM Telnet/SSH Server better alternative without cygwin, and it is opensource BSD license.

Anonymous said...

To register:
http://www.freesshd.com/index.php?ctt=forum&action=reg

David H said...

Yes, it works! But I found 74 49 at address 0041312A.

And this must be the weirdest fix I've ever applied!

It's a mystery how you came up with this solution...

Thanks!

/David

Unknown said...

just got the latest version and admittedly I am a comlete noob when it comes to hex editing but I can not find anything that you guys are talking about. Not even sure I'm searching properly

Help!

Anonymous said...

The location in FreeSSHDService.exe version 1.2.6.22 is at offset 78122/X1312A (for me...) it was the second match on "74 49" from the top of the file.

Andrew Reitz said...

Awesome, thank you very much. I know you said you can't post the changed exe cuz it's not legal, but isn't freeSSHd open source? At lease that's what the title on the website says. I can't seem to find the source anywhere though. Thanks again.

Anonymous said...

bang on...works!

Harun said...

In response to Andrew's question about licensing (for future searchers):
Although freeSSHd uses both the terms "free software" and "open source" to describe itself, it is not using them to mean what the rest of the world uses them to mean.
The program is free-as-in-beer (hence "free software") and the source code can be purchased commercially (hence "open source").
Needless to say, this is confusing to many.
freeSSHd is a great bit of freeware, but it is neither DFSG-style Free, nor OSDL-style Open Source.

anothermarkus said...

Took me a while to figure out how to search...

v 1.2.6 Address: 004EE63A


1) File->Open FreeSSHDService.exe
2) Right Click->Search for -> Binary String
3) Hex Code: 74 49

Replace that guy for 90 90 and it works great!




Unknown said...

Just encountered the same "You don't have administrative rights" error on a Windows 2008 Server R2 box. Weirdly, the following work-around seemed to solve it:

1) "Start > Switch user"
2) Another user account had been logged-in; log-in as this (non-administrative) user.
3) "Start > Log off"
4) Log-in again as the original, administrative user (although the username is not "Administrator").
5) Retry running the ".exe"... now it works!

Anonymous said...

offset 1312A - shift bytes to 9090; good to go

Anonymous said...

^--- version 1.2.6.22 that is

Anonymous said...

I tried the suggested fix but still getting the same error when I run the new .exe ? v1.2.6.22

What could I be missing?

Monica and Tony said...

When I try to save the file it wants to modify a DLL in the syswow64 folder, is that what is supposed to happen?

Monica and Tony said...

When I try to save the exe it says that it wants to save changed to a DLL in the syswow64 folder, is that what is supposed to happen?

Unknown said...

Hi Guys:

I tried to post this on the freesshd forum but the capcha thinggy is not working, you can't post so that is that.

As you know, the freesshd applet does not work in any windows OSs above Vista.
The applet can run but it is not connected to the running service due to new MS security measures for interactive services.

The work around is the run the applet, change the settings you want change, close the applet and then stop and start the freesshdservice. This is fine and works perfectly.

The there is one annoying bug with the applet if you are running your machine NOT using an account in the Administrator's group. If you right click on the applet and choose run as Administrator the applet with fail with the following message:
"You don't have administrator rights! freeSSHd will close!".

Now, this message is confusing because you are selecting to run the applet as an admin user not as the normal user you are logged in as. The problem in the code is here:

if (IsLoggedOnUserAdmin())
{
Shell_NotifyIcon(NIM_ADD, &sm->m_NotifyIcon);
WriteLog("Tray icon shown (admin logged in)");
}
else
{
WriteLog("Tray icon not show (no admin rights)");
if (!_Module.m_bService)
{
MessageBox(NULL, "You don't have administrator rights! freeSSHd will close!", "Security", MB_ICONERROR);
PostQuitMessage(1);
return 0;
}
}

The function "IsLoggedOnUserAdmin()" appears to be returning the result of the DESKTOP logged in user, not the user trying to run the freesshd applet. Hence, the access denied. The claim that reason for this is that your admin user is not named "Administrator" is incorrect. None of my machines' root users are "Administrator" yet they all work....but only if the logged in DESKTOP user has admin rights. So, the issue here is the function IsLoggedOnUserAdmin() needs to be updated to check the process owner of the current freesshd session that just started (the applet) and not the logged in user of the DESKTOP.

The obvious work around is you need to log out as a normal user, log in using an account with admin rights, run the applet, change the settings you want changed, stop and start freesshdservice, log out of the admin account and log back in as your normal user.

Everything now works.

Cheers,
John

Anonymous said...

FYI, I'm trying this on server 2012 R2 and still getting the no admin rights error, and I am an admin user.

Thomas Sayne said...

I installed version 1.3.1 and edited the bytes at 0130333f. The existing bytes were 74 56, rather than 74 49. The rest of the directions were fine.

Peterrabbit said...

Dear Tomas Sayne,
I installed version 1.3.1,but I can't fine 0130333f.I just find 00171660 end of Offset
Could you help me what wrong it.
thks

vincentwoo said...

Hi Thomas

I am using 1.3.1 as well, I am not able to find 0130333f as well.

not sure what I did wrong here. :(

Unknown said...

Using ollydb 2.01 & FreeSSHd v1.3.1.26
0134333E 74 56 JZ SHORT 01343396
change to
0134333E 75 56 JNZ SHORT 01343396

This is running olly on server 2008 r2 64bit

Anonymous said...

For FreeSSHd v1.3.1.26:
0134333E 74 56 JZ SHORT 01343396
change to
0134333E 75 56 JNZ SHORT 01343396

is correct, but remember that the first 4 digits of your address will be different.
Go to View->Executable Modules, look at the 'Base address' of FreeSSHDService.exe take the 1st 4 bytes say "ZZZZ" then append 333E - and go to that address. Then double click the module in the list, and Choose "Ctrl+G" ZZZZ333E.

Or an easier method - open FreeSSHDService.exe file with HxD portable(google it) Ctrl+G to 1273E and replace 74 with 75. DONE!

Anonymous said...

THIS DID IT!! thank you!!!

Or an easier method - open FreeSSHDService.exe file with HxD portable(google it) Ctrl+G to 1273E and replace 74 with 75. DONE!

Anonymous said...

There is an easier way: Open the services panel, go to FreeSSHDService and configure it to run with the user you plan to use to execute FreeSSHDService.exe (it does not need to be a local user). Once I did this I was able to run it with my desired user account without any issues.

Anonymous said...

Changing the service account did not work for me, maybe because I'm using a domain account?
Was able to use OllyDbg (the same way mentioned previously using HxD) from the Executable modules window, right click the freeSSHDService.exe and select View executable file, and now you can easier find the right place, CTRL+G, find 1273E, right click Binary-Edit, change 74 to 75.

Anonymous said...

I got it to work, but how did you figure out this was the place to change 74 to 75 though? Can you run the SSH program through OllyDbg somehow, and figure out where it stops?

ardatun said...

Thanks, This works:
Open FreeSSHDService.exe file with HxD portable(google it) Ctrl+G to 1273E and replace 74 with 75

Cagg said...

Some more info:
You don't necessarily need to be logged in as user 'Administrator'. If you're running this on a server (most likely scenario) and connecting via remote desktop make sure there are no other sessions active under Administrative Tools / Remote Desktop Services / Remote Desktop Services Manager.
Then as long as you're a member of Administrators group, you'll be able to launch the admin tool.
Reminder: if freesshd is installed as a service, then you must launch the freesshd admin tool as administrator.

Anonymous said...

Thanks ardatun, This works:
Open FreeSSHDService.exe file with HxD portable(google it) Ctrl+G to 1273E and replace 74 with 75

The HxD is just 800kb.

Yao said...

Open FreeSSHDService.exe file with HxD portable(google it) Ctrl+G then enter 12730 and replace 74 with 75

nikkolayebba said...

There are definitely lots of details like that to take into consideration. That could be a nice level to bring up. I provide the thoughts above as basic inspiration however clearly there are questions just like the one you deliver up where a very powerful thing will probably be working in trustworthy good faith. I don?t know if finest practices have emerged round things like that, however I'm sure that your job is clearly recognized as a fair game. Each boys and girls really feel the impression of only a moment’s pleasure, for the remainder of their lives. betfair online casino

Anonymous said...

there is no need to hack the exe file to use freesshd under windows2008, windows7, windows8.1, windows2012, windows2016 oe windows10. usage is as follows:
1. install under any administrator account,
2. set to run as service.
3. to adjust the settings, open a cmd session as administrator and enter the following command "sc stop freesshdservice" , the service is now stopped,
4. go to the start menus(programs listing) and find freesshd and run it AS Administrator regardless of who you are logged in as. This step is critical, you MUST run the aerospace session of freesshd as Administrator else any changes you make will NOT be remembered beyond the current session.
5. make any changes you like, home directory location, logging on, users, tunnelling options, certificate options etc,
6. once you have clicked apply, test.
Once You have tested, and it works, close down the aerospace session,
7. go back to the cmd session and enter the command "sc start freesshdservice" ,
8. test. should now work.

Cheers,
john

Anonymous said...

Sorry for the typos above, my silly phone "corrected" some of my spellings and I neglected to check b4 publishing.

cheers,
john

iBuy & Sale said...

New website launched for SSD Hosting. They giving cheap hosting packages. freessdhosting.com

Anonymous said...

On my pc i ran netplwiz then chose user properties and changed group membership to the unrestricted administrators.

Just one black guy.

Unknown said...

For the life of me I cannot get freesshd 1.3.1 to install on Win 7 Home so that it will be a service! I have installed this without problems on Win7 Pro but on 2 different Win 7 Home it will not set up the services entry. I always am logged in as an "administrator" but not named as such. I can right click, run as admin, the fresshd exe, setup what I want and it will run. It will NOT create the service entry even with the corresponding box checked on the freesshd SSH tab. I have followed the steps in this forum and many others yet it will not create the service entry and automatically start on boot and will not place the management icon in the system tray.
Help!

Anonymous said...

Try renaming yourself to "Administrator" .
The Freesshd UI and install routines are written for XP and 2003 so they have no knowledge of UI security control.
Install it under an account named Administrator and then change the account back later. See if that works.

cheers,
john